Cloudflare Innovator Program Fireside Chat
Presented by: Alaina Kretchmer, John Turner
Originally aired on March 23, 2022 @ 11:30 AM - 12:00 PM EDT
We are very excited to announce the launch of the Cloudflare Innovator Program! The Innovator Program provides a platform for our customer advocates to share and amplify their achievements, inspire others and network with their peers.
To celebrate the launch, please join us for our very first Innovator Spotlight, where we'll discuss Innovation with John Turner, Application Security Lead at LendingTree , and how it plays a role in his life - both inside and outside of work.
You can find more information on the Cloudflare Innovator Program on our website https://www.cloudflare.com/innovator-program/
English
Transcript (Beta)
Hi, everyone. Welcome to our very first Innovator Spotlight on Cloudflare TV. I'm Alaina Kretchmer and I'm on the Customer Advocacy team over here at Cloudflare.
And we're very excited to announce that today is the official launch of the Cloudflare Innovator Program, which provides a platform for our customer advocates, a.k .a.
Cloudflare Innovators, to share and amplify their achievements, inspire others and network with their peers.
The Innovator Spotlight celebrates those Cloudflare Innovators and showcases how innovation, creativity and thinking outside the box plays a role in their everyday lives, both inside and outside of work.
And this morning, we are joined by Cloudflare Innovator, John Turner. John, I will pass it over to you to introduce yourself.
Thank you, Alaina. And it's good to be back.
I think the last time that we were we were doing this was about a year ago this week during the last security week.
Exactly. And a lot has changed since then.
I think we were still deep in the throes of lockdown mode. And now we're trying to get back to normal.
So it's great to be back with you. And thanks for having me.
And for everyone else, as Alaina mentioned, I'm John Turner. I'm the application security lead here at LendingTree.
And LendingTree is an online marketplace for financial products and services.
Started about 20 years ago and now we're expanding into different areas, including insurance, business loans, student loans and all of that.
So it's a really dynamic place that requires a lot of innovation.
And that's what we do here every day. So I'm glad to be here. And thanks for having me.
Awesome. It's always great to have you. And it has been almost exactly a year.
So, yeah. So as you know very well, a huge part of what makes Cloudflare Cloudflare is this deep dedication to innovation.
And our customers are a big part of why we continually strive to always be innovating.
Obviously, why we're calling this the Innovator Program. But you said once before that you help LendingTree innovate at the speed of business.
Can you talk a little bit about that and how the importance of always thinking outside the box and staying one step ahead plays a role in your everyday as application security lead?
Yeah, absolutely. You know, thinking outside the box, innovating, coming up with new and clever ways to provide security services and really any service to the business is critical now.
And as the last couple of years has shown us and even the last couple of months, the world can change very, very quickly and in ways that we don't anticipate when we sit down and try to solution long term things for to serve business need.
So for, you know, for us and that, you know, providing these services at the speed of business, what that means for me is partnering with the right with the right companies that have the right vision and really trying to not address a specific problem, but address specific areas that could be concerned down the road.
It's really easy for us to come up with a solution to a known problem at any fixed point in time.
But what is really difficult in our biggest challenge is to select, you know, product solutions and deliver these solutions to the business in a way that scale in any way that needs to need to happen, regardless of whatever the environment might be.
And so, you know, that's, you know, our partnership with Cloudflare and other vendors has enabled us to be able to provide that assurance to the company that, you know, we have frameworks in place that will scale in any direction that we need to.
And the, you know, the nature of the Cloudflare platform, providing, you know, people like myself and other, you know, innovators that use the service, the ability to interact with every layer of the product is something that really provides us a lot of flexibility to, you know, to provide custom solutions for any situation.
So it's kind of like the Swiss army knife, if you will, of security solutions.
Yeah, we love that you use that term, the Swiss army knife.
It's very cool. And like you just said, so much is always going on in the world, you know, both good and bad.
I imagine current events and this, you know, always changing landscape of security protocols must, you know, really keep you on your toes.
You always got to stay one step ahead of the game.
Can you tell us about any security trends that you're seeing in the industry and how you're adapting to them?
