lessons learned while protecting gmail
TRANSCRIPT
Lessons learned while PROTECTING GMAIL
Elie Bursztein, Nicolas Lidzborski, & Vijay Eranti
THE GMAIL SECURITY AND ANTI-ABUSE TEAM
2004 2016
LESSONS WE’VE LEARNED WHILE protecting Gmail users for over a decade
900 MILLION+ USERShundreds billion of messages per week
Malware
5 MAIN THREATSTO GMAIL
Malware
AccountHijacking
5 MAIN THREATSTO GMAIL
Malware
AccountHijacking
Phishing
5 MAIN THREATSTO GMAIL
XSS
Malware
AccountHijacking
PhishingWeb Attacks
5 MAIN THREATSTO GMAIL
XSS
Spam
Malware
AccountHijacking
PhishingWeb Attacks
5 MAIN THREATSTO GMAIL
We launched login challenges In 2011
http://goo.gl/xMctOL
NEVER STOP IMPROVING YOUR DEFENSES
Phishers updated their kits to ask for the challenge answers
THERE IS NO SILVER BULLET
99.9% accuracy detecting spammy email
91.7% Large linear ML classifier
+4.7%rule based system
+3.5%deep learning
?Next gen
http://goo.gl/0jgK96 *incremental coverage measurement
TUNE YOUR CLASSIFIER to match your product need
Spam classified as good
Good classified as Spam
https://goo.gl/0jgK96
False Negative
less than 0.1%
less than 0.05%False
Positive
IMPLEMENT CATCH-UP MECHANISMS
EMPOWER USERSto take action through meaningful UI
https://goo.gl/gqk6Bn & https://goo.gl/sL5VWC
USE OVERWHELMING FORCEDeploy many countermeasures at once
EMAIL ATTACHMENT
ATTACKS COME IN BURSTSplan for it
DON’T PROCESS TWICE
Whitelisting and blacklisting allows
up to 50% reduction in computation
Caching
Gmail does not allow executable attachments
EXE
BE SECURE BY DESIGN
Caching
Policy
USE ENSEMBLE LEARNINGmultiple anti-viruses are combined
0.62 4
NUMBER OF ANTI-VIRUS ENGINE
F1 S
CO
RE
6 8 10 12 14
0.8
0.7
0.9
1 .0
Union
Majority Voting
Threshold = 3
Threshold = 5
Logit_wo_family
RF_wo_family
Bayes_wo_family
Logit_with_family
RF_with_family
Bayes_with_family
Caching
Policy
Multiple Engines
Caching
Policy
Multiple Engines
Dynamic Execution
USE DYNAMIC EXECUTION
to catch undetected malwares (very rare)
IMPLEMENT EMERGENCY BLOCKING SYSTEMS
Unpredictable attacks and bugs happen. Get as ready as possible for it
Caching
Policy
Multiple Engines
Dynamic Execution
Fast Rules
ENCRYPT EVERYTHINGin transit and at rest
OUTBOUND
82%Messages from Gmail
to other providersare encrypted
INBOUND
62%Messages from other
providers to Gmailare encrypted
https://goo.gl/iv2tIa * Gmail always tries to encrypt email communication. Encryption failures are due to other providers not supporting encryption
BE METRICS DRIVEN
Number of XSS affecting Gmail webmail fixed per quarter
2008 2009 2010
0
1
2
3
4
5
2011 2012 2013 2014 2015
Q1
Q2
Q3
Q4
NU
MB
ER O
F EX
PLO
ITA
BLE
XS
S
https://goo.gl/1tLf3w
Closure Templates Strict Autoescaping
VS
Manual and Unsafe Escaping
PREVENT BUGS THROUGH GOOD SOFTWARE DESIGN
script-src frame-src
CSP blocks a lot of bad stuff CSP helped us identify potential XSS
CSP violations for Google Inboxjust before launch
Smart labels potential XSS
<! <img src="><img src=x onerror=alert(1)// ">45.7% 54.3%
IMPLEMENT DEFENSE IN DEPTH
CSP
Linear Classifiers
Deep Learning
Security audits
Encryption
Static Analyzers
DDOS prevention
Antivirus
Dynamic Execution
Fuzzing
Auto-escaping
PAY FOR BUGSit’s worth it
0
10
20
30
40
50
$0
$5000
$10000
$15000
$20000
$25000
amount awarded
number of bugs
2010 2011 2012 2013 2014 2015
Dynamic renderingCSS, Javascript. E.g Media Queries
Hacked siteGood sites used in phishing attacks
Email security standardsYet to be fully adopted
Advanced phishing attacks e.g spear phishing
KEY CHALLENGES IN 2016
Combine detection technologies in each layerThere is no silver bullet so diversification is key to lasting security.
Defense in depthAdd multiple layers of security because sooner or later an attacker will break one.
Have a strong team that keeps runningIt takes all your efforts to keep the product clean. No rest for the brave.
KEY TAKEAWAYS
Thank you!