🎂 Making Email Links Safer to Click on (Area 1)
Presented by: João Sousa Botto, Tim Obezuk
Originally aired on July 24, 2023 @ 9:30 PM - 10:00 PM EDT
Join Cloudflare Group Product Manager João Sousa Botto and Product Manager Tim Obezuk to learn more about how to click on links safely.
Read the blog post:
Visit the Birthday Week Hub for every announcement and CFTV episode — check back all week for more!
English
Birthday Week
Transcript
Today by everyone. Welcome back to Cloudflare TV and to Birthday Week.
It's how 12th birthday, would you believe it or not?
We hope everyone has been enjoying the announcements we've been making during this week and we're super excited to talk to you today about two products within our email security and zero trust suites that we're making even better by bringing them together.
I'm your host. I'm the product manager for Browser Isolation.
And today I'm joined by João Sousa Botto, our product manager for email.
How are you doing, João?
Hey everyone, doing well.
Thanks, Tim.
Thanks.
Great. So, today we opened the beta for email link Isolation with everyone.
Everyone is our product to protect and secure email from phishing attacks, which and a lot more which we'll get into in a moment.
And the email link Isolation beta is a mechanism to protect risky clicks within emails so users can safely interact with emails without potentially being compromised by a phishing attack.
So before we dive into the solution, I first want to talk with you a bit about the problems most organizations are facing today, protecting themselves from email phishing campaigns.
You mind giving us an overview of these challenges?
Yeah, of course.
Well, companies want to stay safe.
They want to stay steer clear of cyber attacks.
Very few of them do successfully.
It's it's part of the business nowadays.
And the curious thing is that, according to Deloitte's research, about 91% of all cyber attacks around the world, they start with a phishing email.
And it's and for phishing, it's always a cat and mouse game like you're constantly chasing after the new attack vectors that the attackers come up with and they're being smarter and smarter like we have the most powerful email solutions out there.
One of the most powerful email solutions with Cloudflare area one area one is an email security solution.
It's a company that we've acquired about six months ago and that we have been using as a customer for, I don't know, maybe a couple of years before that.
So the biggest problem is that when you're doing email security at one point as you're processing emails, you need to classify them as positives or negatives.
Is it malware?
Is it not malware?
Is it a benign email?
And so as you're navigating that threshold, it's most of the times or the vast majority of the times.
To be honest, it's not binary, It's not this is definitely malicious or this is definitely benign.
It's somewhere there. Like we have very fancy machine learning models.
Cloudflare Area one does something that is incredibly innovative, that is it crawls the web just like Google has their crawlers to feed the search engine.
Cloudflare Area One has a crawler that goes around the web and tries to figure out infrastructure, see infrastructure that is built to serve malware even before that infrastructure is actually ready and weaponized.
And so we have all of that knowledge.
But still, when emails are going through, there are some of them that you can't really identify as malign.
I can give you some examples, some of which I put on the blog post.
Sometimes people attackers, what they do is they either set up a website and put some sort of goods in.
They do everything to make it look legitimate.
And then after a week, after two weeks, after a few days, they just weaponize it.
They send out an email.
Well, everything is legit.
As I mentioned, it's a legitimate website, it's a business or it's representing something.
It feels legit in every single way.
But then when the email with a link to it lands on a user's inbox, it's weaponized.
So that's really, really hard for an email security system to catch other things are the crawlers, like the one that I mentioned?
There are certain parts of the web that they can't go to.
There's infrastructure that is owned by cloud providers that simply should not be crawled because it's it's mostly used for internal company consumption.
But most things like imagine that you put something on a I don't know your Dropbox, your Google drive, anything like those are not being indexed, those are not being crawled, those are not being checked for safety.
And still you can put anything that you want there.
And so as the links go through, how do we know if they're safe or not?
I think that's the that's the biggest problem.
It's like.
People are asked to click on emails. There's an unsubscribe button If you receive an email that you don't like.
