🔒 Customer Cloudversations: Security Week Edition
In this Customer Cloudversations segment, Alaina Kretchmer will chat with John Turner, Application Security Lead at LendingTree on a list of security-related topics.
Transcript (Beta)
Hello, everyone. Thanks for tuning in. We are very excited for today's Security Week edition of Customer Cloudversations.
For those who don't know, Customer Cloudversations is a Cloudflare TV series where we showcase our customers, learn a little bit about who they are, what brought them to their current roles with their current companies.
We chat about industry trends, best practices, you know, all the good things, all the good and fun things that you want to hear about.
So we're very fortunate to have with us today John Turner, Application Security Lead from LendingTree.
But before we get into it, we'll do some quick introductions. I'm Alaina Kretchmer, Customer Advocacy Manager here at Cloudflare.
Thank you, Alaina.
I'm Candice Knoll. I'm a Senior Customer Success Manager here at Cloudflare.
I've been with the company for a little over two and a half years. And during most of this time, I've had the chance to work with John Turner and the LendingTree team as well, and also learn a lot from John Turner.
John, I know everyone wants to hear from you.
So I will pass it over to you. I think a good place for us to start would be if you could just tell us a little bit about your background.
And I don't mean your Zoom background, but your actual background. Tell us about yourself.
And also, how did you end up in the security space? Yeah, thank you.
So I'm phase shifting between realities right now. So you might see the background kind of fuzz out a little bit, but don't pay any mind.
I assure you that most of me is here at all times.
So thank you everybody for tuning in. And thank you, Candice and Alaina for having me.
It's always a lot of fun to talk to you guys.
So as I said, I'm the Application Security Lead at LendingTree. I'm responsible for making sure that the applications, the software, the services that we push out to the public are safe and secure and readily available.
So my background is fairly varied.
I've done things such as be a veterinary assistant. I actually sold cemetery plots and death and dismemberment insurance on the telephone in a younger time.
But now I've been in IT for a good 20, 25 years now, focusing in security for about the last 10.
So I've got a very wide range of experience across all verticals in IT.
So I'm really happy to be here today and looking forward to a great conversation.
So are we, and never a dull moment with you, John.
I try to keep it lively. Yes, you do. So great. So you said, obviously, we are at LendingTree now.
I can only imagine how important security is in the financial services space.
Can you tell us a little bit about what LendingTree does and why security is so important to not only the organization, but to your customers as well?
Sure. So LendingTree is an online marketplace for consumers to get the best rates on financial products.
They could be mortgages, it could be credit cards, any number of financial products that are offered by the hundreds of partners that we represent.
We provide a single stop shop for people to come and find the best rates.
We use advanced algorithms, data science to match people with the best lenders for the best prices, for the best result for whatever it is that they are looking to achieve.
Security for us is paramount. It's critical. It is actually the thing that makes us viable as a company because we're in the business of trust.
Consumer trust for us is everything. And any sort of event that would call that trust into question, a security event, a breach of data exposure could have severe negative impacts to our brand and to our business and obviously to our customers.
So we have to build security into everything that we do at every possible step.
So for us, security is not a bolt on. It's not something that we try to factor in at the end.
It's something that we integrate from the very beginning of every product discussion and everything that we do.
So that's the bottom line for our business, which is I'm sure that people that are listening to this now and watching this now can identify with that and say the same things because that's the way that it is now.
Yeah. Thank you. Thank you for your answer, John.
And I can definitely attest to the highest level importance that you and your team place at security at LendingTree.
One question that I have for you is how did LendingTree decide to switch to Cloudflare at first?
And how are you currently using our security products?
So we came to Cloudflare from another provider.
And sorry, as I move from one parallel universe to the other there. Still glitching.
We came to Cloudflare from another provider that many security products was kind of stuck in the past.
And by that, I mean standard static rules, the old way of thinking, not cloud native, not looking at dynamic marketing programs, flows, ebbs and flows of consumers coming in different marketing opportunities that we might roll out at any given time.
So we were running up against a lot of problems with the static nature of the old generation of cloud-based WAF solutions.
The reason that we came to Cloudflare was because of the approach that Cloudflare takes to this.
It's the amount of traffic that Cloudflare proxies across the network allows visibility to you guys and you guys capitalize on that and create rules and products and functionality that allows us to not have to think about what we're going to do tomorrow or next week or next month.
We can enable a base set of rules. We can enable a base process and it can scale intelligently with what we do.
So I don't need to have my marketing department come to me and say, we're going to be launching a new campaign and I need you to adjust your DDoS thresholds so that we don't block traffic.
It just flows with it. It's intelligent enough to compensate for that.
So that was the main draw. We were previously capped on certain parts of that infrastructure.
