User Focused Security at Netflix: Stethoscope

User Focused Security at Netflix: Stethoscope

SHMOOCON 2017JAN 14

● PhD from UNC in Fall 2015

● Researched side channels in

encrypted network traffic

● Software engineer at Netflix

Andrew White

● Masters in HCI from Carnegie Mellon

● User experience

● Web development

● Information visualization

● Formerly: IBM Research, Figure 53,

Obama 2012, NASA/JPL

Jesse Kriss

...but no security background.

OPEN SOURCE USER-FOCUSEDSECURITY

Stethoscope

Infosec at Netflix

Keep Netflix employees and information safe

Thousands of employees.

Even more devices.

Lots of people with access.

Worldwide offices.

BYOD

3,000 users

8,000 devices

All cloud everything

Streaming infrastructure is 100% cloud

> 100,000 EC2 instances

> 700 internal cloud applications

Responsible people thrive on freedom, and are worthy of freedom.”

“

Bad processes creep in.

We try to get rid of rules when we can, to reinforce the point.”

“

Screenshot by Chris Gansen

Values are embedded in and communicated by systems, tools, and procedures, not just people.

Only at Netflix?

1. Education, not just automatic enforcement

Photo by #WOCinTech Chat

Work with your colleagues, not against them.

2.

The timing seems right for a renewal of interest in synthesizing usability and security.”

Mary Ellen Zurko

“

, 1996

BY HUMANSFOR HUMANS

User Focused Security

OPEN SOURCE USER-FOCUSEDSECURITY

Stethoscope

● Education

● Self service

● Personalized

● One place to go

● Actionable

● Complete the feedback loop

The approach.

● Forced updates

● Company-wide emails

● Information overload

● “This probably doesn’t apply to me...”

And avoiding...

● Stickers!

How do we get people to see it?

● Stickers!

● New employee “training”

● Targeted email campaigns

How do we get people to see it?

One place to go

What about other security alerts?

HOW THE THINGIS BUILT

Technical architecture

● Back-end

○ Python using Twisted + Klein

○ Plugin architecture

● Front-end: React

● Nginx

○ Serves static files

○ Proxies requests to API server

● No persistence layer required

Technology stack

● Windows: LANDESK

● Mac: JAMF

● Linux: OSquery (coming soon)

● Mobile: Google MDM

Device data sources

● Authentication logs (BYOD)

○ Wireless

○ VPN

● bitFit (owned devices)

Ownership attribution

Device data retrieval

Security practices● Disk encryption

● Firewall

● Automatic updates

● Up-to-date OS/software

● Screen lock

● Not jailbroken/rooted

● Security software stack (e.g., Carbon Black)

Status determination

● Events

○ Google, Duo auth logs

○ Import from Elasticsearch

○ Augment with, e.g., geolocation data

● Accounts: Google

● Alerts/feedback: Elasticsearch/REST

Other information

● Logging

○ Accesses: to Elasticsearch

○ Errors: to Atlas

● Auth: OpenID Connect

● Batch: to Elasticsearch/REST

Utilities

SHARINGIS CARING

Open-source

● Giving back to the community

● Knowledge sharing

● Collaboration

Why open-source?

● Front-end source

○ React-scripts for simple setup, builds, test, etc.

○ Static resources

● Back-end source

○ Plugins previously mentioned

○ Tests, example configuration, etc.

● Nginx configuration

● Docker development configuration

What’s included

● Primary device data source

● [Ownership attribution]

● Authentication provider

What do you need?

THE BIGPICTURE

Aggregated data

● Visualization at manager,

organization level

● Identifies groups for targeted

efforts

Individuals to organizations

● Nightly batch retrieval allows

tracking trends over time

● Identifies practices which

need particular attention

Are we making progress?

LESSONSSO FAR

What we’ve learned

● Inventory needs to be up-to-date and accurate

● Data sources can have different representations for identifiers

● Don’t always get a unique identifier for a device

Data quality

● Different users need/want different levels of context

● “Make it turn green” works well for many people

Context

● Additional notification channels

● Continuing user research (interviews, surveys)

● Measure long-term effectiveness

Future work

● Open sourcing very soon

● We are hiring!

Want to help us?

COME SAY HIGET IN TOUCH

Thank you!

netflix.github.iotechblog.netflix.com@NetflixOSS

Andrew [email protected]

Jesse [email protected]

Brooks [email protected]