🔒 Welcome to Security Week 2024

Hey everyone, welcome to Cloudflare TV and Cloudflare Security Week. My name is Ankur Aggarwal.

I'm a product manager here at Cloudflare working on Gateway, which is a part of our Zero Trust suite of products.

Today, I'm joined by Grant Bourzikas, our CISO here at Cloudflare and Daniele Molteni, who is a product manager in our application security services based out of London.

Now for Security Week, we love to highlight just a bunch of new features and also just really efforts that we're working on here at Cloudflare during the week related to both application security, Zero Trust and a lot of other topics we have here at Cloudflare.

So I'm going to turn it over to Grant to tell us a little bit more about Security Week.

Thanks, Ankur.

Hi everyone, this is Grant Bourzikas. I'm chief security officer here at Cloudflare and I also run all of the Cloudforce One intelligence platforms.

So I am super excited to be here.

This is my first Security Week here. I have just been here just 10 months and this is something I think is near and dear, special to what we do.

This is one of the reasons I wanted to come for Cloudflare. All the innovation, all the things we do, and I posted a thing on LinkedIn this morning, we have over 20% of the Internet that comes through us, 170 billion attacks, 95% of all people on earth are within 50 milliseconds of our platform.

And when you think about it, what better way to build products when you have a lot of this data and telemetry?

And so I think this is a very interesting way, and you talk about AI, everything's about AI.

We're going to talk a lot about AI today, but I think it's even more important when you start developing and training models and building, choosing the company you want to work with in security, picking one that has a lot of data should be at eye of your list.

It may not be the only thing, but it's going to be high on the list.

So the first thing that I think is very interesting to talk about is really kind of what we've seen from a threat landscape.

And one of the things that we'll talk about working with the product team, Daniele Anker, Netnews, our new chief product officer, is how do we do customer zero?

How do we work internally? And so a lot of things we think about is working with the security team, working with authority teams to build products.

And so one of the first things we saw was kind of five kind of threats and risks that I see that were very relevant to Security Week.

One is denial of service. So we've seen a lot more attacks this year.

We talked about HTTP2 rapid reset a few months back and the amount of incredible attacks that we've seen that were two, three, four times the size.

The amount of thought leadership to Cloudflare also provided from responsible disclosure.

We haven't seen as many of those attacks as we thought because the industry came together and did a very good job of preparing all the businesses together to do it.

The other thing that we're seeing this year, and it's something that is actually relatively easy to determine from an attacker perspective, is what type of DDoS protection are you running?

And so over the years, backdating 10 years, 15 years ago, we saw a lot of network layer attacks, layer three, layer four.

This year we saw a lot of seven, but what was interesting about the seven, layer seven application attacks, we're seeing on APIs.

We're also seeing mixture of layer three and layer seven attacks.

And we're seeing things, mix of on metric and message per second.

So not just one avenue of attack, but we're seeing multiple ones.

So I think that's a very interesting piece for everybody to look at.

Do I have denial of service across the board versus choosing one that we think is most relevant?

The second one that we're seeing from a threat landscape, and this is one that's near and dear to my heart, is the supply chain attacks.

We've talked about internally what is going on with Okta and our Thanksgiving Code Red blog.

Those are great blogs to go on if you go to blogs .Cloudflare.com to talk about.

But again, this is another one to really pay a lot of attention to as you're going through.

Some people are in very large security organizations that are listening to this.

I've worked in organizations of 1500 security people with a billion dollar budget.

Early in my career, I've had five people on my team, and there's a differing variant of things.

But what you know is when you choose a vendor, making sure they have the right security is very key, making sure they have the right sophistication.

But if you get a chance, look, there's actually a video that we did and the two blogs on the Code Red and Thanksgiving incident.

The third one I think is very closely related to is we're seeing very sophisticated attacks from threat actors that are wanting persistent access.

We saw this firsthand. I've talked to a lot of CSOs that ask us how we did it, and they saw very similar things.

You talk about the Verizon data report that's gone on for years and years, and they've done a tremendous job on it that, hey, average time to dwell.

But what we're seeing is a short period of dwell, maintain persistence and access with a lot of reconnaissance.

And then the thing that we're also seeing with this is that the execution is scripted and automated.

