Netflix has released a new security application that’s designed to give normal users detailed information about the security state of their various devices and help them remedy any issues, without going to IT or a help desk.
Stethoscope is a Web-based tool that the company says is part of its user-focused security ethos, and Netflix has released it as an open-source app on GitHub. The idea behind it is to help users avoid the simple, common errors that lead to many compromises, such as phishing attacks and malware infections. Rather than enforcing specific policies or rules, Stethoscope provides users with detailed guidance on issues such as software updates, encryption, and mobile device security.
“If we provide employees with focused, actionable information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement,” Jessy Kriss and Andrew White of Netflix’s information security team said in a post announcing the tool’s release.
“It’s important to us that people understand what simple steps they can take to improve the security state of their devices, because personal devices–which we don’t control–may very well be the first target of attack for phishing, malware, and other exploits. If they fall for a phishing attack on their personal laptop, that may be the first step in an attack on our systems here at Netflix.”
Stethoscope is implemented as a Web app that gathers information about the security state of each device, such as a laptop or mobile phone. The app gets user information from external data sources, such as authentication providers, which are implemented as plugins. Organizations can add their own services and provide alerts for users about events such as suspicious logins to an account or device. Many corporate security incidents have simple user mistakes at their root, which is why the Netflix engineers decided to focus Stethoscope on providing meaningful, easy-to-follow notices to users.
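To make the plugin-and-guidance model concrete, here is a small added example in Python (not Stethoscope's own code) that aggregates device records from hypothetical data-source plugins and turns failed checks into actionable advice; the `Device` fields, the plugins, and the sample records are all constructed for illustration.

```python
"""Added example, not Netflix's Stethoscope code: a minimal posture evaluator.
Hypothetical data-source plugins return Device records; each practice check
returns remediation advice for the user instead of enforcing a policy."""
from dataclasses import dataclass


@dataclass
class Device:
    owner: str              # user the device belongs to
    name: str               # device identifier
    disk_encrypted: bool    # full-disk encryption enabled
    screen_lock: bool       # screen lock / passcode enabled
    days_since_update: int  # age of the last OS/software update


# Constructed sample data standing in for an external inventory plugin.
def laptop_inventory_plugin():
    return [Device("alice", "alice-laptop", True, True, 3),
            Device("bob", "bob-laptop", False, True, 45)]


# A second constructed plugin, e.g. a mobile device management source.
def mdm_plugin():
    return [Device("bob", "bob-phone", True, False, 2)]


# Practices: (name, predicate that is True when compliant, advice to the user).
PRACTICES = [
    ("disk encryption", lambda d: d.disk_encrypted,
     "Turn on full-disk encryption so a lost device does not expose its data."),
    ("screen lock", lambda d: d.screen_lock,
     "Enable a screen lock with a passcode or password."),
    ("software updates", lambda d: d.days_since_update <= 30,
     "Install pending updates; devices over 30 days behind miss security fixes."),
]


def evaluate(device):
    """Return (practice, advice) pairs for every check the device fails."""
    return [(name, advice) for name, ok, advice in PRACTICES if not ok(device)]


def report(plugins, owner):
    """Gather `owner`'s devices from every plugin and map each to its findings."""
    findings = {}
    for plugin in plugins:
        for device in plugin():
            if device.owner == owner:
                findings[device.name] = evaluate(device)
    return findings


if __name__ == "__main__":
    for name, issues in report([laptop_inventory_plugin, mdm_plugin], "bob").items():
        print(name, "OK" if not issues else [advice for _, advice in issues])
```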
“The notion of “User Focused Security” acknowledges that attacks against corporate users (e.g., phishing, malware) are the primary mechanism leading to security incidents and data breaches, and it’s one of the core principles driving our approach to corporate information security. It’s also reflective of our philosophy that tools are only effective when they consider the true context of people’s work,” Kriss and White said.
Netflix has a history of releasing internally built security tools, including Security Monkey, a policy monitoring tool for Amazon AWS accounts, which it released several years ago.
Image: Jasleen Kaur, CC BY-SA license.