🔒 What Launched Today - Monday, March 4
Presented by: Ankur Aggarwal, Himanshu Anand, James Chang, Kristina Galicova
Originally aired on September 18 @ 1:30 PM - 2:00 PM EDT
Welcome to Cloudflare Security Week 2024!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Kristina Galicova, James Chang, Himanshu Anand, and Ankur Aggarwal.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
- Changing the industry with CISA’s Secure by Design principles
- Introducing behavior-based user risk scoring in Cloudflare One
- Navigating the maze of Magecart: a cautionary tale of a Magecart impacted website
For more, don't miss the Cloudflare Security Week Hub
English
Security Week
Transcript (Beta)
Hey everyone, welcome Security Week. My name is Ankur Aggarwal. I'm based out of San Francisco and I'm a product manager here at Cloudflare.
Today I'm joined by a couple of our blog authors for topics we talked about today on our blog and we wanted to deep dive into each one of these.
So to start off, I'm going to turn it over to James to walk through user risk scoring.
Thanks Ankur. Hey everyone, I'm James.
I'm a private marketing manager based in New York City covering the Cloudflare One portfolio and specifically that's our Azure Trust and SC security platform.
Today I'm going to be telling you about the launch of a set of new capabilities, user risk scores, which is our way of detecting risk in an organization based on user behavior and the activities that we see going on within an organization.
This is a great way to help improve security posture throughout your organization.
The problem that we really try to keep in on is that in most traditional IT and security organizations, staffers spend a lot of time, a lot of intensive labor, a lot of money going to analyze log data to figure out how risk is changing within their business.
And of course, modern organizations, that really can't be the case.
The risks are evolving so quickly. And so with the launch of risk scoring, Cloudflare is able to really simplify that process of doing that risk assessment in a contextual way in a real -time way so that organizations can adapt to risk as it evolves within the organization.
So here's a little bit about how it works.
We apply a lot of machine learning techniques and analytics techniques and some AI to help analyze the telemetry of user activities and behaviors that pass through our network to figure out what activities we are seeing that could be abnormal, potentially suspicious, or that could indicate some compromise that could lead to danger for your organization, whether that's a data leak or something worse.
So based on the behaviors that we're classifying as suspicious and risky, we can then assign that individual user with a risk score of high, medium, or low.
So for example, one of the detection policies that we have in place is something called impossible travel.
And if we see, for example, that a user has a successful login from two different locations that they could not have realistically traveled in during the time period, then we can flag that as potentially high risk.
Similarly, if we see users triggering a lot of DLP policy violations within a narrow time frame, we can frame that as risky as well.
So when I'm referring to DLP violations, I'm referring to data loss prevention policies.
So for example, if a user is interacting with or moving sensitive data like personal information or health information, financial information in ways that they really shouldn't.
So those are just a few of the examples of detections that we have in place today.
And this is an area we're going to continue to invest in going forward.
User risk scoring is very easy to set up within the Cloudflare 1 dashboard.
And it's available as part of our entire portfolio. These types of risk posture detections are also known as user entity and behavior analytics.
This is increasingly important in the world of SASE and Zero Trust where organizations are trying to be more identity centric, trying to be more contextual in how they are identifying different pockets of risk in their organization.
And it's our priority to continue building on some of the foundational elements that we introduced today with this broader host by building up more models that evaluate risk across an organization and making it even easier to enforce policies based on the risks that we're seeing.
So in a nutshell, that's what we've launched today. Yeah. Anything you want to add there, Ankur?
Actually, yeah. This is actually something that's super near and dear to my heart.
I'm a product manager on the Zero Trust side.
So seeing user risk scoring put onto the platform, I think will be super helpful for administrators in just getting kind of like what you said of like the contextual risks being flagged and then filtered for their user traffic.
Because it truly is a pain to kind of go into say each individual log line and kind of do the analysis yourself.
But making that easier for administrators by flagging it for them up front in the dashboard, in the UI for them, it just simplifies the whole process.
So thanks, James. Thanks for walking us through user risk scoring there.
Next, I want to turn it over to Christina to kind of walk through our secure by design principles.
So over to you. Thank you, Ankur. Hello, everyone. So my name is Christina.
I'm a product manager and I work with some of the internal services here at Klavler.
