🚚 Cloudflare Area 1: How the best email security keeps getting better
Presented by: João Sousa Botto, Blake Darché
Originally aired on March 18, 2023 @ 8:00 AM - 8:30 AM EDT
Join Cloudflare Group Product Manager João Sousa Botto and Head of Threat Intelligence Blake Darché to learn about Cloudflare Area 1 and how the best email security keeps getting better.
Transcript (Beta)
Hello, everyone. Good morning, good afternoon, wherever you are. I'm João Botto.
I'm a Group Product Manager for Emerging Technologies and Incubation at Cloudflare, which includes Area 1 Security now, and I'm joined here with Blake.
Blake, do you want to introduce yourself?
Sure. My name is Blake Darché. I was one of the co-founders of Area 1 Security, and I'm currently the Head of Threat Intelligence of Cloudforce One.
Thank you for joining me here today. This is awesome.
Great to have you here. So this session is all about the improvements that we've made to products on both sides since you guys joined us, since Area 1 joined Cloudflare.
So first and foremost, let me show you the changes in the Cloudflare dashboard, because, well, that's the first step, right?
We need to go and have access to Area 1 in the Cloudflare dashboard, and so we've added quite a few things.
So first thing, I'm here, I'm on my account here, xmapple.com.
It's a very original one.
And so if I click on my XMapple zone, I can see the email section. The email section used to be exclusively for email routing, which is still here.
Email routing is still available, but now you'll find another section that is dedicated to email security.
And so when you click email security, you'll find that email security is now available.
And this is obviously for Area 1. So here you have the options of requesting a trial, and a trial is what we usually call a phishing risk assessment.
So you get full access to the product for 30 days. So you'll see the dashboards, you can see all the detections, we stop phishing and malware for you, obviously.
And then at the end of those 30 days, you also get a report. Someone from our team will prepare reports for you and tell you what we found, like give you a summary of all the things that you've seen in the dashboard throughout those last 30 days.
Obviously, they'll also help you set it up. But setting it up is super simple.
Area 1 being an entirely cloud-based solution, what you'll see is that setting it up takes no longer than five minutes, maybe 30 minutes tops.
But it's not like someone bringing an appliance and deploying an appliance on your network.
It's none of that. It's entirely cloud-based. We just hook up the connectors and you see emails flowing.
You see them live actually on the dashboard. And so coming back to the landing page here, you have the option to request the trial that I just mentioned, but you also have an option to explore a demo.
And if I click on explore a demo, here you'll see the Area 1 dashboard for a fictitious company.
And so you'll see everything that you would see for your own company, but here for a different fictitious company.
And so, for instance, you see how many emails have been processed, how many attacks have been prevented.
So here there's a very high volume of attacks, obviously.
And you even have a live mode where you see emails coming in and you see how many malicious emails were blocked recently.
So obviously in your environment, you'll see this counter go through.
Bigger companies will see this counter going super, super fast. Other companies will see the increments going up still by quite a bit.
And then you have information about the malicious threat types, what are the most typical attacks that are targeting your company.
You'll see the top BEC targets, so top targets in your company.
Obviously, BEC, business email compromise. Here it shows you the VIPs, if you will, of your organization and who is being targeted the most so that you can see if there's, say, outsized impact on your CFO or other people in your finance team or your CEO or other executives for your company.
Even board members sometimes show up high on the list here.
Then you see domain proximity. So this is constantly updating and seeing new emails that are registered that kind of look like yours.
And so this is something that you want to keep an eye on, making sure that people are not registering something that looks exactly like yours.
So for instance, we've recently found one for ourselves that had just been registered that was www.cloudflareblog.com.
It wasn't ours. Ours is blog.cloudflare.com. So it's something that shows up here.
And this information can also be consumed by API.
So you have lots and lots of information that you can explore. You can see spoof detections, impersonations.
You can see where are the threats coming from for your organization versus globally.
