Protecting Mercari from Cyberattacks! The Security Team Discusses Who Makes A Good Candidate for the New CSIRT/SOC #WorkWithMercari
Hello! This is @asai from the Talent Acquisition Team at Mercari!
Do you ever feel like you want more information than just the requirements listed in the job description? In the #WorkWithMercari series, we interview teams who are currently hiring, and ask more to find out just what kind of person they’re looking for!
Today, we’re introducing two teams (the Security and Privacy Planning Office and Security Engineering team). Both teams work together on building the security program at the Mercari Group. Together these two teams are establishing a new CSIRT/SOC team, to develop and operate the company’s monitoring systems, and establish and improve systems for incident response.
We sat down with members of both teams (@simon.giroux, @rung, and @json from the Security Engineering team, and @ushijima from the Security and Privacy Planning Office) to get a better idea of what kind of person they’re looking for to join the CSIRT/SOC, and to get a glimpse of what it would be like to work with them!
Hisaharu Ushijima (@ushijima): Manager of the Security and Privacy Planning Office. Previously a financial project manager at a major IT vendor and a systems specialist at a government office, he joined Merpay in September 2018. His specialties lie in system risk and cybersecurity management, and audit. Currently, his focus is on improving the incident response and privacy management systems of the Mercari Group.
Simon Giroux (@simon.giroux): Manager of the Security Engineering Team. He has been working in security since he left university, doing penetration testing, computer forensic investigations, deployment, auditing, and monitoring. He joined Mercari in March 2018, and has been working to protect Mercari’s infrastructure and customers against cyberattacks since. As a manager, his objective is to support his team members in reaching their career goals as well as addressing Mercari’s priorities for security.
Hiroki Suezawa (@rung): A member of the Security Engineering Team. He loves nothing more than a good cup of tea. He previously worked for a major security vendor in Japan and joined Mercari in February 2019. His favorite programming language is Go, and he has recently been focused on infrastructure security and improving monitoring. He dabbles in malware analysis. Find him on Twitter at @rung.
Jason Fernandes (@json): A member of the Security Engineering Team. He joined Mercari in May 2018 and originally worked as an interpreter for the Security Team, learning the ins and outs of cybersecurity and development before officially joining the team as a technical project manager. He has driven many security projects including Mercari’s Security Champion Program and also does some development in Go. This quarter he’s focused on building out new functionality on Mercari’s SOAR (Security Orchestration, Automation and Response) system in Go.
Tell me more about Mercari’s Security Engineering Team
-At Mercari, the Security Team is part of the corporate division, supporting Mercari Japan, Merpay and Mercari US. The wider team is split into smaller teams, each focusing on a particular domain of security: Security Management, Product Security, Security and Privacy Planning, and Security Engineering. We’re looking for candidates for a new CSIRT/SOC which will initially be jointly managed by both the Security Engineering Team and Security and Privacy Planning Office.
-So what is the Security Engineering Team like?
@simon: Our team was created about a year ago with the goal of taking a comprehensive overview of security from the technical side. We are a diverse and multicultural group, with backgrounds in cloud infrastructure, coding, penetration testing, risk analysis, and forensics.
@simon: For instance, @rung is trained in writing code for automation, and has a lot of knowledge in infrastructure security such as container security. @json started out as an interpreter for the Security Team, then joined the Security Engineering Team officially last year. He’s now leading many projects as a project manager. He’s a jack of all trades and a communications expert who contributes to various different projects. Other members have backgrounds as backend engineers, SREs, and as specialists in cloud infrastructure like AWS and GCP too.
-What kind of work do you do exactly?
@rung: We work to augment Mercari’s security across various different domains.
・ Strengthening security measures for infrastructure on the production environment
・ Strengthening security measures for internal IT systems
・ Monitoring logs and developing monitoring systems
・ Doing technical root-cause analysis in the event of a security incident, etc.
@rung: We work together with a lot of other teams to provide consultation on how they can secure their systems. We even carry out controlled attacks on our own systems to identify security issues and remediate them in a timely manner.