And I'm currently based out of Lisbon. So as Ankur mentioned, we released a blog about changing the industry with CISA secure by design principles.
So we can now go over what this really means. What is the secure by design that we are mentioning here?
So secure by design describes a product where the security is baked in rather than just bolted on.
So rather than just manufacturers addressing security measures reactively, and as they come, for example, with security incidents, they take actions to mitigate those risks beforehand.
Another part of the secure by design is also secure by default, which means that products are built to have the necessary security configurations come as default and without additional charges.
So why is this important and why do we want to talk about it?
As nowadays, we know that technology has become a big part of our lives, particularly after COVID-19, which allowed for remote work and remote education, which essentially everyone started spending more time online.
And this is particularly tasty for those attackers that could come and without proper safeguards, they can get access to a lot of sensitive information such as user information, financial records, or logging credentials, and so on, where they can be used for really malicious activities.
And yet, despite these dangers, security is treated more as an afterthought rather than an integral part of a software's design.
So when a customer buys a product, they are not guaranteed security.
And oftentimes, it becomes the user's responsibility to ensure that their product is secure instead.
While users, we still think that users should have some degree of awareness for security and they should take some precautions, it should not be fully the user's responsibility to handle it.
So this is why the secure by design principles are important to bridge that gap and bring sort of like a change to the technology industry.
So CISA presents us with three principles, which are first of us, take ownership of security outcomes.
This one is pretty straightforward.
We want to take ownership and responsibility of the security outcomes for our customers.
So we evolve the products in a way where security is integrated from the start, and the security burden does not fall solely on the customers.
Particularly in Cloudflare, we can see this, for example, with our Zero Trust security, or we're moving to more memory safe languages, such as with the HTTP proxy Pingura, which moved us from the unsafe C to the more memory safe Rust, or we have the secure by default, where we have unmetered DDoS, or ML computed WAP attack score.
So those are all kind of like examples from Cloudflare, how we adhere to this principle.
Next principle by CISA is embracing radical transparency.
This means that we take pride in our security and our safety of products, and we're being transparent with it, and we share information.
So that is kind of built on a belief that by sharing information with each other, we can learn from each other, and that way create a more safer Internet or safer world, as we would want to say.
So for example, with Cloudflare, again, we have the Cloudflare block where our customers can see not only the good stories of our improvements, but also our more failed attempts or some backlashes that we had, for example, like some security incidents, such as the one we had in Thanksgiving 2023, which was a pretty big one.
Or we also submit transparency reports to gain the trust of our customers to really report on what requests to our customer information we get, we have received from law enforcement or other government entities.
And the last principle is leading from the top, which this again means that we build organizational structure and leadership to achieve the goals of secure by design products.
So that means not only just incentivize to build secure products, but to really make it a part of our business goals for the company.
So for example, for Cloudflare, our chief security officer reports to the CEO and presents at every board meeting, which really makes it a part of our security, like a connection where everyone knows what is going on with the same security and everyone knows that it is important to us.
Also, our security engineers are part of the main research and development organization, with their work being as integral to our products as our system engineers.
With these three principles and how Cloudflare adheres to them, we encourage also every other software manufacturers to be a part of this change to the industry and to familiarize themselves with these CISA principles and work to implement them themselves.
And for individuals, they can of course as well help.
They're highly encouraged to spread the word about cyber security, but also it would be great if they would participate in, for example, the public bug bounties, such as the one that Cloudflare has.
You can find it on our blog that we blogged about.
And there you can help us discover our security vulnerabilities and also get financially rewarded for their efforts, for your efforts that you're providing.
So yeah, that's what I would say about these secure by design principles.
This is encouraging. That's awesome, Christina. It's always been a really cool thing to see here at Cloudflare of how we truly abide by these principles and really bake these into the products.
But not only baking them into the products, we're also now baking them into the organization and how we really attack each one of these things.
So that's awesome to hear. Thank you for sharing that.
Now, the last thing I wanted to kind of touch on or we want to touch on today here is just a brief overview on kind of Magecart and how we've added some protections to both Highlight and Protect our users from this.
So over to Himanshu to tell us a little bit more.
Hey, thanks, Ankur. So let me start with my introduction.
I'm Himanshu. I'm working for Cloudflare a little over two years. I'm located in London and I'm working as a firewall security analyst.
