CTO Perspectives on the Cyber Threat Landscape
Presented by: John Engates, João Tomé
Originally aired on November 25 @ 7:00 AM - 8:00 AM EST
Join host João Tomé and Cloudflare Field CTO, John Engates for a comprehensive episode of "This Week in NET". As Cloudflare's annual Birthday Week approaches, get an exclusive preview of the upcoming innovation announcements and how the company continues to evolve its services for the AI era.
The episode explores critical cybersecurity developments, examining Cloudflare's expanded global connectivity, advancements in SSL/TLS security, and the implementation of post-quantum encryption standards. Learn about the latest White House initiatives in routing security and discover how Cloudflare is revolutionizing API protection through sophisticated machine learning techniques, including sequence learning and variable order Markov chains.
English
News
Transcript (Beta)
Hello everyone and welcome to this week in net is this September the 20th 2024 edition in this week program We're coming directly from our newsman office, so that's not the Golden Gate Bridge in San Francisco.
That's actually the 25th of April bridge in Lisbon.
In one of the coming weeks, we're going to show you more about our new Lisbon office.
But today, let's do a recap of recent announcements and news.
But first, because our birthday week, one of our innovation weeks is just around the corner next week, let's give you a teaser on what to expect.
Hey, Brooks, I'm Brendan.
I lead the workers product team here at CloudClare.
Next week is going to be birthday week.
We're really excited about this, Cloudflare launched 14 years ago, and every year we celebrate our own company's birthday by giving back to the internet.
And that's what we call birthday week.
And so every year we announced things that further that mission are missioned to help build a better internet.
And so this year we're really excited.
We're always working at Cloudflare to make the internet faster, safer, and more private.
But AI is changing the internet quite a lot right now.
And we're gonna be announcing some updates that help you navigate some of those changes into build AI applications yourself.
We're also hosting a big developer day called Builder Day.
It's gonna be a live stream event on Thursday.
It has all kinds of new ways to deploy your own code to Cloud clair into kind of build full stack applications.
And lots in between, we're working with partners all over the world to kind of do things that further making the internet better.
So definitely check it out, followed Cloud Flair.
and everywhere in such a cloud flare blog for updates, we're going to be going super, super deep into some technical details to explain a little bit of like, you know, peeling back the layers of the onion and how it works.
On Monday, we're going to be talking a lot about AI and some of the things that you can do is somebody who has a website on cloud flare to kind of navigate this new environment.
On Tuesday, we have so much coming, especially around, you know, things that we want everybody who has a cloud flare account to be able to use.
I'm really excited about some of the updates that we're making there.
On Wednesday, we're really excited.
We have a big surprise.
I'm not going to blow it right here, but it involves something around making the internet faster without you as a person with a cloud player.
I can't really have it do much other than click a button.
Then on Thursday, our developer day, our live stream, there's too many announcements for me to even try to go into and introducing this to everybody.
I'm really excited about this and I'm excited about everybody who's building application on top of Cloudflare.
And lots more to come.
I think we have a fun surprise, another fun surprise on Friday here.
But please tune in on joining us and we'd love to hear what you think.
I'm your host, Juan Tumet.
And with me, I have our Phil CTO, John and Gates.
Hello, John. How are you?
Hello, I'm good.
How are you? I'm good too.
Getting used to every day in the office.
I've been doing it for almost two weeks now.
And it's a good feeling actually.
It's so neat to see the new office there in Lisbon and in the spirit of transparency.
This is my relatively new house in Texas where I'm coming to you from.
I haven't had a chance to decorate.
You can see pictures sort of hanging out back there, but I've seen pictures of your new office and it looks like an amazing place and I would be proud to go to that office every day.
It is and we have birthday week coming and the office at Lisbon office will have a a set of events, even a building one related to developers next week.
It will be interesting.
It's always interesting when we have an innovation week like birthday week.
It's, you know, it's, it's amazing to see all the innovations that are going on, all the product announcements, lots of stuff that's, you know, kind of ready and getting primed to announce during birthday week.
So we're excited.
In terms of what you do at, at call for, you have been in the show before, but for those who don't know what a field CTO does.