You click the unsubscribe button.
How do you know what's behind that unsubscribe button?
You don't even know what's what's there.
Most people don't.
Don't look into it. Or if you receive an email that looks legit, that looks like coming from, I don't know, your email provider that is asking you to click if you want to keep the same password that you've always had.
Well, is that legitimate?
Is that not legitimate?
And again.
Email security in a traditional sense can only go thus far. And so what we use is we use layers and that's where Zero Trust comes in.
That's what makes it so powerful.
Yeah, absolutely.
I think the point you just made about potentially like a Google Drive I think is a great example that links which crawlers typically would be able to crawl because it's sent directly to that recipient and it's from a very trusted, reputable website.
There's just no.
Way to.
Break it open as an outsider, as an outsider running a bot or a scraper.
Yeah, that's true.
So you've had quite some experience here at Cloudflare.
You run the Browser Isolation team that essentially tackles that same issue, but from a different angle, right?
When someone types in a URL protecting people from what may be behind that URL.
So why don't you tell us what you've done on your side, what the Browser Isolation team has built so far, that is that really makes this game changing.
Yeah, absolutely.
So Browser Isolation is a secure sandbox for browsing internet, one of the browsers of one of the most interesting pieces of software we run on our machines.
We use them for everything.
We access sensitive data, we use it for our email as well.
But they're also these engines that can run untrusted code from any connected network on the Internet.
And I think if you if you look back at the early days of the Internet, we thought Web browsers would be just document fields way of transmitting academic papers.
But then JavaScript came along and thousands of other web technologies have been built into browsers.
So they've become incredibly sophisticated pieces of software.
And when SAS came along, we were trusting these browsers to protect our most sensitive data within the business.
So this conflict between running untrusted code and running all of our sensitive app apps inside browsers puts businesses in a in a tricky situation where they want to enable users to connect to the Internet as much as possible to be productive, but also need need the tools to control that browsing experience to make sure that the user isn't at risk of malware within the web page.
Targeting an unpatched browser or any data potentially being exfiltrated onto an untrusted device.
So with Browser Isolation, what we've built is full featured chromium based browsers running at the edge of Cloudflare network and we stream vector based information to the user inside a bit more in a moment.
But this high level model of setting a remote browser provides a way of sandboxing execution of untrusted code like JavaScript.
So the user is protected.
It also protects the user from any.
It also practices it from any East West movement from the browser.
Since the remote browser is in an isolated network as well.
Remember, browser technologies are really interesting and there's been a few mechanisms, so how they've been implemented in the past and that is true.
Page scrubbing techniques, which means scrubbing the code for malicious code and filtering it.
So it's a safe website. However, these are fairly fragile and can potentially lead to compatibility issues or the worst case scenarios letting an undetected threat through to the local browser.
The effort is pixel pushing based solutions like live video streaming, which we're all doing here on.
So even even though we're talking right now, there's some latency between us and our audience that's listening to us today.
Web browsers are an experience which we've always used locally, so we used to zero latency and it's experiences.
But when you make it remote there is that roundtrip latency.
So having a pixel pushing based solution adds latency and heavy bandwidth requirements to your browsing experience.
And at Cloudflare, we always believe that performance doesn't mean security doesn't mean sacrificing performance.
So our approach for vector based solution has been to rather than record Remote Browser Isolation videos, send vector instructions.
These are things like draw squiggly lines or box or shape.
Combine enough of these instructions.
You actually get a full featured web page and the experience for the end user is just like a local browser.
Thanks to hosting it on our global network and keeping it close to the user.
So the roundtrip latency is very low.
That's so smart.
That's so smart.
So the Cloudflare Edge network is within 50 milliseconds of 95% of the Internet connected population.
So everyone is super close to that.
The latency is virtually unnoticeable.
50 milliseconds.
It's like a quarter of what it takes to blink your eyes. So.