Yeah, absolutely. You know, the thing, you know, everything that's going on right now, we have, you know, war in Europe, there's a lot that, you know, there's a dynamic there that is, that is very interesting.
You know, Russia is known for being a safe haven for cyber criminals and threat actors.
And now that the balance of power is starting to shift and things are getting a little weird over there, we're starting to see a difference in attack trend coming out of there.
And also seeing what I think is something we'll see more of.
And that is some of these threat actors that, you know, they do this for a job.
It's not like they're, you know, criminal syndicates in a basement somewhere that are just, you know, this is what they wake up and want to do evil.
But it's a job for them. And what I think that we're starting to see now is those folks are starting to transition out of working for criminal organizations and trying to get legitimacy through, you know, providing their hacking services under the umbrella of penetration testing services, participating in bug bounty programs and things like that, trying to, you know, just to make that transition and become legitimate.
I think it's a lot kind of like during alcohol prohibition here in the United States, when, you know, the bootleggers and the people were, you know, souping up cars and making them go fast so they can out, you know, run people and do all of this and those people went on to, you know, form NASCAR and other hot rod associations and build billion dollar industries out of the things that they were doing and I see it, you know, kind of shifting in that way with cybersecurity.
And, and I think that, you know, it's, it's overall that I think it's a good thing if this trend is something that is actually happening and it continues, because as you know, you know, there's a real shortage with, you know, talent and resources in the security field so we, you know, there's not enough people that have the skill sets, there's not enough, you know, people that we can hire so we, you know, we try to offload that to tools and third party providers.
And that's just because of the, you know, the threat landscape, you know, we've got so many things that we're fighting against that we need those people so you know it's an interesting thought that they if you know a measurable percentage of the threat actors go legitimate and join the you know the right side of this fight.
You know what does that, you know, mean for the rest of the cyber landscape, does it, you know, become less of a, you know, user to user or business to business war or does it get relegated back to nation state and that's how you're the only real, you know, measurable cyber incident come from, you know, come from governments under the banner of a war of some site, so it's, you know, there's a lot of stuff really, really happening now that we're seeing and having to adjust to.
And which is, you know, again, where we have to leverage our tools and our, you know, out of the box thinking and you know really start coming up with and innovating some, you know, some clever solutions.
We've had, you know, we've been able to do that with Cloudflare.
And in a number of ways. One, one area I can you know kind of point people to if they're having issues with, you know, people scanning their sites or, you know, trying to, you know, find vulnerabilities or things like that that are causing problems, you know Cloudflare will do a really good job of blocking malicious requests, but you know these people can throw a million requests at your site and blocks, you know, 99.9% of them but that one gets through and that might be the one so using clever rules, it's, it's possible and we've done this with great success to create a honeypot of sort, and, you know, basically put markers out in the, in the Cloudflare system that once they are a file with access a request is made towards that resource we can trigger a rate limiting rule and block that IP address for 24 hours.
And that's a really effective way because we don't have to rely on, you know, catching everything we can really slow down the attacker and keep them from you know going all over everything and finding that one, because everyone that's in this, you know, this job knows that, you know, we have to be, you know, we've got to be perfect all the time we have to stop everything they only have to find one they can fail every single time but that one is all it takes.
And in that event can cause, you know, significant brand damage, it can, you know, you know financial economic damage.
We deal with a lot of consumer information here so you know we're a big target and we have to, you know, we have to really be creative about how we go about securing things and, and Cloudflare lets us, you know, absolutely do that with great success.
Yeah, that's awesome. I mean, you, you're not happy with just out of the box I love it you you know you take things and you you you innovate and you're creative and how you and how you solve problems and, and I love the, the analogy with, you know, these bad guys turning good with the, you know, prohibition, who knew that they're, they're the ones who started NASCAR I mean, again, a wealth of information.
And, you know, and we're going to have to get to a point where, you know, we're going to have to make a change and how we see everybody that's in this, this fight right now, the people that are trying to break in and the people that are trying to protect it we all have to shift the way that we think about security and and how we go forward because one thing that's just very obvious is that this can't continue.
We can't, you know, we can't tool our way out of the situation we can't buy enough products there's just, there's not, you know, it, it's not going to work the way that it's going, even in the cyber crime world.
