ℹ️ Email Security with Area 1, Browser Isolation and DLP
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Ayush Kumar, João Sousa Botto, Tim Obezuk, and Noelle Gotthardt.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
- How Cloudflare Area 1 and DLP work together to protect data in email
- Email Link Isolation: your safety net for the latest phishing attacks
For more, don't miss the Cloudflare CIO Week Hub
Transcript (Beta)
Hi, welcome to Cloudflare TV and CIO Week. We hope that everyone has enjoyed the exciting announcements that have already happened and we're more excited to show you in this segment about how our Zero Trust products work together.
My name is Ayush Kumar and I'm a product manager at Area 1.
Today, I'm joined by João Sousa Botto, product manager at Area 1 Email Security, Tim Obezuk, who is our product manager at Browser Isolation, and Noelle Gotthardt, our product manager for Data Loss Prevention.
Today, we've announced Area 1 Email Security partners with Browser Isolation and Data Loss Prevention to strengthen our customer security posture.
To kick us off, João, would you mind giving us an overview of the challenges some of the teams are facing today?
Yeah, after so many years, email is still the biggest attack vector for people.
Actually, 90% of all phishing attacks or all cyber attacks actually start with phishing.
So this is huge. And hackers typically use phishing emails to try and trick users into clicking on links, opening malware programs, and sometimes that leads to the big ransomware attacks that we read on the news.
But phishing is actually the origin of the vast, vast majority of compromises.
People lose a lot of money with these attacks. The estimate is that companies have lost about $43 billion between 2016 and 2021, so five years, $43 billion, and that's in the U.S.
alone. This is data from the FBI, and people actually think that the number is much higher, but people don't report enough.
Like some companies, they don't report those crimes. And these aren't always like the billion dollar or the million dollar ransomware attacks.
These are often $400,000 here or $5,000 there.
It's smaller amounts that companies keep losing because of fraud and fraud that starts with phishing attacks.
Actually, 35 % of the ransomware attacks, at the very least, start with email.
So it's a very, very common angle.
And if in the past, most of those fancy ransomware attacks or most of the big attacks, they came from, I don't know, nation-state actors, big, sophisticated enterprises targeting other companies.
Now it's almost become commodified.
There's what our CEO has called ransomware as a service. You can find ransomware operators from which you buy malware programs that you use to start attacks.
So you find people in their basements are starting these kinds of attacks.
It's not, again, just those nation-state actors like Bay Firepower. It's very, very different.
And adding to that, a lot of people still feel like they can go with the native capabilities of their email infrastructure provider.
But Forrester is actually calling out that now corporations are starting to realize that they need an additional layer of machine learning focused and BC focused.
So BC as in business email compromised protection against the most sophisticated phishing attacks.
Yeah, no, these are large problems. And in Cloudflare, we're solving these problems with kind of a cohesive, a complete Zero Trust solution.
Maybe Joan, could you talk a little bit more about some of the main building blocks that go into the solution that we're building?
Yeah, I'll start by talking a little bit about area one and hopefully Tim and Noel can fill in about their respective areas of expertise.
So email security is one, it's just one of the trust. You can't just limit yourself to this.
But often there's a problem where the Zero Trust solutions that companies try to deploy, they're not working well together.
So they may deploy something from one company for email security and then deploy a completely different solution from a completely different vendor for something else.
And those become disjointed and don't work well together.
Area one is focused on defending against the evolving threats that come over through inbound email attacks.
What it does is essentially it tries to preemptively block phishing. And what do I mean by preemptively?
Preemptively means that area one goes out and looks across the Internet for infrastructure that is being built for malicious intents.
So infrastructure that even if it's not yet available, we see the building blocks forming of something that may be part of a large scale phishing attack, or even a spear phishing, as we say about those more targeted things.
One of the biggest advantages of area one is not only that it goes out and preemptively looks for this type of infrastructure, but it's also that being cloud native, everyone, every single customer is constantly protected against everything that we find.
It's not like one of those legacy vendors that you need to wait days or weeks for signature updates before they propagate and before they make it available to everyone.
At the same time, this thing of being cloud native, it also brings additional advantages, such as saving IT time and resources.
