🔒 What Launched Today - Thursday, March 7
Presented by: Chris Draper, Daniele Molteni, Radwa Radwan, Sally Lee, Zhiyuan Zheng
Originally aired on April 22 @ 12:30 AM - 1:00 AM EDT
Welcome to Cloudflare Security Week 2024!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Chris Draper, Daniele Molteni, Radwa Radwan, Sally Lee, and Zhiyuan Zheng.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
- Building secure websites: a guide to Cloudflare Pages and Turnstile Plugin
- Free network flow monitoring for all enterprise customers
- General availability for WAF Content Scanning for file malware protection
- Collect all your cookies in one jar with Page Shield Cookie Monitor
- Advanced DNS Protection: mitigating sophisticated DNS DDoS attacks
For more, don't miss the Cloudflare Security Week Hub
English
Security Week
Transcript (Beta)
Good morning, good afternoon, everybody. Welcome to another Cloudflare TV segment. Today we have a full house.
We are like five product managers here. My name is Daniele Molteni.
I'm a product manager for the applications in the application security group.
And with me, we have Chris, which is a PM for Magic Network Monitoring, Radwa, a PM for WAF, we have Zhiyuan, PageShield and Sally, a turnstile PM.
So very, very excited to have you here guys today. Again, this is part of Security Week.
So we have a series of segments, all covering the launches and the announcements for this week, Security Week for 2024.
And today we're going to go over a few of the new features and stories we have talked about on Thursday for this week.
So we're going to cover a little bit of the Magic Network part, turnstile application security and also PageShield.
Let's start from Zhiyuan. So you have launched a very exciting feature for PageShield for our client-side security solution.
Can you tell us a little bit more about what we launched, but also what is PageShield?
Very good question. Thanks, Daniele. And thanks for joining us at Cloudflare today.
PageShield, we launched as a rather young new product two years ago, focusing on the client-side security.
As many of you know, Cloudflare is very famous for the protection on the applications.
So we have mitigated DDoS a lot and many kind of attacks against the server side.
But thinking about the content transmitted to the end users, a lot of times we trust the content itself.
But given the attack surface is changing the client environment, basically what you're watching right now in the browsers tends to be compromised.
And what that means is that it will damage both the brand, the company that's serving the content, but as well as you as the end user.
And that's very important. Therefore, we start to look into how can we help our users to protect their users as well.
And that's why we launched PageShield. And go back to the first question about what we actually launched today.
We have announced a new feature called Cookie Monitor, and that we will be launching in a few weeks from now.
And Cookie Monitor allows you as an existing Cloudflare user, if you haven't tried Cloudflare, definitely start onboarding to it.
We will be able to capture the cookies used by your application, as well as the dependencies the application relies on.
And Cookie is especially important because that captures a lot of information about end users as well.
It's less risky in terms of the security compromises, but it's a huge risk in terms of privacy aspect.
Therefore, we have launched the feature for all the existing PageShield customers, and you will be able to monitor the cookies in and out used by your application.
Yeah. And I guess cookies is super relevant, right?
So we have a lot of also some legislation in some geographies, like in Europe, we have GDPR, where they dictate strict requirements on what type of cookies you serve, but also what you tell people about, okay, we are tracking you somehow.
But what is the challenge of monitoring cookies? Well, that's a super good question.
Monitoring cookies is a challenge in itself, in the sense that along the way from the content being sent from server to the client, anything can decide to add a cookie to the end user.
And the famous example is the Facebook like button.
And it was actually quite a very good invention in the past years of that like button is something that users would like to interact with, but embedding such a widget will actually save a cookie to the end users.
And that, of course, information will be shared to us back to the common advertising networks, and therefore that poses the risk.
So it's because of the dependency also along the way what systems can decide to add a cookie without even your notice of your as an application owner.
But on the other side, there's a huge challenge is about how can you actually get to know the applications that's behind, say, authentications requires username and password.
A lot of times it's very difficult to audit the cookies for such application.
And this application also uses cookies.
And because of the reverse proxy system that we built, we will be able to capture cookies very transparently, even for the applications that require authentication.
And I think that'll be really helpful once you start using it in a few weeks from now to be able to see what actually cookies are being used.
And a lot of times when you see the data, that will surprise you. So basically, if I have a page and I proxy to Cloudflare, I click, okay, I want to monitor cookies.
And then after a while, I just see the list of cookies that I've been serving to the end user.
Is that how it works? Yeah, indeed. That's very similar to the existing script monitor and connection monitor on PageShield.
