
I've been really missing. So, as Paul mentioned, my name is Adrian McAllister, and just to give you a bit of background around who I am and my background and experience in security: I've been working, now this is my 25th year, in IT, so a quarter of a century, so the grey hairs do represent the years of stress and experience in IT. 17 of those years have been predominantly focused on information security, and I work currently as part of TikTok's CSPO team, which is our Chief Security and Privacy Office team, based here in Dublin. So, my background is I spent sort of ten years working for Caterpillar
and I was a founding member of their C-CERT team. I then spent a few years working for AECOM and was helping build and mature their incident response capabilities. I then spent around about four and a half years at Salesforce, which moved me from Dublin. I'm sure, as the accent gives away, not local, originally from Belfast, so moved down to Dublin for the Salesforce role and worked there for four and a half years, helping them with all of their critical incidents and cybersecurity issues. I've been with TikTok now for the last nine months, and one of the things that really excited me about coming to work for the platform was, you know, the
company mission statement, which is to inspire creativity and bring joy, and, you know, being part of a team that helps protect the platform, which helps achieve that goal, was something that I was really, really interested in. So, the agenda for today: I'm going to go through some of the characters that we face against, how we prioritize security, defense in depth; I'm talking about our Dublin Fusion Center, something I'm incredibly excited to talk about, and share some of the challenges with COVID and how we've had to grow exponentially remotely, building teams and relationships all remotely without ever meeting anybody in person, which is extremely challenging when you're trying to build relationships; and then our path through to trust and
transparency. So, as I mentioned, the TikTok platform is to inspire creativity and bring joy, but anywhere on the internet that has something that's used for good, there's always going to be people out there looking to find ways to do bad stuff on that platform. So you can see that some of the things that we're up against are state-sponsored actors, going to have misinformation, disinformation, and the motivation is to try and gain some sort of narrative or sow discord with a subject matter; organized crime, you can have, you know, financial gain, people looking to make money from the platform and exploit sensitive information from our TikTok users; and then the terrorism;
and then the hackers, you know, people looking to get information that's about users and what we're doing, looking to spread malicious content on the platform as well, and causing damage to people as well. So, in order to help try and protect against all of those different threat actors, some of the things that we're doing here is prioritizing security based on a lot of our core principles. So it's obviously instilling a security culture to enable our people as the first line of defense, which is the same regardless of where you work: our people, our users, our employees are always our first line of defense. So we're building those strong foundations, having our security team comprised
of industry experts, you know, people with very long-tenured backgrounds and diverse experience in the private and public sector who have come along to try and help protect the platform and all of our users, and expanding our capabilities and reach globally. All of you, as I'm sure, have seen the exponential growth of TikTok and the platform, and with that we need to grow as well as a team, so we're expanding our footprint in Washington, Mountain View, Singapore and Dublin, Ireland, which has me here today. Now, Dublin is one of our regional centers of excellence for cyber. We are here, obviously, at a booth, actively hiring, and if you want to come
chat with me at the booth afterwards, you can see some of the exciting roles that we have that cover how we protect our users and the platform. And we're building a state-of-the-art monitor and response and investigative fusion center, and I will touch more on what the fusion centers are later on in the slides. It's something I'm incredibly excited and passionate about to be involved in, and I think it's pretty cool as well, some of the different threat factors that we see and issues cross-functional with different areas. And then enabling partnerships with world-leading cybersecurity firms; I'll touch in some of the later slides on some of the other
organizations that we're working with to help improve the security of the platform. And you can see that obviously we adhere to a lot of security standards like NIST CSF, ISO 2701, SOC 2 and all the usual industry standard controls that you'd expect. So, with anything, doing security well, you need to have defense in depth, and we use that for multiple layers of different methodologies, the first being on-platform defense. As I mentioned, we've got exponential growth; you know, there was a stat released last month where we had like a billion monthly active users, which is just a crazy scale of numbers and volumes that we're seeing on the platform of monthly
active users. So that's not a problem you can really have people throughout, so you have to have machine learning and automated monitoring tools to track anomalous and authentic behavior and take that content off the platform if it gets to the platform, or stop it reaching the platform before it ever gets uploaded to a TikTok video. And then, by design, we're building security integration into all of our tools and our development life cycles and everything that we produce. If you've been in any offices where you've seen the posters where it says quality and security is like a swimming pool, you can't add the water in