And you can see for other people in the same industry what's typical.
You can compare yourself to others. Also, looking at the threat detection, you can see a breakdown.
You can go and deep dive into a timeline. And you can even go and explore more things like more details on your emails, more details on the web.
And then you have PhishGuard, which is our top-of-the-line product that has some unique features in it.
So this is just the first step is giving you a flavor right from within the Cloudflare dashboard, giving you the ability to request this trial, to get engaged with us, and also to explore a demo where you can see the full product in action with demo data, if you want, before hooking up your own.
Now, I have a few additional questions for you, Blake. So being an Area 1 co-founder, you probably noticed quite a big difference since joining Cloudflare.
So the first question is, what benefits did you see maybe in terms of data or otherwise since you joined Cloudflare?
How has it improved? How has Area 1 improved since joining Cloudflare?
Sure. Yeah. I think Cloudflare had some different data than what Area 1 had.
And Area 1 had some different data than what Cloudflare had. So one of the benefits of the merger was being able to bring a more unified data plane to our different products.
So enriching, say, some data we might have seen from email, say, some new domains that were registered that were just seen, and enriching those into the Cloudflare product, and then looking for, say, new domains that Cloudflare has seen on the Cloudflare side, on WAF, or on DNS, or things of that nature, and then enriching that on the Area 1 side.
And so when you look at that over time, you see that a common data plane really can help improve products and help improve detection across product suites.
And today, customers expect generally a more unified detection plane to begin with.
They really want to stop the attack wherever it's occurring without having to take manual actions.
And in the past, we saw a lot of cases back in the days of on-prem appliances and on-prem managed software throughout the 90s and mid-2000s where a security person would have to go out there and deploy a detection or deploy this block.
And that takes a lot of time.
A lot of companies don't have the resources to be able to do that, especially on the small and medium market businesses.
And even on the enterprise side, the level of threats comes in so fast, it's really hard to keep up with that stuff.
So there's a lot of value in being able to provide a common data plane for detections and indicators of compromise across product suites, and it provides a much better level of protection for customers.
Yeah, that's fantastic.
It's one of the biggest advantages of being cloud-based, right? It's not just that quick five-minute deployment when you first buy the product, but it's also that all indicators of compromise, all the data that you process, all the malicious attack vectors that you find, you can instantly deploy to every customer around the world, right?
That becomes available to everyone. And also, like I mentioned the numbers in the blog post earlier today, it's pretty incredible because, well, you guys were sitting on a treasure trove of data already, like nine years of existence as cloud native, you have accumulated a lot of data, threat intelligence at Area 1.
But even at Cloudflare, at Cloudflare, the numbers are impressive, and I'm reading from here, it's 124 billion cyber threats that Cloudflare blocks every single day.
And if we think about the DNS queries and the resolver data that actually powers identifying new domains and identifying this proximity that helps with all of that, as you mentioned, that's 1.7 trillion DNS queries a day that we process.
That's data you won't find anywhere else.
And adding that to, giving that data, putting that data to the disposal of the best engineers in the field that are sitting on your team and that are sitting on our engineering machine model, machine learning teams, it's pretty incredible.
So you mentioned Cloudflare also benefiting from Area 1, from this data.
Where have you seen these improvements happen on the Cloudflare side?
So today, we were able to, working with Jesse Kipp's team, we were able to bring in all of that data from the Area 1 side and bring it to the Cloudflare product.
So across gateway, across WAF, across all those different solutions, across resolver, and across all those different solutions, those services are now empowered with the data that Area 1 had.
And in totality, this really provides a much better Zero Trust coverage for customers.
And so if we look at how the network edge has evaporated over the last 10 years, and specifically over the last 36 months since the onset of COVID-19, networks have really shifted a lot.
And users are more mobile, they're more not in their office.
And so you look at where Zero Trust is heading and Zero Trust has really been accelerated by the pandemic and pretty much is not going back.