So if you're already using PageShield, you'll be able to basically, once the feature is launched, you just wait.
It should be very instant to capture the cookie for you. And of course, similar to the script and connection monitor, we will let you as the site owner, whenever we observe a new cookie that's being served.
And you probably have to look into why that cookie is being served and what's the purpose, et cetera.
Yeah. And I guess this is very useful for reporting, for example. So if I have a website, then legally I can show what cookies I've been serving to users, which is probably very useful.
Yeah, that's great. And who gets access to this as a PageShield customer?
Yes. So we have decided to include Cookie Monitor to all the paid plans, similar to the script monitor itself.
So if you're already on the paid plan of Cloudflare, once we launch it, you will get it for free.
That's great.
So anyone with PageShield, just head to the dashboard and test this out.
Thanks a lot, Sian. Let me move to Radwa. So Radwa, welcome again. So you work on the WAF and you're launching a very interesting feature, or you are expanding the capabilities of a feature in the WAF.
Can you walk us through content scanning?
Definitely. So let me start with a background on why we have built content scanning at the beginning.
So most of the large enterprise environments have files and content stored on multiple places on their web servers.
And attackers know this fact.
They can upload malware to a website anywhere if the website can accept file uploads, such as a chat box, job application, if it's like a profile picture, anywhere, basically, if you are uploading a PDF, et cetera, et cetera.
So if an attacker is successful in uploading this malware to your website, then it can compromise the entire organization and it can open a backdoor.
So attackers can simply gain access to the entire enterprise network.
And of course, we don't want that to happen.
So last year, we started to build a solution to be able to enable organization to scan file uploads to their web applications in transit and to control what to do with the uploaded files through the web application firewall, where they can simply create rules to limit the specific size of a file or specific types of files and block any other types of files.
And they can also specify endpoints and have all of the flexibilities of the WAF simply to do this.
So content upload scanning is really cool for two reasons. First, it avoids having to build an anti-malware file scanning within every file storage solution that any customer use.
And the other thing is organizations can, instead of centrally scan files uploaded to their website or malware, they can do it in transit and they can block any files before they reach the web server itself.
So this is the whole story of why we have built WAF content scanning.
So far, WAF content scanning has been an early access feature where I think we announced it last year in 2020.
And this month, basically, we have worked on the feedback that we have heard on the early access version.
And most of the feedback was, please make the file size larger.
And we did that. We increased the scanning file size. So now it's 15 times larger than the first version.
It was one mega. Currently, it's going to be 15 MBs, which is really cool.
And we are excited to try out and roll out on our customers.
And simply, this is what - Which, by the way, which sounds like, I mean, it doesn't sound like a big deal, right?
Oh, we were already scanning one megabyte.
I mean, you could just do 15, but actually, it was a pretty complicated engineering challenge.
So this is why it took us a little longer than probably people expected.
Exactly. So the initial solution that we have built for the one meg, it was very simple.
And basically, it was an MVB. So we wanted customers to be able to scan their files.
And if we continued with this first solution, we were about to add 15 times the latency for each request that had content or had files for our customers.
That's why we had to spend so much time to try to overcome this latency issue and be able to overcome any added latency.
So instead of adding 15 times the latency, we would like to keep the latency as is, which is what we have tried to do with a new design or the GA version of that feature.
Yeah, because this is a problem with everything at Cloudflare, right?
So we are in the hot part of our request, which basically means a request comes in, we do some magic security, whatever we apply to the request, and then we send it to the server, the origin.
And whatever we do in that period of time, it should be extremely fast, performant.
And I guess when you start canning big files, then, of course, you have a challenge in terms of latency.
Of course, yeah, that's true. And can you tell us a little bit about, here we talk about detection mitigation internally, but how does the customer use this tool?
So do they have to create a rule?
Or yeah, how do they use the content scanning feature? So that's a very excellent question, because internally, or not only internally, in Cloudflare, we are adopting this concept, which is called detection and mitigation.
That's an important concept where we simply have been trying to adopt actually for a few years in our WAF, where we want to give our customers more power to create better decisions on their traffic from a security perspective.
So we enable customers to see data signals, and we inspect the traffic, and we show you signals.
And then we call this detection, the detection phase.
And then you, as a customer, find out your need, and it helps you to see what you didn't see before and take an action to either mitigate or not mitigate this type of traffic.
This is a new concept that we have been adopting with different products as well, like with bot management or with WAF attack score.
We give you the signals, and you create the rule in the WAF to block the bad stuff that you see in this.
We also enabled security analytics, which is a very cool view where you are able to see all of these signals together in one place.