So the IT departments, usually they have to deploy either appliances or deploy, or at the very least, configure a bunch of connectors, and they need to endlessly tune the services to their environments.
We don't do that. It learns from your environment, but it's ready to protect you.
It starts protecting you from day one.
It starts protecting you from the minute that you turn it on. Again, it always has the latest signatures and looks for the latest things, but it also stops business email compromise attacks.
Those are some of the costliest and the ones that our customers call out as the ones that they're most afraid of.
And we do that by looking at sentiment analysis of messages, the intent, the tone, the sender relationships.
We look at all of those signals and we try and create a model of what communications fall out of the typical patterns.
And when those communications fall out of the typical patterns, we proactively stop and try and block those BEC attacks.
By the way, BEC attacks are the attacks where you try and ask for money, for resources, for access.
So essentially, you're trying to gain something else.
You're not just trying to infect the machine. And by doing this, by looking at all of the signals, what we do is we uncover the most sophisticated BEC attacks out there, including supplier account takeovers, which is one of the ones our customers are really afraid of.
Because even if they have the tightest of securities, if their partners are not secure and they inherently trust a given partner, that partner being compromised can compromise them.
And we've seen numerous attacks all over the years.
And so this is cloud native and it connects and enhances directly your Microsoft 365 or your Google Suite email deployment at your company.
And this is something that is really designed to work together with that.
We have multiple deployments solutions for area one, so we can deploy in line.
So we see the emails before your Microsoft 365 or your Google mailboxes see them, and we can filter out obviously all the malicious ones.
Or we can deploy as an API where we check everything as it comes in and we take care of that.
And not only that, but we also have connection to the typical seams that companies deploy and source.
So that if you prefer, instead of using our own console with all the data about email, you can see it in a single pane of glass with whatever solution you have already in-house.
Tim, you want to talk us through a little bit through your product?
Yeah, absolutely. Thanks for taking us through that, Joe. I always enjoy learning more about email security working with your team.
So hi, everyone. I'm Tim Mazzuca, product manager at Cloudflare.
I'm excited to talk about how browser isolations are adding an additional layer of defense to your email security posture.
I think it's very fair to say that both email and a web browser compete for that number one place as the most ubiquitous business application.
But what we do know is email is obviously most of the time the entry point for a phishing attack, but then the browser is used as the exploit factor.
Because fundamentally, all phishing attempts, they're trying to deceive the user into clicking a risky link, one that could, it opens up their browser and it attempts to load a phishing website and or potentially a malicious document.
And this places the user at risk of downloading some malware or inadvertently linking sensitive data into such as their credentials or trade secrets to a bad actor.
And controlling and protecting the web browser from being compromised in this situation is twofold.
Merely, in fact, merely clicking a link in an email is a significant risk because when you open up a web browser, your browser is downloading untrusted code from servers all over the Internet and those servers can talk to other servers to get code, which could lead to a browser-borne exploit, compromising their device.
Just last year in 2022, there were nine zero -day vulnerabilities affecting the Chromium runtime, which is the largest web browser runtime, 70% of all web browsers use it.
Or the website could masquerade as a legitimate website running benign code, but asking the user to input their credentials or some financial information that could lead to a successful phish.
And unfortunately, a challenge of the way the web was built is it's very hard to control how a user interacts with the website once it's been delivered to that browser.
It's a little bit easier if you can, if you control the website yourself, but if it's a third-party website, CIOs have no control over how the user interacts with it.
So where browser isolation fits in is mitigates this risk by rendering a target website in a full-featured browser hosted on Cloudflare's network.
These are hosted in a nearby data center, we have about 270 around the world, and by rendering it remotely, we're able to protect their device and any networks that user is connected to from malicious code on that site.
So that's the core value of isolating websites, separating the execution of browser code from the user's device.
But one of the really great things about rendering remotely is it enables us to control all interactions with that website.
So for example, if a user's going to a site on their mobile device or a corporate laptop, you're able to control how they can input into that website.
Are they allowed to type their credentials into it, or upload or download files into it.
These are really powerful tools preventing drive-by downloads or credential harvesting attacks from succeeding.