And in a suite of so many different security products, we recently are a relatively new product as a patient product, which is more aligned towards the JavaScript injected website or the websites which are infected with unknown or malicious JavaScript.
And that's where the whole Magecart thing is. The idea behind Magecart attack is the attackers inject JavaScript within the website and whenever a customer visit the website and they try to input any PII, which is mostly in this case is credit card information and financial information, what they tend to do, these JavaScript code, they use hooks or they use overlays or they use different kind of attack, TTPs, which is like tactics and practices to exfiltrate that information, that PII from the victim website to their website.
And that's the core concept of Magecart.
And Magecart attacks in itself are not very new because we have been seeing similar kind of attacks since very long and there have been some really big key players within the IT industry who got impacted by these attacks.
And not just the credit card information or financial information, this interestingly can impact all the crypto websites as well.
So interestingly, think of a scenario where the website is infected on a JavaScript which just changes the wallet ID from the real wallet ID to the attacker's wallet ID.
And whenever someone is trying to make a transaction to the wallet ID, they ultimately making a transaction to the attacker's wallet ID and then there is no point of turn back.
And at the end, once they have these PII, these card information, they use it for financial gain.
Either they sell it as dumps within the underground or they test it and use it by themselves.
Once they have the information, all these PII and credit card information, depending upon attacker, how they want to use it.
And at the end, if these kind of attacks are going up and customers are impacted, we at Cloudflare develop this product name we call Payshield.
And how it works is as we know, the Cloudflare is in between the real website and the customer.
So we have the capability to inspect the JavaScript and whenever we get the content which is served by the website, we use our ML model which inspect or analyze the JavaScript served by the website.
And if as per our machine learning model, it comes out to be detected as malicious or suspicious, we alert the website to investigate it and remediate it in terms of the customers won't get impacted and we can protect the customers of the website from any unknown or third party unknown or malicious JavaScripts.
And these attacks are getting more and more advanced recently.
So we are seeing new new TTPs what they are using and new practices what they're using and the JavaScript is getting more and more obfuscated which is hard to analyze and the places where the sandbox browser sandbox protects the website, at the end they are doing an overlays on the website and trying to steal the PII using it.
So our blog post what we did during the security week, which got published today, is all about analyzing one such attack what we found in the wild and we did the deep analysis of what JavaScript is, where the attackers were posting all these children information, how to de-obfuscate that script because the script is like pretty big blob of not easy to understand code.
So we do obfuscated it, we analyze the whole parts of it and we analyze different segments of the script and then we wrote it in the blog post and at the end we have given some guideline to the customers who are either Cloudflare customers or who are not Cloudflare customers what they can do to protect their website or to protect their customers from such kind of attacks.
So that's the whole idea behind Magecart attack.
Thanks Manju. And kind of taking a look at this, how would a customer today go about say setting up PageShield?
Yeah, so setting up PageShield is surprisingly very easy.
As per my experience, most of the Cloudflare product are like super easy to configure.
So it's just like one-click deployment and if a customer wants to use it for their website, there is PageShield segment on the left-hand side in the dashboard and they just have to like, I think it won't take more than three clicks to protect their website against Magecart kind of attacks.
So it's relatively straightforward.
Awesome. And then are there additional points or additional toggles I guess customers can turn on to protect themselves from Magecart style attacks?
Yeah, certainly. So for Magecart specific attacks, what we have observed is most of these attackers target the vulnerable websites.
So Magento websites which haven't got bash and in such kind of scenarios, it's best to use web application firewall, which is another Cloudflare service what we offer to protect from such kind of vulnerabilities.
So whenever an attacker tries to infect, because for injecting JavaScript, they need to access the website and for accessing the website, they exploit such kind of vulnerabilities.
So if they use WoW, essentially we can block the attack at level one, but Magecart would be more of a level two attack if the website is infected because of any attack, then how we can protect the end users or end consumers of the website.
Awesome. Thanks Himanshu.
And with that, I want to just wrap up our segment here. Thank you all for joining us to talk about our three of our highlighted posts from this week, James with user scores, Christina with our design principles, and Himanshu about our protections for Magecart style attacks.
And I want to let everyone know, we'll still have a plethora of announcements coming this week, particularly focused around Zero Trust and our Cloudflare One efforts and community efforts as well.
And with that, thank you all for joining.