Of course, well, look, I have been a CTO for most of my career and what I've come to realize is that there are stages in a company where you're very focused on building, you're building the product, you're building services, you're focused inwardly in a company.
There are also phases of a company where you have to focus externally.
And sometimes the CTO is tapped to go spend time with the significant customers, the growing customers, the strategic customers.
And so most of time spent as field CTO and the field implies this is outside of the walls of Cloudflare and you know in the field talking to customers.
So last week for example I was at a cybersecurity summit in Latin America and Costa Rica specifically and we were talking to CISOs and government leaders around cybersecurity for you know Latin American countries and basically it's a lot of conversation.
So the C and CTO is conversation it's the T I would say is for travel And so we do a lot of traveling and talking in terms of trying to explain the value of Cloudflare and building strategic relationships with those kinds of customers.
Sure. And as a field CEO, it's in your responsibility that connection with customers.
What have has been happening this year in terms of feedback as you've been getting?
Like what worries most of the customers in 2024, really?
Well, I think I think it's oftentimes reflected in a lot of the messages that Kavler is putting out.
And it's the cyber threat landscape.
It's the global tensions and the crisis that are happening around the world.
It's the unpredictability of where the next threats going to come from.
It's the attacks on critical infrastructure.
It could be airports, could be hospitals, it could be cities or municipalities, could be countries.
These countries are concerned that they might be the next target of a cyber attack or a fishing campaign or malware, ransomware attack.
And so I think it's just the uncertainty around where the next attack is going to come from, which sector it's going to be because it tends to rotate from one to the next to the next.
And just the pace of innovation of trying to keep up, I think AI puts a new wrinkle in all of this in terms of augmenting the skills of the cyber attackers or the toolkits that they use or AI enabled or AI enhanced.
And so therefore companies are trying to counter that and trying to aggressively figure out what they need to do to be in a good spot in terms of defense.
Sure, makes sense.
On that regard, there's different products that have been in use by customers.
Is there like a new product in town, not new or at least new features that have been resonating more in a sense?
Well, I think zero trust is not new, but it's resonating.
Everyone is talking about adopting zero trust principles inside their organizations.
They're adopting tools to make those zero trust principles tangible.
You know, cloud flare is in that space competing with other people in the area to try to get that implemented or rolled out.
We use it ourselves to defend cloud flare every one of our employees.
You'll all get in the morning where basically leveraging Cloudflare Zero Trust Platform, multi -factor authentication, a series of checks to make sure that our machine is up to date in terms of security posture and that we're physically present behind the keyboard.
All those things are important to McGurinty security and a lot of companies are adopting that.
I think also from the outside perspective, the attacks we just mentioned are sometimes coming from all over the world in terms of DDoS attacks.
And so companies want to be protected.
And that's Cloudflare's bread and butter is protecting websites and applications and APIs.
And I think we'll talk through some of that today in terms of the property announcements.
But this is what concerns people is where are they vulnerable?
Where is the attack going to come from?
How do I protect my users from the threats in their inbox and on their devices?
And then how do I protect the outside looking in from DDoS attacks bots?
another kind of internet facing threats.
Sure. We have a bunch of blog posts to go over.
The last episode that we recorded was in mid to late August regarding the Olympics with Michelle or those who want to hear about trends, internet trends regarding the Olympics.
You can see that episode, but now we can go over some of the recent announcements because there was an episode for a few weeks.
So let's start potentially here with the backbone behind call first connectivity, connectivity, cloud.
That's early August, the blog post.
Okay. Well, this blog post was quite interesting because I got a look at it before it came out.
I was kind of asked to go through it and sort of read over and make sure it made sense.
And so I feel a little connected to this one.
But this was a good, overview, a good snapshot and deeper insight into Cloudflare's backbone.
And I don't know if everyone knows Cloudflare runs a global backbone.
They know that we have locations all around the world.
They know we have points of presence in 330 cities maybe and lots of countries, 120 countries.
But in between, there's a global backbone that this blog post really tries to dive into and talks about how our network is architected, combination of different peering and transit models, the fiber that underpins that global backbone, the partnerships that we have, the reasons for that backbone, why does the backbone exist?