We ended up paying to prevent DDoSes from legitimate customers and traffic that we were driving to the system because of the old antiquated system.
So it was a pretty easy switch for us to, an easy decision for us to move into a next generation protection partnership with Cloudflare to enable us to scale at will on marketing campaigns and traffic.
So that was the real driver of the move to Cloudflare.
But I can say that that's not what kept us here, if that makes sense.
So I guess I'll leave it there and we can continue on to another question maybe.
Yes, definitely. I think I remember very well from our earlier conversations also discussing the importance of all these topics for you as well.
I think one thing that I would like to still hear a little bit more on is about how are you and the Lending Tree team currently using the existing products?
Sure. So that's a really interesting question because at one time I believed that we were using most of your products, but the development pace of products at Cloudflare has far outpaced our ability to use them.
So there's so many things that have come out that we've yet to have been able to capitalize on because they come out so quickly and they're also great and we need to capitalize on those things.
But the basics of the WAF protection, the automatic rules, workers for us, as you know, is a huge thing.
And for anyone that has not yet tried Cloudflare Workers, you need to get in there and check those things out.
I mean, that is a platform that allows you to run JavaScript asynchronously at the edge, Cloudflare's network, and they're constantly improving this, but I can't underscore the power of just that one thing.
A-B testing, any kind of interaction that you want to have with a user session as data traverses the network is possible through Workers and it's done so asynchronously so it does not mess up anything with the flow of the user.
There's no latency introduced and it's an extremely powerful thing.
I think you called it your Swiss Army knife at one point.
It is. That is my go-to because it's so powerful, so easy to use that it's my go-to.
And over time, we've been able to actually offload a lot of our functions that we would do natively inside of our own infrastructure with the same exact type of process, but we've been able to offload that into the Cloudflare network and that reduces latency, it improves performance, and actually reduces spend inside of our cloud environments because we don't have to scale up on certain things.
We can leverage Cloudflare's infrastructure. Definitely, yes. I remember hearing from you about the very valid advice of not seeing security as an island, but seeing it as an integrated piece of the business.
That speaks really well to that.
John, another question for you. As you know, this is our security week, and we're curious, what are your thoughts on the theme of today?
Today's theme for our security week is data loss prevention.
Could you talk a little bit about the importance of the theme to you and to Landing Tree as a company as well?
Sure.
DLP is, I mean, that's a huge concern, especially now with everyone being remote with COVID.
We've got everyone working from home, and it's been a real challenge.
In a standard environment where everyone comes into an office that we control and everything is kind of a perfect scenario, DLP is a standard challenge.
We can put things in place, whether it's an agent on an endpoint, which is not ideal, but we've got single control of ingress, egress, those kinds of things.
Now, that's completely changed, and we have to provide those types of controls across any environment, across any device, for any number of things.
We don't know, and what we learned over the past year is, we don't know what's coming around the corner.
We don't know what's coming next. So as security practitioners that are advising businesses, we have to implement products and technologies and partnerships that enable us to shift very, very rapidly.
So that's a real challenge now more than ever, because we have systems and people and processes that have been taken out of central control and moved into other places.
So DLP is a real challenge for every organization and us included. And we're all kind of struggling to figure out how that works, how we work around the dynamic nature of how we're doing business now.
I do really, really like how you guys have approached this.
This is pre -pandemic. You guys have created processes and systems and technologies that allow you to be remote, to be disconnected, yet stay connected, but also put those controls in a very transparent and portable way that does not require agents on endpoints, that doesn't require a lot of the traditional infrastructure or technologies that we would be normally looking at.
So it's been a real challenge for us. I think it's been a real challenge for everyone.
And it kind of reminds me, I watched this Netflix thing on Blockbuster. I don't know if you guys have seen that, but there's one Blockbuster store left.
It's in Oregon, in Bend, Oregon.
And it got me thinking about that, that there's a lot of nostalgia in certain things.
And we kind of tend to get stuck in a mindset of this is the way that it is.
And these new technologies are not good. They're not normal.
They're not what we know. We're not comfortable. We get scared of them. But then we have people like Cloudflare and others that are pushing that to say that, no, it's different, but it's the same.
And we can still do that. And I think that that's where we're getting to in not only technology, but also people and also business, that we can see this change.
And now we start to embrace these technologies of portable technologies, and especially in regards to DLP, where it's a real challenge to maintain compliance and also enable portability across whatever.
Because we don't know what it is.
I don't know what's coming out tomorrow or next week or next month.
What I do know is that these types of technologies enable me to tell my leadership that we're good.
We got this. Awesome. And I know as humans, we don't necessarily like change until we see the change.
And then we're like, well, that's pretty great.
Exactly. Then we change. Then we look back on things and go, oh, I want Blockbuster back.