So that's nothing. And in addition to that, you're eliminating all the pixel pushing and instead you're just sending the draw commands that would have been rendered into cloud somewhere.
You just pick up those draw commands and you send them locally so that you so that you draw that in your local browser.
Yeah.
And to get to how this fits in with, with area one, the solution is essentially rewriting links in people's emails.
So when a user clicks a link in their email, either in their corporate workstation or on their mobile device, it's redirected over to a page to warn the user that they might potentially be going to the right or wrong place and should they want to interact with it, they're then loaded straight into a remote browser.
So with that technology, we're able to make sure that their experience within the site is both controlled and just like a local browser.
So if it's a legitimate website and they have and they want to use it, their experiences and isn't degraded by using a remote browser, it's also controlled since because we control all the execution of the web page, we're able to control how to use it, can interact with that site as well.
And this is great from the Zero Trust perspective.
Since we can control user input to prevent credential harvesting, we can prevent file uploads and downloads and soon with the integration into the connection into the Zero Trust platform.
That will mean things like connections to DLP and Caspi, which is our data loss prevention platform and cloud access service broker so that we can inspect any actions users are performing and prevent them from uploading a list of credit card numbers.
If they if they've been tricked into sharing some information they thought would have been with a vendor or a procurement team or something like that.
Yeah.
Yeah. We're really proud to be bringing you all this Zero Trust build solution, because that's the problem with most Zero Trust solutions.
And they're like different pieces from different organizations.
People just build their security in layers but from different vendors and they don't always work together.
And here you have two pieces of Zero Trust of Cloudflare Zero Trust Specifically, you have email security again powered by Area one, and on the other side you have Browser Isolation.
And the whole system working together is what makes this really, really shine.
And I think that there's an additional part of the Cloudflare that comes into play here that is, that is super important to mention.
That is, which links do we rewrite?
And so the thing is when you're doing email security, if you have chosen to deploy area one in mind, which means that area one filters the emails before they're delivered to the to the employees inboxes.
The other method, by the way, is via API.
That is well, they hit the employees inboxes and then you check them whether it's safe or not.
When you have deployed, it's in line. What we do is we are already inspecting those emails and making sure that those emails are safe.
We're taking this additional step to do to mark some links as suspicious.
And how do we feed?
How do we know if a link is suspicious?
There's multiple ways.
One of them is our DNS resolver.
It's Cloudflare.
So DNS resolver, Cloudflare Processes. I think it's something to the tune of 1.5 trillion requests every day.
And so it's a lot.
It's a lot.
We see pretty much requests for every site on the Web, every single day.
And so by processing all of that, we know which websites are also brand new. Like what are the domains that people are checking today or that are checking at this time, at this very minute that they have never seen before, that no one has seen before, that no one has accessed before.
And so we grab those and we put them in a suspicious link because, well, they're new enough that they haven't built a reputation, even if they have the sstl set up and if even if they have everything configured as a legitimate website, there's still two new to be trusted.
And so we put those domains into suspicious link.
And you can see already that a lot of those will be legit and there will be legitimate websites.
So we don't want all of those to be blocked or we don't want to be blocking a vast majority of those emails or marketing them to spam or suspicious.
No, that would be too hard.
Then it would cause users to lose to miss on important information, important communications to them.
And so what we do is we go through this link rewriting and give them a safer option to still open those links.
But it's not limited to newly seen domains.
This is also using other Cloudflare indicators that we have.
So for instance, for the Gateway, the Cloudflare Gateway, that controls Internet access for so many companies and that prevents users from going to websites that would otherwise not be safe.
And so or that may be suspicious.
And we also use that information and we use information that comes from a lot of additional data sources within Cloudflare.
Not only do we do that at this point, not only do we grab this list of suspicious domains and we rewrite them and we can be we can be really aggressive at be writing, to be honest, because we rewrite the links the user has virtually no most users don't even notice that it's running on an isolated browser in the cloud.
Right.
