🎂 Securing more of the Internet with Cloudflare
Presented by: Chris Draper, Radwa Radwan, Zhiyuan Zheng
Originally aired on September 24 @ 12:00 PM - 12:30 PM EDT
Welcome to Cloudflare Birthday Week 2024!
2024 marks Cloudflare’s 14th birthday, and each day this week we will we announce new things that further our mission — to help build a better Internet.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog post:
Visit the Birthday Week Hub for every announcement and CFTV episode — check back all week for more!
English
Birthday Week
Transcript (Beta)
Hey everyone, thank you so much for joining us today. I'm super excited about Birthday Week where Cloudflare is releasing a bunch of network security and website security tools and products to our customers for free.
I think about 20% of all Internet connections interact with Cloudflare's network in one way or another.
And as a result of that, Cloudflare is a big responsibility to make sure that we're making the Internet a better place and that it's more secure.
I'm joined here by Radwa and Zhiyuan to talk about how Cloudflare is both securing websites and networks for everyone and making those products easier to use.
And I'll give Radwa a chance to introduce herself.
Thank you so much, Chris. My name is Radwa Radwan.
I am a product manager at the application security area, specifically within the WAF.
And I will be talking today about two exciting announcements, security analytics for everyone in Cloudflare and also leak the credential checks or detection to catch or be able to detect account takeover attacks as well.
Zhiyuan, would you like to introduce yourself? Of course. Thank you, Radwa.
Hello, everyone. My name is Zhiyuan, product manager at Cloudflare and I've been at Cloudflare for just more than three years.
Very exciting time ahead. I will today be talking about a page that we extend to the free plans.
I'll explain how you can use it and what you can expect from when we expand usage more.
So very exciting today.
And I'll hand it back to Chris to talk about first Cloudflare one. Awesome.
Yeah. And like I said, my name is Chris Draper. I'm also a product manager at Cloudflare.
In particular, I'm focused on analytics and troubleshooting within Cloudflare one, which is kind of a great way into one of the segments of this big how Cloudflare secures the Internet announcement that we're kind of diving into.
And so for everyone that might be new to the platform, Cloudflare one is a way for everyone to secure their networks, whether that's a home network, a home lab environment or an enterprise network.
Cloudflare one is a great way to make sure that you can secure the traffic, the applications, the cloud environments, whatever it may be that is actually connected to your network.
And what this actually is, is an SSE or a SASE platform, which stands for Secure Access Service Edge.
And there are lots of different individual products within the Cloudflare one platform that solve for different use cases.
Some examples of those products might be things that you all have heard of and are really familiar with, like access and gateway, data loss prevention and email security are all kind of included in this overall package.
And I think we're really excited about the announcement today because it's really about all of the free features that you can use within these different products to secure your network.
I have a question about this, Chris.
Well, I myself have been using Cloudflare one for my home network for quite some time now.
So how can customers use the free version of Cloudflare one better to secure the home network specifically?
Yeah. So the free version of Cloudflare one includes access to our gateway product.
And the whole idea of our gateway product is that customers can send all of their outbound Internet traffic through gateway and then apply policies on top of that traffic.
And some of the really cool things that you can do with Cloudflare one is actually combine different products together.
So I think a classic example that maybe lots of parents have encountered is maybe their kids are playing video games online and there is a store and sometimes your kids may get a hold of your credit card number and purchase way more things on that virtual store than you would have expected.
Well, Cloudflare one actually gives you a way to make sure that you can secure sensitive information that might be going through your network and actually prevent that sensitive information from being sent out to the public Internet.
So a great example would be, let's say that there's a video game store with a specific URL.
You can actually set up a policy in gateway to say, hey, if you ever see a credit card number going to this specific URL from a device on my network, make sure that you block that credit card number from going through.
And so that's just like one quick example of some of the cool things that you can do when you use products like gateway and data loss prevention together to better secure your home network.
Way to go.
Thanks, Chris. Another question here that might come up to many of our audiences, how can professionals use the free version of Cloudflare one to learn more about Zero Trust and network security in general?