afterwards; so the same with security, you can't add that in afterwards. It needs to be integrated into the beginning of all the development and creation of all of the designs and products. Then, with platform controls, we use a methodology of over-the-horizon threat defense, so looking forward and trying to determine what threats are going to be effectiveness, and making sure we're building in all of the appropriate global for monitoring tools and processes the real deal of that. And then the other controls, to define and implement measure controls to protect data, including IAM, IDM; obviously that's a few examples. There's quite a large list of different controls that we use, but that's a few
ones. And then obviously user data: the hardened center of the defense-in-depth model focuses on protecting our user data. We want the platform to be a safe place where people feel they can be their own authentic self, produce content, produce videos and have fun on the platform, and we feel that people can do that best if they actually feel safe with the content that they're putting onto the platform. And a question I get asked a lot is, you know, where is your data stored, how is data going around the world and stuff like that. So one of the things at TikTok: we do a lean localization strategy on where we store data, so currently we have
data centers in the United States, data centers in Singapore, and we've also made the commitment on creating the data center in Dublin, Ireland. So, incredibly exciting to see the focus and investment in Ireland as well as wider Europe. So, as I mentioned, in Dublin we're building a fusion center, and the concept of a fusion center: a lot of folks, when I've said I'm working in the fusion center, I'm the fusion center lead, they're like, "You know, Adrian, what is this fusion center thing that you're talking about?" So the way I try and explain the fusion center, it's all-hazards incident management collaboration. So typically in organizations, and I am
going to be annoying and ask people to give me a show of hands, but how many times have you been involved in a security incident where it's been two or three weeks later and you only find out about the incident because somebody has just thought, "Well, maybe we should tell the security guys that this thing has happened"? Which is real. The fusion center, the whole idea and philosophy of that, is to bring all of the usual dispersed, siloed teams together in one room, and if you've watched the likes of CSI: Miami and you see the government rooms with the big video screens and, you know, the multi-departmental sort of capabilities,
that gives us that sort of same capability for our environment. So you can see all the different names of the different teams that we're going to have co-located in all of these fusion center rooms. So I could be working on an incident, or I could be just in the fusion center, and somebody could mention that there's a fire at a data center somewhere, or there's an earthquake in Japan, or there's an active shooter situation somewhere, and I'm going to be able to quickly know how that spans across all the different teams and groups and how to respond to all of those types of incidents to best protect our employees, our platform and our users. So
it's something I'm incredibly excited to be involved in and work in, and get to see the large, wide span of different incident types that occur. So you've got legal, privacy, data defense, you know, actual physical security, cybersecurity, cyber threat intelligence; you know, all of those teams are really actively, collaboratively working together now on a real common ground, and so it really makes the agility and ability to respond to incidents much more quick and effective. So, with the fusion center, our goal is to, you know, have that next-generation cyber threat monitor, and so we have that, as I mentioned, holistic, you know, all-hazards incident management perspective of all of our incidents.
We use the private and public cyber investigations and digital crimes groups and advancements on our platform threat discovery to protect our community, which, as I mentioned, really leads to more efficient operations. So our time to identify, time to contain, time to eradicate, time to recover is all greatly reduced because of our greater efficiencies of all working together in a much more collaborative way. And so, as I mentioned, our data centers, and you can see the alignment of the data centers on our regional centers of excellence. So with the fusion centers that we're building in Dublin, we also have those in DC and also in Singapore, and that allows us to operate at a 24/7 follow-the-sun
support model, so we can run incidents and issues throughout the day from Singapore to Dublin, back to DC, back to Singapore, back to Dublin, back to DC. So we've got that fluid operation of all of our incident management work through, you know, a 24/7 period. We're branding internally all of the fusion centers as Fuse, so that's what we call ourselves internally, as the Fuse team. And from early 2021 we've been building and making that capability, you know, into the real-world fusion centers where we have folks located and working to run incidents. And obviously, unless you've been living under a rock for the last few years, you
might have heard of this thing called COVID that's been kicking around, that caused a problem or two with meeting in person. So, like any type of, you know, cross-team, cross-functional thing, it's a lot of hearts and minds, of winning over people, relationship building, and doing all that type of thing remotely is incredibly challenging. Trying to build those relationships and those close partnerships with folks all on the other side of the screen is much more challenging. So that's one of the things that we've been extremely successful in doing, building all of those relationships amongst all of the different teams. So the XFN experience there, if you don't