The things that used to pay very well do not pay very well, everyone's information has been stolen it can already be purchased for, you know, sometimes you know $1 or less, depending on how much PII is in there.
So, you know, the value of the information that's been stolen has gone down the value of everything is is decreasing it's no longer as profitable as it used to be.
And, you know, with the shifting government dynamics and you know regulations and laws.
It's not sustainable for businesses either to be able to comply with any regulations that might be coming down the road because, you know, just the overhead associated with it so there's one thing that you know I can see very clearly is that the way that things are going right now, it's not sustainable.
And I think that we're on the edge of a real shift in the way that you know everyone views things and I see that as a good thing.
Yeah, well, so it's not so much that you know the regular Joe Schmo the individuals and getting smarter with not, you know, putting our information on the web it's that is just valued less.
Absolutely.
And you know it's it that's a great point because it's the exact opposite of that we are consumers you know the the average user has gotten worse about, you know, digital hygiene, they share more they put more things into more places and they you know, it's so easy now to, you know, from a phone be anywhere and say I need this I need that and go and click click click click auto fill and the next thing you know you've put your personal information out and you don't know where it goes.
All the systems are connected with, you know, you know tracking privacy all of this stuff is, you know, it's, it's just proliferated everywhere.
So yeah, it's actually gotten worse I believe. Cool. They see that. Yeah.
All these breaches all of this stuff and, you know, but they, but they still just continue to just put information everywhere.
What are you going to do. I mean so I guess sort of on that same note, you've mentioned before that you know the role of security engineers in general is is a difficult one is you know you all try to keep your organization safe from all of these outside threats you know super, super easy stuff.
But changing the perception of security engineers is really important, you know, as we all continue down this path of making everything more secure.
What is that current perception of security engineers and why is it important that we change it.
Yeah, that's, that's a great question there and you know really this goes back to again the kind of the, you know, the transformative phase that we're going through right now, you know, historically security has been driven by best practices policies compliance objectives, you know, if you do this, you must do that.
Just black and white. That's the end of the story. And, you know, it was it's always been a pain it's always been a blocker for business security is generally known as the Department of know that's that's our job.
We don't generate income we don't you know do anything we just we slow the business down we put roadblocks in place and we frustrate people and we're just known as you know as more of a hindrance to business.
And again, for all the reasons that I mentioned earlier about you know businesses having to be agile and be able to, you know, change direction to meet the current environment.
The old way of thinking about security is no longer relevant in fact it can be a detriment to a business, because, you know, with the speed of the way that everything is the changing threat landscapes and everything that's going on if you're simply looking at a black and white, you know, thing that says we're doing this so we must do that.
It's not only is it not going to be an effective control most likely because it's older thinking and our adversaries are highly creative, and they are innovating faster than we are.
So if we're still in that monolithic you know here it is is the way that is we create ineffective controls, we, and probably, you know, more damaging is that we hinder the growth of the business, and that's just no longer, you know, acceptable so you know what I try to convey to you know to others in the industry, especially, you know, folks that are just getting started in it is to understand the business understand what it does, how you make money, what the headwinds can be, and see yourself as a provider of solutions.
We're here as a security organization to provide an environment where the business can, you know, can move in any direction as quickly as they need to, and do so as safely as we can, you know, as we can enable them to do that.
So it's not that you know security is injected at the back of that process, we build it in, you know, at the front by, you know, leveraging partnerships and creating frameworks that scale and all of the things that I've talked about, so that we can, you know, provide the company the assurance that they need to continue to innovate new products and go into new markets and seek new revenue streams, and they know that they can do so safely and we know that you know our job is to again facilitate that keeping it safe and seeing ourselves really is as the trusted advisors and partners for all areas of the business to, you know, so that they can sleep better at night knowing that the products that they're pushing are going to be safe and that we're on top of it and that, you know, even know the threats are going to change the landscape is going to change.
We're going to change with them at the same speed, if not faster. You're not the bad guys.
That's right, we are not the bad guys we're here because, you know, we want to, we actually if we do security right we enable faster product development we enable, you know, more rapid changes because, you know, you don't have to worry about well what's that going to you know what are the security implications of that we've already you know you know kind of pre planned a lot of this stuff and set up an environment that gives us room to grow and.