They're building these environments in their test labs as they do the reconnaissance, and it's reconnaissance internal, not reconnaissance external, reconnaissance internal to try to pull back systems to be able to script it.

And I think that's another amazing thing that you're seeing these attackers get more sophisticated, being very quiet and then executing very quickly.

AI, we haven't talked about AI yet.

And I think this is the other one. We're seeing an increase in AI power attacks.

Still early, right? I think when we think about deep fakes, that's the big elections we'll talk about here in a second.

But with the deep fakes, we're seeing $25 million wire transaction.

We've seen some Beverly Hills-type team footage that's not good.

We're seeing robocalls. And I think this is something we're going to see more, especially with the elections coming up.

But also, I think there's some things we're not talking about.

So things around model poisoning. How do I inject data as people are developing models to give it a different report?

Model content moderation. So even what's going on in the model? What if I put something in the model that's bad that I don't want to trade secret?

How are we protecting those?

All very interesting things. And so when you look at security, and we're going to talk about, I think we have a really cool announcement coming out, like how do you protect your models?

How do you protect model poisoning? How do you protect deep fakes?

This is all the stuff that's going to be coming up. We'll see a lot of it this year.

But I think over the next 3, 5, 10 years, it's going to get substantial.

And the security companies are going to have to take a big piece of this.

And then API growth. We did an API survey. Over 57% of all traffic on the Internet is API traffic.

So we're moving away from HTTP to API. And then I think 31% of what we saw were APIs that IT didn't know about.

So the old systems that people are developing that nobody knows what they are, what they are.

Easy threat factor for this.

And so I think this is something from a complexity is very hard because DevOps is moving quickly.

There's a lot of clouds capabilities with the providers, even us as a provider with our workers AI is pretty interesting.

So I think that's a key thing as we think about the landscape.

And then the other thing, I think, when we talk about security week and priorities, emerging trends, I was just in Davos and spent a lot of time with some world leaders.

I've been to all the Cloudflare Connects.

You know, in New York, we were in Sydney, Chicago, London, talked to customers.

I was on a Black Hat. There was also a great survey we did in APJC on cyber readiness.

And then this year, I met with over a hundred customers. And so I always think there's kind of four themes that we were targeting and how are we going to do it?

And what does it look like on what it is? And the first one is AI, right?

What is, how do I respond to the opportunity and risk of AI? What does that mean?

I talked to somebody this morning, you know, that a year ago, we were just stopping.

No AI. Now we're embracing AI. And I think this is going to go forward as we look at it.

And so I think the opportunity is very key. And something that I think that I hear a lot of, but how do we enable AI?

And I always think, well, my first question is what is AI, right?

Are we talking about policy and regulation?

Are we talking about governance of AI? Are we talking about building models?

Are we talking about what data's in the models? Are we talking about deployment and inference of models?

Or are we talking about data sovereignty, which is closely related to policy?

And I think as we look at this, it's going to be, you know, AI security means what?

And it's a whole process with how we do things just as a, you know, kind of a development lifecycle process.

And that's going to be key.

One of the predictions I made earlier in the year was that we'll have our first model breach this year.

Somebody will start targeting models, right? It's a matter of time before somebody gets into an organization and manipulates key models.

So that's one of the I think is popping up. The other one is how do you protect the complex attack surface with, you know, economic restraints?

And so I'll kind of put complexity in this one too, because you know, it's hard that, you know, budgets, what we're seeing are flat, maybe a little bit more, maybe a little bit less.

But I just said, we have all these AI risks, right? So how do I fund, you know, new AI initiatives if my budget's only going up a little bit?

And I think this something we're seeing every CISO, every security organization I'm seeing has this.

I'm going to Australia next week and I'm going to talk to some people.

I'm sure this will come up. I have too many tools. You know, I've seen organizations have 50, 60 tools.

And so there's a lot of cost. And so when you're a security organization and you have 1500 people, 50 tools may be okay.

But if you're a smaller organization, you have 10, 20, 30, 40, and you got 50 tools, you won't scale.

And I've even worked in organizations that I've gone in, not a Cloudflare where I've had six web application firewalls.

Like how do you manage that?

Do I, you know, you need 10 people across the globe to manage these. And I think that's becoming very constrained.

And what that does is create complexity, right?

You know, how do I create a consistent, you know, Internet security posture or plane if I have six web application firewalls?