know what the abbreviation is, it's cross-functional network. So we've built all of those relationships, as you've seen on one of the previous slides, of all of our different partner teams: legal, finance, you know, physical security, CTI, cyber threat, and we've been working tremendously closely together and building all of those relationships. And one of the other advantages is then we're all operating on a common operation model, so if something has a high severity incident in one team, that cross-correlates to what high severity is in another team; that's the same language of incidents, the same understanding of what's critical, what's high, what's medium, what's low, and it allows us to have that sort of rapid approach to be able to respond to
things in that commonality of being able to do things consistently across the board. As part of the fusion center, we've been doing a lot of great work on the forensics, doing dashboards, analytics, metrics, so you can also see what we're doing, see the metrics, drive improvement and understand how we can do things better. And, as I mentioned, you know, the hybrid approach: we're working with multi-function teams, R&D, legal, privacy, operations, trust and security internally, but as well, from a hybrid approach, we don't just work hybridly and cross-functionally internally, we also look out to the industry, our users and folks within the industry. So the screenshot you see here is a
little snippet from the TikTok app, where you can actually report a security vulnerability from the app, so it gives our user base, from the touch of their hands, the ability to make us aware of a security vulnerability. We also work with a lot of leading external parties to help verify and review code and applications, make sure everything is secure, and validate all of our controls or all of our technologies to make sure it's best in class for the industry. We're also incredibly proud to partner with HackerOne for a bug bounty program, so we can utilize external security researchers who can perform research on the platform and identify vulnerabilities before the bad guys do, which allows us to address and
remediate those. So we do a lot of cross-functional, internally and externally. One of the other things we heavily utilize is a perfect intelligence, and use it as a force multiplier. As I mentioned earlier, trying to do things in a manual, you know, human-centric process is extremely difficult and doesn't scale to the volume of data that we're working with. So we have a lot of anomalous activity detection where we can see things happening, we have advanced libraries that feed into our systems, converged intelligence, countermeasures, and then the security automation that reacts to all of those intel feeds that come in, and that allows us to leverage and make better business decisions to help protect the community.
So we have a foundation of security, and we're committed to earning the trust of our community. Like I mentioned earlier, you know, it's a platform to inspire creativity and bring joy, and we genuinely believe that people will do that in a place where they feel safe. So how do we make people feel safe? You know, making sure they have a quality product that we have, collaborating with security, law enforcement and privacy experts to protect our global community and making sure that the platform is safe, and empowering users with choice. So as a user of a platform you can choose if you want to be private, if you want to be public, how your data can be
viewed and seen by others, so making sure folks know how that can be done correctly so they'll have that choice of how they want their data to be seen on platform. Providing access to code and systems to validate security controls by third parties, so a lot of strong controls around access, validation, review, with transparency centers where we allow people to come and actually view our code and things like that to validate that it does what it says it does. And, as I mentioned, consistency with the wide range of cross-functional support teams and fusion centers: we're working across a wide base of different teams doing things consistently, same, you know, incident response language, so we can keep
the consistency of how we respond to incidents, but also keeping our users informed of updates and how we enhance security. So, as I mentioned, we offer a wide range of privacy and security settings that users can activate during the account setup or any time afterwards, so if you create a TikTok account, you want to be public, you want to share all of the information that you have, and then you later change your mind, you can go in and change that. We've run cybersecurity months where we've tried to do security awareness for the user base to make them aware of how to use the platform securely, as well as other ways they can enhance their own
security outside of the platform. So we've done that through in-app safety and security videos. We offer resources and tools for parents as well to better oversee their child's online experience, so as a parent you can feel a bit of assurance of knowing what your child is actually doing on platform. And we obviously, you know, frequently update our security and privacy help with tips and resources on how to use the platform securely. And, as I mentioned, inspire creativity, bring joy is the mission statement of the company, and keeping everybody safe, so the intent is we hope it can help inspire creativity and bring joy to
all of our users and the content that they create. So, just to finish: TikTok is focused on protecting our users, but that should hopefully have become clear from everything I've said, and scaling our global teams to try and match the scale of growth within the platform as well. So we've a global team of security experts that deliver best-in-class capabilities, and the importance of our work is that, you know, the job is never done; it's constant iterative improvement, of being better tomorrow than what we are today, better today than what we were yesterday. So that is the completion of my talk. I'm happy to take questions from anybody for the next three minutes.
Any questions, guys?
Yes, absolutely.