And, you know, and hopefully they do find things that we haven't thought of, because that's another opportunity for us to, you know, to learn and grow and and provide better services to the business.
Yeah.
Awesome. Um, all right, well switching this a little bit to a more personal level.
I know you love camping, you love being in the outdoors, you love learning about a lot of very interesting topics you have taught me so much over the over the past year.
Are there any fun or interesting ways that you use your creativity, your innovation, you're thinking outside the box in your everyday life to you know make things easier, better could be anything.
Yeah, so that's, that's a great question.
I, you know, I'm always doing something, something weird something out of the box making something, you know, I'm pretty big into, you know, robotics and 3d printing and, you know, lock picking or lock sport as they call it like to teach that.
Yeah. Wait, tell us more about lock picking first, please. So, so lock sport is is an activity where, you know, you pick locks, you know for fun.
And, you know, some people you tell them about this and say, you know, I do this and they're like well that's, you know, that's criminal what do you know why do you need to learn how to that.
And, you know, aside from the fact that it's fun it's like a puzzle right every single lock is different, everything is different.
The way that you have to do it is different.
And you have to rely on different senses you know your, you know, a sense of touch as you're feeling things and you know out of the box like, you know, what am I, you know what am I seeing inside of that and visualize again inside of your head but one of the great you know the main reasons that I like to use lock picking as a as a teaching method for you know focus on my team and others really is that it breaks the perception of that we have a security.
When you look at a lock and you see it and you're like oh man that lock looks really really secure it's you know it's got all these dials and you know it might be a different color.
And, you know, whatever the case is and, and, you know, people look at that and say I can't do that there's no way I can open that.
And then within just a you know a few minutes.
I'm able to show them that yes you can. So not only is it a motivator to say you know you know yeah wow you can do this, it also changes the way that you see security, because it forces you to stop seeing security with your eyes on what you see and what's being presented because nine times out of 10 that's not real security that's that's marketing, and that really does nothing, whatever, for, you know, for the security of everything so it's a it's a great teaching method to, you know, build self confidence to show people that they can do things that they think that they cannot do, but also in the context of, you know, what we do here, it shows them that security is not is very rarely what it appears to be, and then you have to come up with new and creative ways to actually provide effective security and not just security that looks great from the outside.
So, yeah. So if a security engineer ever comes over I should just hide my safe.
You know where we're not criminals, although you're not the bad guys, guys, we have to think like the bad guys, because if we can't think like the bad guys, and again, this is why, you know, teaching lock picking is valuable because we have to be able to think like the adversary.
It's really easy for us to think the way that we normally have which is that everything goes in a linear fashion is certain inputs get certain outputs, but our adversaries think the exact opposite of that.
So, they're, they're seeing everything that you're not seeing, which often makes it very very easy for them to go around everything that you put in place because you're just looking at it from one area.
It's a great analogy.
All right. Last question. Can you give us an example of a company who you think is doing a great job at innovating and saying you know one step ahead of the game.
What are they doing why do you think it's important for them to do this in their space doesn't have to be Cloudflare.
Yeah, I mean, I will say Cloudflare too but we've already talked about that.
I would say one of the companies that that we work with closely and are partnered with is a company called lace work.
And they are providing cloud visibility for it just kind of started with containerized environments and now it's kind of spreading out, sort of, you know, some functions the same as a as a Sim, but the bottom line is cloud visibility, regardless of which And, you know, they are, they've been we've been partnered with them for, I think over three years now since early stage of that company and help drive that development, the team behind it is really really solid and they are coming up with some really really creative ways to secure.
What is historically been a very very difficult area to secure which is, you know, is our cloud.
We want to be able to provide our developers and you know product folks and tech teams, the ability to spin up new services and deploy new things without overhead of having to go through 100 gatekeepers to, you know, to do things.
So, you know, as we enable the company you know the business to do that so that we can, again, you know, get things to market quicker.
It creates a challenge for us because we need a way to monitor that.
And, you know, that's where lace work for us comes in.
