🚚 Cloudforce One - GA Week
Presented by: Blake Darché, Patrick Donahue, Jesse Kipp
Originally aired on June 9, 2023 @ 10:00 AM - 10:30 AM EDT
Join Blake Darché, Head of Threat Intelligence, Cloudflare Area 1, Patrick Donahue, VP Product of Application Security, and Engineering Manager Jesse Kipp for a discussion on Cloudforce One — which is now generally available.
Read the blog post
Visit the GA Week Hub for every announcement and CFTV episode — check back all week for more!
English
GA Week
Transcript (Beta)
Thanks everyone for joining. Today we're kicking off GA Week. As our CTO wrote this morning on our blog, John Graham-Cumming, we ship a lot of products early access.
We can put them in your hands as quickly as possible and get useful feedback.
This week we're announcing the maturation and GA of quite a few products.
And one of these is our CloudForce One offering.
So back in June, we announced CloudForce One, been working with early adopters.
We've learned a lot from them. We're now GA as of this morning, and we're excited to get more and more customers using the offering.
I'm joined today by the head of the team, Blake Darché and Jesse Kipp, our engineering manager for the team.
I'll let them introduce themselves and we're going to have a bit of a conversation here about the offering.
Blake, can you start please? Sure.
I'm Blake. I run CloudForce One. I came from the National Security Agency and after that I worked at CrowdStrike for a couple of years.
Jesse? Hi, I'm Jesse. I've been at Cloudflare for a few years now and I started out an engineering team early on in the Cloudflare Zero Trust offering, delivering threat intelligence data to Cloudflare products, which has now grown and we're taking care of data from CloudForce One as well.
Terrific. Thanks for joining guys. So Blake, let's start with you.
You came over with the Area 1 acquisition closed earlier this year, April 1st, I believe.
What's kind of been most exciting for you so far about coming to Cloudflare as you think about the offering that we've announced?
Yeah. So I think there's a couple of areas.
One of them is just the level of visibility and data that we have.
So we get to see a lot of different interesting attacks on the Internet today because we're a service provider and that gives us an incredible capability to provide some really unique insights to customers.
And how does that differ?
The fact that we operate that infrastructure and protect customers, how does that help us and differentiate from maybe some of the other threat intelligence and offerings out there?
So I think there's a big difference in the market between organic and inorganic data and organic being data that you're able to derive from your own products.
And we're in a unique position to be able to do that.
A lot of other vendors can't do that as much and they're very much dependent on trying to say mine tweets off Twitter or off the dark web and things of that nature that attackers aren't really operating in that space.
That's not where the attack occurs.
That's maybe where they talk about it, but the attacks occur on the real Internet, not in the dark web.
And there's, I think, a lot of focus on the dark web when there should be a lot more focus on the real Internet.
Yeah, the so -called dark web gets a lot of press, but definitely hear you there.
I think one of the things that's interesting is I think about the blog post that we wrote and how we talked about it was we operate large -scale Internet infrastructure largely for the benefit of the Internet, right?
Our message is to help build a better Internet.
And some of the things we do, they're definitely not done for the purposes of helping identify threats, but they happen to do that in sort of a passive way.
And so Resolver 1.1.1.1, of course, certificate transparency logs. So some people might not be aware when a SSL TLS certificate is issued for browsers these days to trust it, that actually gets logged.
And there's some cryptographic functions that sort of make sure that that can't be tampered with.
And so we operate a certificate transparency log.
Obviously, we're processing many, many millions of requests per second for our customers on the website, more recently, the actual network data.
And so we're routing multiple petabytes per day to our customer's network and proxying trillions of those web requests.
And of course, now with Area 1, many millions of emails are analyzed for threat purposes as our customers ask us to protect those.
So let's jump in a little bit to the announcement.
So what are the kind of the key takeaways of the announcement that went out this morning?
I encourage everyone listening to actually go read the post, but what are you sort of most excited about as you think about the offering?
I'm most excited about being able to provide unique insights to customers about what's going on out there so they can understand the risks that they face and make the best decisions on how to mitigate those risks.
Often, you see things in the newspaper, it's very difficult to understand in the newspaper how many of those things are factual or not factual.
We strive to provide actual correct reporting 100% of the time based on data here and make customers aware of what's actually going on on the ground.
It's for them to take the appropriate action.
Yeah. And I think you and I were talking early on when you came on board and you mentioned to me one of the ideas behind Area 1 initially was having a sort of threat intelligence and offering it up.
