ℹ️ CIO Week: Introducing Cloudflare Security Center
Presented by: Malavika Balachandran Tadeusz , Dan Gould
Originally aired on December 9, 2021 @ 10:30 AM - 11:00 AM CST
In this CIO Week segment, Malavika and Dan will take a deep dive into the products and features we launched today.
Read the blog post: Introducing Cloudflare Security Center
Visit the CIO Week Hub for every announcement and CFTV episode — check back all week for more!
English
CIO Week
Transcript (Beta)
Hello everyone. Thanks so much for joining Cloudflare TV.
I am Malavika Balachandran.
I'm a product manager for the threat intelligence team at Cloudflare and I'm going to hand it off to my colleague Dan to tell us more about today's segment.
Yeah.
Hey, everybody, great to have you here. Super excited to be here.
Another amazing segment during CIO Week.
So much to announce, but today we're actually going to be talking about something that we're making available to all of our customers.
The Cloudflare Security Center, super exciting stuff.
And we've really been thinking about this, building this for a while now, and we're excited to finally roll it out today.
So there's a lot to cover.
This should be really awesome.
So I'm glad to be here.
Awesome.
Thanks so much. So with that, shall we get started?
Yeah, let's let's dive in.
So does it make sense to start from the top?
What are we unveiling today with Security Center?
Yeah, so Security Center really started with the prompt of how can we make an attack service actionable and accessible to everyone.
And so that's that's really what we're launching today with Security Center.
We wanted to bring together really we already at Cloudflare have a broad suite of security services.
We have security expertise, whether it's the security analysts and the product engineers on the team, as well as our own security team bringing that security expertise.
And we also see so much Internet traffic. We want to use that Internet intelligence and be able to allow our customers to make use of that.
So we wanted to bring all those things together and create security center, which is a single place for our customers to map their attack, surface review, potential security risks and threats to your organization, and then mitigate these threats.
Address these threats in just a few clicks.
Super exciting stuff.
And really what's compelling this is something one of the reasons I really enjoy working at Cloudflare is we're making this available for everybody today.
Right?
And so all of our paying customers and I think all of our customers will get access to this.
So I think you mentioned this and this is really important to underscore where people can go in day in, activate, turn it on and really start understanding their security posture and really looking for just maybe misconfigurations risks and take care of them right away.
So that's actually what's particularly exciting is we're making it not only actionable but accessible for everybody.
So maybe it makes sense just to make sure we all sort of set off from the same point to talk about attack surfaces, just what they are.
You know, this is still you.
We can talk a little bit later just about the sort of, I guess, space that's building around attackers management, for starters.
You know, I think of the attack surface and look to sort of run this past to sort of the entire IT footprint, if you will, of an organization.
And by and large, you know, for starters, many of the assets that are exposed to the internet, right.
If it's domains or application servers, you name it. And so is that is that how you look at it to.
Yeah, that's exactly how I think of it.
I think of it as sort of really just all of the devices, servers, applications anywhere that you have like IT infrastructure and it's accessible from the public internet.
I think that's the big thing. Unless you're probably in the military where like everything is truly air gapped, you probably have some sort of exposure to whatever asset it is to the Internet.
And indeed, it turns out there are bad people in the world who actually are keeping their eyes very closely peeled as to what organizations have exposed to the Internet to see where there might be a way in, where there might be a vulnerability that can be that can be taken advantage of.
Which brings us to the need for, quote unquote, attack surface management.
Right.
You've got a lot exposed to the Internet. It's vital that you understand what you have exposed any problems there, which really, I think is sort of the rationale behind what we're doing.
Yeah.
In fact, actually it was I think it was just a few weeks ago, right around Thanksgiving time, that the Google Threat Intelligence Group there had put out a report that something like 50% of compromised cloud resources were then in turn used to then scan other people's resources to find vulnerabilities.
So that's like I mean, it is it is such a big thing that people are doing is like looking for exposed your exposed infrastructure.
