Case study

Riot Games adopts Tracebit to help protect more than 180 million active monthly players
Riot Games' deployment of Tracebit across the vast technology ecosystem that supports hundreds of millions of users.
Business summary
Highlights
- Fully automated canary orchestration across vast AWS footprint that supports Riot Games’ more than 180 million active players monthly
- 2/2 separate 3rd Party Red Team exercises detected by Tracebit Canaries
- Integration with SIEM and SOAR minimizes time to respond to Tracebit alerts
- Minimal disruption across entire Riot Games Engineering team

"As our environment evolves and attacker behavior and knowledge evolves it’s important that we stay ahead of the game, which is why we’re excited to partner with Tracebit on even more advanced canaries as they build them out."

Chris Hymes
Chief Information Security Officer
The Challenge
The Information Security (InfoSec) team at Riot Games is responsible for protecting, against regular, active attacks, the vast technology ecosystem that is essential to the company’s mission of creating world-class gaming experiences for hundreds of millions.
The team had seen significant value in ‘deception’ approaches in their on-premise systems and were exploring opportunities to enable a solution in their cloud environments and elsewhere. Internally, time had been allocated to the deployment of decoys or canaries across their wider ecosystem.
The AWS environment, which provides a wide range of support to Riot’s infrastructure, was identified as a high priority target for these canaries, but given the vast scale and disparate nature of the environment, the complexity of scaling canaries was considered very high.
The Solution
The Riot team met Tracebit early on in the development of the Tracebit platform whilst considering their strategy for the upcoming year.
The pitch was simple - automation that leveraged Terraform and read-only API access could quickly and easily bring coverage across the entire AWS footprint without any manual work. The canaries would be deployed automatically and would blend in, despite the disparate nature of the environments.
Given the scale, the Riot team had naturally already invested in automation of cloud provisioning for the production pipelines, providing a perfect integration for Tracebit.
As the Tracebit platform continued to develop, a variety of ‘no brainer’ options became available that the team was able to leverage to quickly level up their detections with minimal effort, including Canary Credentials on Workstations, Servers and Containers, and Identity.
Significant time savings with rollout across Riot Games’ AWS infrastructure
“We had the in-house skills and knowledge to deploy canaries ourselves, but when we considered the effort across all of our environments we estimated it could easily take a year full time to be production ready. With Tracebit we only spent an order of weeks of engineering hours to gain full coverage.”
Kevin Conley, Staff Security Engineer, Riot Games
The project began with a focus on Riot’s vast AWS environment with a goal of 100% coverage across Riot's hundreds of AWS accounts with Tracebit Canary Infrastructure. Due to the level of automation provided by Tracebit, the vast majority of this project was able to be run by a single individual on the Riot team.
The initial rollout focused on manual deployment of Tracebit into some accounts of medium level criticality and volume to prove out the integration and derisk the deployment.
Once this was verified, the team integrated Tracebit into the internal cloud account factory system and made use of Tracebit’s auto on-boarding feature, which allowed them to roll out in batches of tens and then hundreds, scaling quickly and with minimal effort.
Minimal impact on large Engineering Organization
“Security is here to enable the business, not create obstacles, so naturally a key part of our success criteria was not disrupting our engineering teams. I’m happy to say that the Tracebit deployment delivered on this goal.”
Pasquale Cipollone, Security Engineer, Riot Games
As expected, there were some initial concerns raised surrounding the AWS canary deployment. A significant number of AWS resources would be created that were designed to deceive attackers. It was possible that these could affect employees as well.
The approach here was to begin with a gradual rollout to assuage concerns, and targeted communication around the plans to anticipate any potential kick back. This pragmatic approach proved to be successful - there have been relatively few legitimate interactions and limited concerns flagged by AWS users.
Tracebit detections have proven the value
“While we believe that canaries are an integral part of our security posture, we felt it was important to validate our assumptions with external testing. Since our successful deployment, we’ve engaged two separate third party red teams to simulate attacks in our environment. In both cases Tracebit was able to detect them, most recently they detected them at the beginning of their engagement!”
Kevin Conley, Staff Security Engineer, Riot Games
The primary reason for the deployment of Tracebit was to extend existing strategies for detecting unauthorized behaviours. Since deployment, this goal has been met and value above and beyond existing approaches has been shown. In addition, Tracebit has been successful in detecting 2 of 2 red team exercises that have been executed in environments in which it was present. The Tracebit platform offers additional stealth features that give the Riot team confidence that future attempts at evasion will present challenges.
Further Investment
“As our environment evolves and attacker behavior and knowledge evolves it’s important that we stay ahead of the game, which is why we’re excited to partner with Tracebit on even more advanced canaries as they build them out.”
Chris Hymes, Chief Information Security Officer, Riot Games
Tracebit has been fully functional for some time now and has been well integrated into Riot Games’ Security Operations team’s workflows, leveraging Tracebit Alert integrations for SIEM and SOAR automation.
Tracebit has delivered on the promise of a canary platform that is lightweight, quick to set up and low noise, with a low total cost of ownership. New Tracebit features and modules - including Canary Credentials and Identity Canaries - often stand out as ‘no-brainers’ for the team at Riot, which continues to be an excited early adopter of the latest canary technologies from Tracebit.