-You attack your own systems?
@rung: That’s right. Mercari as with all online services is a target for cyberattacks. We conduct controlled attacks on our own systems so we can identify vulnerabilities and remediate them early. If we find a problem, we can bring it to the relevant teams to get it patched immediately.
Of course, that’s not our only job. We work on many different projects, and one that we can talk about, which is particularly relevant to the SOC monitoring position we’re hiring for, is the phishing detection system we built. Not only does the system detect attacks, we’ve been able to build it to the point of automating the investigation and response process too. We worked together very closely with the Security and Privacy Planning Office on this project, especially in building out our incident response process.
Creating a new team under Security Engineering and the Security and Privacy Planning Office
-So tell me more about the Security and Privacy Planning Office managed by @ushijima.
@ushijima: As @rung mentioned, we have been working on phishing incident handling, and were able to talk directly with browser vendors to develop an automated system that can quickly detect and shut down access to phishing sites.
When it comes to phishing attacks, it’s very important that we lower the risk of our customers accidentally accessing these malicious sites, by getting the sites taken down as soon as possible. We work closely with the Customer Support (CS) team and the Security Engineering Team to systematize and automate this kind of incident response.
@rung: That’s right. In addition to the efforts @ushijima already mentioned, we also take insights from inside and outside the company, looking at how these kinds of attacks are handled overseas, and reading up on the latest academic papers on them, as well as consulting with browser vendors directly to ensure we can build an effective automated response system. We hope to keep building on the system like this to get our automated response speed even faster.
@ushijima: Mercari is still growing as a service, and this growth is accompanied by all sorts of risks. As our system grows it is inevitable that more attackers will see us as a target.
We have been working closely with compliance, public policy, PR, and upper management to handle risks and incidents as they emerge. We even conducted in-house incident response training and created manuals and procedures to make sure we can be confident that the systems we have in place work in action.
However, attackers are using ever more sophisticated means, and the growth of our services continues to make us a bigger target. As such, we need to build an organization that is always ready to respond to whatever may happen. Upper management sees this as a priority too, and that is why we are now looking for highly skilled professionals we can count on to monitor and handle incidents, as well as enhance our systems as part of a new team.
@ushijima: At Mercari, the Security Team is under the Management Strategy Office in the corporate division, supporting Mercari JP, Merpay, and Mercari US. The SVP of Strategy, Shuji Kawano (@shuji), is the lead of the security team. Thanks to our place in the organization, we are able to work very closely with upper management and we benefit from an eagle eye view of the company.
@rung: If something comes up, we can immediately contact @shuji, CTOs, and other executives on Slack as necessary. It’s great that even as the organization continues to grow larger we can get a response from upper management so swiftly! I think Mercari’s Slack culture is a huge factor in this rapid response.
@ushijima: We are currently working remotely, but when an incident arises, we are still able to hold online meetings together and discuss how to respond. We also have a process to hold regular “check-in” meetings, which executives join too, allowing us to take prompt and decisive action.
@simon: As everyone mentioned, we have good communications in place. However, one area we would like to continue building on is our resources and team structure for more in-depth investigation. As @ushijima said, as long as Mercari’s services continue to grow, the scope of our monitoring will continue to expand, and we need a scalable structure in place to handle this.
@json: The Security Engineering team is responsible for building out our in-house SOAR (Security Orchestration, Automation and Response) system, which is built to monitor logs and automate alerting and response. In reality, there are a lot of systems we need to monitor, and we really need more specialists who can work on building detection systems and proactively respond to them in real time.
@json: Up until now the responsibility for this has fallen mostly to the Security Engineering Team, but as the scale of the company has grown and systems have become more complex, we are now in need of establishing a dedicated team for these tasks. That is our vision for the CSIRT/SOC. We’re looking for people who will not only do monitoring, but thrive at diving into challenging problems, searching for the root-cause, and using technology to automate their solutions for scalable response.
Looking for more than just monitoring for the SOC
-Tell us more about what kind of person the new CSIRT/SOC Team is looking for!
