Applied Security at Scale #

How scale has changed security:

  • Types of scale: people -> multiple devices per person -> multiple (hundreds!) services connected per device
  • Surface area: hardware -> software
  • Attackers: individuals -> nation states
  • Consequecnes: websites down/data stolen -> countries down
  • Defense: identity as an afterthought -> identity as frontline

Establishing Security at Scale #

Guest lecture: Eric Grosse, former Google VP of Security and Privacy

  • Originally: Bell Labs, where telco industry did not care much about privacy + was resistant to new security technologies e.g. transport encryption
  • Joined Google in 2007 after top researchers left Bell Labs; at this point Google no longer was a startup, but not a large multilateral corporation
    • However, security was still in the style of a startup
  • As a joining head of security, first priority is to assess what needs to be protected
    • Initial report: “if an attacker wanted in, they’re in”
    • Company decided that users’ data is what needed to be protected the most
  • Lots to be done initially; needed to make sure team was not demoralized
  • First order of business: detection capability, measures for if the company was being attacked
    • Dec. 2009: detection mechanisms raised an alarm: Chinese PLA had broken into Google’s networks; it was clear that the hackers were very experienced (Operation Aurora)
    • Launched major effort to find evidence and coverage of break-in
    • Detection was through large data exfiltration that made no sense; locked down compromised machines in response
    • Lateral movement was discovered via DNS logs
    • Difficulty: how to coordinate a response while the attackers were still in the system?
      • Created new, independent accounts on Chromebooks, which were very simplistic at the time, that they were reasonably confident attackers would not have accessed
    • Not the most sophisticated or devastating at the time; was the one that was best-known and most publicized
      • Founders were outraged and would not hush it up; devoted resources to publicizing what happened
  • This lead to a new approach: make the company care about security: what can we do to make sure that users’ data is secure?
    • Run read teams internally, tell people the real things that are happening
    • Founders and top execs realized that Google was actually a target of espionage
    • As a result: much more of a reason to spend a lot of money and head count on security
      • Increased readiness to make security changes, even if they increased risk (e.g. changes that might temporarily take a service down)
    • Takeaway: demonstrated threat has a large effect on an organization and its motivations
    • Operation Aurora originated from a vuln in Internet Explorer, not a Google product -> jumpstarted Google Project Zero to inform vendors of their vulnerabilities
  • Starter project: get the web to switch to HTTPS/TLS everywhere
    • However, this was very complicated especially due to ads ecosystem; needed to convince publishers to switch
  • Another difficulty: insider threat, protecting against rogue engineers and moles
  • Rapid changes to security, but also many many issues, even those that shouldn’t be issues anymore