
A Tale Of Security In The World Of Hypergrowth - Akamai · 2020. 12. 18. · Amol Mathur, Director of Web Security Product Management, Akamai.


  • A Tale Of Security In The World Of Hypergrowth

  • Aaron McKeown, Head of Security Engineering and Architecture, Xero
    Amol Mathur, Director of Web Security Product Management, Akamai

  • Connecting people with the right numbers anytime, anywhere, on any device.
    Global small business platform.

  • 2,500+ staff globally
    1,800,000+ subscribers
    $2.8t transactions across the platform in the year to 31 March 2019

  • Timeline (subscriber growth, 2010 to 2019; the slide pairs the figures with the financial years below):
    2010: 17,000 subscribers
    2011: 36,000 subscribers
    2012: 78,000 subscribers
    2013: 157,000 subscribers
    2014: 284,000 subscribers
    2015: 475,000 subscribers
    2016: 717,000 subscribers
    2017: 1,035,000 subscribers
    2018: 1,400,000 subscribers
    2019: 1,818,000+ subscribers

    Akamai services adopted along the timeline (order as shown on the slide):
    Increased use of Akamai Professional Services; DNS; Improved Availability; Bot Mitigation; Managed Kona & Premium Support; Zero Trust; Kona Site Defender; Akamai Performance/Acceleration

  • Design principles
    • Apply security at all layers
    • Encrypt at rest and in transit
    • Technical and logical segregation
    • Maintaining and improving security
    • No breaches or accidental information disclosures
    • Support recognized information security standards
    • Automated and agile infrastructure stack, with developer-initiated security components

  • Supporting our next wave of growth (time to provision compute):
    On-premises hardware: weeks
    Amazon EC2: minutes
    Containerization: seconds
    Lambda Function: milliseconds

  • Security Architecture

  • A complex cybersecurity ecosystem
    Many prominent cyber platforms were in the news in 2018 for either being acquired or raising capital.
    Too many different solutions.
    Solutions do not cooperate: no shared intelligence or architecture.
    Source: https://momentumcyber.com/cybersecurity-almanac-2019/

  • Security Partnerships

    Security Partnerships are Key to Increased Cybersecurity Maturity

  • Xero + Akamai: Key Services
    • Distributed Denial of Service Protection
    • Web Performance Acceleration
    • Web Application Firewall
    • Bot detection & mitigation
    • Fast DNS
    • Site Shield
    • 24/7 Security Operations Alerting
    • Threat Intelligence
    • Professional Services
    • Geo-restriction & rate limiting
    • Caching
    • Ingress traffic inspection & control
    • Account takeover protection
    • Security reviews and attack drills
    • 24/7 SOC alerting and remediation
    • TLS control
    • API prioritisation
    • External DNS
    • Extension of the Xero team

  • FRAMEWORK TO MANAGE BOTS

    Detection

    Categorization

    Management

    Visibility

  • Akamai Security Summit World Tour

    A look at the most complex attacks (chart: attack tool sophistication vs. attack deployment sophistication)
    Attack deployment sophistication, from low to high: Single IP; Rotating IPs; Dynamic rotating IP; Disposable IPs
    Attack tool sophistication, from low to high: Primitive (Perl, curl); JavaScript engines; Headless browser; Automated browsers with human imitation

    Behavioral detections
    • Creates a unique signature based on human telemetry
    • Uses browser characteristics to identify bot tools and improve machine learning

    Pros
    • Identifies basic, moderate and advanced bots
    • Accurately identifies humans

  • Automating Application Security with

    Automated Attack Groups

    • Strong set of Protections for Applications and APIs across 8 attack categories

    • Automatic API Inspection

    • Zero-day protection

    • Auto-upgraded, Auto-tuned

    • Quick onboarding and Low-to-No ongoing maintenance

    • Available to all KSD users!

  • Automating Application Security with AppSec APIs

    “Let me automate it”

    “Give me feedback”

  • Defence in Depth
    Detective and preventive controls are in place to protect the Xero platform and product systems from malicious traffic and to maintain compliance obligations.
    Layers:
    • Cloud / Container / System Security
    • Edge Services
    • Secure Code
    • Threat Protection Zone (Ingress/Egress traffic inspection & control)

  • Security Pillar: AWS Well-Architected Framework
    1. Implement a strong identity foundation
    2. Enable traceability
    3. Apply security at all layers
    4. Automate security best practices
    5. Protect data in transit and at rest
    6. Keep people away from data
    7. Prepare for security events
    Source: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf

  • Shared Responsibility Model
    Security OF the cloud (AWS):
    • AWS Foundation Services: Compute, Storage, Database, Networking
    • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
    Security IN the cloud (Xero):
    • Xero Applications & Content
    • Identity & Access Control
    • Network Security
    • Inventory & Config
    • Data Encryption
    Source: https://aws.amazon.com/compliance/shared-responsibility-model/

  • #help-security (typical questions)
    • "Is there a help centre or confluence page that lists the security teams and what their function is?"
    • "Hi, I'm going on leave for a few weeks – is there some way for me to delegate Pacman approvals for my team to someone else while I'm away?"
    • "Hi, who should I talk to for some advice/best practice on one of my projects?"
    • "Where can I find the SOC2 report?"

  • Security Architecture
    • Knowledgebase
    • Security Considerations
    • Xero Tech Radar
    • Alignment
    • Steering
    • Pattern Creation
    • Continual Education

  • Automated compliance

  • xero.com