Lessons learned while protecting Gmail (slide transcript)
![Page 1: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/1.jpg)
Lessons learned while PROTECTING GMAIL
Elie Bursztein, Nicolas Lidzborski, & Vijay Eranti
THE GMAIL SECURITY AND ANTI-ABUSE TEAM
![Page 2: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/2.jpg)
2004 to 2016
LESSONS WE'VE LEARNED WHILE protecting Gmail users for over a decade
![Page 3: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/3.jpg)
900 MILLION+ USERS; hundreds of billions of messages per week
![Page 4: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/4.jpg)
5 MAIN THREATS TO GMAIL (built up one at a time over slides 4 to 8):
Malware
Account hijacking
Phishing
Web attacks (XSS)
Spam
![Page 9: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/9.jpg)
We launched login challenges in 2011
![Page 10: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/10.jpg)
NEVER STOP IMPROVING YOUR DEFENSES
Phishers updated their kits to ask for the challenge answers
http://goo.gl/xMctOL
![Page 11: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/11.jpg)
THERE IS NO SILVER BULLET
99.9% accuracy detecting spammy email, by incremental coverage*:
91.7% large linear ML classifier
+4.7% rule-based system
+3.5% deep learning
? next gen
http://goo.gl/0jgK96 * incremental coverage measurement: each layer is credited only with what the layers before it missed
![Page 12: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/12.jpg)
TUNE YOUR CLASSIFIER to match your product need
False negative (spam classified as good): less than 0.1%
False positive (good classified as spam): less than 0.05%
https://goo.gl/0jgK96
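Added example for the two slides above (this is constructed illustration code, not the slides' or Gmail's code): it measures the incremental coverage of a stack of detectors in the order they are applied, then the false-negative and false-positive rates that the product targets are expressed in. The three detectors are one-line stand-ins for the linear classifier, rule system and deep model, and the labelled corpus is made up.

```python
# Added example (not from the slides, not Gmail code): incremental coverage of
# stacked spam detectors, plus the FN/FP rates a product target is stated in.
# The detectors and the labelled corpus are constructed stand-ins.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Message:
    text: str
    is_spam: bool  # ground-truth label (constructed)


# Constructed labelled corpus: 6 spam, 6 ham.
CORPUS = [
    Message("cheap meds, click now", True),
    Message("your account has been limited, verify here", True),
    Message("win a free cruise", True),
    Message("URGENT wire transfer needed today", True),
    Message("unsubscribe link below, free gift", True),
    Message("please verify here to unlock, click now", True),
    Message("re: lunch tomorrow?", False),
    Message("quarterly report attached", False),
    Message("photos from the trip", False),
    Message("meeting notes", False),
    Message("password reset you did not request?", False),
    Message("free lunch on friday", False),  # ham that the linear stand-in flags
]

Detector = Callable[[Message], bool]


def linear_detector(m: Message) -> bool:
    """Stand-in for a large linear classifier over bag-of-words features."""
    return any(w in m.text.lower() for w in ("cheap", "free", "click now"))


def rule_detector(m: Message) -> bool:
    """Stand-in for a hand-written rule targeting a credential lure."""
    return "verify here" in m.text.lower()


def deep_detector(m: Message) -> bool:
    """Stand-in for a deep model that recognises wire-fraud language."""
    return "wire transfer" in m.text.lower()


LAYERS = [("linear", linear_detector), ("rules", rule_detector), ("deep", deep_detector)]


def incremental_coverage(layers, corpus):
    """Share of all spam that each layer catches beyond the layers before it.

    Ordering matters: the first layer is credited with everything it catches,
    later layers only with what the earlier ones missed."""
    spam = [m for m in corpus if m.is_spam]
    already = set()
    result = []
    for name, detect in layers:
        new = {i for i, m in enumerate(spam) if detect(m)} - already
        result.append((name, len(new) / len(spam)))
        already |= new
    return result


def stacked(layers) -> Detector:
    """Final verdict of the stack: spam if any layer says so."""
    return lambda m: any(detect(m) for _, detect in layers)


def error_rates(detect: Detector, corpus):
    """(false-negative rate over spam, false-positive rate over ham)."""
    spam = [m for m in corpus if m.is_spam]
    ham = [m for m in corpus if not m.is_spam]
    fn = sum(1 for m in spam if not detect(m)) / len(spam)
    fp = sum(1 for m in ham if detect(m)) / len(ham)
    return fn, fp


def meets_targets(detect: Detector, corpus, max_fn=0.001, max_fp=0.0005) -> bool:
    """Product targets from the slides: FN below 0.1%, FP below 0.05%."""
    fn, fp = error_rates(detect, corpus)
    return fn < max_fn and fp < max_fp


if __name__ == "__main__":
    for name, share in incremental_coverage(LAYERS, CORPUS):
        print(f"{name:7s} +{share:.1%}")
    print("stack FN/FP:", error_rates(stacked(LAYERS), CORPUS))
    print("meets targets:", meets_targets(stacked(LAYERS), CORPUS))
```

Reversing the layer order changes every layer's incremental number while the stack's total stays the same, which is why the slide's "+4.7%" and "+3.5%" only make sense together with the order in which the layers run. On a corpus of twelve messages the FP rate of one mistaken ham is 16.7%, far above the 0.05% target; the point of `meets_targets` is that the target has to be checked on a corpus large enough for 0.05% to be measurable.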
![Page 13: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/13.jpg)
IMPLEMENT CATCH-UP MECHANISMS
![Page 14: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/14.jpg)
EMPOWER USERS to take action through meaningful UI
https://goo.gl/gqk6Bn & https://goo.gl/sL5VWC
![Page 15: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/15.jpg)
USE OVERWHELMING FORCE: deploy many countermeasures at once
![Page 16: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/16.jpg)
EMAIL ATTACHMENT
![Page 17: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/17.jpg)
ATTACKS COME IN BURSTS: plan for it
![Page 18: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/18.jpg)
DON'T PROCESS TWICE
Whitelisting and blacklisting allow up to a 50% reduction in computation
Layers so far: Caching
![Page 19: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/19.jpg)
BE SECURE BY DESIGN
Gmail does not allow executable attachments (EXE)
Layers so far: Caching, Policy
![Page 20: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/20.jpg)
USE ENSEMBLE LEARNING: multiple anti-viruses are combined
[Figure: F1 score (0.6 to 1.0) against number of anti-virus engines (2 to 14); curves: Union, Majority Voting, Threshold = 3, Threshold = 5, Logit_wo_family, RF_wo_family, Bayes_wo_family, Logit_with_family, RF_with_family, Bayes_with_family]
Layers so far: Caching, Policy, Multiple Engines
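Added example (constructed illustration, not the slides' or Gmail's code): the simple combination rules the plot above compares (union, majority voting, fixed threshold) applied to a made-up table of per-engine verdicts, scored by F1 as engines are added one at a time. The engine verdicts, the samples and the rule names are assumptions; the learned combiners on the plot (logit, random forest, Bayes, with or without malware family features) are not reproduced here.

```python
# Added example (not from the slides, not Gmail code): combining anti-virus
# engine verdicts with union / majority / threshold rules and scoring each rule
# by F1. The verdict table is constructed; real engines run per attachment.
from typing import Callable, List, Optional, Sequence

Row = Sequence[int]  # one attachment: 1 = engine i flagged it, 0 = engine i said clean
Rule = Callable[[Row], bool]

# Constructed verdicts of 5 engines on 6 malware (True) and 4 benign (False) samples.
SAMPLES = [
    (True,  [1, 1, 1, 1, 1]),  # commodity malware, every engine sees it
    (True,  [1, 0, 1, 0, 0]),
    (True,  [0, 1, 0, 0, 1]),
    (True,  [0, 0, 0, 1, 0]),  # only engine 4 knows this family
    (True,  [1, 1, 1, 0, 1]),
    (True,  [0, 0, 0, 0, 0]),  # missed by all: the case for dynamic execution
    (False, [0, 0, 0, 0, 0]),
    (False, [1, 0, 0, 0, 0]),  # engine 1 false positive
    (False, [0, 0, 1, 1, 0]),  # two engines agree on a false positive
    (False, [0, 0, 0, 0, 0]),
]


def union(row: Row) -> bool:
    """Flag if any engine flags: best recall, but inherits every engine's FPs."""
    return any(row)


def majority(row: Row) -> bool:
    """Flag only if a strict majority of the engines agree."""
    return sum(row) * 2 > len(row)


def threshold(k: int) -> Rule:
    """Flag if at least k engines agree."""
    return lambda row: sum(row) >= k


def f1(rule: Rule, samples, n_engines: Optional[int] = None) -> float:
    """F1 of `rule` using only the first `n_engines` engines (all if None)."""
    tp = fp = fn = 0
    for is_malware, row in samples:
        flagged = rule(row[:n_engines] if n_engines else row)
        if flagged and is_malware:
            tp += 1
        elif flagged:
            fp += 1
        elif is_malware:
            fn += 1
    return 0.0 if tp == 0 else 2 * tp / (2 * tp + fp + fn)


def f1_by_engine_count(rule: Rule, samples) -> List[float]:
    """The x-axis of the slide's plot: F1 as engines are added one at a time."""
    width = len(samples[0][1])
    return [f1(rule, samples, n) for n in range(1, width + 1)]


if __name__ == "__main__":
    for name, rule in [("union", union), ("majority", majority),
                       ("threshold=2", threshold(2)), ("threshold=3", threshold(3))]:
        curve = " ".join(f"{v:.2f}" for v in f1_by_engine_count(rule, SAMPLES))
        print(f"{name:12s} F1 by #engines: {curve}")
```

With this table the union's F1 goes down when the third engine is added (it brings a false positive and no new detection) and majority voting throws away the single-engine detection of sample 4. That is the shape the slide's plot is about: a fixed rule does not improve monotonically with more engines, which is what motivates learning the combination instead.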
![Page 21: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/21.jpg)
USE DYNAMIC EXECUTION to catch undetected malware (very rare)
Layers so far: Caching, Policy, Multiple Engines, Dynamic Execution
![Page 22: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/22.jpg)
IMPLEMENT EMERGENCY BLOCKING SYSTEMS
Unpredictable attacks and bugs happen. Get as ready as possible for them.
Layers so far: Caching, Policy, Multiple Engines, Dynamic Execution, Fast Rules
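Added example for the attachment pipeline built up over slides 18 to 22 (constructed illustration, not the slides' or Gmail's code): caching and allow/deny lists keyed by content hash so nothing is scanned twice, a secure-by-design policy that blocks executables by content and inside archives rather than by file name alone, the engine stage as the expensive last resort, and emergency fast rules that are consulted before the cache so a hot fix overrides an earlier cached "allow". The blocked-extension set, the toy engine, the hot-fix rule and all sample files are assumptions.

```python
# Added example (not from the slides, not Gmail code): an attachment-scanning
# pipeline: fast rules, then allow/deny lists and a verdict cache, then policy,
# then engines. Engines, rules and samples are constructed; the extension set
# is an illustrative subset, not Gmail's list.
import hashlib
import io
import os
import re
import zipfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".js", ".msi"}  # assumed subset
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # PE and ELF headers


def is_executable(name: str, data: bytes, depth: int = 0) -> bool:
    """Policy check: extension OR content says executable, including inside zips."""
    if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
        return True
    if data.startswith(EXECUTABLE_MAGIC):
        return True  # a renamed .exe still starts with MZ
    if data.startswith(b"PK\x03\x04") and depth < 2:  # look two levels into archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if is_executable(info.filename, z.read(info.filename), depth + 1):
                        return True
        except zipfile.BadZipFile:
            return False
        except RuntimeError:
            return True  # encrypted entry cannot be inspected: this example blocks it
    return False


FastRule = Callable[[str, bytes], bool]
Engine = Callable[[bytes], bool]


@dataclass
class Scanner:
    allowlist: Set[str] = field(default_factory=set)  # sha256 of known-good files
    denylist: Set[str] = field(default_factory=set)   # sha256 of known-bad files
    fast_rules: List[FastRule] = field(default_factory=list)
    engines: List[Engine] = field(default_factory=list)
    cache: Dict[str, str] = field(default_factory=dict)
    engine_runs: int = 0  # how often the expensive stage actually ran

    def verdict(self, name: str, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        # 1. Emergency rules first: they must override cached "allow" verdicts.
        if any(rule(name, data) for rule in self.fast_rules):
            return "block:fast-rule"
        # 2. Known hashes and cached verdicts: no further work ("don't process twice").
        if digest in self.denylist:
            return "block:denylist"
        if digest in self.allowlist:
            return "allow:allowlist"
        if digest in self.cache:
            return self.cache[digest]
        # 3. Policy: cheap and deterministic, runs before any engine.
        if is_executable(name, data):
            result = "block:policy"
        else:
            # 4. Expensive stage: the engine ensemble (union rule here).
            self.engine_runs += 1
            result = "block:engine" if any(e(data) for e in self.engines) else "allow:clean"
        self.cache[digest] = result
        return result


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry_name, content in entries.items():
            z.writestr(entry_name, content)
    return buf.getvalue()


def toy_engine(data: bytes) -> bool:  # constructed stand-in for an AV engine
    return b"evil-macro" in data


INVOICE_WAVE = re.compile(r"^invoice_\d+\.(js|wsf)$", re.I)  # constructed hot-fix rule


def build_scanner() -> Scanner:
    return Scanner(
        allowlist={hashlib.sha256(b"%PDF-1.4 known good").hexdigest()},
        fast_rules=[lambda name, data: bool(INVOICE_WAVE.match(name))],
        engines=[toy_engine],
    )


if __name__ == "__main__":
    s = build_scanner()
    for name, data in [
        ("report.pdf", b"%PDF-1.4 hello"),
        ("report.pdf", b"%PDF-1.4 hello"),        # second look-up is served from cache
        ("setup.exe", b"MZ\x90\x00"),
        ("invoice.pdf", b"MZ\x90\x00"),           # executable renamed to look harmless
        ("bundle.zip", make_zip({"a.exe": b"MZ\x90\x00"})),
        ("invoice_4711.js", b"eval('...')"),
        ("macro.doc", b"\xd0\xcf\x11\xe0 evil-macro"),
    ]:
        print(f"{name:18s} {s.verdict(name, data)}")
    print("engine runs:", s.engine_runs)
```

Two details matter for the layering: the cache key is the content hash, not the file name, so the same bytes under a new name are still served from cache; and the fast rules sit in front of the cache, because the whole point of an emergency rule is to stop something the pipeline has already approved.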
![Page 23: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/23.jpg)
ENCRYPT EVERYTHING: in transit and at rest
OUTBOUND: 82% of messages from Gmail to other providers are encrypted
INBOUND: 62% of messages from other providers to Gmail are encrypted
https://goo.gl/iv2tIa * Gmail always tries to encrypt email communication (TLS between mail servers). Encryption failures are due to other providers not supporting encryption.
![Page 24: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/24.jpg)
BE METRICS DRIVEN
[Figure: number of exploitable XSS affecting Gmail webmail fixed per quarter (Q1 to Q4), 2008 to 2015; y-axis 0 to 5]
![Page 25: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/25.jpg)
Closure Templates strict autoescaping vs. manual and unsafe escaping
https://goo.gl/1tLf3w
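Added example (constructed illustration, not the slides' code and not Closure Templates itself): a toy renderer that contrasts manual escaping, meaning one HTML escape applied to every value regardless of where it lands, with strict contextual autoescaping, meaning the context is inferred from the template text already emitted and the escaping is chosen for that context. The template, the attacker values and the context inference are assumptions; the innocuous-URL placeholder is the one Closure's SafeUrl substitutes for unsafe URLs.

```python
# Added example (not from the slides, not Closure code): manual escaping vs.
# strict contextual autoescaping in a toy template renderer. Template, payloads
# and context inference are constructed.
import html
import json
import re
from urllib.parse import urlsplit

SAFE_URL_SCHEMES = {"http", "https", "mailto"}
INNOCUOUS_URL = "about:invalid#zClosurez"  # placeholder Closure substitutes for unsafe URLs

# Template: literal strings and ("var", name) placeholders in four contexts.
TEMPLATE = [
    "<a href=", ("var", "link"), ">", ("var", "label"), "</a>",
    "<img src=", ("var", "thumb"), ">",
    "<script>var q = ", ("var", "query"), ";</script>",
]

# Constructed attacker-controlled values, one per context.
ATTACK = {
    "link": "javascript:alert(1)",
    "label": "<img src=x onerror=alert(1)>",
    "thumb": "x onerror=alert(1)",
    "query": "</script><script>alert(1)</script>",
}


def infer_context(emitted: str) -> str:
    """Work out the HTML context at the end of the text emitted so far."""
    low = emitted.lower()
    if low.rfind("<script") > low.rfind("</script>"):
        return "js"
    lt, gt = emitted.rfind("<"), emitted.rfind(">")
    if lt > gt:  # inside a tag: are we right after `attr=` or `attr="`?
        m = re.search(r"([a-zA-Z-]+)\s*=\s*([\"'])?$", emitted[lt:])
        if m:
            kind = "url" if m.group(1).lower() in ("href", "src", "action") else "attr"
            return f"{kind}_{'quoted' if m.group(2) else 'unquoted'}"
    return "text"


def escape_url(value: str) -> str:
    scheme = urlsplit(value).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        value = INNOCUOUS_URL
    return html.escape(value, quote=True)


def escape_for(context: str, value: str) -> str:
    if context == "text":
        return html.escape(value, quote=False)
    if context == "attr_quoted":
        return html.escape(value, quote=True)
    if context == "attr_unquoted":  # strict autoescaping adds the missing quotes
        return '"' + html.escape(value, quote=True) + '"'
    if context == "url_quoted":
        return escape_url(value)
    if context == "url_unquoted":
        return '"' + escape_url(value) + '"'
    if context == "js":  # JSON-encode and neutralise "</script>" inside the string
        return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    raise ValueError(context)


def render_manual(template, values) -> str:
    """Manual escaping: the same HTML escape for every value, whatever the context."""
    return "".join(seg if isinstance(seg, str) else html.escape(values[seg[1]], quote=True)
                   for seg in template)


def render_strict(template, values) -> str:
    """Strict contextual autoescaping: escaping chosen per inferred context."""
    out = ""
    for seg in template:
        out += seg if isinstance(seg, str) else escape_for(infer_context(out), values[seg[1]])
    return out


if __name__ == "__main__":
    print("manual:", render_manual(TEMPLATE, ATTACK))
    print("strict:", render_strict(TEMPLATE, ATTACK))
```

The manual output is the instructive one: `x onerror=alert(1)` contains none of the five characters HTML escaping touches, so it lands verbatim in the unquoted `src=` attribute and becomes a live event handler, and `javascript:alert(1)` survives into `href=` untouched. The strict renderer quotes the attribute, replaces the dangerous URL scheme, and JSON-encodes the script value, because it knows which context each placeholder sits in.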
![Page 26: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/26.jpg)
PREVENT BUGS THROUGH GOOD SOFTWARE DESIGN
![Page 27: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/27.jpg)
CSP blocks a lot of bad stuff; CSP helped us identify potential XSS
CSP violations for Google Inbox just before launch, by directive: script-src and frame-src (45.7% / 54.3%)
Smart labels potential XSS: `<! <img src="><img src=x onerror=alert(1)// ">`
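Added example (constructed illustration, not the slides' or Google's code) of how a report-uri endpoint turns CSP violation reports into the kind of signal the slide describes: inline-script violations that look like payloads, and scripts loaded from hosts the app never uses, are separated from expected noise such as blocked frames and the app's own scripts that are merely missing a nonce. The policy string, the host allowlist, the payload heuristic and the reports are assumptions; the field names are those browsers put in the CSP report JSON.

```python
# Added example (not from the slides, not Google's code): triage of CSP
# violation reports received at a report-uri endpoint. Policy, allowlist,
# heuristic and reports are constructed; field names follow the CSP report JSON.
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Nonce-based policy in report-only mode: nothing is blocked yet, every
# violation is reported, so the policy can be tuned before enforcement.
# {nonce} is filled with a fresh random value per response in a real deployment.
REPORT_ONLY_POLICY = (
    "default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
    "frame-src 'self' https://calendar.example; object-src 'none'; report-uri /csp-report"
)
OWN_SCRIPT_HOSTS = {"app.example", "static.example"}  # constructed
PAYLOAD_HINTS = re.compile(r"alert\(|onerror|document\.cookie|<script", re.I)  # constructed heuristic

# Constructed report bodies (one POST each to /csp-report).
RAW_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example/mail/", "effective-directive": "script-src",'
    ' "violated-directive": "script-src", "blocked-uri": "inline", "script-sample": "alert(1)"}}',
    '{"csp-report": {"document-uri": "https://app.example/mail/", "effective-directive": "script-src",'
    ' "violated-directive": "script-src", "blocked-uri": "inline",'
    ' "script-sample": "window.dataLayer = window.dataLayer || []"}}',
    '{"csp-report": {"document-uri": "https://app.example/settings", "effective-directive": "script-src",'
    ' "violated-directive": "script-src", "blocked-uri": "https://static.example/app.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/mail/", "effective-directive": "script-src",'
    ' "violated-directive": "script-src", "blocked-uri": "https://cdn.adinject.example/i.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/mail/", "effective-directive": "frame-src",'
    ' "violated-directive": "frame-src", "blocked-uri": "https://tracker.example/frame"}}',
    '{"csp-report": {"document-uri": "https://app.example/mail/", "effective-directive": "frame-src",'
    ' "violated-directive": "frame-src", "blocked-uri": "https://video.example/embed"}}',
    # Older report shape: no effective-directive, full directive value, empty blocked-uri.
    '{"csp-report": {"document-uri": "https://app.example/mail/", "violated-directive": "script-src \'nonce-x\'",'
    ' "blocked-uri": "", "script-sample": "alert(1)//"}}',
]


def parse_reports(raw_bodies):
    return [json.loads(body)["csp-report"] for body in raw_bodies]


def directive_of(report: dict) -> str:
    # Old browsers only send violated-directive, which may carry the whole directive value.
    return (report.get("effective-directive") or report.get("violated-directive", "")).split()[0]


def classify(report: dict) -> str:
    blocked = report.get("blocked-uri", "")
    if directive_of(report) == "script-src":
        if blocked in ("inline", "eval", ""):  # browsers send "inline"/"eval"; old ones send ""
            return "inline-script"  # under a nonce policy: a missing nonce or an injected script
        host = urlsplit(blocked).hostname or blocked
        return "own-host-missing-nonce" if host in OWN_SCRIPT_HOSTS else "foreign-script"
    if directive_of(report) == "frame-src":
        return "blocked-frame"
    return "other"


def is_payload_like(report: dict) -> bool:
    return bool(PAYLOAD_HINTS.search(report.get("script-sample", "")))


def triage(reports):
    """Counts per class, directive shares in percent, and the reports worth a human look."""
    counts = Counter(classify(r) for r in reports)
    directives = Counter(directive_of(r) for r in reports)
    shares = {d: round(100 * n / len(reports), 1) for d, n in directives.items()}
    suspicious = [
        (r["document-uri"], classify(r), r.get("script-sample", r.get("blocked-uri")))
        for r in reports
        if classify(r) == "foreign-script" or (classify(r) == "inline-script" and is_payload_like(r))
    ]
    return counts, shares, suspicious


if __name__ == "__main__":
    counts, shares, suspicious = triage(parse_reports(RAW_REPORTS))
    print(dict(counts), shares)
    for doc, cls, detail in suspicious:
        print(f"{cls:16s} {doc} :: {detail}")
```

Two caveats a practitioner will hit immediately: report volume is dominated by browser extensions and injected ads on the client, not by bugs in the app, so grouping by `script-sample` and by foreign host before looking at individual reports is what makes the feed readable; and the `script-sample` field is truncated and not sent by every browser, so the payload heuristic only ever narrows the queue, it never clears it.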
![Page 28: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/28.jpg)
IMPLEMENT DEFENSE IN DEPTH: CSP, linear classifiers, deep learning, security audits, encryption, static analyzers, DDoS prevention, antivirus, dynamic execution, fuzzing, auto-escaping
![Page 29: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/29.jpg)
PAY FOR BUGS: it's worth it
[Figure: number of bugs (0 to 50) and amount awarded ($0 to $25,000) per year, 2010 to 2015]
![Page 30: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/30.jpg)
KEY CHALLENGES IN 2016
Dynamic rendering: CSS and JavaScript, e.g. media queries
Hacked sites: good sites used in phishing attacks
Email security standards: yet to be fully adopted
Advanced phishing attacks, e.g. spear phishing
![Page 31: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/31.jpg)
KEY TAKEAWAYS
Combine detection technologies in each layer: there is no silver bullet, so diversification is key to lasting security.
Defense in depth: add multiple layers of security, because sooner or later an attacker will break one.
Have a strong team that keeps running: it takes all your effort to keep the product clean. No rest for the brave.
![Page 32: Lessons learned while protecting Gmail](https://reader031.vdocuments.net/reader031/viewer/2022030310/58f9b321760da3da068bd2ab/html5/thumbnails/32.jpg)
Thank you!