＜SOC work responsibilities (excerpt from the job description)＞
・ Monitoring security events and responding to security incidents (log aggregation, investigation, analysis, reporting, etc.)
・ Building on Mercari’s log analysis platform, improving monitoring rules, and automating security operations through further developing Mercari’s in-house SOAR system
@rung: We want someone who loves automation and diving into logs; someone who is highly skilled at that kind of analysis. The new SOC will work hand-in-hand with the Security Engineering Team, and that is why we are looking for people who have coding experience as well.
The focus of our SOAR system is on automation and response. In general, people might think of SOC work as simply reviewing logs and responding manually to alerts. But at Mercari, automation and proactive response is key. We want to limit what we have to do manually by automating as much as possible. That’s what makes Mercari’s SOC position unique. We would very much like to work with someone who enjoys the challenge of thinking about how to automate the investigation and response for potential incidents, and is able to push such solutions through development to implementation.
@json: We’re looking for people who go beyond basic security operations, and people who look for fundamental solutions for problems. We want people who can see the big picture and fix things at the root cause.
-What kind of tasks do you think someone in this position will be assigned to after joining the company?
@rung: At Mercari, we are currently improving our EDR (endpoint detection and response) and monitoring systems, and as a result we have a vast amount of data logged on the cloud, but our systems still need a lot of improvement. Someone joining the SOC would likely work together with us on improving our monitoring rules for these systems at first.
@simon: We’re in an environment where we can test the latest technology, including things like AI, which allows us to test some very advanced measures in creating rules and solutions!
@rung: As we mentioned before, the SOC job involves a lot of technical work, and we expect a high level of technical skill from SOC candidates, so applicants who aren’t passionate about technology and automation probably wouldn’t be a good fit.
@simon: That’s right. Our team is looking for people who have the drive to come up with and execute technical solutions to handle and respond to incidents. It’s probably not a position for anyone who isn’t up for taking on technical challenges like this.
Want an eagle-eye view? Then the CSIRT position is for you
-Please tell us about the CSIRT position.
＜CSIRT work responsibilities (excerpt from the job description)＞
・ Ensuring the smooth operations of Mercari’s incident response, and proactively making improvements to the process
・ Cooperating across departments to drive security incidents to resolution (containment, recovery, post-mortem activities, etc.)
・ Documenting incident handling processes, and ingraining processes into practice by conducting incident response training
・ Conducting threat intelligence and collaborating with external parties and experts
@ushijima: For the CSIRT, we are looking for a specialist who can scale up our incident response systems.
When an incident occurs, we often have to collaborate with external organizations and agencies to bring incidents to remediation. We also have to communicate directly with upper management a lot. Mercari is a diverse organization, with international teams working together to handle incidents. If you enjoy the idea of communicating in that kind of environment then the job is definitely for you.
-Enjoy the idea of high-pressure communication?
@ushijima: By this I mean someone who is curious and likes to ask questions might be a good fit. Mercari uses the latest technologies, and it’s important to stay caught up on them. We are at the pinnacle of groundbreaking new businesses, with interesting attack vectors and risks inherent within them, so if the idea of handling these kinds of complex challenges appeals to you, you’ll definitely enjoy working here.
The CSIRT position also gives you an eagle-eye view of the organization, where you can be involved in many different areas of the business. If that sounds exciting to you, then you’ll definitely enjoy it! You’ll get to work closely with upper management and have to take an approach that takes business impact into account to make tough calls on difficult decisions. That’s why a high level of communication skill is key for the kind of person we are looking for.
-How much incident response experience are you looking for?
@ushijima: I think those with an engineering background likely already have some kind of experience with system and/or security incidents.
Because we deal with high-stakes incidents that have a real impact on the industry, it would be great if applicants had experience in responding to large-scale incidents. Having said that, it’s not a requirement. We hope to work with someone who is brimming with curiosity, is interested in both the business and security side of things, and enjoys working with both.
We are looking for self-starters. I feel that a more passive person would not do well here, nor would someone whose field of interest is very limited, as we have to deal with many different contexts. We need someone who can respond effectively to incidents, shows a curious and analytic approach to problem solving, and can easily communicate with a diverse set of stakeholders to get things done.