We, you know, daily catch people doing things in real time that they shouldn't be doing whether it's exposing something to the Internet that shouldn't be or, you know, setting some setting on a server or something in a way that it shouldn't be.
And we were notified instantly. And, you know, can can go in and correct that.
And it's got a nice little thing called a polygraph feature which maps out communication through hosts so it's it's a really cool tool they're doing a lot of good stuff over there so I would definitely say anybody that would be interested in something like that check out least work.
Cool. All right, john. As always, such a pleasure to have you.
Thank you so much for being a Cloudflare innovator always providing such great insights across the board.
Well, so much I'm, I'm, I'm happy to be here and invite me back anytime.
Yeah, absolutely. And thanks everyone for watching.
If you'd like to know more about the program you can find the link down below in the description.
And you can also join us back here at 230 Pacific today and we're speaking with Eric Pierce director of cybersecurity at mind body.
So thank you john. Thank you. Thank you.
No one is innovating in this space as fast as Cloudflare is. With the help of Cloudflare, we were able to add an extra layer of network security controlled by Allianz, including WAF, DDoS.
Cloudflare uses CDN and so allows us to keep costs under control and caching and improves speed.
Cloudflare has been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it.
And they've also been willing to throw those logs away.
I think one of our favorite features of Cloudflare has been the worker technology.
Our origins can go down and things will continue to operate perfectly.
I think having that kind of a safety net, you know, provided by Cloudflare goes a long ways.
We were able to leverage Cloudflare to save about $250,000 within about a day.
The cost savings across the board is measurable.
It's dramatic and it's something that actually dwarfs the yearly cost of our service with Cloudflare.
It's really amazing to partner with a vendor who's not just providing a great enterprise service, but also helping to move forward the security on the Internet.
One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response times, which is incredible.
Like, Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.
We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint, ensuring world-class capabilities in bot management and web application firewall to protect our large public-facing digital presence.
We ended up building our own fleet of HA proxy servers such that we could easily lose one and then it wouldn't have a massive effect.
But it was very hard to manage because we kept adding more and more machines as we grew.
With Cloudflare, we were able to just scrap all of that because Cloudflare now sits in front and does all the work for us.
Cloudflare helped us to improve the customer satisfaction.
It removed the friction with our customer engagement.
It's very low maintenance and very cost effective and very easy to deploy and it improves the customer experiences big time.
Cloudflare is amazing.
Cloudflare is such a relief. Cloudflare is very easy to use. It's fast. Cloudflare really plays the first level of defense for us.
Cloudflare has given us peace of mind.
They've got our backs. Cloudflare has been fantastic. I would definitely recommend Cloudflare.
Cloudflare is providing an incredible service to the world right now.
Cloudflare has helped save lives through Project Fairshot.
We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient, and ethical manner.
Thank you. Optimizely is the world's leading experimentation platform.
Our customers come to Optimizely, quite frankly, to grow their business.
They are able to test all of their assumptions and make more decisions based on insights and data.
We serve some of the largest enterprises in the world and those enterprises have quite high standards for the scalability and performance of the products that Optimizely is bringing into their organization.
We have a JavaScript snippet that goes on customers' websites that executes all the experiments that they have configured, all the changes that they have configured for any of the experiments.
That JavaScript takes time to download, to parse, and also to execute, and so customers have become increasingly performance conscious.
The reason we partnered with Cloudflare is to improve the performance aspects of some of our core experimentation products.
We needed a way to push this type of decision making and computation out to the edge, and Workers ultimately surfaced as the no -brainer tool of choice there.
Once we started using Workers, it was really fast to get up to speed.
It was like, oh, I can just go into this playground and write JavaScript, which I totally know how to do, and then it just works.
So that was pretty cool.
Our customers will be able to run 10x, 100x the number of experiments, and from our perspective, that ultimately means they'll get more value out of it, and the business impact for our bottom line and our top line will also start to mirror that as well.
Workers has allowed us to accelerate our product velocity around performance innovation, which I'm very excited about, but that's just the beginning.
There's a lot that Cloudflare is doing from a technology perspective that we're really excited to partner on so that we can bring our innovation to market faster.
Cloudflare.
Microsoft Mechanics www.microsoft.com