Obviously, it's helping cloud flare reduce latency, improve performance, give customers in more places that are accessed to the internet, our goal as a company is helping to build a better internet.
And I think this is not replacing the internet, but it's certainly augmenting the way that customers leverage the internet using Cloudflare as their, you know, sort of ingress and egress points.
And so this fiber backbone that we've built continues to expand, it continues to evolve.
And I think this blog post does a really good job sort of diving into that in a very detailed way.
So if you're curious about how we connect everything, this is the post to check out.
There's actually a very interesting number here in terms of comparison, in terms of capacity, terabytes for a second.
There was a 500 % increase since 2021, which is a lot.
This should not be a result.
That is quite a lot.
Yeah. I would just, you know, basically say cloud players constantly expanding our global network.
We don't always report on that.
like every day how many locations we have.
But on relatively regular basis, quarterly, perhaps, we announced either the number of cities that we're located in.
We talk about sort of the stats behind our network.
And when you think about expanding all those locations around the world, this is really referencing sort of the capacity in aggregate, you know, or sort of the edge capacity customer facing and then also the internal capacity between those locations.
And this is talking about traffic control.
And if you want an analogy, this is sort of like the highway system that's connecting different cities, different locations.
And a highway is certainly important for global connectivity when it comes to moving goods and services.
But this is where moving packets, we're moving data.
We're moving large amounts of internet traffic.
And so this is where that There's also some mention here regarding our go smart routing, this specific service that the users will first portfolio of buckbone transit and period connectivity.
It's about finding that it's about speed, right?
The efficiency, finding the optimal path between the data center where user request lands and your backend origin server.
So yeah, I was in I mentioned I was in coast the reek the last week.
And when you're in a place like that, you're using the upstream local ISP, whoever that might be.
Traditionally, you were at the whim of that ISP as to how you routed from that point to to the destination.
If you were to using a SaaS service or a cloud, it was up to that ISP to use their own routing tables to route you to the next hop and to the next hop after that.
But in this case, with Argo Smart routing cloud cloud player can take control.
As soon as we get to an edge location, wherever that might be in the world, Cloudflur steps in and takes control of that routing and can route much more efficiently than most of the global ISPs.
Because just that sheer amount of connectivity and interconnectivity that we have, we're connected to Cloud providers.
We're connected to SAS providers.
We're often protecting SAS providers.
And so therefore, we have a very high performance low latency connection to those services.
And then the other end being and end user perhaps on the laptop or a device, we can make that as efficient as humanly possible and take sort of that latency out of the equation as much as possible.
Let's move on to introducing automatic SSL TLS, securing and simplifying origin connectivity.
This is a different topic, very close to heart in terms of quality.
Are we already security too, right?
Right.
Well, that mean part of the origin story of Cloudflare was really enabling this kind of capability across the internet, giving people an easy way to enable SSL.
And in this case, TLS in the modern era, in terms of securing the traffic to their website, you know, from end to end.
And this is again, another foundational technology that makes it possible for us to do business on the internet.
We need to encrypt.
We need to keep data private and secure.
And this is again part of Cloudflare's mission.
And what we've done here with this blog post is really We've talked about a new capability, automatic SSL TLS.
You know, again, we've always made it easy, but now we're making it even easier.
We're simplifying the use of encryption automatically configuring the most secure connection between Cloudflare and the origin servers.
We're maximizing security by using the best possible algorithm automatically.
And, you know, we're sort of just closing down a potential gap where a user or a customer of Cloudflare might have traditionally had to manually configure the encryption mode that they wanted to use, but now we're basically adjusting those settings automatically based on the origin servers security capability.
So we just want to optimize for the best possible advanced security capabilities around SSL TLS.
And we have a capability called recommender, which is basically scanning and analyzing and then using that to determine what the best and most efficient and most secure form of SSL TLS would be.
There's this element of call for our history back 10 years ago.
So it was back in 2014.
We launched specifically Universal SSL.
Actually, it's going to do this birthday week 10 years exactly 10 years.
And this was really important, right?
be and it will it just provided more more security in a free version for a big part of the internet.