And having data enriched across these different product suites provides really much better Zero Trust coverage, unified views of your users.
You no longer have to have the user in the office behind some legacy firewall.
Some of the legacy firewalls have struggled in the past. They might have a maximum limit of like 9,000, 10,000 domains or IPs they can have in them.
Well, that's not really sufficient in today's world. The attackers create domains and IPs for operations faster than they can add RAM into these legacy devices.
And so when you look at this, this is a really big problem. And we've actually seen this from the Area 1 side back a couple of years ago, Area 1 was pushing a bunch of indicators into Palo Alto Networks firewall, and we crashed the firewall because we put too much data because it couldn't handle that much data.
And I mean, this is a real problem.
You have to be able to have an infinitely scalable architecture today in order to stop cyber threats.
And when you're limited by RAM on-prem, that's a real big problem.
Yeah. That also reminded me of a conversation that I had with the firewall team just a few days back, where they were saying that, well, most attacks, especially DDoS attacks, some of them, they last...
Your system is already down before you can add the firewall rule. So you need to have it all automated.
You need to really have some algorithms and some ML models probably that take care of all of that for you.
Because otherwise, if you receive a notification and you need to go there and add the rule, or even if all you need is to hit a button that says confirm that you want to add that rule, you've already lost.
Your system is probably already down when someone sends terabits of data your way.
So yeah, this is super critical. Another area is Cloudforce One.
Yesterday, you had your own session dedicated to Cloudforce One, your new project within Cloudflare.
So why don't you tell us a little bit about it?
Sure. Yeah. We had a great session yesterday discussing with Jesse Kipp and with Patrick Donahue what Cloudforce One is.
If anyone's interested, they should check it out.
But at its infancy, Cloudforce One is threat reporting, some product like a sinkhole service, sinkhole as a service, I call it, or SHAs, I've been calling it.
And provide a lot of value to different customers in terms of what you can do with these solutions.
So being able to have unified threat intelligence, Cloudflare's got a great vantage point from a data perspective, as we've just been discussing, and being able to provide those insights across our products and bring them out to customers, they can see what's going on, provides a lot of value to the customer to understand the threat landscape that's been seen across our customer base.
So when we're able to distill down, like, hey, this threat existed, it was targeting these verticals, that can help a lot of other verticals understand the threats that are out there, especially the more novel, unique threats.
So I think that's the main goal of the Cloudforce One service and team.
So you're not just looking at email anymore.
So now you've created the team that is central to Cloudflare, and that looks at the intelligence data, and that essentially works to protect every single customer of Cloudflare, kind of automatically.
Is that it?
Yes, exactly. So we're not just looking at email, but we also do take email into account, but we're looking at other data that might come in.
We work heavily with our WAF team on the DDoS side as well, to understand DDoS threats.
And so we're condensing, I'll say, different telemetry from different services into a kind of a unified data view, or a unified view of the threat landscape.
And over time, that view will become more and more sophisticated and provide better insight.
Fantastic.
So Cloudforce One benefits everyone, but there's also a subscription, right?
Besides benefiting everyone, there's something that customers may want for more direct access to your team.
What else do they get when they subscribe to Cloudforce One?
So they get visibility into threat reporting, they get ability to submit several RFIs per year.
So say if a customer had an incident that occurred in their network, or in their organization, and they wanted to get some more information about what we knew about it from our greater telemetry, they could put in a request from that.
This is super useful for incident response professionals, or SOC analysts, things of that nature.
Then there's also the sinkhole service, which is really cool.
It's the first time I think there's been a managed sinkhole in the world, where they can take their hits from gateway, and they can sinkhole them, and then they could actually go review that data that's hitting against there to see, hey, is this anything bad?
Do I need to be concerned about any of these threats that have been sunk over here?
This can help identify compromised assets, things of that nature.
They also get access to briefings. They get the threat reporting.
So there's quite a bit in the service, and we're always adding more.