And then sort of the fact that it's actually, there's data and making it actionable and easy to use.
I think we talk a lot about our customers being inundated with data.
They subscribe to all these data sources and like, what do you actually do with that data?
And so as I think about this offering, it seems like making that actionable and reducing the burden, not just sort of inundating with people is one of the key takeaways there.
The other thing is, if you think about the offering we've talked a lot about, we're taking security data and sort of threats, but also tooling, which we'll get to in a little bit as we talk to Jesse and people.
And so access to people, this is a new thing for us at Cloudflare.
We've long sort of been asked, hey, can you give us a briefing on this particular topic?
Or can we make requests to investigate something? Can you talk a little bit about what an RFI process looks like and why that's important?
Sure. Yeah. So we built the RFI process or the request for information process.
So customers could ask questions and say, hey, this thing occurred and we're trying to get some more insight on it.
What can you share? And then we could have someone on our side, look into what kind of data we could pull on it and then assemble some information about it and then share it back with the customer so they can understand what's going on.
Sometimes these are used for an incident response investigation.
Sometimes they're used for a issue that they think they might have a vulnerability in.
They have some legacy payment system maybe, and they're concerned about it.
Are we seeing anything about that system being used or targeted on the Internet today?
Things of that nature. So being able to provide that unique insight from the Cloudflare side really provides a lot of value to a lot of customers.
And how, as you think about your team, how have you structured your team?
Is it sort of one big CloudForce one team or there are sub teams? How are you organizing it to kind of effectively answer those questions for our customers?
Yeah.
We tend to organize into kind of specialized areas. So like malware analysis, reversing is an area, as well as cryptography.
And then an area like just threat analysis, just looking at the threat and then eventually Intel analysis, kind of looking at a set of threats and figuring out what they say together about maybe where intent is moving from various actors or an actor group over a series of reports.
And can you tell me a little bit about the team that you've assembled or these people you've worked with in the past?
Like what is the profile that you sort of look forward to build out your team?
Sure. Yeah. We have an awesome team. Everyone on the team is pretty much from the NSA or has some NSA background at some point, and then has various other backgrounds after that.
So we have people that have a background in cryptographic analysis.
We have people that have background in tracking threats for the government.
We have people that have background in malware analysis.
We have people that have background in kind of like more special operations, data sharing, Intel sharing, things of that nature.
So kind of the full gamut of what you need to run a successful Intel organization.
Cool. And excited to open up that RFI process available today. If anybody listening is interested, you can make those requests.
We'll soon be in the portal under Security Center in the Cloudflare dashboard to make those requests and kind of have a history there to provide that information and make it referenceable.
So Jesse, I want to jump to you for a little bit. Can you just tell me a little bit about your role and what you're doing today and kind of how it fits in with Cloudflare SWAN?
Yeah. So my team, our goal is really to take all of the threat intelligence data that we get both from Cloudforce ONE and as well as from engineering efforts and from curated partnerships and make them available in across Cloudflare suite of products.
So whether we're talking about application services and making data available in the WAF, the paid shield and bot management, or Zero Trust and making it available in gateway or our network services like magic firewall, plus things that span across services like logging, dashboards, security center and radar.
And so the idea is we're taking in all this threat data and we want to be able to disseminate it to all Cloudflare products, to the products that it's relevant to in a way that is similar across all the products as well.
So the vision is really about taking the toil out of building and maintaining your network security infrastructure and enable you as the practitioner or the person operating your network to focus on what's the policy that's appropriate for your company.
And then let Cloudflare take care of, all right, how do we execute that policy?
How do we get all the data that comes in to the right products to be executed in the right way?
That's a really good point. And one, I think I glossed over at the outset is like from a purpose and function perspective, the team is first and foremost to make the Cloudflare products more secure and better.
And so we've got offerings that you can buy and deploy to your team.
Blake and his team, of course, are getting sometimes advanced notification of threats.
They're identifying threats organically themselves and building those back into the product first and foremost.
If we can automatically block something and prevent some sort of threat, you don't need to ask questions about it later.
We can just give you a report that says, here's how we're able to do it.
So really important part of the team for sure.
Can you talk a little bit about Jesse, the types of data that we are both building into the product, but also starting to expose in the investigations portal within Security Center?
Sure. Yeah. So a big focus from the start of the product and continues to be threat indicators and both indicators of compromise and I guess potential threats.
And so the idea is for domains, we provide a large set of categorizations that include both different types of security threats, either by tactic or by over a source, and then manage lists for IP addresses.