I would also not recommend this job to anyone who doesn’t like getting their hands dirty, or anyone who wants to limit their field of work. I say this because when incidents occur, we expect even the CSIRT, and not just the SOC, to take part in log analysis etc. as needed. We need all hands on deck and someone who can take the initiative to solve problems swiftly and effectively on their own.
I myself often do initial investigation when incidents occur and carry out simple queries to support the security engineering team in investigations. You don’t have to be able to make complex queries but you should be proactive in diving into investigations. We have an open environment for log analysis so it’s easy to get stuck in if you have a can-do attitude!
@json: I guess for both teams we are looking for someone flexible who doesn’t have stubborn preconceptions on how things “should” be done. We work in a diverse environment, and there are many people with many different opinions on what to do. We want someone who is open to discussion, who listens to others, who can bring new ideas to the table, and who can take the lead to push forward constructive discussions on how to proceed.
The best part of the team is getting to work with the latest tech!
-The topic of technology has come up a lot during this interview and I feel like that’s one of the most interesting parts of the CSIRT/SOC position. Tell us more!
@rung: We use GitHub to manage our code, make use of many interesting CI/CD tools, use cloud environments managed with infrastructure as code, and make use of Kubernetes for container development and operation, etc. There is a lot of interesting tech to get your hands on at Mercari.
@json: What’s great about our environment is that if you find something that you think can be automated, or that you can build a solution for, it’s easy to get started and create a solution yourself. For the SOAR system we have in place, it is super easy to develop new functionality. It’s possible to create many small solutions in a matter of minutes with simple automation using Cloud Functions and other serverless technologies, etc. For me in particular, I appreciate that I have a team of highly skilled professionals around me who can peer review my code and help improve my work.
-What can candidates look forward to for the CSIRT position?
@ushijima: Cross-team communication is an essential part of the CSIRT and definitely one of the bonuses. We communicate closely with other teams and organizations, and get to work on many high-profile issues. As a result, we get to see trends in security for the industry as a whole. Being a part of the latest technology trends is a huge perk of the job. Mercari and Merpay are cutting-edge services in Japan, and in this kind of business, a big-picture approach to handling incidents is required. Someone with the ability to drive projects to completion and a solid understanding of the underlying technology and business side will find this a fun and interesting job.
People depend on our team whenever there is an incident and we get to work closely with product development teams, compliance, PR, public policy, etc. This wide range of communication gives us a high level of presence across the whole company.
The security team is one of the most diverse teams at Mercari, and we have many members from overseas. Even though Mercari is a Japanese company, we have a global environment, and while there are times working across different languages can be tough, there is a lot to gain and a great sense of fulfillment from working in such an environment.
Our message for candidates considering applying
-Any last words you would like to leave anyone interested in applying?
@simon: Mercari is truly a unique company. The Security Team is a cross-functional, multicultural, and result-driven team. Due to our collective wide expertise, we get involved with production as well as corporate functions for Japan and the US market. If applied security, security as code, automation, and solving complex problems are things you like to work on, joining the Security Team will definitely be challenging.
@ushijima: Whether it’s our services, the technology we use, the talented individuals in our team, the support we get from the executives, or our work environment, you won’t be able to experience any of these exciting things at any other company. If that sounds exciting to you, we look forward to your application!
@rung: Our company is made up of a wide range of specialists, both inside and outside the security team. If you ever have questions, our work environment makes it easy to reach out and talk to software engineers on the front line, and it is a great way to learn. If you are interested, we will be more than happy to talk to you more about our company, so please don’t hesitate to reach out!
@json: If you are interested in working with the latest technology, setting your own direction, and being able to make a real difference through impactful automation, then Mercari is a great place to work. The Security Team is a diverse team of great people who are wonderful to work with. If you want to build new skills and tackle big challenges in an inclusive environment, come join us!
If you’re interested in becoming a security engineer at Mercari we look forward to hearing from you!