And the experience is just like their local browser. And so we can be really aggressive at rewriting a lot of these domains whenever we have whenever we have doubts about it.
And the thing is, users are protected.
Users are protected against, against these by the two mechanisms that you talked about, the speedbump that they see first saying, are you sure you really want to go to this website?
It's something a bit suspicious.
And then if they choose to go to that website, they do so in an isolated browser that's that prevents zero day exploits and malware and downloads unintended downloads with malware like all of that and JavaScript.
So I think this is really neat.
Cool.
I'm glad. I'm glad you think that. Cool.
So we've been running this in my Cloudflare has been running this production for us, so for some time.
Would you mind.
About a month?
Yeah.
Would you mind giving us an overview of some of the stats? And I know you mentioned we can be extremely aggressive rewriting links, but I don't want to discount the just how good the initial intelligence of Area one is before it gets to that point of rewriting a link.
So let's know a bit about the numbers of what we've seen running it for ourselves.
Yeah.
Shameless plug here, by the way. So.
Area one of the reason why a lot of customers buy area one and some of them biased in conjunction with our competitors.
They already have one of our competitors and they get area one in is because we have such a low number of false positives but also low number of false negatives, meaning false positives again, are the situations where we find something that's that we think is malware.
And so we block that email from being delivered when in reality it's not.
So we have very low number of those, but we also have a very low number or lower than competition of false negatives, meaning emails or emails that go through that are indeed malicious.
But, but we didn't identify them as such.
So slug is over.
Now.
Let's talk about what we've what we've done internally. So internally what we see is that for the entire Cloudflare Company, because this is deployed company wide for the entire Cloudflare Company, that is about 3000 employees, a little over 3000 employees.
We see about 100,000 links being rewritten every week for emails.
That area one has actually already identified as spam or malicious.
Why do we rewrite those as well?
Well, we rewrite spam and malicious emails because someone may release them from quarantine because they may be a false positive again and they may be delivered back to the users.
And so for those reasons, we go to the extra length of even rewriting those.
In addition to that, what we do is we also rewrite on things that we call bulk.
And bulk are emails like their marketing campaigns that you've opted in typically.
So if you opt into those, those are delivered to your mail clients.
And for us we see about 2500, so 2500 of those a week.
And then there's the emails that we consider benign.
And I'm putting air quotes here because while they may or may not be benign, but we didn't identify anything that would that would make us consider those emails as being as being malicious and that would warrant us or to quarantine those emails.
And so out of those 1000 and it's 1000 emails a week. So it's it's already a low number of things.
That's so this is the lend on a user's inbox, right.
Yes.
So this is like the 1% of emails where you don't have enough intel to make a decision to clearly block it.
And as the trade off between blocking it and potentially not delivering an important email to a user and or.
Blocking it and not working it in the wrong thing, landing in the user's inbox.
Yeah.
Yeah, exactly. Exactly.
Because out of those 99%, 99.9 99 are completely benign emails, but it only takes one to compromise your company.
So we're being extra aggressive.
And so out of those 1000, we see people clicking on the links that have been rewritten.
And the end result is that only about 25 people per week or 25 clicks per week end up going into this remote Browser Isolation session.
Only 25% of those clicks end up going and being in that in-depth environment and seeing the link that they that they were clicking on.
So that's a very low number and but I'm still so glad that it's that low number is opening in Browser Isolation because that really keeps our users protected.
Yeah. Zero fishing.
Successful fishing campaigns, as far as we can tell so far.
Yeah.
Yeah, that's awesome. Cool.
I had a question for you quickly. So which is if I'm someone who is interested in trying this, but I already have email security or I don't want to.
Am I able to try area one without changing my current email security provider like?
Absolutely.
Absolutely. Well, one thing that we pride ourselves on is that we usually can deploy area one security and have it working, actually protecting you in 5 minutes.
I've never seen a deployment take longer than one hour.
So area one security was born as cloud native and it's super, super easy to deploy.
