Netflix Stethoscope – Open Source User Focused Security
Netflix recently released a project called Stethoscope, which they describe as taking a “User Focused Security” approach. The Stethoscope web application collects information about a user's devices so it can give security recommendations, and each recommendation comes with details intended to teach the user why they should perform the remediation action. The details can be found HERE and below. At first look, it seems to be pretty awesome. Go Netflix!
Netflix is pleased to announce the open source release of Stethoscope, our first project following a User Focused Security approach. The notion of “User Focused Security” acknowledges that attacks against corporate users (e.g., phishing, malware) are the primary mechanism leading to security incidents and data breaches, and it’s one of the core principles driving our approach to corporate information security. It’s also reflective of our philosophy that tools are only effective when they consider the true context of people’s work.
Stethoscope is a web application that collects information for a given user’s devices and gives them clear and specific recommendations for securing their systems.
If we provide employees with focused, actionable information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement.
Software that treats people like people, not like cogs in the machine
We believe that Netflix employees fundamentally want to do the right thing, and, as a company, we give people the freedom to do their work as they see fit. As we say in the Netflix Culture Deck, responsible people thrive on freedom, and are worthy of freedom. This isn’t just a nice thing to say–we believe people are most productive and effective when they aren’t hemmed in by excessive rules and process.
That freedom must be respected by the systems, tools, and procedures we design, as well.
By providing personalized, actionable information–and not relying on automatic enforcement–Stethoscope respects people’s time, attention, and autonomy, while improving our company’s security outcomes.
If you have similar values in your organization, we encourage you to give Stethoscope a try.
Education, not automatic enforcement
It’s important to us that people understand what simple steps they can take to improve the security state of their devices, because personal devices–which we don’t control–may very well be the first target of attack for phishing, malware, and other exploits. If they fall for a phishing attack on their personal laptop, that may be the first step in an attack on our systems here at Netflix.
We also want people to be comfortable making these changes themselves, on their own time, without having to go to the help desk.
To make this self service, and so people can understand the reasoning behind our suggestions, we show additional information about each suggestion, as well as a link to detailed instructions.
Security practices
We currently track the following device configurations, which we call “practices”:
Disk encryption
Firewall
Automatic updates
Up-to-date OS/software
Screen lock
Not jailbroken/rooted
Security software stack (e.g., Carbon Black)
Each practice is given a rating that determines how important it is. The more important practices will sort to the top, with critical practices highlighted in red and collected in a top banner.
Implementation and data sources
Stethoscope is powered by a Python backend and a React front end. The web application doesn’t have its own data store, but directly queries various data sources for device information, then merges that data for display.
The various data sources are implemented as plugins, so it should be relatively straightforward to add new inputs. We currently support LANDESK (for Windows), JAMF (for Macs), and Google MDM (for mobile devices).
Notifications
In addition to device status, Stethoscope provides an interface for viewing and responding to notifications.
For instance, if you have a system that tracks suspicious application accesses, you could choose to present a notification like this:
We recommend that you only use these alerts when there is an action for somebody to take–alerts without corresponding actions are often confusing and counterproductive.
Mobile friendly
The Stethoscope user interface is responsive, so it’s easy to use on mobile devices. This is especially important for notifications, which should be easy for people to address even if they aren’t at their desk.
What’s next?
We’re excited to work with other organizations to extend the data sources that can feed into Stethoscope. Osquery is next on our list, and there are many more possible integrations.
Getting started
Stethoscope is available now on GitHub. If you’d like to get a feel for it, you can run the front end with sample data with a single command. We also have a Docker Compose configuration for running the full application.
Join us!
We hope that other organizations find Stethoscope to be a useful tool, and we welcome contributions, especially new plugins for device data.
Our team, Information Security, is also hiring a Senior UI Engineer at our Los Gatos office. If you’d like to help us work on Stethoscope and related tools, please apply!
Presentations
We’d like to thank ShmooCon for giving us the chance to present this work earlier this year. The slides and video are now both publicly available.
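The "Security practices" and "Implementation and data sources" sections above describe two mechanics worth seeing in code: data sources implemented as plugins whose records are merged per device without a central store, and practices carrying an importance rating that decides sort order and which failures land in the critical banner. The Python below is an added example written for this post; it is not Stethoscope's own code. The plugin interface (`devices_for`), the `FakeJamfPlugin`/`FakeEdrPlugin` classes, the practice names, the rating values and the device records are all constructed here as assumptions; the post only says that ratings exist and that critical practices are highlighted and collected in a banner.

```python
"""Toy model of a plugin-fed, rating-sorted device practice report.

Added example, not Stethoscope's code. Plugin classes, practice names,
ratings and the sample device records are all constructed for this demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ratings. Lower order value sorts first; "critical" feeds the banner.
RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
PRACTICE_RATINGS = {
    "disk_encryption": "critical",
    "not_jailbroken": "critical",
    "security_software": "high",
    "up_to_date_os": "high",
    "automatic_updates": "medium",
    "firewall": "medium",
    "screen_lock": "medium",
}


@dataclass
class DeviceRecord:
    """What one plugin knows about one device.

    practices maps practice -> True (satisfied), False (not satisfied) or
    None (this source has no data for it)."""
    serial: str
    platform: str
    source: str
    practices: Dict[str, Optional[bool]]


@dataclass
class MergedDevice:
    serial: str
    platform: str
    sources: List[str]
    practices: Dict[str, bool]


class DataSourcePlugin:
    """Hypothetical plugin interface: return the user's devices from one source."""
    name = "base"

    def devices_for(self, user: str) -> List[DeviceRecord]:
        raise NotImplementedError


class FakeJamfPlugin(DataSourcePlugin):
    """Stands in for a JAMF query; the record below is constructed sample data."""
    name = "jamf"

    def devices_for(self, user: str) -> List[DeviceRecord]:
        if user != "alice":
            return []
        return [DeviceRecord("C02ABC", "mac", self.name, {
            "disk_encryption": True, "firewall": False, "screen_lock": True,
            "up_to_date_os": False, "automatic_updates": None,
            "not_jailbroken": None, "security_software": None})]


class FakeEdrPlugin(DataSourcePlugin):
    """Stands in for an endpoint-security source; constructed sample data."""
    name = "edr"

    def devices_for(self, user: str) -> List[DeviceRecord]:
        if user != "alice":
            return []
        return [
            # Same Mac as JAMF reports, with one conflicting value (firewall).
            DeviceRecord("C02ABC", "mac", self.name,
                         {"security_software": True, "disk_encryption": True,
                          "firewall": True}),
            DeviceRecord("XYZ999", "windows", self.name,
                         {"security_software": False, "disk_encryption": False}),
        ]


def merge_devices(plugins: List[DataSourcePlugin], user: str) -> List[MergedDevice]:
    """Query every plugin and merge records by serial, with no stored state.

    Merge rule (a design choice): a practice is satisfied only if every source
    that reports it says so, so a stale "ok" from one tool cannot hide a
    failure seen by another. None values never override known ones."""
    merged: Dict[str, MergedDevice] = {}
    for plugin in plugins:
        for rec in plugin.devices_for(user):
            dev = merged.setdefault(
                rec.serial, MergedDevice(rec.serial, rec.platform, [], {}))
            dev.sources.append(rec.source)
            for practice, ok in rec.practices.items():
                if ok is None:
                    continue
                prev = dev.practices.get(practice)
                dev.practices[practice] = ok if prev is None else (prev and ok)
    return list(merged.values())


def recommendations(dev: MergedDevice) -> List[str]:
    """Failing practices, most important first (ties broken by name)."""
    failing = [p for p, ok in dev.practices.items() if ok is False]
    return sorted(failing, key=lambda p: (RATING_ORDER[PRACTICE_RATINGS[p]], p))


def critical_banner(dev: MergedDevice) -> List[str]:
    """Subset of recommendations that would be highlighted in the top banner."""
    return [p for p in recommendations(dev) if PRACTICE_RATINGS[p] == "critical"]


def unknown_practices(dev: MergedDevice) -> List[str]:
    """Practices no source reported; worth surfacing rather than assuming ok."""
    return sorted(p for p in PRACTICE_RATINGS if p not in dev.practices)


if __name__ == "__main__":
    for dev in merge_devices([FakeJamfPlugin(), FakeEdrPlugin()], "alice"):
        print(dev.serial, dev.platform, dev.sources)
        print("  banner:", critical_banner(dev))
        print("  fix:   ", recommendations(dev))
        print("  no data:", unknown_practices(dev))
```

The conservative merge rule is the part to think about when adding a real plugin: if one source is stale it will keep a practice red after the user has fixed it, so each plugin's freshness should be visible in the UI alongside the recommendation.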