🔒 Welcome to Security Week
Presented by: Reid Tatoris, Dan Gould
Originally aired on March 22, 2023 @ 6:00 PM - 6:30 PM EDT
Welcome to Cloudflare Security Week 2023!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Dan Gould and Reid Tatoris.
Tune in all week for more news, announcements, and thought-provoking discussions!
For more, don't miss the Cloudflare Security Week Hub
Transcript (Beta)
Hey everyone. Hello. Welcome to Cloudflare TV. We are here to kick off Security Week 2023.
Very, very exciting stuff. My name is Dan. I'm with the product marketing team here at Cloudflare and I'm joined by one of my esteemed colleagues, Reid Tatoris, who's effectively the architect for the week.
How's it going, Reid? Hey, Dan, thanks for having me.
Yeah, no, my pleasure.
Well, really excited to talk to everything that's coming up in Security Week this year.
And Reid, I'll actually pass it over to you. You know, when you think about Security Week, you know, from a high level, what do we have planned?
What are we thinking about? Um, so I'm on the application security product team.
We talk to customers about security all the time.
I want to start with a story that I think is really interesting.
About a month back, I was at a CISO dinner, so a lot of CISOs and CSOs across a bunch of companies: banking, e-commerce, some gambling, some retail companies.
And so it was an interesting dinner where I was kind of a fly on the wall.
And while I talked to customers a lot, this was really interesting because I got to listen to customers talk to each other.
What were their big problems? What were their big challenges?
And what surprised me is the most common thread that came out of this was at a high level, like, how do I convince my internal teams to do the things I want them to?
I was more expecting someone to say I'm worried about API security, or maybe I'm worried about some of the new advanced Magecart attacks that I've seen, and those really generally didn't come up.
Um, there wasn't even a discussion around like, how do I manage multiple cloud vendors?
It was really over and over again, "How do I get humans to do the secure thing?" or "How do I get humans to not do the insecure thing?" Um, and this brought to mind what happened to Cloudflare in July of last year.
We had a phishing attack, um, where the attacker had duplicated the Cloudflare Okta login page exactly, beautifully branded.
They had a spoofed Cloudflare domain that looked really similar. It was Cloudflare-okta.com, but not a real domain.
Um, and they then sent texts to our employees, and we had a couple of employees that clicked on the link because they were human and humans make mistakes. But when they clicked through, we weren't actually breached, because of a couple of technical things we'd put in place and also because we had spotted that this domain was a potentially suspicious domain set up for phishing.
And so we blogged about this last August and the exact same attack hit multiple other companies.
And we had really big-name companies that were breached and that had an exposure to this attack.
And that to me brings to mind the type of modern attack that a lot of our customers deal with.
It is less about which technology do I use to secure my application and more about how do I protect my employees from being a vulnerability.
And we've seen more and more phishing attacks like this get frequent over the last year.
Um, so that's kind of the theme for us, I think.
If any of you recall Security Week last year, probably no one does.
But we talked about Cloudflare making this transition from, uh, you know, a handful of years ago we started with protecting websites and that's really how we thought about security.
We shifted then to protecting applications because no longer were our customers just using websites, but they also had a single page app or they had a mobile app or they had APIs and we needed to protect all of those things.
And I think this year now we're making the shift from protecting applications to protecting customers' organizations and in particular protecting the employees within those organizations from doing things that they don't want to do.
Yeah, and in fact, maybe I forgot to mention this to you. So I was sitting in this very seat, Reid, this summer when I actually got one of the texts from that octopus attack you were talking about.
And obviously, you know, fortunately we work in security.
And I thought, hmm, I doubt, you know, Cloudflare is going to text me asking me to log in to this random Okta page.
But I think it does illustrate your point.
Like it's probably no wonder CISOs and security leaders are worried about their employees, given the fact that they're in the crosshairs.
I think attackers have realized, hey, if a company is taking its security posture seriously, maybe the easiest way in is trying to target humans and occasionally coax them into making, you know, a poor decision, or just, you know, taking advantage of their lack of knowledge here.
So I think it makes sense that they both shared this with you at the dinner and also it naturally has become a theme for us this week.
Well, and Dan, just want to back up, too, and say, I want to point out we had people click on that link, right?
So it's excellent that you didn't. But we're a company where everyone at Cloudflare thinks about security all the time.
We have lots of security trainings.
We're always thinking about this and we had people click on that link.