How do I think about things if I don't have all my users being routed into one central place?

How do I not know, or how do I have concerns around what models are being produced if I can't protect them?

And I think this is the thing that we're saying is with simplicity comes good visibility.

And without visibility, you're going to, you're leaving yourself in the dark for these advanced attacks.

And then, you know, the other one we're hearing a lot of is, you know, the geopolitical conflict, we're seeing an increase in cyber activity.

We've seen it, in the last years with Russia and Ukraine and the conflict, we saw, and there's some amazing blogs that we've written from the Hamas and Ukraine conflict with what's going on.

There's a rise in attacks tied to it.

We saw them ourselves with what happened with Okta.

And if we kind of tie this all back together, 4 billion people are going to be voting.

And I think that's going to be, you know, something that's very key, especially with AI deep fakes.

And something I think that, if we take a step back and think about, you know, the elderly, how are the elderly going to respond to deep fakes, you know, robocalls when it sounds like somebody is talking on this.

So I think these are things that, you know, when we look at and when we go, it's something to be very close to attention.

We're hearing this globally, we're seeing it globally.

And so we're going to talk today, I'm going to turn this over to Ankur, and he's going to bring back and talk about what we're doing here at Security Week.

Thanks, Grant. It was really helpful to walk through kind of why we're doing this.

And the reason why we're kind of putting all of these posts out.

So I want to turn it over to Daniele to kind of just walk through the different areas we're going to hit during the week.

Yeah, thanks. So we have a lot of launches, a lot of new stories that are going to be released throughout the week.

We have a total of 34 posts over the next four days, or five days, including today.

And we're going to touch upon all the product families here at Cloudflare.

So security here for us is security everywhere.

So this includes protect applications, protect employees and protect networks.

So any PMs in security at Cloudflare has been working very hard to ship new features and improvements for during Security Week.

And we have four main areas where we're going to launch new features and blog about.

Of course, AI, as Grant mentioned and discussed, length, also application security.

We have Zero Trust, blog posts, and also network security.

And then we have one extra area, which is a bit broader, is about more total leadership.

So we're going to also talk about how we do things at Cloudflare, what type of activities we are also spinning up to help make the Internet better across the globe.

So there's also very interesting stories there. So don't miss them.

And I know there are a bunch of blog posts that we announced today, especially related to AI.

Do you think you could walk us through some of those and maybe some of the additional application security ones as well?

Yeah, absolutely. So yeah, AI is super exciting, right?

It's the cutting edge of technology right now. Everybody talks about that.

And as Grant was mentioning, one of the key problems is securing LLM, securing AI.

Of course, it's very broad, so you can consider securing AI as a very, like you can take it from different angles.

But of course, from my perspective and application security PM, I've been working on a new way to secure LLMs from a traditional application security perspective, which means protecting the user and also the model by abuses.

So for example, if you think about a user that can send a prompt injection or trying to abuse a model to perform or try to trick the model to perform actions or exfiltrate data, for example.

So we are announcing the firewall for AI today, which is basically an additional layer of protection that can be deployed in front of LLMs.

So very excited by that. Other AI launches is, one is an AI assistant for our security analytics.

And basically, the assistant is a new way for our customers to interact with our product.

So we're basically using AI to power our tools and allow customers to better interact with our security analytics, draw dashboards and analyze the data just with natural language, basically.

So you can ask questions to our dashboard, and then you get the data printed or displayed on our dashboard.

And finally, we have the defensive AI blog, which is more like a framework.

We describe the framework we adopt when using AI in security products.

So we go over all our security tools and security solutions, and we discuss how we embedded AI to identify attacks more efficiently and also more effectively.

Because the problem we are witnessing in general is that attackers can tap into those new technologies and also they become more sophisticated, right?

So attacks now, they can leverage AI to become much more effective.

And one example is, for example, phishing attacks, right?

So attackers can now create phishing emails which don't have errors, grammatical errors, where they can look very credible.

And so you need AI to spot those attempts.

Anyway, enough of AI for now. If you're interested, go and check those stories, they're very, very exciting.

I'll just mention a couple of additional blogs on the application security space in general.

So anything that's to do with WAR or our product for client-side security, PageShield, for example, or API security.