I would kill for a Blockbuster. We're not going back to VHS.
It's not going to happen. This pandemic has definitely taught us to be adaptable to changes.
A lot of the notions that we had of things that we couldn't do remotely have been completely destroyed and replaced at this point.
Exactly.
Now we can do everything remotely. Yeah. And throughout history, it's these types of events that are the catalyst for meaningful and lasting changes, because it forces us to think outside of what we're comfortable with and to get us outside of that box, get us outside of the comfort zone and show us that a lot of the limitations that we experience as business leaders and security professionals and technology folks, it's just internal.
It's comfort and fear of the unknown and that kind of stuff.
And these are the events that push us forward in a meaningful and lasting way if we have the right partnerships, if we have the right attitude and we have the right perspective on it.
Yeah. And, you know, we're talking about it, so we might as well, you know, excuse me, ask it now.
I mean, with the pandemic and COVID, how has that really affected, you know, the cybersecurity landscape and what have you and LendingTree really done to navigate it?
It's, you know, this has been, you know, I've been I've been doing this for a long time and and this has been the the most significant event in my career, for sure, in terms of trying to protect, you know, my organization, my consumers, our data, because it's presented so many different challenges that we've just never, you know, it's been theoretical up to this point.
Well, you know, what if we did have to shut all the offices down and go remote?
You know, we can plan for those kind of things in a whiteboard session.
But, you know, we didn't have that opportunity and we all had to adapt to it.
And at the same time, the cyber criminals, they adapted to it as well.
They just did it a lot faster than I think a lot of businesses did.
And, you know, what we've seen is that there's been a massive shift to, you know, to our remote workforce.
That is the weak link in the chain. They're at home.
They're distracted. We're schooling kids. We've got all of these things going on.
So it's really easy for me to send a barely convincing email to you and get you to click on it because it has the right words in it.
It might have the logo.
And if we don't have, you know, defense in depth, if we do not have a layered approach to security that also covers people at their at their homes or their coffee shops or wherever it is that they're working from, then we're going to end up in trouble because we've enabled them to do business as they would in the office from wherever.
And the amount of attacks has stepped up markedly. It's really been, you know, it's something that I've never seen before.
We used to have, you know, attacks that were, you know, infrastructure, corporate based that were we were used to defending against.
And now we we're we're faced with trying to secure every device in every location at every time and every circumstance.
And it's it's been really, really difficult to meet that challenge.
But because we were, you know, forward looking in the way that we did it, because the way that we approach security, which is not a static thing, we've looked at security as partnerships, as you know, and you've heard it, I've said it before, right security at the speed of business.
That's, that's our goal.
That's what we try to provide. So the only way we can do that is through partnerships with with with organizations that also feel the same way, and are developing technologies for problems that do not exist, because eventually those problems will exist.
And with for us, fortunately, we were able to pretty much make our entire organization remote through a lot of hard work from a lot of people on my team and others in the organization, we were able to take things that up until this pandemic were never even considered possible for being remote.
And we did that in a very short amount of time.
We never missed a beat. We've maintained security.
And in fact, we've increased security. And, and we've grown as a company, we've we've done better.
And that's a testament to, you know, that approach of security at the speed of business and our partnerships.
So it's been difficult, but we've risen to the challenge.
But it's it's not just because of us.
It's because of partnerships like Cloudflare and others. John, John, thank you.
You mentioned security at the speed of business, right? And that is bringing back some of our conversations in the early days.
I know that security has always been top of top of mind for you and for your team.
But there was a very strong concern with how do we keep things as secure as possible without compromising the speed side of business or the user experience, right?
Could you speak a little bit to that and how how that process has been for you over the last few years?
So you know, that's, that's the thing, right? So we can we can secure things easy peasy.
It's really simple. We can unplug everything encapsulated in concrete thrown in the ocean and it will never be hacked.
We can provide adequate security by layering things on and consuming resources, introducing latency and impacting customer experience and employee experience and usability.
But, you know, those things aren't that's that's not a that's not a workable solution in these days where we're at right now.
You know, our our success is truly measured in milliseconds as everyone else.
We are in the business of serving content quickly, giving people what they want, when they want it on whatever device that they want it on.
That's a that's a difficult ask. And when you start factoring performance into that, it gets even more difficult because of the, you know, and not to be too cloud player centric here.
I know we're on TV, but this is not a sales pitch.
But you guys have made me look pretty good in several instances.
And one was specific to performance on our pages, page page speed metrics from from Google, where we were able to leverage the performance optimization features, pretty much click of a button and increase our performance.
So we've decreased latency, we've decreased the amount of time that pages load and all of that stuff by a an incredible amount, in some cases, you know, upwards of 60%.