We credentials like that is just something that I think attackers are doing today.
And as soon as they find vulnerable resources, they then turn around and weaponize them and do the same thing to find more.
So I think that's it's certainly, I think a top of mind concern for a lot of IT teams.
Totally, totally, totally.
You know, we think about this and it's a really important problem and it's good it's getting more attention.
And, you know, I'm kind of, you know, when building this product and bringing this to market, we've spoken to a lot of security organizations as to sort of how they're thinking about this also.
And I wanted to touch on that a little bit.
For starters, this notion of attack, surface management like.
By and large, for the organizations you've spoken to, how do they tend to do this today or stay on top of this risk?
Yeah, I think it's I think one of the biggest challenges about attack surface management is it also means a lot of things.
And so a lot of companies have done is they've built sort of a combination of internal tooling.
They might have gone out and had, you know, purchased different software.
There are software vendors who specialize in this space.
And so there's I mean, there have been a lot of like internal efforts, whether it's using other software or building your own tools.
But it's just really hard because I think I mean, it just takes a lot of work to inventory your assets.
And one of the I think kind of going to that, maybe I'll steal your thunder.
One of the things kind of speaking to customers that came up is we already have a lot of their assets.
We might not have all of your assets, but we have a lot of them.
And like, wouldn't it be great if you didn't have to do any work?
And it could just like we can inventory your assets, we can tell you what all you have exposed to the Internet.
And that's kind of really to be honest, a lot of it came from customers asking us like, can you do this too?
We would love for you to do this, too, because whatever solutions we have today just are there are too much to manage.
And because there's so much to manage, we don't really understand our attack footprint.
And, you know, the way we've thought about this is, you know, rather than teams having to devote real resources in an ongoing basis.
Right.
This is an ongoing risk. Right.
So this is not a one and done sort of thing that what your risk profile looks like.
One week is very different the following week. Right.
And unfortunately, security teams are you know, they have their colleagues who might be pushing new things, buy new applications, etc..
So this is like changing.
And what we've been able to do is make this as simple as people go into their dash and they click start scan.
Right?
I mean, it's that easy. It is.
It's it's literally that easy. And I think, you know, if you and the more that you have on Cloudflare, the easier it is for us to help you understand and uncover your attack surface.
I mean just exactly to that point it teams spin up like new resources all the time.
A lot of our customers, too, don't even realize that they've got old resources still hanging out and need to decommission them.
And so I think just being able to and just being able to scan and see everything that you have, whether it's on Cloudflare and some of the features that we'll be looking forward to in the future.
If you're using Cloudflare Gateway and we're able to actually see your Internet traffic both from the reverse proxy side and the forward proxy side, we have a really comprehensive view of what your organization like all the assets that your organization has, and that really provides us with, I think, a treasure trove of your data that we can then turn around and give back to you so that you can understand and manage all of the places that you have.
Potential security.
Risks.
I love that. I love that.
And one note is, you know, you mentioned so teams have to either do this manually or they can turn to another product, right.
To, and I don't want to malign anybody or any products, right, in the service management space, but it is very much sort of coming together.
There are lots of startups, lots of money being infused. I think we've seen very big vendors acquire companies for hundreds of millions.
Like it is a space that's coming together. Now, to get your arms around your security posture is the best ask is not to rhetorically, but we won't answer it.
Deploying another tool.
In order to help you understand your tax search, you have to manage another tool, which almost in a way increases your tax surface.
And what's more.
So I saw last week a former colleague who now heads up SEs at an attack service management company.
They closed a round of funding for six figures. $100 million.
That's real money, right?
Even by Silicon Valley standards, that's real money.
And, you know, that's great.
They're a great product.
But at the same token. When does cost become an issue where it just becomes prohibitively expensive?
And unless you're the largest companies with the deepest pockets, the tax surface management is sort of out of reach, which is almost unfair.
