
Visa

Developed security tool which reconstructs and replays SUDO logs to investigate cyberattacks

Role: Software Engineering Intern

Team: Cybersecurity-Identity & Access Management

Location: Foster City, CA (HQ)

Timeframe: Summer 2019

01 - Security: Why is it important?

Data breaches and identity theft pose an escalating existential threat to businesses.

The growth of digital, mobile and Internet of Things (IoT) is bringing payments to millions of new connected devices — and millions of new potential entry points for cybercriminals. Today’s criminals are relentless in their attempts to exploit vulnerabilities with increasingly sophisticated malware, social engineering, and brute force attacks.

The Identity and Access Management team is responsible for protecting Visa’s assets in this dynamic threat landscape. To maintain their impressive track record of zero breaches to the Visa network, the team takes a proactive approach to deploy new security tools and monitor the cyberspace beyond the network.

02 - Context setting

I met with stakeholders and teammates to determine the direction of my project.

My team was replacing Red Hat's Unix Privilege Manager with an internally developed Visa Managed SUDO to cut down on annual costs. One benefit of managed SUDO is that it enables session recording of user input and output for privileged commands.

The Cyber Investigations team wanted to use the recording feature for auditing and forensic use in the event of a malicious cyberattack or suspicious internal behavior. However, replaying logs was a 5-step, manual effort which took ~5 minutes to process each session.

My manager provided me with a broad prompt to automate the manual process and optimize the efficiency of the replay feature.

I began my work by meeting with the PM and stakeholders to understand their problems with the current process, which primarily involved efficiency and usability.

03 - My work

Deep dive into building a security automation tool to replay logs

Understand + research

After meeting with the PM and stakeholders, I compiled a list of issues with the current process, their expectations and requirements for the product, and their needs and wants. I also scraped through documentation of different proposals. After getting a good grasp on the task at hand, I was able to synthesize everything I had learned and define a new concept.

Defining product goals

After several meetings to determine the requirements of the product, I set out to streamline the current process. My top priority was to automate the multi-process, manual effort into a single step. I would also optimize the agent to handle large-scale data through efficient session reconstruction.

Technical Approach

I developed a backend tool which uses the Elasticsearch API to search for and retrieve the logs corresponding to a unique session ID. The logs then go through a reconstruction step in which they are put back into the format sudo wrote them in. To keep session reconstruction efficient on large-scale data, the logs are processed in chunks rather than loaded whole. Finally, sudoreplay is invoked on the reconstructed session and plays it back, showing the output sudo recorded.
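The pipeline described above (search by session ID, chunked reconstruction, hand-off to sudoreplay), written out as an added example; this is not the Visa tool itself. The index schema is an assumption: one Elasticsearch document per chunk of one I/O log file (`log`, `timing`, `ttyout`, ...), with a per-session `seq` number and a base64 `data` payload. `fetch_page` is a stand-in for the client's `search_after` paging, and the sample documents are constructed. Two checks a forensic tool should not skip are included: a sequence gap aborts the reconstruction instead of silently producing a shorter session, and the `file` and `session_id` fields are validated before they are used as path components, since they arrive from the index rather than from sudo directly.

```python
import base64
import subprocess
from pathlib import Path
from typing import Callable, Iterator, List

# sudo's I/O log directory holds a fixed set of files; anything else is refused
# so a tampered index entry cannot make the tool write outside the session dir.
IOLOG_FILES = {"log", "timing", "stdin", "stdout", "stderr", "ttyin", "ttyout"}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample index: one document per chunk, deliberately stored out of
# order. The timing lines follow sudo's "<stream> <delay> <bytes>" layout but the
# values are made up; the `log` payload is not interpreted here.
SAMPLE_INDEX = [
    {"session_id": "sess-0001", "seq": 3, "file": "ttyout", "data": _b64("uid=0(root) gid=0(root)\r\n")},
    {"session_id": "sess-0001", "seq": 0, "file": "log", "data": _b64("constructed session metadata\n")},
    {"session_id": "sess-0001", "seq": 2, "file": "timing", "data": _b64("4 0.25 5\n")},
    {"session_id": "sess-0001", "seq": 1, "file": "ttyout", "data": _b64("$ id\r\n")},
    {"session_id": "sess-0001", "seq": 4, "file": "timing", "data": _b64("4 0.10 25\n")},
    {"session_id": "sess-0002", "seq": 0, "file": "log", "data": _b64("another session\n")},
]

Fetcher = Callable[[str, int, int], List[dict]]


def fetch_page(session_id: str, after_seq: int, size: int) -> List[dict]:
    """Stand-in for an Elasticsearch search_after query: documents of one
    session with seq > after_seq, sorted by seq, at most `size` of them."""
    docs = [d for d in SAMPLE_INDEX if d["session_id"] == session_id and d["seq"] > after_seq]
    return sorted(docs, key=lambda d: d["seq"])[:size]


def iter_chunks(session_id: str, fetch: Fetcher, page_size: int) -> Iterator[dict]:
    """Page through the index so a long session is never held in memory whole."""
    after = -1
    while True:
        page = fetch(session_id, after, page_size)
        if not page:
            return
        yield from page
        after = page[-1]["seq"]


def reconstruct_session(session_id: str, out_dir: Path, fetch: Fetcher = fetch_page, page_size: int = 2) -> dict:
    """Rebuild <out_dir>/<session_id>/ from chunks; returns bytes written per file."""
    if not session_id or "/" in session_id or session_id in (".", ".."):
        raise ValueError(f"refusing to use {session_id!r} as a directory name")
    session_dir = out_dir / session_id
    session_dir.mkdir(parents=True)
    written = {}
    expected = 0
    for doc in iter_chunks(session_id, fetch, page_size):
        if doc["seq"] != expected:  # a missing chunk would silently shorten the replay
            raise ValueError(f"gap in session {session_id}: expected seq {expected}, got {doc['seq']}")
        expected += 1
        name = doc["file"]
        if name not in IOLOG_FILES:
            raise ValueError(f"refusing to write unexpected iolog file name {name!r}")
        payload = base64.b64decode(doc["data"])
        with open(session_dir / name, "ab" if name in written else "wb") as fh:
            fh.write(payload)
        written[name] = written.get(name, 0) + len(payload)
    if "log" not in written or "timing" not in written:
        raise ValueError(f"session {session_id} lacks the files sudoreplay needs")
    return written


def replay_command(session_dir: Path) -> List[str]:
    # Assumed: the installed sudoreplay accepts a path to an I/O log directory in
    # place of a numeric ID; confirm against `man sudoreplay` for the version in use.
    return ["sudoreplay", str(session_dir)]


def replay_session(session_id: str, out_dir: Path, fetch: Fetcher = fetch_page) -> None:
    reconstruct_session(session_id, out_dir, fetch)
    subprocess.run(replay_command(out_dir / session_id), check=True)


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    print(reconstruct_session("sess-0001", work))
    print(" ".join(replay_command(work / "sess-0001")))
```

Swapping `fetch_page` for a real client is a matter of issuing a `search` sorted on `seq` with `search_after` set to the last `seq` seen; the reconstruction and validation code does not change.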

Result

My final product was a backend agent which automates the 5-step manual process of replaying logs into a single step. The tool passed QA and User Acceptance Testing and is in production as of August 2019. My team presented my tool at the 2019 Annual Security Summit in Washington, DC.

At the end of my internship, I shared my work with CISO Sunil Seshadri and SVP Bill Shields, and it was warmly received.

Benefits

This backend tool streamlines the process of reviewing activity in servers. It takes <5 seconds to process one session which is a drastic improvement from the initial 5 minute manual effort. In the event of a malicious cyberattack, Cyber Investigations will use my tool to investigate hundreds of sessions in an efficient manner.

Taking the project one step further

During the final two weeks of my internship, I worked with a UX Engineer to develop a POC for a browser-based replay agent called SLARK, otherwise known as SUDO Log Alternative Replay Kit. This feature is a customization built on top of Kibana, the visualization dashboard for Elasticsearch, and will allow for a more intuitive user experience. The UI was built with Angular 5 and my replay agent as the backend.

04 - Secondary Project

I wrote scripts to remediate authorized keys for Access Management.

The Access Management team is responsible for removing SSH key authorizations. However, some of these authorizations are not successfully removed from the target servers, because file permissions were too restrictive or the user's password had expired, so UKM cannot log in as that user.

I enhanced the remediation scripts to handle failure scenarios by performing a synchronous call to the BladeLogic API in order to run the validation steps on target servers. This made the process of remediating authorized keys seamless for Access Management.
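As an added example of the remediation step itself (not the scripts or the BladeLogic integration described above), the following Python removes revoked keys from an `authorized_keys` file and reports, rather than swallows, the failure cases the passage mentions. Assumptions: revocations are given as OpenSSH `SHA256:` fingerprints, the file is rewritten atomically with its original mode, and the "validation step" is a re-read of the file after writing. The key blobs are constructed and syntactically valid but not real keys.

```python
import base64
import hashlib
import os
import struct
from pathlib import Path

# Key types OpenSSH accepts in authorized_keys (common subset).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _constructed_ed25519_blob(seed: int) -> str:
    """Constructed public key blob: correct layout, meaningless key material."""
    fake_point = hashlib.sha256(b"constructed-key-%d" % seed).digest()  # 32 bytes
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(fake_point)).decode()


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64 of the blob's digest)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Return (keytype, b64key) for a key line, else None (blank, comment, malformed).
    Options such as command="...",no-pty may precede the key type, so the key is
    located by its type token rather than by position."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            b64key = tokens[i + 1]
            try:
                blob = base64.b64decode(b64key, validate=True)
            except ValueError:
                return None
            # The blob embeds its own type string; require it to agree with the token.
            if not blob.startswith(_ssh_string(tok.encode())):
                return None
            return tok, b64key
    return None


def remediate_authorized_keys(path: Path, revoked: set) -> dict:
    """Drop every key whose fingerprint is in `revoked`; report what happened so
    a read or write failure (e.g. over-restrictive permissions) can be escalated."""
    report = {"removed": [], "kept": 0, "validated": False, "error": None}
    try:
        original = path.read_text()
        mode = path.stat().st_mode & 0o777
    except OSError as exc:  # PermissionError, FileNotFoundError, ...
        report["error"] = f"read failed: {exc}"
        return report
    kept_lines = []
    for line in original.splitlines(keepends=True):
        parsed = parse_line(line)
        if parsed is not None and fingerprint(parsed[1]) in revoked:
            report["removed"].append(fingerprint(parsed[1]))
            continue
        kept_lines.append(line)
        if parsed is not None:
            report["kept"] += 1
    if not report["removed"]:
        report["validated"] = True  # nothing to change, nothing to verify
        return report
    try:
        tmp = path.with_name(path.name + ".remediate.tmp")
        tmp.write_text("".join(kept_lines))
        os.chmod(tmp, mode)      # keep the original mode (sshd rejects loose modes)
        os.replace(tmp, path)    # atomic on POSIX: sshd never reads a half-written file
    except OSError as exc:
        report["error"] = f"write failed: {exc}"
        return report
    # Validation step: re-read and confirm that no revoked key survived.
    remaining = {fingerprint(p[1]) for p in map(parse_line, path.read_text().splitlines()) if p}
    report["validated"] = remaining.isdisjoint(revoked)
    return report


def write_sample(path: Path) -> dict:
    """Write a constructed authorized_keys file; returns fingerprints by label."""
    keys = {name: _constructed_ed25519_blob(i) for i, name in enumerate(["alice", "deploy", "bob"], 1)}
    lines = [
        "# constructed sample authorized_keys\n",
        f"ssh-ed25519 {keys['alice']} alice@laptop\n",
        "\n",
        f'command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {keys["deploy"]} deploy\n',
        f"ssh-ed25519 {keys['bob']} bob@desktop\n",
    ]
    path.write_text("".join(lines))
    os.chmod(path, 0o600)
    return {name: fingerprint(k) for name, k in keys.items()}


if __name__ == "__main__":
    import tempfile
    ak = Path(tempfile.mkdtemp()) / "authorized_keys"
    fps = write_sample(ak)
    print(remediate_authorized_keys(ak, {fps["bob"]}))
```

The report dictionary is what an orchestration layer would act on: an `error` means the host needs a privileged retry, and `validated: False` after a successful write means the file changed underneath the script and the run should be repeated rather than marked complete.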

05 - Peer Learning Initiative

Encouraging inter-team knowledge sharing within Cybersecurity.

I worked with a Director of Product to launch a peer learning initiative within my organization. The purpose is to create an environment where engineers and PMs share knowledge and help each other grow.

I led a workshop where I taught PMs how Python can be used to automate common tasks like data processing, manipulation, and visualization. The workshop was well-received and my organization has decided to expand this initiative to other teams.

06 - Reflections

It was an incredible experience to work alongside such passionate and supportive individuals.

My manager would constantly remind me that an internship is a give-and-take. As an intern, I brought a fresh perspective and worked on projects that have a direct impact on the company's security. Visa in return provided me with valuable mentorship, networking, and experience.

My internship overall taught me the value of cross-functional collaboration. I had to reach out to people across varying teams to learn about different products and processes, and get general feedback. I also spoke to people about their journeys to Visa and their current goals. In doing so, I was able to learn more about the company, the products, and the people. This allowed me to connect with my colleagues and truly become a part of the Security-IAM fam.

Moving to the Bay Area for 14 weeks was daunting, but I am grateful to have experienced the Silicon Valley tech culture. Visa's internship program brought me life-long friends from literally all over the world. I explored the highlights of San Francisco, marched in #SFPRIDE 2019, attempted to "hike", and road-tripped down PCH to Monterey and Big Sur with 13 RTC gals for the Fourth of July.

I cannot wait for more Boba Guys, hummus, and mission burritos when I return next summer.