Slide 1

Slide 1 text

User Focused Security at Netflix: Stethoscope
ShmooCon 2017, Jan 14

Slide 2

Slide 2 text

Andrew White
● PhD from UNC in Fall 2015
● Researched side channels in encrypted network traffic
● Software engineer at Netflix

Slide 3

Slide 3 text

Jesse Kriss
● Masters in HCI from Carnegie Mellon
● User experience
● Web development
● Information visualization
● Formerly: IBM Research, Figure 53, Obama 2012, NASA/JPL

Slide 6

Slide 6 text

...but no security background.

Slide 7

Slide 7 text

OPEN SOURCE USER-FOCUSED SECURITY
Stethoscope

Slide 9

Slide 9 text

Infosec at Netflix

Slide 10

Slide 10 text

Keep Netflix employees and information safe
Thousands of employees. Even more devices. Lots of people with access. Worldwide offices.

Slide 11

Slide 11 text

BYOD
3,000 users
8,000 devices

Slide 12

Slide 12 text

All cloud everything
Streaming infrastructure is 100% cloud
> 100,000 EC2 instances
> 700 internal cloud applications

Slide 14

Slide 14 text

“Responsible people thrive on freedom, and are worthy of freedom.”

Slide 15

Slide 15 text

“Bad processes creep in. We try to get rid of rules when we can, to reinforce the point.”

Slide 16

Slide 16 text

Screenshot by Chris Gansen

Slide 17

Slide 17 text

Values are embedded in and communicated by systems, tools, and procedures, not just people.

Slide 18

Slide 18 text

Only at Netflix?

Slide 19

Slide 19 text

1. Education, not just automatic enforcement

Slide 20

Slide 20 text

Photo by #WOCinTech Chat

Slide 22

Slide 22 text

2. Work with your colleagues, not against them.

Slide 24

Slide 24 text

“The timing seems right for a renewal of interest in synthesizing usability and security.”
Mary Ellen Zurko, 1996

Slide 25

Slide 25 text

BY HUMANS FOR HUMANS
User Focused Security

Slide 26

Slide 26 text

OPEN SOURCE USER-FOCUSED SECURITY
Stethoscope

Slide 27

Slide 27 text

The approach.
● Education
● Self service
● Personalized
● One place to go
● Actionable
● Complete the feedback loop

Slide 28

Slide 28 text

And avoiding...
● Forced updates
● Company-wide emails
● Information overload
● “This probably doesn’t apply to me...”

Slide 37

Slide 37 text

How do we get people to see it?
● Stickers!

Slide 39

Slide 39 text

How do we get people to see it?
● Stickers!
● New employee “training”
● Targeted email campaigns

Slide 40

Slide 40 text

What about other security alerts?
One place to go

Slide 43

Slide 43 text

HOW THE THING IS BUILT
Technical architecture

Slide 44

Slide 44 text

Technology stack
● Back-end
  ○ Python using Twisted + Klein
  ○ Plugin architecture
● Front-end: React
● Nginx
  ○ Serves static files
  ○ Proxies requests to API server
● No persistence layer required

Slide 45

Slide 45 text

Device data sources
● Windows: LANDESK
● Mac: JAMF
● Linux: osquery (coming soon)
● Mobile: Google MDM

Slide 46

Slide 46 text

Ownership attribution
● Authentication logs (BYOD)
  ○ Wireless
  ○ VPN
● bitFit (owned devices)

Slide 47

Slide 47 text

Device data retrieval

Slide 48

Slide 48 text

Security practices
● Disk encryption
● Firewall
● Automatic updates
● Up-to-date OS/software
● Screen lock
● Not jailbroken/rooted
● Security software stack (e.g., Carbon Black)

Slide 49

Slide 49 text

Status determination

Slide 50

Slide 50 text

Other information
● Events
  ○ Google, Duo auth logs
  ○ Import from Elasticsearch
  ○ Augment with, e.g., geolocation data
● Accounts: Google
● Alerts/feedback: Elasticsearch/REST

Slide 51

Slide 51 text

Utilities
● Logging
  ○ Accesses: to Elasticsearch
  ○ Errors: to Atlas
● Auth: OpenID Connect
● Batch: to Elasticsearch/REST

Slide 52

Slide 52 text

SHARING IS CARING
Open-source

Slide 53

Slide 53 text

Why open-source?
● Giving back to the community
● Knowledge sharing
● Collaboration

Slide 54

Slide 54 text

What’s included
● Front-end source
  ○ React-scripts for simple setup, builds, test, etc.
  ○ Static resources
● Back-end source
  ○ Plugins previously mentioned
  ○ Tests, example configuration, etc.
● Nginx configuration
● Docker development configuration

Slide 55

Slide 55 text

What do you need?
● Primary device data source
● [Ownership attribution]
● Authentication provider

Slide 56

Slide 56 text

THE BIG PICTURE
Aggregated data

Slide 57

Slide 57 text

Individuals to organizations
● Visualization at manager, organization level
● Identifies groups for targeted efforts

Slide 58

Slide 58 text

Are we making progress?
● Nightly batch retrieval allows tracking trends over time
● Identifies practices which need particular attention

Slide 59

Slide 59 text

LESSONS SO FAR
What we’ve learned

Slide 60

Slide 60 text

Data quality
● Inventory needs to be up-to-date and accurate
● Data sources can have different representations for identifiers
● Don’t always get a unique identifier for a device
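The two data-quality lessons above (identifiers represented differently by each source, and sources that supply no unique identifier at all) are what the merge step of a tool like this has to absorb before any practice check is meaningful. The block below is an added example of that step, not Stethoscope's code: it canonicalizes MAC addresses and serial numbers, keys records by serial where one exists, learns which MACs belong to which serial from the richer sources so that an auth-log record carrying only a MAC can still be attached to the right device, and sets aside records that cannot be attributed at all. The source names, field layouts and sample records are constructed for the example.

```python
"""Merging device records from sources that disagree on identifiers
(added example, not Stethoscope's code; sources and fields are constructed)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

_TWELVE_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Canonicalize aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff or bare hex
    to lower-case colon form; None when the value is not a MAC at all."""
    if not value:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not _TWELVE_HEX.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_serial(value: Optional[str]) -> Optional[str]:
    """Serial numbers differ only in whitespace and case between sources."""
    if not value:
        return None
    cleaned = value.strip().upper()
    return cleaned or None


def merge_records(records: Iterable[dict]) -> Tuple[Dict[str, dict], List[dict]]:
    """Fold per-source records into one entry per device.

    Returns (merged, unidentified): merged is keyed by "serial:<S>" or, for
    devices no source ever gave a serial, "mac:<M>"; unidentified holds the
    records that carried neither identifier and so cannot be attributed."""
    records = list(records)

    # Pass 1: any source that reports both identifiers teaches us the MAC -> serial link.
    mac_to_serial: Dict[str, str] = {}
    for rec in records:
        serial, mac = normalize_serial(rec.get("serial")), normalize_mac(rec.get("mac"))
        if serial and mac:
            mac_to_serial[mac] = serial

    merged: Dict[str, dict] = {}
    unidentified: List[dict] = []
    for rec in records:
        serial, mac = normalize_serial(rec.get("serial")), normalize_mac(rec.get("mac"))
        if serial:
            key = "serial:" + serial
        elif mac and mac in mac_to_serial:
            key = "serial:" + mac_to_serial[mac]   # MAC-only record joins the serial-keyed device
        elif mac:
            key = "mac:" + mac                      # best we can do without a serial
        else:
            unidentified.append(rec)                # nothing to attribute it by
            continue

        entry = merged.setdefault(key, {"sources": []})
        entry["sources"].append(rec.get("source", "unknown"))
        if serial:
            entry.setdefault("serial", serial)
        if mac:
            entry.setdefault("mac", mac)
        for field, value in rec.items():
            # Copy remaining fields; the first source to report a field wins.
            if field in ("source", "serial", "mac") or value in (None, ""):
                continue
            entry.setdefault(field, value)
    return merged, unidentified


# Constructed sample records from four hypothetical sources.
SAMPLE_RECORDS = [
    {"source": "jamf", "serial": "c02abc123def", "mac": "AC:DE:48:00:11:22",
     "os_version": "10.12.3"},
    {"source": "wireless_auth", "mac": "ac-de-48-00-11-22", "user": "alice"},
    {"source": "landesk", "serial": "  5CD1234XYZ ", "hostname": "win-laptop"},
    {"source": "vpn_auth", "mac": "3c4a.92ab.cdef", "user": "bob"},
    {"source": "vpn_auth", "user": "carol"},
]

if __name__ == "__main__":
    merged, leftovers = merge_records(SAMPLE_RECORDS)
    for key, entry in merged.items():
        print(key, entry)
    print("unattributed:", leftovers)
```

In the sample, the wireless record written with dashes is attached to the JAMF device written with colons, the VPN record for "bob" stays keyed by MAC alone because no inventory source ever reported that device's serial, and the record for "carol" is returned separately so it can be surfaced as an inventory gap rather than silently dropped.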

Slide 61

Slide 61 text

Context
● Different users need/want different levels of context
● “Make it turn green” works well for many people

Slide 62

Slide 62 text

Future work
● Additional notification channels
● Continuing user research (interviews, surveys)
● Measure long-term effectiveness

Slide 63

Slide 63 text

Want to help us?
● Open sourcing very soon
● We are hiring!

Slide 64

Slide 64 text

COME SAY HI
GET IN TOUCH
Thank you!
netflix.github.io
techblog.netflix.com
@NetflixOSS
Andrew White andreww@netflix.com
Jesse Kriss jkriss@netflix.com
Brooks Evans brookse@netflix.com