And some of us remember those days when it was very difficult, very painful to get SSL on your website or your web application.
It was not easy.
It was usually a multi -step, multi -day, sometimes multi -week process to go back and forth and get those certificates and get them set up and there were always incompatibilities and there was always difficulty and it just created this huge hurdle for a lot of companies to secure their websites.
And I think Cloudflare did an amazing service for the industry at large for the world at large to turn on SSL basically for its customers and for free.
And it was a huge jump in terms of what amount of traffic was at, well, there it is.
It's basically the number of encrypted traffic doubled at the times.
Again, it's a huge part of our story.
And obviously you can see based on what we're doing here, we're continuing to evolve that.
And those who want to read more about it, they have the blog with some explanations on how it works and things like that.
A typical blog, technical blog post from Cloudflow dives right into the details.
Of course. Let's move on to post quantum internet, post quantum encryption.
So this was an announcement in mid -October.
August, the US National Institute of Standards and Technology NIST published the first three cryptography standards designed to resist an attack from quantum computers.
This is important thinking of the future, but also in a way, the past and the way, because if quantum computers arrive in the next few years, they will have the possibility to go back in times in terms of decrypting what the internet was before.
So having standards already in place goes a long way.
Yeah, what's your describing a sort of this idea of harvest now and decrypt later, right?
The idea that the data is out there.
It's flowing across the internet.
It happens to be encrypted today with a particular form of cryptography, but future quantum computers, it will be trivial for them to break some encryption standards that are considered modern today, right?
So if we think about what takes, you know, millennia to crack an encryption key today, it will take minutes or hours in the future with quantum computers because there's so much more effective at factoring prime numbers and prime numbers tended to be the underpinning of a lot of encryption algorithms.
So coincidentally, I just mentioned I was at a cybersecurity conference.
I was on a panel with someone from NIST, the National Cyber Director, Harry Koker was on stage not too long after.
And he was talking about this specific thing, which was putting in place and adopting, aggressively adopting these emerging encryption standards because of this threat.
You know, we know that quantum computers are evolving quite rapidly.
Lots of research being done by very large companies around this.
There's huge promise in terms of quantum computers, but we have to act now because there's a a stat that said, you know, the survey that 25 % of experts surveyed expect those computers to arrive within the next decade.
And so it sort of emphasized the urgency around adopting this kind of encryption.
You know, this, what we've been doing at Cloudflare is just really being an early adopter, right?
The early adopter of the preliminary standards, the emerging official standards will be an R in place today.
And it provides you a very significant level of protection based on what Cloudflare is doing.
And it just dovetails right into the last conversation where we were talking about SSL and TLS.
This is just an evolution of the types of standards and protocols that go into that kind of level of security.
This chart here that shows the evolution of post quantum encryption adoption.
Right now it's close to 17%.
So a good evolution in terms of the post quantum encrypted chair of 80 TPS request traffic.
Yeah, I saw that stat in some, I think it maybe it was in the blog post, but it's at over 16 % of human generated requests to Cloudflare servers are already protected by post quantum encryption.
And that's a great number.
And we're going to grow that over time.
I mean, with the automatic capabilities of adopting the better security standards this will sort of be one of those things where little by little and hopefully hopefully rapidly it will actually improve the amount of data flowing across Cloudflare that's encrypted with quantum safe encryption.
Let me move on to routing security.
This is quite important currently right now in a sense.
There's a new White House roadmap regarding routing security.
Why is is routing security important.
As you know, we already talked about the internet and the routing protocols I mentioned, BGP, which is border gateway protocol.
It's one of the main underpinning routing protocols for the internet itself.
The challenge with BGP is when it was designed and it was rolled out many years decades ago, it was never really meant to be secure mechanism for transmitting routing information.
It was sort of a trust that was just between peers, you know, Telco A, Telco B, they assumed that the people inside those different network operators were trusted.
And so therefore they trusted the data flowing across via those protocols.
But the trouble is today we have so many more networks.
We have so many more people running those networks.
Some of them are good people and some of them are not so good people.
Some of them are doing their best and some of them make mistakes and to mitigate the risks associated with BGP insecurity and what does that mean?