It was so, you know, so such a radical change that the engineers at Google that, you know, saw this were floored.
You know, how do we do it?
Like, wow, that was amazing. We've never seen that amount of transformation in such a short amount of time, made me look great made us all look great.
But, you know, that's what our consumers care about.
That's they want speed, their security is not necessarily at the front of their mind, they want to click a button and have something presented very, very quickly.
So, you know, it's it's a difficult proposition to say, we're secure, but you're going to have to deal with some latency, or it might be this, or it might be that.
And I think that we've hit the perfect, you know, the sweet spot there with your technology to provide security, but also provide a performance boost.
And that's, that's really a, that's a unique thing, because normally our controls, consume resources, introduce latency, and generally are a pain to everyone.
And, and this is one that did the exact opposite.
So thank you. Anytime. Awesome. That's great. All right, on to the next question.
You are the cybersecurity expert. So we would just like to hear from you on what you see as the top security trends happening in the industry right now.
And what would you advise other cybersecurity professionals to really focus on?
So, yeah, that's, we're living in unique times. The challenges that we face as security professionals now have, you know, in some shape or fashion, have been around for a while.
But I believe over the last couple of years, they've kind of all converged and created, you know, the, George Clooney, perfect storm, if you will, right.
And what we're dealing with now are consolidated, organized, highly advanced threats, targeting supply chains, targeting our users.
It's, you know, it's, it's really, if you, if you get bogged down into it, it can be almost paralyzing to try to figure out how to deal with that.
You know, the, the thing that I would say to people is, you know, try to compartmentalize what's, what's going on, we can do some basic, you know, best practice stuff in your data center, egress filtering is going to be key.
All of the servers in your cloud should not be able to touch the Internet.
DNS queries should not be able to be made from a server out to the Internet.
We, you know, command and control traffic, you generally uses, you know, you UDP 53.
So DNS traffic, all of that stuff needs to be controlled.
And we have to understand that we are now facing a threat that we've never seen before.
We have nation state actors. But we also have the commoditization of malware.
We have advanced threat actors that are commoditizing what it is, you know, what they do, they figured out that it's really difficult for them to write the next, you know, killer piece of malware to find the next zero days and get that out to your users.
So they've created platforms, it's malware as a service.
And so now you have people that are really good at distributing spam and doing phishing and doing all of these things.
But they're not good at writing code, they're not good at, you know, finding vulnerabilities, but they don't need to be and these and these teams have paired up.
And, and what's that, you know, what that has done is create an environment of extremely advanced zero day vulnerabilities that are coming in from every different angle.
And, and they're really testing our ability to dynamically respond to threats that we don't know exist.
And, and it's, it's really difficult. So I would, again, say that, you know, it's, it's important that as security professionals, we don't get locked into products, we don't get locked into vendors, we don't get locked into what we know.
And we partner with companies, we partner with our vendors. The most important thing that I've found in my career, especially lately, to preventing any kind of security incident within our organization is partnering with the right with the right people, people who have a vested interest in our success, and that actually depend on our success, right.
So it's a symbiotic relationship, if I win, you win, if I lose, you lose.
And that's the real important thing. Because you can sell a product, you can make a marketing flyer, and you can do a commercial, and it all sounds good.
And everybody feels great. But that's today, it's not tomorrow.
So I would just say that, you know, we know what the threats are.
And that's that we don't know what the threats are. But there is extremely advanced, they're coming from every different angle, you will not see the next one coming.
So stick to the best practices. But most importantly, make great connections, make great partnerships with your vendors, and ensure that everyone has a vested interest in everyone's success.
Yeah, totally symbiotic relationship, you couldn't have said it any better.
I mean, we wouldn't be where we are without you and you know, our customers.
So definitely a good symbiotic relationship there.
And I think we're we're coming up to time, I'm not sure we do have time for another question.
So I will just go ahead and close out. And I just, you know, obviously want to want to thank you so much, john, for for joining us today for you know, customer conversation, security week edition, all chats with you are educational and entertaining.
And we just really appreciate you taking the time anytime and we'll definitely do it again.
At some point, I might do the Carlton.
We'll have some fun with it. And I would say if anyone hasn't checked out that blockbuster thing on Netflix, do it.
It's really informative.
And the manager there, her name is Sandy, she makes these knitted hats.
I ordered one just because you know, why not? It's a blockbuster beanie. I mean, why wouldn't I wear one?
I probably owed them 20 bucks in late fees anyway. So I was like, I figured that's the way I can give it back.
So that's the way you sound. Sorry.
That shall be my next purchase. My next Instagram purchase. Definitely. But thank you both.
It's been a pleasure. I always enjoy, you know, hanging out with you guys and talking and, and I really, really appreciate it.
So thank you. Thanks so much, john.
So