Oh, and brand protection is going to be a really key and cool thing. We have more coming there.
I won't spoil the future, but we are at least doing brand alerting today.
So you can be alerted if something looks like it's impersonating your brand.
And so I think that's a really great service, and I think exploring that further will be really key in the future.
That's fantastic. And expanding that beyond email is so cool.
I still remember being fascinated when I first started working with you guys at Area 1, and seeing that there was...
Someone showed me an example of an email that was caught that looked completely legitimate because it was just an account that was compromised, but the logo was kind of pixelated.
The logo was poor quality, and that email was flagged just because the logo was poor quality.
That thing blew my mind. It was a legitimate account that was compromised that was sending the email.
Everything looked right except for the logo.
That was so cool. I don't understand why the attacker makes the image low quality.
I've never understood that. Just use the real image. I don't understand what they're doing in that case.
I have no idea. During your demo, I was thinking you're at xmapple.com, almost looked like a BEC attack to me because you reversed the end.
Yeah. You would be surprised. So Cloudflare owns that domain.
You would be surprised with the amount of email that we receive and the amount of traffic that we see through xmapple.com.
It's something that we just use for screenshots, for blog posts and stuff.
But still, yeah, it's a popular domain for sure.
So just as a pretty much closing this session, one last thing that I wanted to show you all is the email security configuration wizard.
This is something that...
Let me first share my screen again, and I'll show you that this is something that we've had in the DNS tab for quite a bit.
So I think it was maybe last year that our DNS team released this.
And so right here at the bottom, we have email security and we're bringing all of this.
This was for protect your domain from email spoofing and phishing.
So most of you, when you hear this, you can also think of SPF, DKIM, DMARC, our old friends that protect us against spoofing.
And so when you click there, and this is also accessible now, it's being migrated all into the email security section.
So when you come here, you have a wizard that essentially helps you get started with the basics because it's fundamental.
You don't want domain spoofing.
And so you need to set SPF and we make it super, super easy for you.
So you have additional information, obviously, if you need it. But if you click here, you enter the IP addresses that you want to allow, the domains that you want to allow through your SPF records, and then the policy that you want for them, whether you want to allow, whether you want to soft fail because you're still testing things, or if you really want this thing to fail, like emails to not be delivered if they fail the SPF check.
And the same thing goes for DKIM for looking at signatures and DMARC.
We know that customers really care about this.
Area 1 has been using this forever in the models, not setting the records themselves, but obviously the information about how these emails are signed and what's the SPF that they're set with.
And also, but configuring it separately here, it also helps you protect against other types of attacks, like BEC attacks, for instance, or spoofing attacks, particularly, get reduced by quite a bit.
So this is something that has been available for people on Cloudflare DNS.
This is now being migrated into the email security space. And this will soon also be available to customers that are using, that are Area 1 Security customers, but that are using third-party DNSs.
On the Area 1 side, though, one thing that we do is we do DMARC reports, right, Blake?
We do do that. I often tell customers, I say, even if you're not ready to do full DMARC, the most important thing you can do is set up DKIM and SPF, because at least with DKIM and SPF, you can validate where an email came from if someone ever has a question about that email.
And it takes a lot of customers a long time to get to a DMARC reject state, but SPF and DKIM are really easy to set up and they can be set up in minutes without any really negative impact on their business.
And so we really try to encourage people to set up SPF and DKIM especially.
And then they start receiving the reports, right?
And then with DMARC they can start receiving DMARC reporting as well.
That's fantastic. And so these were basically the things that I wanted to cover today.
Blake, anything else that you'd like to add?
I don't think so, no. No.
So this was great. Thanks for tuning in. These were some of the examples of how Cloudflare and Area 1 have been making each other better and how we have a more robust and essentially we're driving towards having the most complete and a great Zero Trust solution all around.
So stay tuned for more sessions on this topic.
It was a pleasure having you here.
Nice. Well, happy to be here.