And based on that, you can take the decision. Content scanning is one of these products.
So if I am today, if I turn it on content scanning, I will be able to see in the analytics what's going on.
If I have any uploaded files, are these files malicious or benign?
They are, okay, something that I accept or not. And based on that, I take an action to mitigate or block bad traffic.
That's great. Yeah. And I mean, also, because I work on the WAF and talk to other customers, I've heard the feedback.
We really want 15 megabytes. So this is going to be good news for our customers.
Thanks a lot. And let me change a little bit gear and I'll jump to, I'll move on to Chris.
And can you tell us a little bit about your announcements of today?
Yeah. So today I'm super excited to announce that there's a free version of Cloudflare's NetworkFlow monitoring product that's going to be available to all enterprise customers.
And yes, you heard that right. There's a free version, which is really, really exciting.
I'm working to give as many enterprise customers as possible access.
And if you go into the blog post, you can fill out a form, get access within 24 hours, and I'll even send you a welcome email.
Oh, that's great.
But can you tell us a little bit what is NetworkFlow monitoring and why enterprise customers should care about this?
Yeah, I'd be happy to talk about that.
So oftentimes enterprise customers need better visibility into their network traffic, and they need better visibility into their network traffic that's going through Cloudflare as well as traffic that may not be going through Cloudflare.
So sort of like an end-to-end visibility solution.
And end-to-end visibility is really important when you're talking about security.
It will help you identify how are your policies working?
Do you have any ports that are open unexpectedly? Are there any strange traffic patterns going on in your network?
That's kind of like the base of making sure that you have a secure network is understanding everything that's going through the network itself.
And in terms of what is NetworkFlow monitoring, it's actually nice and straightforward.
Customers can generate either summarized data or sample data of their network traffic at their routers.
They can then send that router traffic data from their routers to Cloudflare's network.
Cloudflare will parse all of that data and then provide customers analytics on it.
You can get lots of great insights like the traffic volume over time in your network as well as the different protocols, source IPs, destination IPs, all that other fun stuff.
It's really, really helpful and it gives customers a lot of insight into the exact details of their traffic that's going through their network.
That's great. And like everything in security, when you get visibility, that's the first step to understand your attack surface area or like see if there is any blind spot in your security posture.
So I guess, yeah, we all recognize the need for visibility.
But then of course, part of this is making it simple and easy for customers, right?
And so can you expand on why is this easier? How do we make this easier for customers?
Yeah, absolutely. So today, if you set up network flow monitoring across your entire network, internally or on your own, things can start to get really complicated really quickly.
You may have some issues with the sampling rate that you need to set when you're collecting that data based on the amount of traffic that goes through your network.
You can also run into other problems.
You start having to store the data that you're sampling and cloud storage fees can start rising faster than you expect and it can get really difficult to manage that storage.
Finally, after you get all the data stored, you actually have to make sure you can analyze it.
So you have to create a data pipeline into a seam or some sort of other visualization tool and get an engineer to actually build all of those visualizations.
And it can take a lot of time internally to build this thing.
And improving your network visibility is really important, but it can be hard to set aside that time for a project like this if you don't necessarily know what you're looking for.
You just know that you need to improve visibility in general.
Cloudflare identified this problem with our customers. And so now we're offering all of this as a cloud service.
So customers can skip all the data storage worries and all of the analytics building steps.
You can go straight to looking at the data that you need by using Magic Network Monitoring in our free cloud service, which we're really excited about.
Yeah. And can you just mention a few examples of what those use cases are?
Yeah, absolutely. So I think one of the most powerful parts of Magic Network Monitoring is that it will give customers end-to-end traffic visibility.
That includes traffic that doesn't go through Cloudflare's network.
And in particular, there are actually a lot of use cases for Magic Network Monitoring.
One of the things that I want to call out first, though, is we actually use Magic Network Monitoring internally.
So recently, Cloudflare had a security incident over Thanksgiving where an unknown malicious actor was trying to gain access to our network.
And one of the things that we were able to do was identify the source ASNs and the destination ASNs of this threat actor.
And we were using Magic Network Monitoring to make sure that that threat actor didn't get access to our network and wasn't causing any problems.
This is a really exciting project. We were actually able to deploy Magic Network Monitoring within 24 hours of the project being kicked off.
And we improved the visibility into our own network significantly in a short amount of time, which was really cool and rewarding.
Very cool. Very impressive. And well, hopefully, this can be used by other customers to keep them more secure.
Yeah, thanks a lot.
