Poornaprajna Udupi and Rudra Peram representing the Product and Application Security team at Netflix, discuss making security consumable in the form of tools, libraries and self-service applications to enable developers attain a rapid velocity of feature delivery while simultaneously being secure. This presentation to the audience of billing and payments enthusiasts, covers a few security techniques: infrastructure segmentation, tokenization, utilization of big data for fraud and abuse detection, prevention and sanitization. Some of the open source security projects such as Scumblr, Sketchy and others in the pipeline also get mentioned
Personal Intro
Discuss how we think about security for the Netflix billing and payments.
Responsible for security of the Netflix product.
Teams and developers are constantly striving for rapid velocity of feature delivery.
We make security consumable in the form of tools, libraries, self-service applications and services so that developers can be agile and simultaneously secure.
From an infrastructure perspective we segment sensitive data and apps that access/process sensitive data into a segregated environment. Sensitive data could be credit card information, account details, etc.
The high security environment has higher level of security controls including but not limited to
•Firewalling - using separate AWS accounts, security groups, mutual SSL,
•detailed audit logs - cloud trail logs, speedbump logs,
•restricted and authorized access using SSO etc.
•traffic monitoring - cloud passage egress monitoring
•file integrity monitoring - cloudpassage
•configuration monitoring - cloudpassage
•Periodic third-party security assessments for compliance e.g. PCI
Once we move mission critical security product to migrate B&P to the cloud, we want to take a stance such that in the worst case scenarios, even if a part of our infrastructure gets compromised, sensitive information is safe.
e.g. We do not want to store credit card information in unencrypted form. But, we need to access the credit card in various forms for :
-- fully decrypted for monthly billing
-- partially encrypted for CS verification
-- partially encrypted for DSE
→ cannot use external provider that would work for us in the cloud environment across all regions. We built Skeeball.
distributed responsibilities for payments, skeeball and cryptex
mutual authentication and least privilege system.
Types of attackers & their motivations
Free Trial Abuse (usually LATAM)
Stolen Card Validation
Account Takeover
Payment method validations in new territories (usually LATAM)
Location of Attackers dictates specific rules to cater to the attack signature
Fraud Detection tools are good at identifying global fraud patterns across industries and help block these requests in real-time
Fraud scenarios that are unique to a business necessitate the need for custom detection & cleanup tools
Account Creation Patterns & Attributes
Multiple accounts from same IP and/or same Name
Locale not matching Signup Country
Multiple profiles, streaming activity, devices associated, requests from different countries
Account Access Patterns
Signup Country & Streaming country being different
Zero/Lots Streaming activity
Identify fraudulent accounts & cleanup with minimal impact to legitimate users
Speedbump: Edge traffic management product that processes incoming requests > 60000rps and makes a decision on whether to block/redirect/allow a request and have the entire fleet of our edge services know when there is an offender.
(Open Source) Scumblr: Scours the web for mentions of Netflix, Account Generators, Credential dumps and helps us take them down and sanitize our accounts.
(Open Source) Sketchy: Take screenshots of such nefarious sites so that our machines do not get infected.
DirtyLaundry continuously scans Netflix edge end points for vulnerabilities and indicates any abnormalities.