And those are the types of things I think about which make me excited about what we're doing is it's easy and it's included.
Sorry, that's a bit of a long winded rant about the status quo, but I feel like we're doing something a little bit different.
It is, I think a lot of a lot of what exists out there in attack surface management kind of you either have I mean scan the barriers to entry and scanning are really low and so there's a lot of folks building scanners.
But like, what do you do with all the output?
It's it's hard to make sense of all of it.
And it's not always actionable.
And I think at the other end of the spectrum, you've got really sophisticated threat intelligence startups.
But if you scratch under the surface, a lot of it's really sophisticated.
I mean, it's very expensive and there's a lot of sophisticated professional services that are also being sold alongside that.
And I think what I think most teams are probably somewhere in the middle.
Like they want something actionable.
They want something where they can identify and triage the most important threats.
But the reality is like I mean there is a lot in your attack surface that on say you have a team of even say 20 security people and that's a pretty healthy sized security team like you still have to make those decisions of what are you going to prioritize and what are you going to focus on and where are you going to spend your IT budget?
And just as you said, like there's a lot of security tools out there and you've got to and there's so many, so many needs now just again, across that entire attack surface, like how do you manage software supply risk and like expose things like account takeover and credential theft and all of that?
Like it's just so expansive and so being able to to consolidate vendors, consolidate cost is, is a huge help for our customers.
Yeah, indeed.
So I was just thinking, you know, maybe it'd be interesting to talk about some of the specific risks that come up that are reflected in Cloudflare Security Center, because I know these are really important and there's a reason why we have them in their organization should be aware of these types of risks.
And some things that we've spoken about in the past that I felt would be worthy is thinking about things like dangling domains for starters.
Right.
That is something we think a lot about. And I'm not sure if people quite realize what that is and why it's just risky and needs to be dealt with.
Yeah, I think actually one of one of the easiest things to do is create a cloud resource and it's actually really easy and you know, get a website set up and Cloudflare has made it remarkably easy.
You spin up your kind of say, I want to create a website, I can go register it, register a domain name.
I can go get like a server on Digital Ocean or Google Cloud or AWS and very quickly set up a website that's working.
And then very quickly, I can also shut down that website and I do it all the time.
I think we all do it all the time. Same with same with using all kinds of SAS services.
And we always set up these services we might set up, we might register a domain name, we point it to that service and a domain name is registered usually on like an annual or an every few years basis cloud resources.
You can spin up and shut down an hours.
And so that time differential, I think between when you buy and purchase a domain name and when you buy and purchase the resource that those domains are pointing to often lead folks to create DNS records, point it to an IP, shut down the IP, but then forget to shut to delete those DNS records.
And so what I mean, I've certainly done this many times creating dangling DNS records, but it's something we see actually really commonly across all of our customers.
And it's actually probably one of the you know, where we started was what are some of the like most fundamental problems that some of our Cloudflare customers have.
DNS is really one of the first products that Cloudflare launched. How do we help customers make the most out of Cloudflare?
And this is actually such a small such a small configuration, but can have really serious repercussions for our customers if they're having these dangling DNS records.
And so let me let me just make sure I'm hearing this right.
So, you know, you spin up a resource, right?
It's all set up publicly available.
Sometimes you'll take down that resource.
The domain will stay in place.
And at that point, that domain could be exploited in point people to a malicious resource, a new malicious resource substituted for your formerly legitimate resource that's been taken down since.
Exactly.
I did this once where I had I'd created a website and I put it on digital ocean and I forgot to delete the like I had the in my quad or I was on a record that pointed to the IP address of this digital ocean server.
Um, deleted the droplet.
The IP was reassigned to somebody else.
I think I had like what was a like it was, I was, it was like a little e-commerce site for some like letterpress cards.
I made the person fortunately who was then reassigned.
It was just like selling beer online.
But I went to my website actually.
I was curious what's and then I forgot and I had turned, you know, shut down the site and then it was redirected to a, to the beer website.
