Dropbox’s open-source Slack bot spots suspicious activity and chats with employees about it

About a year ago, Dropbox built a bot to respond to suspicious activity, and today that bot is being made available to anyone interested in using the bot or making their own version.

Named Securitybot, the bot chats with Dropbox employees inside Slack after suspicious activity is detected on their computer, email, or when they’re attempting to access sensitive parts of Dropbox servers. The employee is asked for an explanation of the activity in Slack, then an additional push notification is sent to their mobile device for authentication.

A bot that questions why an employee shut down antivirus software or logged in from IP addresses in very different parts of the world has saved Dropbox time and money, Luke Faraone of the Dropbox infrastructure team told VentureBeat in a phone interview.

“In the first six months since we’ve deployed it, we’ve found that it decreased the time spent on worker review and user reach-out by about 15 percent,” Faraone said. “It helps us greatly reduce the rate of false positives that have to involve the security team, and rather than spending their time repeatedly reaching out, our security engineers now have more time to focus on other projects and focus on improving our overall infrastructure security posture.”

Securitybot was also made to reduce what Faraone referred to as “alert fatigue.” Monitoring systems used before Securitybot sent too many notifications, a condition that can lead to security incidents being overlooked or ignored.

The bot is also used to reinforce positive security culture within companies. “If each time an employee tries to kill his antivirus, Mark gets pinged by that and has to respond, maybe he might not do it as often,” he said.

The scale Dropbox works at requires it to think beyond security as a checkbox-driven, compliance-oriented, blocking function that always says no.

A heavy-handed security team that always says no doesn’t work at a company the size of Dropbox or any modern tech company, Dropbox head of trust and security Mark Crosbie told VentureBeat in a phone interview, because at the end of the day, progress is slowed and engineers will just find ways to work around the security team.

“We can build very high-friction ways of doing security, we can really force people to jump through hoops, but what Securitybot is doing is it’s giving us the sweet spot we think we need between rapid alert handling and time to resolve alerts,” Crosbie said.

The initial idea to create Securitybot came from a post on the Slack blog Several People Are Typing, Crosbie said.

“That turned the lightbulb on in our heads and we began to explore what this would look like inside Dropbox and how we could take it and do it ourselves and that’s sort of what led us to do this,” Crosbie said.

Dropbox is a member of Talk Openly Develop Openly, or TODO, a consortium committed to supporting open-source projects. Member companies includes Google, Facebook, and Microsoft.

Dropbox is the second TODO company to share an open-source bot this month.

Earlier this month, Netflix released an open-source bot for the management of GitHub repositories.