The five-minute CIO: Alex Stamos, CSO, Facebook

11 Nov 2016

Pictured: Facebook CSO Alex Stamos. Image: John Kennedy

“We don’t want to be a mechanism by which you can attack individuals or companies,” said Facebook’s chief security officer Alex Stamos.

With 1.8bn users worldwide and some 12,000 employees to protect, you could argue that Alex Stamos of Facebook is one of the busiest chief security officers in the world.

Stamos is a world-renowned cybersecurity expert.

Prior to joining Facebook, he was chief information security officer at Yahoo, where he was a vocal NSA critic and referred to his team as “Paranoids”.

Before that, he was CTO of the security firm Artemis.

IT security used to be about firewalls that simply kept the bad guys out, but now it is much more porous thanks to mobile devices. How do you defend and protect?

When it comes to corporate security responsibility, we have the same issues that all companies have in terms of computers, desktops, laptops, wireless networks, offices, mobile devices and more. These are a set of risks every company has.

We have some interesting specific risks.

One of the things I talked about at the Web Summit is [that] we have to support devices in the field as they are in 2016.

I asked the room at the Web Summit how many of [them had] an iPhone 7 and that was about fifth of the room, and that has only been out three months. That phone costs half the per capita income of India, so that is not representative of people on Facebook right now, and if you have 1.8bn users and you add the next one, they are not going to have an €800 phone.

They are going to be on something that is €50 to €100, and might be top-of-the-line from 2014 but running an older version of Android. A lot of them have different form factors than we are used to in the developed world; they still have keyboards and have sliders and stuff.

So, one of our interesting corporate security issues is that we have a team whose job it is to make sure our devices and our experience is good for these people.

They do things like downgrade the speed and a lot of these engineers carry around these phones.

There is a team whose entire mission is to go against that. It is not just what device you are carrying, it is about thinking. When you are thinking of building a product, you think about yourself or your family members and what are they carrying in their pocket. We have a team that tries to specifically design technology so it works well for all of our users, especially in places where people are getting online for the first time.

But that means from a corporate perspective, we’ve got all these devices on our networks. We do adaptive authentication, where we detect the features of the phone and decide what level of access they get based upon that.

Do you use open source technologies to determine risk and build better security?

For everything we do in the corporate area of risk, we have a tool called OSquery which is open source and on GitHub. That’s a tool we built a while ago. It is an agent we run on every single production host and most of our corporate hosts, and that gives you this command line interface that lets you make SQL-like queries across your entire fleet.

And so, we can very quickly search for things like [a] table of all of the different start-up services running on all of our Windows machines. And then you can create a histogram and tell the difference between normal ones and ones running on two computers. Our people use that to hunt for possible attackers; they go out and make queries to look for anomalies and once they find those anomalies, it allows you to search very quickly for the same information across the fleet.

OSquery is an open source project now and we have a beta version of the Windows app – the last part of our fleet that isn’t running OSquery continuously – and we are going to be rolling that out real soon.

Do you use machine learning or AI in defending Facebook and its users?

Threat Exchange is our machine-to-machine, real-time threat-sharing platform. Threat-based defence is pretty obviously the future – you can’t defend your networks unless you understand what your adversary is doing and you understand their tools, techniques and processes.

Threat Exchange was built around some specific spam problems where spammers and malware authors were spreading across multiple networks, and so among tech companies, we wanted to share information and shut these guys down everywhere at once and not play Whac-A-Mole.

We now have over 450 companies using Threat Exchange and you have privacy settings that are pretty much equivalent to those on Facebook; where you can create private groups, post in those groups your information, and so smaller groups of organisations that trust information that share super high-end information like IP addresses of advanced attacks – we are seeing [them].

With OSquery, we can do regular queries across the entire fleet and bring all the information into our big data system and we can check that against the data that comes in on Threat Exchange.

If another organisation like us finds a piece of malware, they reverse engineer it and throw the Indicators of Compromise (IOCs) into Threat Exchange [and] we can automatically get an alert.

Is a large part of your work automated or is there still a manual aspect?

There are two parts here; there are people who attack us versus the people who use our platform to attack folks. We have dedicated teams whose job it is to track threat actors, to see what they are doing, watch what they are doing and try to block them as quickly as possible.

We don’t want to be a mechanism by which you can attack individuals or companies. If there is something we learned about the hacking that has gone on around the US election, it is that going after people individually in their personal accounts is as effective as going after their official accounts.

There are people who use their personal email and their personal social networks for a lot of important stuff.

This is especially true if you used to be in a position of power and now you are on your own, and no longer have a professional IT team providing support, and that can put you in a situation [where] you are at the most risk.

We have a team whose job it is to do that and part of it is manual, but a big part of it is: as we discover bad things going on, we can feed those into machine-learning algorithms and try to predict and prevent it in the future.

If we see a phishing site that gets tagged as such and whenever anybody posts a link on Facebook or sends via Messenger, we go and we fetch that site and we scan for malware and look for signs of phishing, a bunch of redirects and other things that look sketchy. By manually finding and categorising those bad things, we can train the machine-learning systems to react so quickly that the goal is the first time the link is sent that we block it.

There is a pretty decent amount of attacks that we stop before anybody sees them, because we have analysed those kind of attacks in the past, and we have done a really good job of our machine-learning algorithms adapting and understanding how to prevent them in the future. Some of that is manual too.

Is AI now on the front line of security?

Absolutely. I try not to use the term AI, these are very specific algorithms using deep neural networks. I don’t get to go in and say “Jarvis, how are we looking for spam today?”

They do very specific things. We provide as many options as possible for people to keep their accounts secure, but we have to anticipate that there are also people who will not turn on login verifications, who will not give us their phone number so we can have a secure communication.

If you have your account set up to warn you if someone is trying to access your account, the system that did that was a machine-learning system. When someone tries to log in, it takes a little over 80 data points and it feeds into a machine-learning algorithm that looks to say ‘Is this John or somebody else?’ It is trained to notice if you travel a lot or change your phone a lot or uses other systems. So that is a large part of the machine-learning algorithm; it gets trained on the good and not-so-good logins and is able to balance the different factors in a way that would be impossible for humans to do manually.

How do you ensure security is bolted into the day-to-day work of people at Facebook?

Every technical employee, including myself, has to go through a six-week bootcamp, where you take classes and go and work on actual problems on the production site.

In week 2, I got to fix a bug on the Facebook production site. The really important thing is it teaches you the Facebook way of building code.

If you are a Facebook developer and you want to put a text box with a drop down and submit button, if you were building that on your own, you have to build your J Query code, HTML and have code on the server side to accept the post. For us, that’s like only two lines of code because it has already been built.

But one of the big security benefits in those Lego blocks of code is that we have these security features built in, so you put together an app and not need to think about scripting errors. It takes the drudgery out of it and makes you super productive and it makes it very difficult to create a security flaw. It is peace of mind for the engineers but also for the security team.

Realistically, no company has a security team that can review all code. It doesn’t mean we don’t have bugs but they are often much more complex things, like very difficult corner cases and such.

But we generally don’t have generic flaws you see in web applications, and a lot of that is because we have just one code base upon which people use the same libraries. We have the ability to use code-scanning more effectively because you are not looking for flaws, but for people going around the Facebook way of doing things.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com