And I got a bit nervous for a moment and then I remembered, oh yeah, I forgot to delete that DNS record.
But there are malicious actors actually that just almost like they're buying a lottery ticket will claim IP space and cloud services and then try to scan the Internet to find out who is pointing to those domains and then they can hijack your traffic.
They and so this is something a lot of threat actors do where I mean, we've seen this even with actually 1.2.3.4 and because of being on the threat intelligence team, we look at a lot of our passive DNS data to see like what kinds of malicious activity is happening on the Internet.
And we found a lot of malicious activity actually happening on some of these like very simple IP addresses because they're actors know people create tasks dot Cloudflare dot com.
And I we've seen it on some of our largest enterprise customers who have created test websites and then point it to IP addresses like 1.2.3.4 not realizing that actually malicious actors are taking advantage of exactly those kinds of things.
Yikes.
It sucks, man. So this definitely we'll see this in a demo momentarily.
You'll see some of these risks reflected.
There are a couple of other things that have come up and I wanted to remind people about or some other things those in security center and some things are just I guess they're sort of straightforward.
We assume that we need them, but it's a reminder we will remind people of things like multifactor authentication.
Right.
If somebody has, say, admin credentials. Right.
We want to make sure that there's really strong authentication. And I believe that is something we will remind people if, for instance, they don't have MFA enabled.
Right. Because that's just vitally important for authentication states.
Yeah.
I mean, a lot of what we a lot of what we really started with, I think in some ways could be thought of as like kind of basic security hygiene.
But actually as we started enabling this and testing it out with some of our largest customers, we realized, you know, just basics.
Like, have you kind of correctly configured your DNS records?
Have you set up MFA on your like all Cloudflare can be the keys to the kingdom of everything that you've got that's Internet facing.
And so do you have multi-factor authentication set up on your Cloudflare account for all of the users?
Do you have you created any like insecure configurations in Cloudflare Access where you've maybe created a test policy that's allow everyone on thought you were protecting an app?
And we actually found a lot of these kinds of examples of just insecure configurations across our some of our largest and most sophisticated customers.
So I think it's just really easy to make those mistakes. And hopefully, you know, this is where we start and then we can slowly, over time introduce even more sophisticated and even more nuanced scanning capabilities.
Totally.
And even things like making sure you've got the right route, the right protections in place, the right things, you know, enabled, of course, like we know that applications are the lifeblood of business.
And occasionally, though, humans make applications, they make mistakes, and sometimes that result in a vulnerability that the Web can help with.
The one last thing I did want to mention, and we'll see this momentarily, is thinking about in something for viewers or keen readers of the blog and follow these week's email security and email risk and phishing and spoofing is something we've thought a lot about recently.
If I'm not mistaken, we will see.
This also reflected some initial checks and security center now. Yeah.
So actually, maybe it was Birthday Week. Our DNS team had launched these wizards to help people create SPF DMARC and DXM Records.
These are really common email spoofing controls, but they're actually really hard to set up.
They have like very complex, like, like standard like guidelines as to how you're supposed to set them up.
And I mean, a lot of times, email services will have wizards to help you create those.
But then you got to make sure to know to create them and then port them over.
And so one of the things we've built in Security Center is any time we detect an Amex record or we see you have an apex domain, we'll just make sure that there is an associated SPF and DMARC record that matches the specification kind of set forth.
And if it doesn't, we'll throw we'll throw an alert saying or an issue or an insight, rather, in the security insights and say, hey, will you need to either your SPF record is missing or your DMARC records missing, or maybe it's malformed and you need to fix it.
And you can actually very quickly get the insight that it exists.
You can then use Cloudflare Wizard to set up the appropriate SPF or DMARC record for your domain and then hopefully kind of prevent people from actually using your domain and sending like phishing emails from your domain just because of the lack of some of these like email spoofing controls.