And finally, with our solution, with our browser isolation products, we've designed it to be virtually transparent, and we'll go into how it's integrated with email shortly.
But for any link, whether it's good or bad, if it's isolated in our remote browser, the experience is transparent to the end user.
We stream lightweight vector draw commands over the line.
These are things like draw a shape, draw a color, or draw a squiggly line.
And all of these combined together render the website locally on their machine, and isolates them from any of the active code on the website.
This is a sharp contrast from legacy methods of isolation, such as insecure DOM scrubbing, which could lead to malicious code landing on the user's device, or slow pixel pushing solutions that can frustrate the end users if they're going into isolated sites.
The way we've built it is when a user clicks on a link in their email, it is isolated instantly.
There's no service that your IT team needs to scale, and there's no time your users have to wait for the remote browsers to spin up.
It's just instantly isolated in a remote browser, very close to the user.
And it works for links in emails regardless of when they click it. So if they click it on their mobile device, or if they're on a managed workstation, that same isolation control works without the user needing to install any software on their mobile or on their corporate machine.
It's all fully browser -based technology, so the users can use it on any device.
And what I'm excited to hand over to Noelle next to talk about is how this integrates with our Zero Trust platform and the DLP solutions, because browser isolation is great at controlling how users are handling data wells.
And Noelle has a little to say about defining what is sensitive data and how it's managed.
So over to you, Noelle. Thanks, Tim.
I appreciate that great rundown of browser isolation. So what is data loss prevention?
It's sort of aptly named, but it really kind of targets the struggles that customers really encounter with, where is my sensitive data?
Who has access to that data?
Can it get exposed? And for most customers, they're really talking about PII.
But of course, there's cases of intellectual property and other sensitive data that obviously customers just don't want getting out.
It's important for them to keep it internal.
And so that can be a huge challenge, because at the same time, you have business operations to support, and you have data flowing in and out of your corporate network and your corporate infrastructure every day.
And so a lot of people struggle with, well, how do I know if my sensitive data is staying internal?
And how do I allow the data that I need to get out from my regular business operations to freely flow to vendors and partners or customers, wherever it may be?
And so that's really the goal with data loss prevention, is how do we give our customers the ability to say, keep my sensitive data internal, but allow my business operations to flow seamlessly?
And so that's the goal of everything that we're building with DLP.
And so as Tim mentioned earlier, DLP is built into our Zero Trust platform.
And we actively look to inspect the traffic of corporate traffic and HTTP traffic, to be specific, and really look for the sensitive data.
Customers can kind of define their data in an object and say, hey, I'm looking for financial information, like credit card numbers or IBAN numbers, something like that.
Or they can say, I'm interested in specific PII numbers, like social security numbers or tax file numbers or NSN numbers, whatever that may be, and say, hey, I'm concerned about these identifiers.
Or right now, they can build their own detections completely and say, hey, I have this specific identifier that I want to build.
And either Cloudflare hasn't yet provided it, or it's really unique and internal, specifically something maybe industry-specific, intellectual property, something like that.
Customers can build their own regex and say, this is the sensitive data I'm worried about protecting.
And then as those uploads and downloads of that business traffic is occurring, we can start looking into that data and saying, hey, you know what?
You have a social security number in here.
If you don't want to let this go, you can block it. Or hey, maybe this is something you're a little bit less worried about.
This is a purchaser using a credit card number.
You can allow it. So the customers are allowed to build the rule sets based on their business logic and their needs.
And one of the biggest concerns that we've heard a lot about, and what we'll talk a little bit about more as I pass it over to Ayush again, is then how do we protect one of those really obvious ways of data getting out of an organization via email?
It's very easy for somebody who's busy writing external emails all day.
Maybe they have a sensitive customer document that can only go to that one customer, and they accidentally attach it to someone else's an email bound for someone else, and accidents happen.
So a big part then of DLP is how do we make sure that the documents that are getting added up into email are protected?
So it's a really big piece of how we want to all tie in together.
But I'll leave that just with a little bit of a preview, and I'll pass it over to Ayush to really dive into how our products are working together.
Yeah, absolutely. And it's great to hear how all these things work at the core level by themselves, but I think the awesomeness is how they work together.