And we also label URLs for customers that use like gateway and page shield, those products that have visibility into layer 7 HTTP traffic.
And so we apply the labels and put the IP addresses in lists and then they get surfaced up in the dashboard and in your logs for you to take access to.
And then logging, that allows you to take the data and your logs and integrate them into your seam or however you monitor your applications.
Yeah, that's a good point. I think one of the requests I've gotten over the years is, can you allow us to treat traffic differently that's coming from open proxies, which may be indicative or more likely to be abused?
Or can we deal with traffic coming from behind VPNs in a different way?
And so it's been great to see you and team working with Blake and crew to identify methodologies for us to surface this and identify that and give customers control of those lists and say, I want to by default, maybe not treat it any differently, but these endpoints or I need to handle this a little differently.
And so I talk to customers about adding tools to the toolbox of our rules engine and giving them the ability to leverage those however they see fit.
I think one of the things to ask you about too is from a UI perspective, obviously we're letting people go and type an IP address in or a domain name, or even these days a URL.
And I want to get to the phishing and malware detection in a second, but what about API access?
Is that something that people can use to kind of integrate into their internal systems?
It is, yes. So we have an API that is available to look up different facts or even ask us to go out and scan a particular URL.
So you can go in and you can ask, what is our classification for a domain name?
What is our classification for an IP address?
Hey, scan this URL. We saw this suspicious URL in our logs, scan it and tell us what you think is on it.
And we give all that back and give all the answers back to you for you to do what you with your own security automation that's appropriate for your company.
Yeah, absolutely. And Blake, I have to imagine on the area on email security side, you probably see a lot of links being sent to our customers and those links have to be some sort of threat that you would want to analyze.
Can you talk a little bit about how threats may be sent via email and how we can use those models to help protect our customers?
Sure.
Yeah. Over the last 20 years or so, threats have really moved to link-based threats.
Everything's become a link. By like 2010 or so, files started dying as the main delivery vector.
And today, everyone is just trying to send files via links.
So you'll see like a file hosted on a SharePoint site or on a Google Drive or some other third-party sharing site that's generally legitimate.
And they're taking advantage of that legitimacy in order to try to distribute a piece of malware.
So yeah, it's really tough out there with files and links in particular going to files.
And so you need to do a lot of different scoring on those with a lot of different machine learning models to really understand what they look like.
There's always an attacker trying to take advantage of some sort of esoteric file format, something from like Windows 3.1 timeframe that still works on Windows for whatever reason that no one's sure about.
I was more of a fan of 3.11 for workers, but 3.1 was a favorite as well.
I think the thing that is kind of hit home for me is you're not sending attachments these days, right?
And that are sort of easy and obvious to scan.
Like if somebody shares a file with me on Google Drive, that file's not coming in, but I'm getting a link to that file, right?
And so one of the things that's really cool on another part of the business that kind of the Cloudflare Zero Trust, Cloudflare One side is those links that come in via email, you may want to route those requests through a remote browser isolation product like we have.
And so just seeing kind of the email and then threat intelligence getting married with the remote browser isolation product is really cool.
And customers seem to be excited about that.
So I'm great to see that rolling out. I want to move a little bit to the other tooling that we're announcing as part of the product.
So if you're a security team today and you're running, whether it's a SOC or just a group of security analysts, there's a lot of tools you need to be productive in that environment, right?
And so one of the things that we talk about in the blog post is how do we build those tools and give them to security teams to make their jobs easier?
And so Jesse, one of the ones that I'm really excited about, I want to hear from you on is the Sinkhole API.
Can you tell me a little bit about that? Sure. Yeah.
So the Sinkhole API is a new API that we are launching as part of the Cloudforce One offering, and it gives our customers the ability to start up a sinkhole, which is going to be a server that responds to HTTP.
And you choose your ingress method to it, which at the moment is going to be an IP address.
And for example, the gateway product allows you to override a DNS response.
And instead of sending whatever the DNS that would have come back from the authoritative server, you can send back the address of your sinkhole.
And what happens is then if your users get that response back and say a piece of malware is running on their device, they will reach out and contact your sinkhole and that request and what metadata and potentially any body that's part of that request will get logged instead of going to the command and control server or whatever endpoint that was targeting.
So this is a feature we're really looking at useful, thinking of as useful for investigation and incident response.
As kind of the network perimeter, the traditional network perimeter has eroded and people are all over the place because of COVID or just because of the way that devices are just now ubiquitous.
This really puts some capabilities back in the hands of security teams that maybe were lost over the years.