So it's really helping just get out ahead of domain spoofing phishing with using your company's name, really awesome stuff.
So I'd love to see this in action.
I think the I think it's let's give the people what they want.
They want to see the demo.
Demos are always the best part of building products, isn't it?
Yes.
I will share.
So we actually created a site called Candy Shop Rocks. Can you see my screen?
I'm sure can.
Awesome.
So we created a site called Candy Shop Dot Rocks on the Intel team, actually, for demoing.
It was a very insecure site.
And so as we see here, we ran a scan.
It was so the scans actually run on a regular cron job that's on a daily basis.
But for some customers, if you have the scan now button, you can hit that and you can also rescan your infrastructure as well.
But this was scanned pretty recently and we haven't made any config changes.
So looking here, it's performed a scan and what it's found are four critical issues that really require our most immediate attention.
And then we've got nine issues here overall with this, with our with our setup here.
And it seems like the most common issue that we've got are dangling C name records and then kind of more high level.
It seems like a lot of what we've got here are issues with insecure configurations and so I can see a few of these insights kind of broken down by severity.
I can see them broken down by the categories, and I can also just see the insights themselves.
And here we can do all of the things that you can otherwise do in your Cloudflare Analytics dashboards, where you can kind of filter out certain types, you can remove the filter, you can kind of drill down into specific issues.
So let's, let's do that.
We'll we'll drill down into some specific issues we'll look at.
Some of the dangling name records.
There's a few of them.
So if we go into a specific issue here, we can see that there was a dangling named record detected.
And we have a bit more details around what's the insight we found?
As we said, it's pointing to a resource that we think we no longer control.
And then, you know, maybe a little bit more about that risk.
One thing we found actually in early testing is a lot of our customers didn't know what dangling C name record even was and like why this was a problem.
So we wanted to make sure that we made it clear and spelled out like, what are you at risk of?
And here you're at risk of subdomain takeover. Like an attacker can gain control of this infrastructure and possibly redirect it as we kind of spoke about earlier.
And lastly, I think we also wanted to make sure our customers know.
Sometimes what we catch might be intentional on your side that you've set it up this way.
So we just want to tell you how we've detected it. And so we saw that you have seen a record and it's returning a 404 error when we're attempting to make this request.
And so because of that, we assume that it's dangling and this is our detection method and how we've calculated this or determine this.
It's just so that, you know, how it's been set up, how we've we've identified that so that we can help you address that issue.
So I've got actually one I set up.
A little bit earlier today.
This one the 50 cent so we'll, and actually, so let's actually resolve this one as well.
When we click resolve that's letting us take care of the risk mitigate things right yeah.
So we can actually in one click what's great about this is we're not just like creating an alert.
We want to create something that you can then go and solve and actually action.
And so here we go to this example resource and we see oh I can there's here is so here's the IP address that we've got set up and it seems to be pointing to an IPv4 address that we don't control anymore and it does not.
I just made up this IP address earlier today and we have a few options here.
We can replace the address, I can delete the record. So I'm going to delete this record.
So I'm going to hit delete record.
And the magic.
To just pull that off, right?
Is that right? Yeah, exactly.
I just deleted the DNS record and now I've addressed this problem.
So. So what we've.
Seen in our attack surface.
Right, exactly.
Close to that.
Love it.
Love it. And so but this is actually just so you can see that we've resolved it and we can see that we've been busy resolving lots of issues.
You can see that this is now in our archived list.
We've taken care of it.
We this earlier today, in the last few days, I've been testing it.
So resolving a handful of issues.
And you can see that here on the archive tab as well.
But this is actually just one half of Security Center.
But I'll pause there before we move on.
I don't know.
Dan, is there anything else you want to do? Let's look.
And so not only on the top, we see four critical insights. So that's like, okay, you log in.
This is the you really need to deal with this now, right?
Correct.
And we look down and see insights by severity. So it is critical, moderate and low and we can filter.