So maybe, Joram, could you kind of give us a preview on how link isolation works with Area 1, and how the two products kind of prevent data from getting out from the organization that shouldn't be?
Yeah, I'm happy to start with that.
So as I mentioned, the biggest advantage that we have here is that we have a complete Zero Trust solution, and the products work really neatly with one another.
So otherwise, you would be layering, adding different layers of protection, which is what you actually want to be able to make sure that nothing falls through.
But you're adding duplicated layers if you're not tuning, or if you're not buying your solutions to work really well together with one another.
And so in our case, what we've done is we've actually not only made sure that things work really well together, but also we started bringing bits and pieces of different solutions within our email solution, within the Cloudflare Area 1 email protection.
So the first one that I'm going to talk to you about is Cloudflare Area 1 with email link isolation.
So email link isolation is a different kind of link rewriting.
So there's a bunch of solutions out there that what they do is they rewrite any link, any web link that they see on an email.
And when you click on one of those, it checks for that link, and it lets the user open or doesn't let the user open according to the risk level.
But the risk level in emails, and especially if you're doing this at the last possible minute, which is when the user clicks, the solution isn't really that binary.
Some things are more dangerous than others, and some things may not seem dangerous, but they actually are, or the opposite.
And on one end, you don't want to let the users click on something that is malicious.
But on the other end, you don't want to disrupt user productivity, and that's arguably one of the biggest risks.
If you disrupt user productivity, if users start getting banners left and right every time they click a link, what's going to happen is that they'll start trying to undermine it.
They'll copy it and paste it directly in a browser window or do something to try and work around it.
And so the most critical thing is to do something that protects the user, but that is transparent to them, that doesn't add friction, that doesn't disrupt their productivity.
So email link isolation, the biggest use case is really to protect against deferred attacks.
And what is a deferred attack? A deferred attack is basically when someone sends a message that is benign, so it links to a website that is absolutely benign.
Maybe I set up a store last month, I set up a web store, I put all the certificates, it looks perfectly benign, I sold stuff on that web store, and so it looks good.
But then what happens is I send out an email, phishing campaign, target a bunch of customers, a bunch of companies, and the moment that they receive that email, I flip it, and I weaponize that website.
So that's one of the biggest dangers, and it's one of the most difficult types of phishing attacks to protect against.
That's where layers come in.
So if your email security solution didn't catch it at first, there needs to be additional layers of security.
And we have multiple. One of them is that we keep checking the emails after they have been delivered, so even if something is benign, the next day we check it again, it's no longer benign, we retract it, we take it out of the user's inboxes.
But at the same time, what we do with this email link isolation is we rewrite links that we're not absolutely sure about.
So if we don't know if this link is benign or malign, so if it's malign, we quarantine the email, we don't deliver that to the user.
If it's benign, well, we don't need to rewrite because otherwise we're going to impact productivity.
But if it's something that we're not 100% sure about, what we do is we rewrite it.
And the way to be sure or not sure, having a verdict or not having a verdict, this is thanks to Cloudflare Intelligence.
So Cloudflare runs one of the biggest DNS resolvers in the world, if not the biggest.
Right now, it's like trillions of queries that we process every day, and so we get super early signal on how many people are visiting which websites and what the user traffic looks like to those websites.
And so we know if it's something that was set up but not really published or if it's something that is seeing real traffic.
And so we rewrite if it's at the margin, if we're not absolutely sure about that website.
And then when a user clicks on that thing, we check it again because we keep checking it in the background.
So if it was marginal, if it wasn't something that we were sure about, we keep checking in the background to see if we have new information, new data.
And so when the user clicks it, if it's malicious, well, we don't let them open the websites, it's blocked.
If it's benign, we let them open normally, it's transparent, it opens in the local browser.
But if it's still marginal, if we're still not sure, what it does is, one, it presents an interstitial page, so a speed bump.
And that speed bump tells the user, hey, this website may be a little bit suspicious, we don't have enough information about this, so make sure that you don't type any passwords, make sure that you don't type any PII unless you absolutely trust this thing.