So, you know, if you have employees that click on phishing links, that's just going to happen.
It's not a measure of those employees not thinking through or it's not a measure of you being less secure.
And that's, I think, the reason it's really important to put these procedures in place so that even when humans make mistakes, it's okay.
Yeah.
And we have the technology to back it up. And also, it's sort of a, you know, we have a supportive culture and I think that's important in security.
If somebody does make a mistake, help them not to make it again versus, you know, getting them in hot water.
And I feel like that's actually been a very sort of, you know, proactive way to help employees make better decisions and actually the CERT is very active in all of this.
So fortunately, again, it didn't affect us, but it did impact so many other companies, which I think, again is why it's probably not a shock that security leaders share with you that, you know, protecting humans, coaching them, helping them make good decisions is such a priority.
So something else that I think has come up or, you know, we've talked about a little bit where we're thinking about Security Week is the notion of like security sprawl.
Right?
There are lots of tools. There's, you know, tools everywhere, and so much that it's almost a paradox, right?
Like the more tools you have, like, does that actually make you less secure?
Right? Is there some sort of crossover where it's just there's too much to manage?
It actually generates insecurity versus more security? How are we thinking about that this week?
Did that come up with, you know, some of the leaders or how is that reflected in this week?
Yeah, that's a topic that comes up a lot.
And I heard almost an exact quote like just what you said from the CISO of a large online gaming platform that, like the more tools you use, the less secure you are.
Often you can say, well, if I had five different vendors, that is five layers of security.
And everyone in the security world talks about defense in depth all the time.
But I think the thing you have to remember is if you add five vendors, you're also potentially adding five, uh, new vulnerabilities.
And so there was a, well, I shouldn't say, but there was a recent password manager that had a big breach, and that breach was because a cloud storage vendor they used had a vulnerability.
And so by adding a third party, they therefore became vulnerable and they had a massive breach that we've all, I'm sure, read about.
Um, and so, yeah, the more systems that you can have your employees or your contractors log into, I definitely think the, the more challenging that can become.
And if you think at a high level, adding multiple layers, adding multiple vendors like definitely adds complexity and almost all the time complexity is the enemy of security, right?
If you have one door, it's really easy to make that door secure and make sure it's locked.
If you have 18 doors, you're probably going to forget to lock one of them.
Or maybe you do lock them all, but you just don't pay attention to one of them because there's 18 of them.
And so I think that same principle applies when you're talking about protecting your company or protecting your applications.
Um, and that's actually going to be a big theme for this week.
So we have multiple initiatives where we're going to announce partnerships that make it easier to both deploy and manage Cloudflare Zero Trust tools.
And so we talk to customers every day, and I think often the biggest challenge we hear is either I don't have the time to migrate to Cloudflare or it's just such a burden.
And so we are now allowing customers to integrate with tools that their teams are already using.
You don't have to ask people to do things differently, but you can manage those tools from within Cloudflare.
Um, we've got, I think 4 or 5 different partnership announcements that are all going to do that same thing to make it easier for you to manage Zero Trust across multiple tools.
Yeah.
And that's something that, you know, hopefully people watching, people listening won't be surprised by.
Ease of use and ease of management is something that has long been a real principle of Cloudflare, and you'll see that this week in terms of making sure we fit into an organization's security workflows versus the other way around.
So, you know, there's that. And what's more is we're also continuing to make it easier to streamline your security management, understand your security risk at a glance and quickly address things.
And so there's a lot of interesting news, and we don't want to, you know, um, blow our cover on any of the announcements for this week.
But tune in this week and I think you'll see a lot of developments as we were just saying, in terms of integrations and also easier ways to better manage Cloudflare security risk.
So really powerful stuff there. Um, something else that we talk about a lot.
You know, I think with the group, we can maybe share this a little bit more about what we'll see this week.
But we think about ways to automate security a little bit more, make it, you know, hopefully a little more automatic, maybe take the burden off of those teams who are already stressed out and they're trying to stitch together their security elsewhere.
You know, how would you think about the ways we'll bring automation into Security Week?
Um, yeah.
When I hear customers talk about automation, I think there's two things they're trying to do.
One is they want to free up time from their employees. For every company, employees are a huge investment and you want to have as much time available.
But then I think even more specifically is making sure that humans can do the things that humans are really good at.
Um, and I think that generally boils down to critical thinking.