Right, if we just want to look at the critical ones, because I think oftentimes that's the case.
There's only so many hours in the day, so many members on the team.
Let's just deal with the really important things so you can filter by those and we see okay so in that filters and that I see influences the results beneath the insights by type and insights.
So dangling C name records over provisioned access policies.
Now you were talking about that before.
So that's inadvertently we either maybe have an internal application exposed to the Internet.
What does that amount to? Yeah.
So a lot of times when people create an access, like when someone puts an application behind Cloudflare access, their intention is to prevent everyone from the on the Internet going out and being able to access it.
But just sometimes people will create a test policy called allow everyone on an access that's behind.
They might have a resource. They've, they've set it up such that Cloudflare is the reverse proxy.
And then you'll you'll set up Cloudflare Access such that we have effectively what is like a rule that only those that you allow to access your application can have access to that application.
Reading the details are really cool stuff.
So when we click Resolve there, so that's a little different.
That's helping resolve an access issue.
And what do we see?
Oh yeah.
So here we detect this. This actually will drop us directly into the Cloudflare for Teams dash.
So what we'll do is we'll redirect you to and I won't do that because that actually opens up in a new window.
But what this does is we give you a little bit of details here, actually the recommended actions.
So before we just drop you off in the teams dash, we'll tell you.
We recommend that you update your access policy to restrict who can access your application because what you've done is you just want to what we really want to do want to highlight, hey, we noticed what you've got here is probably like in no world does someone really want to create, like why would you set up Cloudflare access only to have a policy that's allow everyone it's usually like a pretty common testing configuration.
But what happens is people create them when they're testing and forget that it's a testing configuration and they think that they've actually protected it with some sort of real policy.
And so we just want to highlight it.
We think this could be an error, it might not be an error, and you can always archive it and dismiss it if that's the case.
But if it isn't here, here, you can go and address it.
And we just want to flag that you've got this policy on this domain.
Really powerful stuff.
Now, I see beneath on the left there the security standard, security insights and infrastructure.
Yeah.
So as we were saying before, this is actually just security insights is just half of what we've got in security center.
The other thing that you know.
Obviously with the surface management, we want to identify the risks and the vulnerabilities and bring that to the forefront.
But actually a huge and really invaluable piece of attack surface management is actually just knowing what assets you have to begin with.
And so all of the infrastructure and this is actually something you know, what's interesting is we've never really done this before in Cloudflare Like.
Yeah, we list all your websites and your account, but we didn't, we didn't really give you like a very useful summary of, of what you had and, and its security posture.
And that's actually what we really went out to do here is, okay, so what's like, what are all the assets that you have?
And actually, very quickly, you can see how many of them are which of these domains are proxy by Cloudflare, which of them are not proxy by Cloudflare?
You can very quickly see which applications are behind Cloudflare Access.
And then for these domains, what are the DNS records that you've created that are for those domains?
I see.
Can we click on one of those inventory domains and. Oh, it's not interactive yet.
Sadly, it's very soon.
I there's some exciting news actually.
There's some exciting new analytics features as well that are going to be rolled out soon that I'm sad didn't go out in this release.
But we'll get there.
We'll get there.
You know, Rome wasn't built in the day, but we've actually built quite a bit.
For starters, I have to say. I'm really excited.
I mean, to be honest, part of this is we've been really lucky that we've been able to iterate for the last few months with our customers.
And actually we're actually just have a few minutes left, so I'm going to stop sharing.
But going into those thank you's like really it's been the product of iterations where literally, quite literally the product of iterations.
But working with what we started with was actually this was very similar to internal tooling our own security team had built and we had a chance to kind of iterate with them, iterate with a number of our like members of our sales team, interact with customers and customers of all sizes.
Some of them were it consultants for small teams, some of them had small security teams.
Or we're like it's like a one man band.
IT, Security, all in like a small startup all the way to like Fortune 100 companies.
And we had literally companies of all sizes use this and give us feedback.