Yeah, that's a great question. I think Cloudflare is really big on education and making sure that everyone has a good understanding of what it means to introduce Zero Trust into a network, what it means to provide like different network security tools.
And I think the free version of Cloudflare one, which is like a big part of the announcement that's going out today is really around how do we get people to be able to use our products for free to better understand how they work and to configure them themselves.
I know a lot of like IT administrators, IT professionals, network professionals typically have like a home lab where they will set up like different products and applications and then test them out.
Maybe you'll have like test email accounts, test cloud accounts, SaaS integrations, whatever it might be.
And so I think a huge advantage of this new like Cloudflare one free plan is just the ability for professionals to be able to set up our products on their own network and test them out, which I'm also super excited about.
That sounds awesome and very exciting to hear about that when it gets launched actually within birthday week this week.
Yeah, absolutely. And I think Radwa, there are some cool announcements that you want to talk about around like security analytics and like leaked credential detection.
I'd love to hear a little bit more about that. Yes, I actually have two exciting announcements to talk about today.
The first one is security analytics, which is originally intended to be presented by Jen Sells and her team.
They worked really hard on this feature, but unfortunately she couldn't be here today.
So I will be talking about that. So security analytics is a view which we have as of now given to our customers specifically on business plan and enterprise plan.
But now this specific week, we decided to give this as a birthday gift, of course, to everyone who is using Cloudflare.
So basically it will be available to our free customers and pro customers as well.
Well, security analytics is a great view and it's very useful for different reasons.
First, it gives you an overview about the entirety of HTTP traffic that you have going through your application.
And it also shows you some insights like top statistics, like maybe top IPs or the top users who usually access your application, which makes it easy for you to also secure or have an idea about the fingerprints, about the attacks or different detections that go through your account.
So this is the first announcement that we have here.
Exciting news. Everyone will have this visibility now, which is always empowering.
That sounds like an amazing announcement, Radwa.
I'm super excited about it. And I'm so glad that we are including this to all of our free customers and giving them access to it this birthday week.
Could you also tell us a little bit more about leaked credential detection?
I'm sure that there are a lot of free customers that are going to be really interested in this feature.
Yes, definitely. So let me first tell you what leaked credential detection does for customers, which is preventing or at least highlighting what could be like credential stuffing or account takeover attempts happening on your web application.
So account takeover in general is a type of fraud where an unauthorized person tries to gain access to a user's account.
And we have some leaked usernames and passwords which are out there in the wild as we speak.
And these credentials, sometimes attackers use them to launch credential stuffing attacks where they create bots and these bots try to access random emails and passwords, which has been leaked previously in the past.
So in order to prevent or provide some sort of detection or prevention to this problem, we are providing a feature called leaked credential checks, which means if someone is trying to access Cloudflare or any web application hosted on Cloudflare or proxied by Cloudflare, we will be able to detect these leaked credentials and highlight them to the owner of the web application so that they can take action based on that.
That's very exciting. So if you can, can you share a little bit more about how it actually works behind the scenes?
Yeah, definitely. So the first announcement which I spoke about, which is security analytics, is very linked to leaked credential checks.
So security analytics is about showing the detections and leaked credential is a detection.
So in return, all customers, starting from free customers or free users up to big enterprises, will now see the leaked credential detection on their security analytics.
There you will be able to see if you have any leaked passwords happening on your web application.
And based on that, you can take what Cloudflare actually does is comparing this to our leaked passwords database, which consists of Cloudflare collected database and also Have I Been Banned Service database leaked passwords, which is very awesome.
Like we have a very big comprehensive database as of now.
And then we flag these requests where customers can take any action that they would like to accommodate these kinds of attacks.
Cool. So with this information, with the visualizations, what are the kind of common questions, common actions that the customer can take on the leaked credentials?
So there are, I would say, two very common actions which customers can take.
The first one is rate limiting. If I see a specific IP, maybe trying many leaked credential attempts on my web application, I would like to take an action on this specific IP.