If you think of something like filling out a vulnerability ticket like that is kind of a task that anyone can do, right?
You don't want your smartest people spending their time filling out tickets all the time.
You want them looking at a problem and then thinking about how do I solve this unique problem?
So at Cloudflare, the way we try and do that is by leveraging machine learning.
And that's because machines are really, really good at spotting patterns.
And so at a high level, machine learning is the process of training a machine to recognize what a good pattern is.
Um, and then once you do that, those machines can also recognize a pattern that is an outlier.
Essentially find the bad patterns.
Now, humans are really good at finding patterns as well, but it takes a lot of time and you would need a lot of humans to do that.
Um, and so when I think about how do you use machine learning, it's you want to train those models, train computers to find those patterns.
So there's a couple of reasons that Cloudflare has a distinct advantage there.
One is that in order to train any machine learning model, you need a dataset.
Cloudflare sees almost 20% of the Internet.
We have the largest dataset of anyone. And what we do that's unique is all of our detection algorithms, we run on every single Cloudflare request, regardless of whether you are buying the particular tool that we're training.
And so we just have this massive, massive dataset that no one else can train off of.
And so that makes our models really good.
Um, the other thing though, that's unique is that Cloudflare has a really unique network.
Um, we built this network that is super distributed.
We have data centers extremely close to all of the end users. And that's an advantage because since our data centers are close to the end user, we can run model inference in real time really quickly.
And if you think of other big cloud providers, they definitely have hardware that is more high powered than ours.
But usually if you want to run inference on one of those machines, you're going to have to send back to a regional data center.
And you know, in the US, you're talking a few data centers for most of these big companies and that latency is huge when you go, when you're making that extra hop.
And so because of our unique network, we can actually run this model inference really quickly.
And we're talking in a matter of a couple of hundred microseconds, not milliseconds.
And so that means the models that we have built today, in the recent past, we've used for a while to catch DDoS attacks, to catch malicious WAF exploits and to identify bots.
Um, this week we have a bunch of announcements that talk about how we are using machine learning to do, to find new types of patterns.
So things like fraud, things like different things with classifying and identifying API endpoints.
But we've got a whole day this week dedicated to that where you can go and see all of the ways we're using this machine learning pipeline that is unique because of the network we have and how we're deploying that in new types of ways.
And I think that's really important because what that means is you're going to be able to protect from new vectors, attack vectors that you couldn't protect against before.
Yeah, indeed.
And something you mentioned I think is really important. And again, people shouldn't be shocked when they hear this.
You know, you were talking about our unique network and the fact we really run all of our machine learning models everywhere, at every data center, allowing us to really deliver that powerful protection, but basically with no performance trade-off.
And that is something, right?
I mean, judging from last year's Security Week, I'm not saying we will or we won't do it, but, you know, performance is something that's very, very important to us, particularly when, you know, organizations need to have a really strong, effective security posture.
So I think people can anticipate seeing some information from us about, you know, our security.
And when it's turned on, the powerful performance they get, so there'll never be a trade-off for performance when people turn on security.
That's something we're really, really serious about and we'll never ask people to make that compromise.
Yeah.
Dan, one thing, one other story I want to add there is so when I started at Cloudflare a couple of years ago, I have worked in the bot management space before and I knew one of the challenges with bot management is adding latency.
There's a couple of companies that I saw that added 15, 20 milliseconds of latency, and they advertised all over that.
We're super fast, we only add 15 milliseconds of latency. And when I got to Cloudflare, we were sometimes running two milliseconds of latency and the team was getting crushed for that, saying that is not fast enough, you've got to be faster.
And so now it's under half a millisecond and just I haven't seen any company that has the crazy obsession with performance as Cloudflare does.
Yeah, no, and that's, I think, to the benefit of our customers.
So something that, you know, and I think every Security Week and really actually it seems like every Innovation Week, there's always a performance post.
That's how serious we take it.
Every month or two you'll see us talk about our performance because we hold ourselves accountable here.
So really, really interesting stuff. So something else I wanted to think about or chat about a bit is enabling employees to sort of be their best, do their best, given the fact that, as we were talking about before, they're targeted constantly by attackers.
And so I think that will also be something we'll see throughout the week is, you know, making sure that organizations can best support their employees to make great decisions while they're just trying to do their best at work.
Yeah, we have multiple announcements this week that are designed to prevent humans from making mistakes.
