A Tale Of Security In The World Of Hypergrowth (Akamai). Aaron McKeown, Head of Security Engineering and Architecture, Xero. Amol Mathur, Director of Web Security Product Management, Akamai.

Page 2

A Tale Of Security In The World Of Hypergrowth

Page 3

Aaron McKeown, Head of Security Engineering and Architecture, Xero

Amol Mathur, Director of Web Security Product Management, Akamai

Page 4

Connecting people with the right numbers anytime, anywhere, on any device.

Global small business platform

Page 5

2,500+ staff globally

1,800,000+ subscribers

$2.8t transactions across the platform in the year to 31 March 2019

Page 6

Timeline

Subscribers by year:

• 2010: 17,000
• 2011: 36,000
• 2012: 78,000
• 2013: 157,000
• 2014: 284,000
• 2015: 475,000
• 2016: 717,000
• 2017: 1,035,000
• 2018: 1,400,000
• 2019: 1,818,000+

Akamai services adopted along the timeline:

• Increased use of Akamai Professional Services
• DNS Improved Availability
• Bot Mitigation
• Managed Kona & Premium Support
• Zero Trust
• Kona Site Defender
• Akamai Performance/Acceleration

Page 7

Design principles

• Apply security at all layers
• Encrypt at rest and in transit
• Technical and logical segregation

Maintaining and improving security

• No breaches or accidental information disclosures
• Support recognized information security standards
• Automated and agile infrastructure stack, with developer initiated security components

Page 8

Supporting our next wave of growth

• Weeks: On-premises hardware
• Minutes: Amazon EC2
• Seconds: Containerization
• Milliseconds: Lambda Function

Page 9

Security Architecture

Page 10

A complex cybersecurity ecosystem

Many prominent cyber platforms were in the news in 2018 for either being acquired or raising capital.

• Too many different solutions
• Solutions do not cooperate – no shared intelligence or architecture

Source: https://momentumcyber.com/cybersecurity-almanac-2019/

Page 11

Security Partnerships

Security Partnerships are Key to Increased Cybersecurity Maturity

Page 12

Key Services

• Distributed Denial of Service Protection
• Web Performance Acceleration
• Web Application Firewall
• Bot detection & mitigation
• Fast DNS
• Site Shield
• 24/7 Security Operations Alerting
• Threat Intelligence
• Professional Services
• Geo-restriction & rate limiting
• Caching
• Ingress traffic inspection & control
• Account takeover protection
• Security reviews and attack drills
• 24/7 SOC alerting and remediation
• TLS control
• API prioritisation
• External DNS
• Extension of the Xero team

Page 13

FRAMEWORK TO MANAGE BOTS

Detection

Categorization

Management

Visibility

Page 14

Akamai Security Summit World Tour

A Look At The Most Complex Attacks

The slide plots attack tool sophistication (x-axis) against attack deployment sophistication (y-axis).

Attack tool sophistication, from least to most advanced:

• Primitive (Perl, curl)
• JavaScript engines
• Headless browser
• Automated browsers w/ human imitation

Attack deployment sophistication, from least to most advanced:

• Single IP
• Rotating IPs
• Dynamic rotating IP
• Disposable IPs

Behavioral Detections

• Creates a unique signature based on human telemetry
• Uses browser characteristics to identify bot tools and improve machine learning

Pros

• Identifies basic, moderate and advanced bots
• Accurately identifies humans

Page 15

Automating Application Security with Automated Attack Groups

• Strong set of Protections for Applications and APIs across 8 attack categories

• Automatic API Inspection

• Zero-day protection

• Auto-upgraded, Auto-tuned

• Quick onboarding and Low-to-No ongoing maintenance

• Available to all KSD users!

Page 16

Automating Application Security with AppSec APIs

“Let me automate it”

“Give me feedback”

Page 17

Defence in Depth

Detective and preventive controls are in place to protect the Xero platform and product systems from malicious traffic and to maintain compliance obligations.

• Cloud / Container / System Security
• Edge Services
• Secure Code
• Threat Protection Zone (Ingress/Egress traffic inspection & control)

Page 18

Security Pillar: AWS Well-Architected Framework

1. Implement a strong identity foundation
2. Enable traceability
3. Apply security at all layers
4. Automate security best practices
5. Protect data in transit and at rest
6. Keep people away from data
7. Prepare for security events

Source: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf

Page 19

Shared Responsibility Model

Security OF the cloud (AWS):

• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Security IN the cloud (Xero):

• Xero Applications & Content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption

Source: https://aws.amazon.com/compliance/shared-responsibility-model/

Page 20

#help-security

“Is there a help centre or confluence page that lists the security teams and what their function is?”

“Hi, I'm going on leave for a few weeks – is there some way for me to delegate Pacman approvals for my team to someone else while I'm away?”

“Hi, who should I talk to for some advice/best practice on one of my projects?”

“Where can I find the SOC2 report?”

Page 21

Security Architecture

• Knowledgebase
• Security Considerations
• Xero Tech Radar
• Alignment
• Steering
• Pattern Creation
• Continual Education

Page 23

Automated compliance

Page 24

xero.com