So as Grant was mentioning, one of the key trends is increase in API traffic.

So 57% of all cloud traffic is API. So we're investing heavily in API security with our API gateway.

So during this week, we're going to have an announcement about additional feature for our API gateway about authentication.

So if you're interested in that, don't miss that. Another feature we're launching is about a new dashboard to track the deployments of security tools on Cloudflare.

Again, Grant was mentioning that sometimes companies have too many tools at their disposal.

That's also true for Cloudflare. So we want to make it easy for security practitioner, but also CSO to get a bird's eye view of what's deployed on Cloudflare, I mean, on their infrastructure based on our product.

So it's a single dashboard where you can get insight and recommendation of what to deploy.

And finally, one more release is about the client-side security. So again, the problem here is supply chain attacks.

So trying to reduce those attacks, more visibility on what's happening on your browser environment.

So very, very excited about application security launches as well.

We're going to have blogs throughout the week.

Thanks, Daniele. And I want to take some time to highlight some of the blog posts that we're going through for network security, Zero Trust, and just a few other topics here.

So for network security in particular, we have a few announcements queued up just about cloud connectivity and how we're making that easier for network admins.

So as Grant mentioned, as companies adopt additional tools and vendors, it can get very complex.

So we just want to make sure things that are easier to connect are also easier to secure.

So we'll have a lot of announcements kind of going towards those topics.

They both involve both cloud connectivity and physical connectivity.

And then on the Zero Trust side, we have a few announcements queued up, one of which was today, which was user risk scoring.

It's a great kind of platform for us to build and add features on top of.

Basically, it allows us to provide admins with a risk score to highlight any sort of behaviors that we see across many kind of events that a user might have.

So one example is something like impossible travel.

It's if a user logs in from two different locations in a close amount of time in which they could not have traveled in between.

And we want to use that to essentially build additional risk behaviors on top of.

That's just our first one that we're launching today. We have a few more announcements during the week as well, concerned around kind of more advanced filtering, and then also just an update on how we tunnel traffic from the Zero Trust client to Cloudflare.

Also for enterprise customers, we'll have a few campaigns related to those efforts to make it easier to migrate from any sort of current vendor over to Cloudflare.

Next, I want to highlight just some efforts we're doing or really helping make the Internet better.

So one is election security. So we're going to do a bit of a deep dive into our efforts around election security and maintaining and protecting democratic and free elections.

Also in the US, it's going to be Super Tuesday tomorrow.

So we'll have some good insights into what we see around that traffic and really what that looks like on the Internet.

And then also I know something that's near and dear to my heart as well as many other people is our lava lamps.

So we use lava lamps and a few other things to inject the randomness into our security here at Cloudflare.

And we'll have a great update into kind of what we're doing there and just some neat nerdy facts about it.

And then with that, I actually just want to turn it over to Grant just for some last closing words before we end here.

Yeah, I think that lava lamps and people are excited about the lava lamps.

And I think what we have to announce is going to be really cool.

So if you think lava lamps are cool, this is three times cooler. So something to stay tuned for.

And I think right as I look at the amount of blogs that we're producing, the amount of thought leadership we're providing, it's something this is a great week for security people, non-security people, network people, IT people to kind of look at what we're seeing, how we're writing blogs, how we're trying to solve the problems, how we're doing it with products.

And so I'm thoroughly excited I've been part of this process and how we built Security Week from inception.

And so I'm super excited to see where this goes. We get lots and thousands and thousands of hits and videos in the blog.

So people are interested in this and please read, please read because I think it's something that security is not a one person sport.

It's a team sport and we all need help. And I think as we look at this, and I think I kind of was thinking about it again, the same thing I started with, 170 billion attacks a day we stop, over 20% of the Internet comes through us.

The tools, the products that we're building, the engineering that's supporting is cutting edge to what is there.

I think Cloudflare is uniquely positioned in the future.

That's just going to be amazing things. And so I came here, I chose to bet on Cloudflare and it's been amazing and I can't wait for my second year.

So I'll turn it over to Ankur, but wonderful to see everyone and this is an amazing week.

Thanks, Grant. And thank you, Danielle, as well.

And thank everyone for joining for Security Week and Cloudflare TV. We have a bunch of blog posts still coming up for the next four days.

Please stay tuned and take a look at our blog.