This is probably not going to make sense to anyone, but like the idea of Kanban in Japanese manufacturing that started in the late 80s where, like, rather than teaching people how to correctly screw on a car part, you make it impossible for them to put the part on the wrong way.
We want to do that same thing. And very recently there was a large mobile cell phone provider that had an attack where they had an API that was exposed that was supposed to be a private API.
And that's an example of, you know, there's a mistake where a developer doesn't realize that an API is exposed.
It's an accident. But if you can prevent that from ever happening, I think you're going to make all of your employees lives a lot easier.
And so we've got multiple announcements about, for example, like how you can give companies, give employees alerts before they click on an email link that might be malicious, or if companies do click on an email link, how you prevent that link from ever hitting a website that's malicious.
Um, and then similarly like on the API side, we have products now that are going to allow you to detect APIs that are exposed as soon as a developer might accidentally expose it.
And so you get an alert and you don't have to go searching for them.
You can just see them all in one place.
So yeah, that's another big focus for us is taking some common mistakes that people inherently do and then just preventing them from doing that so that their lives become easier.
Love it, I love it, I love it.
And you know something else I wanted to quickly mention.
We'll see continued enhancements to our data localization suite. It's something that actually we take very seriously and I know our customers' prospects appreciate it, particularly those in the EU.
But we'll bring additional controls to our data localization suite to, you know, just ensure organizations have as many choices as possible when they're deciding where their data is processed and handled.
So I think that is something we continue to enhance.
So, you know, with that said Reid, you know, before we wrap up here, anything else you wanted to share with the group?
Any other highlights that, you know, we want to have people be on the lookout for this week?
Um, I think you covered all the big categories.
I should say we have more than 30 announcements, so there are a lot of them.
I hope people read all of the blog posts.
There's tons of detail on all of them. Um, yeah. And if you're a security professional, if any part of your job involves trying to make an organization more secure, I think and I hope that by the end of the week you'll have read through these announcements and Cloudflare will have made your job a little bit easier.
And so really that's our goal for this week is making it simpler and more efficient for you to do your job, which is protecting whatever company, organization, application, website that you're trying to protect.
That sounds great.
Well, I'm really excited, Reid. Thanks for all of your hard work getting the week in place.
And we look forward to seeing everybody else in other Cloudflare TV sessions, and please check out, keep your eyes on the blog this week for all of our news and innovations.
So, thanks for joining us. Thanks a lot, Dan.
The real privilege of working at Mozilla is that we're a mission-driven organization.
And what that means is that before we do things, we ask what's good for the users as opposed to what's going to make the most money.
Mozilla's values are similar to Cloudflare's.
They care about enabling the web for everybody in a way that is secure, in a way that is private and in a way that is trustworthy.
We've been collaborating on improving the protocols that help secure connections between browsers and websites.
Mozilla and Cloudflare collaborate on a wide range of technologies.
The first place we really collaborated was the new TLS 1.3 protocol, and then we followed that up with QUIC and DNS over HTTPS and most recently the new Firefox Private Network.
DNS is core to the way that everything on the internet works.
It's a very old protocol and it's also in plain text, meaning that it's not encrypted.
And this is something that a lot of people don't realize.
You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.
When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.
The idea was that Cloudflare would run the server piece of it and Mozilla would run the client piece of it, and the consequence would be that we'd protect DNS traffic for anybody who used Firefox.
Cloudflare was a great partner with this because they were really willing early on to implement the protocol, stand up a trusted recursive resolver, and create this experience for users.
They were strong supporters of it. One of the great things about working with Cloudflare is their engineers are crazy fast.
So the time between we decide to do something and we write down the barest protocol sketch and they have it running in their infrastructure is a matter of days to weeks, not a matter of months to years.
There's a difference between standing up a service that one person can use or ten people can use, and a service that everybody on the Internet can use.
When we talk about bringing new protocols to the Web, we're talking about bringing it not to millions, not to tens of millions.
We're talking about hundreds of millions to billions of people.
Cloudflare has been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it.
And they've also been willing to throw those logs away. Really, users are getting two classes of benefits out of our partnership with Cloudflare.
The first is direct benefits. That is, we're offering services to the user that make them more secure and we're offering them via Cloudflare.
So that's like an immediate benefit the users are getting.
The indirect benefit the users are getting is that we're developing the next generation of security and privacy technology and Cloudflare is helping us do it and that will ultimately benefit every user, both Firefox users and every user of the Internet.