Yeah, that's great. And okay, let's move on to Sally. You are the last one for today, but not the least interesting blog, because you're actually an example of how we put together two of very interesting products at Cloudflare to make something useful and also to suggest how customers could implement a solution, right, essentially.
So what are we announcing today? Yeah, so you're around point there.
So for Security Week, we launched a blog post that is a how-to guide on how to deploy Turnstile on your website using Cloudflare Pages.
And so it's a perfect example of how Cloudflare Pages and Cloudflare Turnstile can be worked together.
And this tutorial should ideally walk you through a demo so that you can build it yourself.
That's great. And then Turnstile and Pages, for who doesn't know, can you give us a a quick description of what are those two products?
Yes, of course. So Turnstile is a Cloudflare's capture alternative solution.
And so this is a solution where users don't ever have to solve another puzzle to get to your website.
So fire hydrants and stoplights, no more of that. You can protect your website without having to put users through any bad experience.
And Turnstile is Cloudflare's solution to that. Cloudflare Pages is a platform for deploying and scaling your websites just as easily as you would with a click of a button.
And you can get started right away configuring your websites with quick integration with your Git provider.
And you can get us set up with unlimited request bandwidth collaborators and projects.
Okay. So when you merge them together, so what's the end result?
What are we building? Yeah. So today in this guideline, we're building a simple form website, and then we're going to protect it with Turnstile widget using the Pages plugin for Turnstile.
And so you can now just install the Turnstile plugin, use that straight away in your Pages build.
This is just another way of showing how seamless everything comes together on the Cloudflare platform.
And so Turnstile, we are all used to captures, as you said, like fire hydrants or, I don't know, ships, bridges.
So how can I imagine, how can I visualize a Turnstile?
How does it look like when you show, and if you're showing a widget, how does that look like?
Yes. So in this demo, we particularly use a widget that is actually visible.
So you will see a little Cloudflare branded widget square, much similar to like any other capture service.
But the difference between other capture services and Turnstile is that we have non-interactive modes, which means that if our system detects that you're not a bot, you don't have to do any additional actions.
The checkbox will be automatically checked, and then you'll be able to free to go on to whatever it is that you were using the website for.
For the purposes of the blog posts, I had to use the visible mode where I could actually take screenshots to show.
But there is also a invisible mode where this is like the most minimized user experience for visitors, where they won't even see the widget at all.
And so we'll be running that bot check in the background.
And if everything is all go, customers will be able to go on to the website, no problem.
If you are a detector bot, you can configure logic in a way where you can either fail open or show a different page or block the users from doing certain action.
If you want to learn more about these widget modes, they're listed out in the blog post, also in our developer docs for Turnstile.
And as you, I mean, if I own a website, on pages or probably any website, and then I deploy Turnstile, then I probably get visibility on a specific, can I monitor some certain parameters or how that performs?
What are the examples of some things I can monitor with Turnstile?
Yeah, so once you have Turnstile on your website, you'll be able to monitor the visitor solve rates, API solve rate and widget traffic.
And you can see these three metrics on the Cloudflare dashboard under Turnstile.
So let me just quickly give you a run through what these three metrics are.
The first one is the visitor solve rate, which is the percentage of the visitors that have successfully solved the Turnstile widget.
The API solve rate is the percentage of visitors who have successfully validated their token against our site verify API.
And then the widget traffic will show you how many challenges were issued, how many interactive solves there were, how many non-interactive solves there were.
And so if you combine these three metrics together, you can see and monitor how well your websites are protected, or if there are any signs of a bot attack.
Right now, we are working on providing more actionable insights with these metrics to give our customers more insights on what they can do or how to interpret these metrics.
So stay tuned for that release. That's great. And if I want to start today, how do I do that?
Is it like, do I need to sign up for anything, pay any of those products?
This is my favorite question because everything is free. That's the best part.
Both of these products are, you can get started right away for free.
Pages is free to get set up with quick contribution with your get provider, as I said before, and turnstile is free up to 10 widgets.
So core philosophy of these two products is that they're self-serve, where our customers can get started without any help from any support or sales.
So come on to the website and go build something cool.
That's great. Thank you very much. Well, thanks to everyone today on this segment.
Lots of exciting announcements again for security week.
Don't be sad though, because we still have one day to go. So tomorrow we have more blogs and more features.
So if you're interested to learn more, you can go to the Cloudflare blog and read our new exciting announcements for today and Friday, finally.
So thanks again for you guys for joining me today. And with that, well, have a nice rest of the day.
Bye. Thank you.