Presented by Andrew White and Jesse Kriss at ShmooCon 2017. User Focused Security is an approach we are using to address employee information security at Netflix. If we provide employees with the right information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement. Letting people retain control over their devices means that they can maintain flexibility and productivity and address security recommendations as appropriate to their levels of access. This approach will only be successful, though, if we can provide clear and specific action, and make it easy to do the right thing. Stethoscope is a web-based tool that gives Netflix employees a view into the security state of their devices, with specific recommendations regarding disk encryption, firewalls, and other device settings. The website, in conjunction with email alerts, gives Netflix employees a straightforward way to see what actions they should take to remain safe. Andrew White and Jesse Kriss are both members of the Information Security team at Netflix, where they work on designing and building software tools that help people make good decisions around corporate security. Andrew holds a PhD in Computer Science from the University of North Carolina at Chapel Hill and a B.S. in Computer Science and B.A. in Mathematics from the University of Richmond. Jesse (@jkriss) holds a Master’s in Human-Computer Interaction from Carnegie Mellon University and B.A. in Music from Carleton College. Prior to Netflix, he worked at NASA/JPL, Obama 2012, Figure 53, and IBM Research.

1. User Focused Security at
Netflix: Stethoscope
SHMOOCON 2017
JAN 14

2. ● PhD from UNC in Fall 2015
● Researched side channels in
encrypted network traffic
● Software engineer at Netflix
Andrew White

3. ● Masters in HCI from Carnegie Mellon
● User experience
● Web development
● Information visualization
● Formerly: IBM Research, Figure 53,
Obama 2012, NASA/JPL
Jesse Kriss

6. ...but no security background.

7. OPEN SOURCE USER-FOCUSED
SECURITY
Stethoscope

9. Infosec at Netflix

10. Keep Netflix employees and
information safe
Thousands of employees.
Even more devices.
Lots of people with access.
Worldwide offices.

11. BYOD
3,000 users
8,000 devices

12. All cloud everything
Streaming infrastructure is 100% cloud
> 100,000 EC2 instances
> 700 internal cloud applications

14. Responsible people thrive on freedom,
and are worthy of freedom.”
“

15. Bad processes creep in.
We try to get rid of rules when we can,
to reinforce the point.”
“

16. Screenshot by Chris Gansen

17. Values are embedded in and
communicated by systems, tools, and
procedures, not just people.

18. Only at Netflix?

19. 1. Education, not just automatic
enforcement

20. Photo by #WOCinTech Chat

22. Work with your colleagues, not
against them.
2.

24. The timing seems right for a renewal
of interest in synthesizing usability
and security.”
Mary Ellen Zurko
“
, 1996

25. BY HUMANS
FOR HUMANS
User Focused Security

26. OPEN SOURCE USER-FOCUSED
SECURITY
Stethoscope

27. ● Education
● Self service
● Personalized
● One place to go
● Actionable
● Complete the feedback loop
The approach.

28. ● Forced updates
● Company-wide emails
● Information overload
● “This probably doesn’t apply to me...”
And avoiding...

37. ● Stickers!
How do we get people to see it?

39. ● Stickers!
● New employee “training”
● Targeted email campaigns
How do we get people to see it?

40. One place to go
What about other security alerts?

43. HOW THE THING
IS BUILT
Technical architecture

44. ● Back-end
○ Python using Twisted + Klein
○ Plugin architecture
● Front-end: React
● Nginx
○ Serves static files
○ Proxies requests to API server
● No persistence layer required
Technology stack

45. ● Windows: LANDESK
● Mac: JAMF
● Linux: OSquery (coming soon)
● Mobile: Google MDM
Device data sources

46. ● Authentication logs (BYOD)
○ Wireless
○ VPN
● bitFit (owned devices)
Ownership attribution

47. Device data retrieval

48. Security practices
● Disk encryption
● Firewall
● Automatic updates
● Up-to-date OS/software
● Screen lock
● Not jailbroken/rooted
● Security software stack (e.g., Carbon Black)

49. Status determination

50. ● Events
○ Google, Duo auth logs
○ Import from Elasticsearch
○ Augment with, e.g., geolocation data
● Accounts: Google
● Alerts/feedback: Elasticsearch/REST
Other information

51. ● Logging
○ Accesses: to Elasticsearch
○ Errors: to Atlas
● Auth: OpenID Connect
● Batch: to Elasticsearch/REST
Utilities

52. SHARING
IS CARING
Open-source

53. ● Giving back to the community
● Knowledge sharing
● Collaboration
Why open-source?

54. ● Front-end source
○ React-scripts for simple setup, builds, test, etc.
○ Static resources
● Back-end source
○ Plugins previously mentioned
○ Tests, example configuration, etc.
● Nginx configuration
● Docker development configuration
What’s included

55. ● Primary device data source
● [Ownership attribution]
● Authentication provider
What do you need?

56. THE BIG
PICTURE
Aggregated data

57. ● Visualization at manager,
organization level
● Identifies groups for targeted
efforts
Individuals to organizations

58. ● Nightly batch retrieval allows
tracking trends over time
● Identifies practices which
need particular attention
Are we making progress?

59. LESSONS
SO FAR
What we’ve learned

60. ● Inventory needs to be up-to-date and accurate
● Data sources can have different representations for identifiers
● Don’t always get a unique identifier for a device
Data quality

61. ● Different users need/want different levels of context
● “Make it turn green” works well for many people
Context

62. ● Additional notification channels
● Continuing user research (interviews, surveys)
● Measure long-term effectiveness
Future work

63. ● Open sourcing very soon
● We are hiring!
Want to help us?

64. COME SAY HI
GET IN TOUCH
Thank you!
netflix.github.io
techblog.netflix.com
@NetflixOSS
Andrew White
andreww@netflix.com
Jesse Kriss
jkriss@netflix.com
Brooks Evans
brookse@netflix.com