Well, it means people hijack your network.
They could take your IP addresses and route them somewhere else.
And so if they can do that, they could potentially drive traffic to a destination that is not safe.
It's not official.
It's not authentic. And if you can take over DNS records, you can really have a DNS IP addresses, I should say, you can have a real go at security because you can route traffic almost anywhere.
And so this is the threat is the risks associated with hijacking big chunks of internet IP address space.
And the idea of this document from the White House is really a roadmap to improve and enhance that internet routing security, helping drive that resource public key encryption or RPKI, which, you know, the relationships between providers with cryptographic validation and then it just really lays out a long roadmap for adoption of these kinds of standards.
There comes also the RPKI.
That's an important part of this security process, right?
And this is something that I think Cloudflare has been advocating for for a long time.
And I've been here for three years at Cloudflare and I know even before I was here, we already had a website up that was called is BGP Safiet and it was basically trying to name and shame the providers that were out there that were not adhering to some of these emerging standards and just kind of guilt them into adopting what was seen at that time.
Even as far back as three or four years ago as something that we as an industry needed to adopt and now it's gratifying for all of us to see the governments White House and others are starting to advocate for this same security that we all recognize is critical.
Also mentioned the routing page on welfare rate specifically, the some statistics and information including our PQI if it's valid or not folks can also search nothing for the countries but ASN specific ASNs.
That's neat to dive into some of this when you start to understand more about how the internet works ASNs.
other autonomous system numbers, those are the BGP identifiers associated with different telecos and network operators and providers.
And you start to understand the complexity behind what Cloudflare does, right?
You start to see that we interconnect with all of those ASNs, we trade traffic, we peer, we are trying to improve the performance of some of those folks.
I mean, if you think about where these networks are in the world.
Sometimes they're in far flung locations, little tiny countries, little islands, perhaps.
And they don't have a tremendous amount of bandwidth or infrastructure.
And so a cloud flare stepping in sometimes improves the performance for their users and prevents attacks.
And I think this is again just another example of the work that we do every day kind of behind the scenes that makes the internet a better place for everyone.
Next we have a integration related to Blockpost and announcement, customers get increased integration with call for email security and zero trust through expanded partnerships with CrowdStrike.
These partnerships are important for those types of integration of make it easy to use and be secure, right?
Yeah, for sure. Every one at this point knows who CrowdStrike is.
I won't go into any depth there, but we know that they're a leader in cybersecurity they've got a lot of deployment and footprint in terms of their products and services out there in the market.
Building on the relationship that we already had a cloud player with CrowdStrike, we've been working with them for a while.
But this is an increased level of integration and expanded integration between their platform and cloud flares, email security and our zero trust capabilities.
What it's trying to do really is provide deeper visibility into the potential threats and help streamline the process of CrowdStrike users for identifying and responding to risks.
And so they have this product that they call the CrowdStrike Falcon NextGen Sim.
It's the dashboard, if you will, that CrowdStrike users or security analyst engineers might be using on a day -to -day basis.
And this partnership basically helps organizations strengthen the security posture really by just unifying two leading platforms and helps reduce the time to detect and investigate the threats.
And it makes it easier for security teams to protect against a range of different internal and external risks.
These are those little things, especially regarding email that could make a whole world a difference for companies not to be breached.
Volibility is not to happen, or at least to have a limited impact.
Absolutely.
I mean, look, we know that email is the number one source of threats, it's where most cyber attacks begin.
And this gives users the ability, once they identify potential threat that may have come in via email to potentially automatically respond and raise the defenses, raise the force fields around that user or around the organization.
If they're seeing a number of, of these threats coming in and they want to respond to that, it gives them the ability to do that through sort of the security advanced and security information that's coming in, they can detect these threats, they can respond to these threats via the telemetry that we're collecting.
Cloudflare is a massive telemetry network and telemetry just means data, right?
Incoming data that we're collecting all those locations around the world.
And so we are a very interesting source of log information, threat intel information.
And the more of that we can feed into our customers dashboard in an actionable way, something that they can actually take action on and use to improve their security.