We're really excited to work with an organization like Mozilla that is aligned with the users' interests and in taking the Internet and moving it in a direction that is more private, more secure and is aligned with what we think the Internet should be.
Cloudflare is one of the providers we use within Telefónica Tech to provide advanced cloud security services to our customers.
I am RUM; I am the Director of Sales for Emerging or International Markets at Telefónica Cybersecurity and Cloud Tech.
Hello, my name is SEO Munoz.
I am a Sales Specialist within Telefónica Tech. Grupo Telefónica is a communications group with a customer base of approximately three million.
Telefónica Tech is part of the new Telefónica's strategy to help customers make digital transformation a reality, providing digital services such as cybersecurity, cloud, IoT and big data to all its customers.
We trust our systems. Integrating Cloudflare into our security measures gives us an additional, very efficient way both to monitor the attacks against the portals, to provide assured service continuity and, above all, to improve the quality of interactions with users on the portal, with the activation of Cloudflare on other systems.
The speed of access to web resources increased by more than 20 percent compared with the speed without the use of Cloudflare. Among the attacks we receive there can be anything from denial-of-service attempts and distributed denial of service to the use of malicious malware, ransomware, etc.
More than a thousand security-related events have been detected and stopped, from events caused by bots to possible attacks that attempted to target resources within the Telefónica portals. Several problems on the web and in navigation could be monitored, fixed and resolved thanks to Cloudflare.
We have seen malicious foreign actors attempt to subvert democracy.
What we saw was a sophisticated attack on our electoral system.
The Athenian project is our little contribution as a company to say, how can we help ensure that the political process has integrity, that people can trust it and that people can rely on it.
It's like a small family or community here.
And I think elections around the nation are the same way.
We're not a big agency. We don't have thousands of employees.
We have tens of employees. We have less than 100 here in North Carolina. So what's on my mind when I get up and go to work every morning is what's next?
What did we not think of and what are the bad actors thinking of?
The Athenian project, we use that to protect our Voter Information Center site and allow it to be securely accessed by the citizens of Rhode Island.
It's extremely important to protect that and to be able to keep it available.
There are many bad actors out there that are trying to bring that down and others trying to penetrate our perimeter defenses from the Internet to access our voter registration and/or tabulation data.
So it's very important to have an elections website that is safe, secure and, foremost, accurate.
The Athenian project for anyone who is trying to run an election anywhere in the United States is provided by us for free.
We think of it as a community service. I stay optimistic by reminding myself there's a light at the end of the tunnel.
And it's not a train.
Having this protection gives us some peace of mind that we know if for some reason we were to come under attack, we wouldn't have to scramble or worry about trying to keep our site up, that Cloudflare has our back.
Security is paramount at Outdoorsy because our entire platform is built on trust and safety.
People are literally handing over the keys to a super expensive RV. There's a massive element of trust.
My name is Nathaniel Hill. I am the director of engineering at Outdoorsy.
Outdoorsy is an online RV rental marketplace with the goal of reconnecting people with the outdoors.
Prior to Cloudflare, Outdoorsy was repeatedly scraped by competitors and bad actors, and we found it extremely difficult to prevent.
It's an unfortunate situation where we don't want to cause friction for our renters browsing inventory, but we also don't want people to be able to download the entire inventory.
At Outdoorsy, since implementing Cloudflare Bot Management and WAF Protection, we have been able to focus more on the customer and our product, and we spend far fewer engineering resources configuring and maintaining those.
Since Outdoorsy has been using Cloudflare, we have 4X'd the size of our engineering team, but we actually spend less time now, I would say less than half of the time configuring our security rules.
Prior to Cloudflare, we did not have a strong security posture for our self-hosted resources.
We began to realize it was only a matter of time before we had a data breach or an attacker was successful.
And so we were looking for a solution to secure those resources.
So Outdoorsy has always been a digital native company. We've never had any on-premise servers.
Adding a VPN would seem almost like going backwards.
Our Access users are located all over the globe. They're all using Access for our self-hosted resources.
Cloudflare Zero Trust has eased employee and contractor onboarding and made it much simpler to access our internal tooling.
I would say that Cloudflare Zero Trust has made it at least 25 to 50% faster to grant access to our internal tooling to new team members and contractors.
The security landscape is difficult enough.
I think that I feel like I have a fighting chance there with Cloudflare.