We also have something that we call a phishing risk assessment that anyone can request on the Cloudflare area one website.
And if you request a phishing risk assessment, what you get is 30 days of full use at no cost of the entire product.
You can see the product working end to end and again, you can choose to put it in line, which allows you to do things like email link isolation, or you can choose to put it as an API, and check it maybe after your other security vendor has already done so.
So that's definitely available to you whether you're already a customer of Cloudflare or not.
Yeah.
Email the isolation. Oh go ahead and say I could see the API option will be useful for retroactively scanning emails that were delivered previously and rewriting their links.
So unfortunately, email rewriting like you can't change the body of the email after it has already been delivered.
And so email link isolation like link rewriting for us or for any other security provider link isolation only works if you're in line.
So if the emails are going through you before they reach the people, the companies inboxes.
Yeah, that makes sense.
Cool.
And let's once I have area one running in line with my email provider with my email service, what is the lift to integrate Browser Isolation with this?
Just so I'll cover from Browser Isolation perspective.
There's no hardware to deploy.
It's all transparent to the user.
You just enable the product and you're able to use automatically connected to the closest data center and have the experience from the area.
One product side, what's involved with enabling Browser Isolation.
Five clicks.
So again, we're I'm using the number five here lot. But it is actually true.
So deploying area one in line takes about 5 minutes, same as deploying it through an API.
You have it protecting your system automatically and then it's an option in settings.
Once you're in the beta that we're starting today, it's an option in settings where you just enable email link isolation and you get exactly the same settings that we have been using internally.
So there's no additional knobs and tweaks that you may want to do.
You get those if you if you go through browser isolation through the through the Zero Trust.
But for this service, specifically email link isolation, you get exactly the same settings that have served Cloudflare so well.
Cool.
Well, that's that's really exciting. I think now would be a good time for us to wrap up.
Anything else you want to talk about?
Yeah.
Yeah.
I just want to add one last thing. That is the suspicious.
The suspicious domain list isn't actually static.
So not only this is something that we're updating pretty much in real time based on the data that we see through the resolver and through other components.
But also it's something that we're constantly checking and validating internally.
And so what happens is if we've rewritten a link and we thought that that link was suspicious, you click on that link and by default it will open that interstitial page that I told you.
That kind of says that it's that it might be dangerous and warns the user not to enter passwords or PII but and then leads you to Browser Isolation.
But if we notice that one of those websites, one of those domains has turned maligned, we change that interstitial and we don't even give them the option to open in Browser Isolation.
So we just tell the user, this is a website that is out of bounds.
Like you can't go here.
It's it's something that we've identified as malign.
And similarly, if we find that a website has been has been proven enough and that is actually benign, we will also toggle it to start opening in your local browser.
So no more interstitial page, no more scaring your user, saying that you shouldn't go to this website if we know that this is something that is actually that is actually common and that is legitimate, then you won't see those anymore.
And the same link without changing anything to the link, it just opens in your local browser.
Yeah, that's a really good point.
Cool.
Well, it's been a fun chat. I've really enjoyed building this building this product with you, and I'm super excited to continue working on it and iterating to make it even better with more features.
So everyone thinks of joining us today. Today we're covering email link isolation and which is the integration between area one and Browser Isolation Zero Trust from my browsing service.
This is such a great way to protect users from phishing campaigns and deferred threats.
So if you're interested in participating in debate or trying Area 1, please go to our website Area 1, or go to our blog.
We have a website blog on our website titled Click Here Safely, Automagical Browser Isolation for Potential Email links.
And it's awesome how often the word magic comes up in Cloudflare product names.
So everyone, thank you for joining us today.
Birthday Week isn't over.
We're ending on Thursday and I know we've had some very exciting updates today about Yubico and hardware keys, so please stay tuned to Cloudflare TV to watch that segment later today and to continue following our blog for more exciting announcement announcements during our 12th birthday.
Thank you for being here.
Bye. Bye.
80.