That is a benefit and provides just enhanced security operations, streamlines the efficiency and the security of teams that are trying to automate these workflows and gives them better visibility and better control over the kinds of things that are flowing across their network.
Let's move on to another important topic, API.
This is one of the most recent blog posts that we have in our blog.
So it's protecting APIs from abuse, using sequence learning and the variable order Markov chains.
What is this all about?
Well, okay, so APIs, we have to take a step back and say, look, APIs are very important to the functioning of all the services and all the tools and the platforms that we use.
We've seen the scene statistics at Cloudflare that more than half, I think it's upwards of 60 plus percent of traffic flowing across the Cloudflare network is API traffic.
And API's is just really machines talking to other machines over standard protocols when we think about where that's being used today.
It could be one service talking to another service maybe to get, you know, light information or weather data or something, you know, something even more critical maybe business transactions via an integration between a credit card processor and a merchant.
Those are all API conversations.
The challenges APIs can be abused, right?
They are the source of data.
Why do people attack APIs?
That's where the data is.
It's like, why do people rob banks?
That's where the money is, right?
And so APIs become a target of attacks.
And traditionally, people would abuse those APIs by kidding them with a large amount of traffic or trying brute force attacks against those APIs to see what kind of information they could get.
But the challenges we're lying on those sort of traffic volume or sort of traditional mechanisms to detect those abuses is often not enough because the attackers are more sophisticated.
So they're starting to slow down the attacks.
They're starting to make the attacks look more human -like so that they don't appear as if they're abusive attacks.
They're just more natural kinds of interactions with the APIs.
And so what we've done here is it really exposed some of the work that we're doing to improve the algorithms by which we detect and mitigate these attacks.
So sequence learning means we evaluate and analyze the order of API requests that are coming in.
We can identify things that don't look normal.
You know, there is probably a pattern that would, that a user might do if they were authenticating, they were checking maybe their balance on their bank, they were doing certain things.
But if it's going out of order and it's looks abnormally inauthentic then we can take action on that.
The other is just sort of this variable order Markov chains.
I had to look up all that and then I was not an expert on variable order Markov chains, but it's basically looking at things in terms of adaptively assessing the request history and getting deeper into using sort of the machine learning type algorithms to look for patterns and flows that again might not be traditionally considered normal.
And you know, if you have a very low and slow attack, those things might not trigger a traditional detection.
So we have to start to look for different kinds of patterns.
And you can look at this blog post and just see the level of mathematics and statistics and machine learning type thinking that's going into these kinds of detections.
And it's going to be critical to have someone like a cloud flare engineering and product team looking out for your APIs, you know, via a product like API shield or API gateway to help you provide that robust and scalable protection against these sophisticated API attacks.
It's so broadly used. Most folks don't realize how important APIs are for their experience with the service they use every day.
And of course, APIs are popular, But the security aspect also sometimes changes.
So it's really important to be aware of that.
They are going to be even more important again as we enter this AI era because everyone's going to try to integrate some AI into their applications.
And the way you do that today is you integrate with whether the open AI or anthropic or some of the other providers out there of AI infrastructure.
That's via an API, right?
are the ways that you pull in the intelligence of an AI into your chatbot or into your website or into your code or whatever you might be building.
And protecting that is going to be critical because it's going to be everywhere.
Everything is going to be an API in the future.
In fact, AI may talk to other AI via APIs.
And so that becomes so critical for us to wrap those with protections because again, that's where our data, that's where the crown jewels are basically stored.
Exactly.
And it's interesting to see how things evolve in terms of websites and those who build them use differently new tools.
But attackers are aware of that and they also explore the new vulnerabilities that may occur.
So it's evolving sector.
Yeah, it is evolving very quickly.
So it's something to keep an eye on and Cloudflowers doing that for our customers with a lot of these capabilities.
And you can see the work that we're putting into the platforms.
I think this is just really exposing the sophistication of the tools that we're using to defend.
Thank you so much, John.
And next the two weeks, we'll have birthday week, a lot of announcements, a lot of excitement coming.
So well, it's been fun to talk to you.
Congratulations on your new office.
It's good to see you again.
And thanks for having me on.
Thanks for being here.
And that's a wrap. you