Security at Scale - Lessons from Six Months at Yahoo
This is my talk on building security at scale from Black Hat USA 2014. In it I outline the lessons I've learned from six months as Yahoo's CISO and share ideas for how the security industry can better address problems at web scale.

Published in: Internet
Transcript of "Security at Scale - Lessons from Six Months at Yahoo"

  1. Building Security at Scale
     Presented by Alex Stamos, Black Hat USA 2014 | August 7, 2014
  2. Agenda
     ▪ The Security Industry and Web Scale Problems
     ▪ Combating Security Nihilism
     ▪ What is Yahoo doing about it?
  3. Theses
     ▪ The security industry has failed to consider the needs of scale, including diversity of user base
     ▪ A post-Snowden nihilism is affecting our industry’s approach to securing users
     ▪ Enterprise security teams need to evolve to proactively gain trust
  4. The Security Industry and Web Scale Problems
  5. What do I mean by scale?
     Amount of
     › Data
     › Systems
     › Users
     Diversity of
     › Users
     › Threat Models
  6. Who is the prototypical customer of security products?
  7. Big Banks vs Web Scale
                              Big Banks     Web Scale
     Customers                x 10          x 10
     Concurrent Users         x 10          x 10
     Front-End Servers        x 10          x 10
     Total Servers            x 10          x 10
     Customer Value           $100’s        $.01s
     Cust Stickiness          High          Low-Medium
     Meat-Space Identity      Strong        Weak
     Post-Facto Action?       Yes           Rarely
  8. Most security companies are aiming for this [1]
     Our reality is more like this [2]
     [1] Flickr user Kevin Gebhart CC BY-NC-SA 2.0
     [2] Flickr user Dan Buczynski CC BY-NC-ND 2.0
  9. Things People Try to Sell Us
 10. What they try to sell us: Super smart pizza boxes [1]
     What we would buy: Software sensors with centralized intelligence [2]
     [1] Flickr user ms.akr CC BY 2.0
     [2] Flickr user Mike Fleming CC BY SA 2.0
 11. Arista 7508E
     › 1152 x 10GbE
     › 30Tbps backplane
     › 5kW
     Palo Alto 7050
     › 120Gbps throughput
     › 2.4kW
 12. 5kW vs 600kW (inspecting the 7508E’s 30Tbps at 120Gbps per firewall takes 250 of the 7050s, and 250 x 2.4kW is 600kW)
 13. What they try to sell us: Database-backed SIEM
     What we would buy: Hadoop based anomaly detection [1]
     [1] Flickr user Bob Mical CC BY 2.0
 14. What they try to sell us: Windows Anti-APT
     What we would buy: Virtualization or Kernel Firewall, Docker HIDS [1]
     [1] Flickr user broterham CC BY NC 2.0
 15. Free Business Ideas
     ▪ Freemium Key Management System
       › Bootstrap via manual approval, trust in network, or remote attestation
       › Create master cert, view into corporate keyspace with lazy security checks
     ▪ Freemium Overlay Network
       › Goes great with key manager!
       › Allow for easy IP management across public/private cloud
       › Could be IPv6 only. Terminate inside of containers?
     ▪ Bug Bounty with Automatic Verification
       › We’re building this ourselves with Selenium
 16. More Free Ideas
     ▪ ARM CoreOS Servers with Lightweight Remote Attestation
       › ARM is going to be big in Big Data environments
       › At scale building systems remotely is currently terrifying
       › Any scale organization does not have 100% physical control
     ▪ OpenSSL with Remotable Handshake
       › Why are we putting private keys on the most exposed systems?
       › Need to remote the handshake to an HSM or TXT backed key server
       › Should get 20:1 ratio
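The "remotable handshake" idea on slide 16 is an architecture, not code, so the following is an added illustration of the trust boundary it proposes; it is not from the talk and not Yahoo's or OpenSSL's code. The exposed front end runs the handshake and hashes the transcript, but the single private-key operation (signing that transcript) is requested from a separate key server, which checks who is asking and records every request. The RSA parameters are textbook toy values chosen so the block runs on the standard library alone; they are constructed and not secure, and the client registry, audit log and `sign` interface are assumptions about what such a key server would expose.

```python
"""Toy model of a remoted TLS handshake: the front end never holds the private key."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed textbook RSA parameters (p=61, q=53); NOT secure, for illustration only.
P, Q = 61, 53
N = P * Q                           # 3233
E = 17                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753, private exponent (Python 3.8+)


def transcript_digest(messages: List[bytes]) -> int:
    """Hash the handshake transcript and reduce it into the toy modulus."""
    h = hashlib.sha256(b"".join(messages)).digest()
    return int.from_bytes(h, "big") % N


@dataclass
class KeyServer:
    """The only component that holds D (think HSM or attested key server).

    It exposes exactly one operation, sign(), restricted to registered
    front ends, and keeps an audit trail of every request, allowed or not.
    """
    allowed_clients: Set[str] = field(default_factory=set)
    audit_log: List[Tuple[str, str, int]] = field(default_factory=list)
    _d: int = D
    _n: int = N

    def sign(self, client_id: str, digest: int) -> int:
        # Assumed policy: unknown front ends are refused and logged.
        if client_id not in self.allowed_clients:
            self.audit_log.append(("DENY", client_id, digest))
            raise PermissionError(f"{client_id} is not a registered front end")
        if not 0 <= digest < self._n:
            raise ValueError("digest out of range for the modulus")
        self.audit_log.append(("SIGN", client_id, digest))
        return pow(digest, self._d, self._n)


@dataclass
class FrontEnd:
    """Terminates TLS on the exposed edge; holds no private key material."""
    client_id: str
    key_server: KeyServer

    def handshake(self, messages: List[bytes]) -> Tuple[int, int]:
        """Run the (simulated) handshake and obtain the server signature remotely."""
        digest = transcript_digest(messages)
        signature = self.key_server.sign(self.client_id, digest)
        return digest, signature


def verify(digest: int, signature: int, e: int = E, n: int = N) -> bool:
    """What the peer does with the server's public key (E, N)."""
    return pow(signature, e, n) == digest


def demo() -> Tuple[bool, bool, int]:
    """Returns (peer verified the signature, front end holds D, audit entries)."""
    ks = KeyServer(allowed_clients={"fe-01"})
    fe = FrontEnd("fe-01", ks)
    msgs = [b"ClientHello", b"ServerHello", b"ServerKeyExchange"]  # constructed
    digest, sig = fe.handshake(msgs)
    holds_private_key = any(v == D for v in vars(fe).values())
    return verify(digest, sig), holds_private_key, len(ks.audit_log)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that compromising a front end yields a signing oracle that is visible in the key server's log and can be revoked by removing the client, rather than a private key that walks out silently; the 20:1 ratio on the slide is about how many front ends one such key server can serve.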
 17. Breaking through the excuses
 18. Security Nihilism
     Ve believe zat nothing… ist secure enough vor ze real world, Lebowski!
     [1] Flickr user Joe Goldberg CC BY-SA 2.0
 19. “Your system is not secure against this [advanced attack|unlikely scenario] therefore it shouldn’t exist”
     › We need to build systems for all levels of user and adversary
     “That’s just security through obscurity!”
     › Non-obvious protections can increase the chance of catching an attacker in time, especially for interactive systems
 20. “The [NSA|FSB|PLA] will just own up the user’s system and get the data that way”
     › Forcing an adversary to expend resources and risk detection is a valid goal
     “Users are idiots and will screw this up”
     › A system is only secure if it is safe, by default, for the 25th percentile user
 21. What are we doing about it?
 22. The New Yahoo Paranoids
     CISO
     › Corp Security Operations and Monitoring
     › Product Security Engineering
     › Paranoid Labs
     › Penetration Testing
     › Intelligence, Investigations and Response
     › Risk and Vulnerability Management
     › Privacy Engineering
     › Chief of Staff
 23. New Yahoo Paranoids
     Chris Rohlf, Doug DePerry, Yan Zhu
 24. Transport Encryption
     Complete
     › TLS 1.2
     › ECDH(E)
     › AES-GCM
     › RSA 2048
     Next up
     › HSTS and pre-load
     › ECDSA certificates
     › Certificate Transparency
     › ChaCha20 and Poly1305
     › STARTTLS Pinning
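Slide 24 lists a transport-encryption baseline (TLS 1.2, ECDH(E), AES-GCM, RSA 2048) and names HSTS with preload as the next step. The following is an added example of turning that list into a check a team could run against every property at scale; it is not from the talk and not Yahoo's code. It parses a `Strict-Transport-Security` header the way a browser would (directive names are case-insensitive, values may be quoted, `includeSubDomains` and `preload` carry no value) and compares both the header and a summary of one negotiated handshake against the baseline. The handshake summaries are constructed, and the preload thresholds (`max-age` of at least one year plus `includeSubDomains` and `preload`) are the hstspreload.org submission rules as I understand them, so treat them as an assumption; allowing TLS 1.3 and ChaCha20 as equivalents is likewise my extension of the 2014 list.

```python
"""Check negotiated TLS parameters and an HSTS header against a baseline policy."""
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # assumed preload threshold: max-age of at least one year


def parse_hsts(header: Optional[str]) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are lower-cased, quoted values are unquoted, and
    value-less directives (includeSubDomains, preload) map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    if not header:
        return directives
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def hsts_findings(header: Optional[str]) -> List[str]:
    """Deviations from a preload-eligible HSTS policy (empty list means OK)."""
    d = parse_hsts(header)
    if not d:
        return ["HSTS: header missing"]
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        return ["HSTS: max-age missing or not an integer"]
    findings: List[str] = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS: max-age {max_age} is below {ONE_YEAR}")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains missing")
    if "preload" not in d:
        findings.append("HSTS: preload directive missing")
    return findings


def tls_findings(params: Dict[str, object]) -> List[str]:
    """Compare one handshake summary with the slide's 'Complete' list.

    `params` is a constructed dict with the shape {"version", "kx", "cipher",
    "key_type", "key_bits"}, the sort of summary you would build from
    ssl.SSLSocket.version(), ssl.SSLSocket.cipher() and the leaf certificate.
    """
    findings: List[str] = []
    version = str(params.get("version", ""))
    try:
        major_minor = tuple(int(x) for x in version.replace("TLSv", "").split("."))
    except ValueError:  # e.g. "SSLv3"
        major_minor = (0, 0)
    if major_minor < (1, 2):
        findings.append(f"TLS: {version or 'unknown'} negotiated, want TLS 1.2 or newer")
    if not str(params.get("kx", "")).upper().startswith("ECDH"):
        findings.append("TLS: key exchange is not ECDH(E); no forward secrecy")
    cipher = str(params.get("cipher", "")).upper()
    if "GCM" not in cipher and "CHACHA20" not in cipher:
        findings.append(f"TLS: {cipher or 'unknown'} is not an AEAD cipher")
    if params.get("key_type") == "RSA" and int(params.get("key_bits", 0) or 0) < 2048:
        findings.append("TLS: RSA key shorter than 2048 bits")
    return findings


def assess(params: Dict[str, object], hsts_header: Optional[str]) -> List[str]:
    """Combined report for one endpoint: transport parameters plus HSTS policy."""
    return tls_findings(params) + hsts_findings(hsts_header)


if __name__ == "__main__":
    # Constructed sample: a baseline-compliant endpoint and a legacy one.
    good = {"version": "TLSv1.2", "kx": "ECDHE", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
            "key_type": "RSA", "key_bits": 2048}
    legacy = {"version": "TLSv1", "kx": "RSA", "cipher": "AES128-SHA",
              "key_type": "RSA", "key_bits": 1024}
    print(assess(good, "max-age=31536000; includeSubDomains; preload"))
    print(assess(legacy, "max-age=300"))
```

Running the same check over an inventory of hostnames is what makes "80+ products in 60+ countries" tractable: the report is a list of concrete deviations per endpoint rather than a judgement call per team.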
 25. Backbone Encryption
 26. Self-Service Security
     ▪ Our scaling challenges in providing app sec services:
       › Breadth: 80+ products in 60+ countries
       › Speed: multiple daily web pushes and weekly mobile
     ▪ Any large org needs to create self-service options
       › Mobile libraries
         • Authentication and device identity
         • TLS with pinning
       › Mobile code scanning portal
       › CI/CD Scanner integration
         • Open-source coming!
 27. Bug Bounty
 28. Bug Bankruptcy
     ▪ Important factors in getting bugs closed:
       › Detailed descriptions and mitigation instructions
       › Accurate prioritization
       › Consistent follow-up and real-time reporting
       › Executive visibility
       › Convincing company that you are a madman (works well for me)
 29.
 30. The Future is Bright
     ▪ Our profession has never been so impactful on…
       › Individuals
       › Nation-States
       › History
     ▪ With great power…
       › It is impossible to work in this field without being a moral actor
     ▪ Remember that trust is more than security!
     ▪ Take this opportunity to do something that you will remember with pride
 31. Thank you
     stamos@yahoo-inc.com