And so from the beta, and this product has been in beta for the past three months or so, from the beta, we see that very, very few users go past this interstitial.
There's less than a third of all users that click on a link that see that interstitial and still decide to navigate to the website.
And then if they do decide to go to that website, that's when we open it with browser isolation, with what Tim told us about.
And this is now included in email link isolation, which is, in itself, included in some Area 1 plans, in the enterprise plans.
So you now click on any user that clicks on one of those links, we'll open it on, we'll see the big interstitial page, the speed bump, and then if they decide to go through, they open in browser isolation.
It's virtually indistinguishable from opening it in the local browser, but it's secure.
It's something that if the page has malware, if it's trying to install something locally, if it has one of those zero-day vulnerabilities that Tim just told us about, like nine in a year, that's almost one per month, those are blocked.
And so we had really good results in the beta. We have the biggest thing that we were hoping for, that is no productivity complaints from the customers, and we have big Fortune 500 companies using this in the beta.
And we got really good feedback. So today it's GA, and it's available, it's included for all Area 1 enterprise customers.
Ayush, do you want to tell us a little bit about DLP?
Yeah, absolutely. And for those who haven't seen the email link isolation, it is really cool to see it in action, so definitely worth checking out.
But I guess to go a little bit deeper on how we think about DLP with Area 1, really where this is coming from is, within the last few years, we're seeing a lot of organizations switch towards cloud -based email services.
And I think what has become an afterthought is just how much of a surface area email is when it comes to having sensitive information.
If we think about how many times has there been an exchange of an invoice that has maybe social security numbers on it, or anything along those lines, it's something that organizations have a blindside to.
So at Area 1 and at Cloudflare, we have this opportunity to have really robust DLP practices running to make sure that there isn't any incidental leakage of data, or if there's a malicious actor that they're not able to compromise an account and gain access to a treasure trove of information.
So one of the ways that Noel brought up earlier was this way of preventing egress of email data via HTTPS.
And what Noel mentioned was, let's say with a new organization, you know that there's certain things you want to check within attachments that, hey, if this has my tax ID number in it, I don't want it being sent out.
So with Cloudflare's DLP product, you have the levers to scan if your employee's uploading an attachment to an email in your Office 365 or G Suite environment.
And if it's suspected to have sensitive information in there, we'll block it according to the policy.
So that's just one of the levers that's afforded by the DLP tool.
But also HTTP filtering, I think, is a big one.
And I think here's where we offer a lot of customization, where you can really filter through HTTP traffic.
You can look at things like domain, URL.
There's a plethora of stuff that you can kind of churn through.
But again, it's the flexibility of, I have this maybe a unique policy that I want to institute within my organization.
The Cloudflare DLP solution gives you those levers to make sure whatever you're trying to prevent from getting out within the organization, you have the ability to do so.
And I think the next tenant that we'd like to think about is kind of enforcing data security between partners.
Having a strong TLS setup is very key in today's day and age of making sure that the information that's coming in is encrypted.
So just in case you have a malicious actor who's kind of sitting in between, that they're not able to gather as much information as they're able to.
So within the Area 1 solution, you can set up a strong TLS within it and enforce kind of partner domain TLS as well.
So I think those are the first two tenants.
But the last two that I'll talk about I'm very kind of passionate about, which is another kind of blindside that people don't think about, which is stopping passive data loss.
So if we step in the shoes of an account that's been compromised, they won't be able to gain any signals.
So let's actually set up ways that we can detect if someone is there, where it's going to be difficult.
So let's just make sure that the account isn't compromised in the first place.
And stopping ransomware, as we brought up before, let's just make sure that attachments are what they say they are.
So those are kind of the four tenants that we think about when it comes to Cloudflare security and Area 1.
And that's all bundled into this Cloudflare 1 platform.
So as you can see, we're moving closer.
All of our products are kind of working in line. And this thing we have internally, which is 1 plus 1 equals 3, the sum of its parts are not greater than the sum of itself.
So if you haven't been able to check out, please go to Area 1. You can set up a phishing risk assessment, or you can go to the Zero Trust roadmap and see our roadmap there.
But thank you again for watching. But this has been the DLP and Area 1 showcase.
Thank you all.