Thanks, Adrian, great talk. Content moderation: there are a lot of social media companies doing this, and a lot of social media companies struggling with what is a challenge to solve technically, and a lot of social media companies seem to throw eyes on glass at this problem, you know, and more content moderators. How does TikTok approach this problem? You know, is it something you need to scale to, or is there a technical solution that TikTok bring to bear on content promotion?

Yeah, so some of the things I mentioned in the chapter was, like, you know, that sort of leaning to machine learning and using
technology to do what technology does best, which is repeatable, continual, the process at crazy scale that people can't do, and then embed that with our cyber threat intelligence, our intel feeds and all of this sort of, you know, attribution of what we see. If it's like a mis- and disinformation type of campaign, they're collecting all of the indicators that are similar to that and then detect it before it gets to the platform even, and shut it off; if it does get onto the platform, get it taken down quickly for all of those detection mechanisms.
I just have a quick question on, like, say, digital forensics and the processing of imagery and video on your platform, how you're tackling that at the moment, you know, in terms of its increase of the content, you know.

Sorry, could you repeat the question? Didn't get to hear the start of it.

And so with digital forensics, you know, with the video and the imagery on the platform at the moment and the observation of images and such, are you looking at specific ways to tackle this problem right now?

Yeah, there's many different ways, like both automated and obviously manual review of seeing how different threat actors try and absolutely absolutely care our detection
methodologies. Obviously I can't go into some of the elaborate details of what threat actors are doing to try to circumnavigate that and how we're dealing with that, but we've absolutely seen, you know, campaigns and things where there's some of that that's been happening, and, you know, building the detections and processes to deal with that is something that we've done very successfully.

Cheers.

Interested in your experience hiring here in Ireland as you've been building out the team: do you think there is a gap or a shortage in the market, and if there is, sort of at what level, at what area, what have you seen of that?

Yes, so some of the statistics I've seen
around unemployment in cybersecurity: I think the last stat that I read was that we're minus four percent unemployment in security, so as an industry-wide, like globally, not even in Ireland, it's an issue the world over where there is a shortage of cyber skills. So some of the ways I've historically dealt with that is having intern programs, developing people, apprenticeship programs, coming to these types of conferences, building the contacts with folks, because, as many of you know, security folks have several layers of tin foil hats of paranoia, so they don't always be on social network platforms, so trying to find people on different social network platforms to find talent isn't really, you know, a scalable effort
either. So they'll find in the payment, coming to the conferences, going to different things like that has been very effective for me to find folks, but engaging with universities, trying to build and develop pipeline and stuff, I'm very passionate about, and trying to help drive and fill talent. But there definitely is a shortage of talent in the industry globally, not just Ireland.
Yep.
The question is about the map, about house divide that they, I think the data center before, it was for US, was all the world, in Indonesia was about only the Asia, the area east, like Japan, Hong Kong, this kind of country, and the China is not in, in need of that; some reason for threat modeling or is a business reason to have a debt division?

Yeah, so the data storage is in Singapore and DC currently, and we've made the commitment to store it in our data in Dublin as well with the creation of a data center. It's really just that's no focus at echoes on where we're having
our regional centers of excellence, so our cyber rep center of excellence for us is DC, Singapore for APAC and Dublin for, so it just really models where we're focusing all of our people and resources.

Because China was not in nader in the

Yeah, that's correct. TikTok doesn't operate in China. You can't download the app or use the app. We don't store data in China, there's no data sent to China, it's all stored in the U.S.

Is enough to use it in China?

Correct, yeah, yeah, you can't use the TikTok app. There's no data sent to China or stored in China, it's all stored separately, so TikTok is all outside of China,
rest of world, and so it's, you know, U.S., Singapore and shortly Dublin as well.

Okay, thanks.