So you've got somebody who's in Italy, checking in from a coffee shop, Cloudflare has a pop in Milan and that pop will enforce your DNS traffic and it will capture sinkhole traffic.
I think what's most exciting about this offering is it really lowers the barrier to entry in the sinkholing world.
A lot of customers and a lot of clients, if you don't have a really large security team, you couldn't do things like this before because you didn't have the staff to create these things and man them.
And we're basically have shrink -wrapped a sinkhole here and made it accessible to the masses, which is really cool and will help defenders worldwide improve security.
Yeah, absolutely. And I think one of the things that's really cool about building products at Cloudflare and launching them is we talk a lot about one plus one equals three.
How can we take two products that may be unrelated in some way, put them together and get something that's greater than the sum of those two parts.
And one thing that's kind of fun here is we've got this bring your own kind of IP range offering, which we initially did for layer seven traffic, HTTPS traffic, and then enhanced that quite a bit for a magic transit product where we're taking layer three and routing that and providing security protections there.
You can automatically do that with the sinkholing traffic, right?
So if you want to use your own IP space, maybe you have your firewall set up to have these egress filtering rules and say, I'm only going to allow traffic out to an IP that is within this range owned by me.
You can do that automatically with the sinkhole.
So that was really cool to see how easy it was to take that existing offering and pair that together.
Blake, what are some of the things, why is it useful to have the data maybe that a compromised device is trying to send out?
What would you actually do with that from a research perspective and sort of trying to figure out the threats there?
Yeah, so you can look at that data in bulk.
There's payloads associated with that data. You can run detections on the payloads and look to see, Hey, is this a compromised asset?
Is there information about my assets going out here and things of that nature?
It's super useful for doing a response investigation and just general security hygiene.
And I think the way we've shrink wrapped it and put it into logging format will really allow customers to explore that data in mass looking for say callback beacon intervals, things of that nature automatically without having to really struggle to do that.
So it's a really great capability. Well, and one of the things that we also announced in the post was we're doing a briefing coming up that normally is reserved for Cloudflare's one customers or subscribers to the offering.
But for this one, we're going to open it up to everyone.
And can you tell me a little bit about that?
Obviously a large part of what your team does is track threats, whether they're trying to use the Cloudflare network or elsewhere and focusing on our customers.
But can you tell me a little bit about what we're going to talk about on, I think it's October 12th.
Yeah. So we're going to talk about a new threat group we're calling Yakking Yeti, which is a Russian threat group that is targeting entities in the Ukraine, as well as entities elsewhere and discovering their TTPs, looking at victimology, things of that nature over the last couple of months since they've been active.
Cool. So if you're interested in learning more about the types of briefings that Blake and his team conduct, definitely go sign up for that webinar.
The link is in the blog post, and we are excited to share a bit about that.
And there's going to be a lot of research published right in the dashboard.
And this is going to be one of the new kind of finished Intel reports. But we're also putting out advisories there and then other deep analyses of threats.
What about from a briefing perspective, like what can customers expect?
Are we going to do anything that's industry specific? Obviously, this is kind of very broad focus, but what about like threats facing particular industries?
Yeah, I think over time, we will be doing industry specific briefings focused on or event based briefings as well.
Right. So like the Ukraine invasion was a big event or an industry like a lot of targeting, say, during coronavirus of pharmaceutical industry or something of that nature.
So I think industry and event based briefings make a lot of sense and will be a great value to customers.
Cool. And what about we talk about external threats?
And a lot of this is what you're tracking. But what about insider threats?
Like how does that fit into the Cloud Force One offering? So I think insider threats are a great example of what can fit into a great Intel product.
And you know, through our FishGuard team, FishGuard team that was part of the Area One acquisition, we have some visibility into insider threats and we seek to distill that visibility into Cloud Force One reporting to provide customers a view of what's going on in the insider threat that's affecting different organizations.
Oftentimes, customers are blind to the insider threat unless they had that exact insider threat or they didn't even know they had that insider threat.
So we're trying to provide more visibility under the types of insider threats that are occurring out there and the types of espionage campaigns, whether they be human or SIGINT based.
Yeah, I thought it was really interesting to see that some of these threat actors are targeting employees of companies like directly via LinkedIn and that sort of thing.
I think those are probably threat factors that most people don't think about, right?
Is somebody going to reach out to try to recruit somebody in your company via LinkedIn and how might you be able to protect against that sort of thing?
Absolutely. And I think it kind of falls within the lapsus area as well, where we saw the lapsus attacks where they were trying to recruit people via email or different messaging platforms.