The other very common way is if someone is trying to log in with a leaked password, maybe I can redirect them to a reset your password flow or maybe two factor authentication flow or any other way so that I can verify that this is a legitimate user who is just using a used password and is not an attacker.
So all of these actions are valid and you can actually do them or take these actions through our rate limiting in the WAF.
And also you can create custom rules if you would like to do so.
And you can use transfer rules to add the header and send it to your origin where you can build whatever flow you would like to build.
So we have all of these actions and they are all available to all our customers.
Very exciting. And combining what Chris shared about the Cloudflare 1 as well as what Rado just talked about, leak credential check, I can already have a use case in my mind.
I do have a Homelab and I do host many of the services behind Cloudflare connected to Cloudflare's network using Autonomous and many other services under Cloudflare 1.
And now I will be able to see if I do use any password that has been leaked.
And even though I do randomly generate per service, but you never know.
So the visibility is definitely great. And that's a wonderful use case.
I'll definitely test out after the call. So now I will talk about the last exciting announcement about PageShield.
We also extend it for free. So briefly about how PageShield works and what it actually is.
PageShield is a product that Cloudflare started to develop more than three years ago in response to the increasing client-side attacks.
And what does that mean? Many of the web applications nowadays are hosted as a website.
So many of the functionalities of websites do take actions in the client environment, mostly in the browser.
So imagine now you are watching the video in the browser environment, and there are so many functionalities that are powered by JavaScript.
And because of this power, some of the JavaScript might turn malicious.
And that's the most commonly known as the supply chain attack in the client-side environment.
So some months ago, we have already seen the Polyfill that changed the ownership.
Polyfill.io specifically changed ownership.
And the owner of the Polyfill.io started to inject malicious content into Polyfill, which is actually a very widely commonly used library to power many of the legacy browsers.
With that particular response, we built a very quick rewrite action offered to all our customers.
But that also keeps us thinking about, should we extend what PageShield can detect in terms of JavaScript usage to all the users, including users on the free plan?
And that's basically what we offer now during birthday week.
After the announcement, free user, you'll be able to log into Cloudflare dashboard, enable PageShield, and PageShield will start collecting JavaScript running on your website.
And you'll be able to have visibility of what actual JavaScript dependency your website is actually using.
I have a question. What would be the way for using PageShield as a free plan user?
That's a super good question. So we have learned at Cloudflare over the past years is that visibility is the key.
And that's what Rana will talk about.
We offer security analytics now also to the free plan users. We are doing exactly the same with PageShield.
By looking at the visibility, by looking at the data collected, you will already be able to answer the question that many of our users wanted to know back when the polyfill.io got compromised, is that, is my website using a particular dependency?
And now with the data collected, you will be very easily using a filter and then get a question answered.
Am I using a certain dependency?
Because there are so many out there and there might be trends of dependencies used by the application.
Visibility is what we believe will help you take a long way to secure your application.
Awesome. And I totally agree. Visibility is definitely a key point just across Cloudflare in general.
I think the other thing that customers think a lot about is website performance, especially when they're putting Cloudflare in front of your network.
For all of the free customers out there, do they need to be worried about PageShield slowing down their website?
Very good question, Chris. I get being asked about this question quite a lot.
The answer, very shortly, is no. Behind the scenes, PageShield utilizes a web standard, a standard header called content security policy.
So it is a header that has been implemented already over decades in all the browsers.
Browsers have a way to be able to send back reports to us asynchronously while having no impact at all to the website.
And that's why we want to offer PageShield to all the customers as Cloudflare do proxy many of the websites.
Feel free to use PageShield to collect information while having no impact on your site with the visibility that you get that is running off your dependencies.
So, right. That's the announcement that I want to talk about and share a little bit inside of how things actually work at Cloudflare.
This is just the second day of birthday week and birthday week at Cloudflare, as all the innovation week, spent the entire week with exciting announcements.
So do pay attention, do look out for the upcoming announcement in the coming three days of birthday week.
And we are turning 14 years this year.
And do keep an eye out for the announcement of blog.Cloudflare.com. Thank you very much.
Thanks, everyone.