They're all kind of an insider threat related issue and it's good to have visibility on what those are.
Cool. And one of the things we also are including in the security tools to go back to you, Jesse, for a second is the what we call insights, right?
So I talked to a lot of customers that say, it's great that you give us all this data and what threats are blocking, but what I really want is, what is that order checklist that I need to go through to kind of iteratively improve the security posture of my organization?
And so we as part of the security center did some of the insights that were really focused on things that you had told us about, right?
So if you've added a DNS entry and we know of a particular server we're protecting or you've configured a WAF in front of it, by the way, you can do it account wide as of today with the account wide WAF, we can give you a lot of insight to that.
But one of the things I'm really excited about as we look forward to kind of what's coming next from your team is the ability to go actually progressively scan the Internet and find assets that may not be either known as security team or not yet sort of under the Cloudflare umbrella from a protection perspective.
Can you tell me a little bit about what this scanning project is looking like and how might that fit into security center?
Yeah. So this is a project that really has a lot of different applicability across different types of things, different types of security research, but one area is definitely identifying assets that are part of your own network that you as an IT administrator might not be aware of, or like a development application that somebody has spun up, for example.
And so given an IP range or an ASN, we're going to have the ability to go out and scan that and look for open ports, what's running on port 443, what's running on common development ports like 8080 or 8888, 8443, and just provide a view in security center.
And if you have a IP network and we go out and scan it and we find services, for example, HTTP services that are not protected by Cloudflare, not proxied by Cloudflare application services, protected with access, we can raise those as a security insight for your security team to go track down and figure out how to protect those.
Cool. And one of the other things that I'm really excited about too is the ability to identify sites out there that are purporting to be your organization, right?
So we're going to find stuff that is your stuff that you haven't told us about yet and help you sort of bring that under a good security posture.
The other thing we're going to do is point out stuff that, hey, this might be, excuse me, somebody trying to fish your users.
And we could spend a lot of time talking about the recent phishing attacks, but can you tell me a little bit about how we're actually identifying what might be phishing and what's not?
What are the actual methodologies we're using to determine that?
Yeah. So we, as Cloudflare, have a big stream of host names coming in to us from passive DNS, from gateway, from resolver, from certificate transparency logs.
And we're launching the customers to be able to put in a pattern or a brand name that's relevant to them and look for domain names that have that pattern appearing in it or near replicas of it, right?
Like the classic thing is replacing an L with a one or something like that.
But also there are also Unicode homograph attacks where there's multiple letters that actually look exactly the same in in Unicode.
And we'll raise an alert on the Cloudflare dashboard to you about that.
And that might be something that you want to go in and block in your gateway configuration or go and get that taken down if it's something that is that serious.
And yeah. Cool.
Yeah. And I think obviously today we're going to expose that in the dashboard, but a number of people have asked about, is there a way to access that via API?
They have maybe a tool that they're using on premise and they want to pull in and enrich their data sources.
And so we're, as part of the offering now, we have very high volume API limits.
And so if somebody wants to integrate this into their platform for their internal security team, definitely open and interested and would love to chat with you.
Just as a PSA, if you'd like to learn more, there's a form in the blog posts.
If you go to blog.Cloudflare.com, there's a form you can fill out and we'd be happy to give you details on the offering, let you know sort of what's available today and what's on the roadmap.
As with any Cloudflare product, we're continuing to sort of build and enrich and release tool after tool as we get feedback from early adopters.
So really interested in hearing what is useful, what is not, and where would you like to see us focus next?
There's going to be more reports that are going to start to appear in the security center for CloudForce One subscribers.
And so you'll see a little bit of excerpts of those. If you're interested and you're a customer today, please contact your account team.
We can get you some more information.
And to take us home here and wrap this up, I think the one thing that everyone's asking about is when is the CloudForce One t -shirt coming?
And so I know Blake has some ideas on that, but one of the ideas we were just throwing around is we're going to get some cool new t-shirts.
Obviously, this is kind of the traditional Cloudflare t-shirt.
We're going to get a team-based t-shirt and all new customers, we're going to send some shirts out too.
And so I'm excited to see that happen.
With that, I want to thank everyone today for listening in.
And I want to thank Blake and Jesse for explaining a bit more about CloudForce One.
If you'd like to hear more from them or you'd like to talk to them directly, please reach out and we'd love to set up some time.
And so with that, thanks guys.
I appreciate your time. Thank you. Thank you. Bye.