Hi Everyone
A very warm welcome to all of you who are joining us from across countries in APAC. We are all excited to be here with you, as this session will give you a beginner's take on cybersecurity and how it impacts your business. We will now share the latest trends around this subject so that you know what to look out for, along with some practical tips on how to mitigate your risks, so we hope you stick around till the end.
Thank you again for joining us for this session.
My name is Sophie and I am the Customer Success Manager for APAC.
Cloudflare is growing really fast in our region and I’m the day-to-day point of contact for our enterprise customers,
responsible for new customer onboarding, service consultancy, QBRs, on-site customer engagement, and customer event planning and coordination.
I also help drive digital platforms and educational events like this one.
On today’s webinar we have Gaurav Mallawat, our Solutions Engineer based in Singapore. Gaurav is a very senior engineer and team lead and has been with Cloudflare for almost four years. He will share content from a more technical point of view. Hey Gaurav, would you like to introduce yourself?
Thank you Gaurav for the introduction; we’re all looking forward to diving into your content. But before we start, I would like to go over some housekeeping items. Since there are so many of you on the call, if you do have any questions, we are going to hold them until the end of the presentation.
Please write your questions in the Q&A section in your console on the right-hand side. We will go through these questions at the end of the webcast. Also, a recording of this webinar will be available on the Cloudflare channel and the slides will be shared with you. This session will take around 30 minutes of your time, but we will stay online after that to answer your questions.
And here we go!
On today’s webinar we will cover these three main things:
What does the threat landscape look like?
What are the challenges to a successful security strategy?
How can you protect your web content from these threats?
We will end with the Q&A, so please make sure you ask your questions in the chat and we will answer them at the end.
The next 30 minutes are packed with useful tips and insights. Before we get into that, let me take a few steps back to talk about what Cloudflare does. As you can see from our Mission Statement, Cloudflare is helping build a better Internet. How do we do that? What is it that we do? In simple terms, we help build a better Internet by making your websites more secure, more reliable and faster.
And why are these so important? Because if your website goes down or is slow to load, for any reason, it will have a negative impact on your business and cause revenue loss. And we make it our business to ensure that never happens.
So, diving into cybersecurity: in a nutshell, this is our philosophy on how we tackle this issue for our customers.
world-class visibility, controls, and guided configurations
20M customers worldwide - huge variety - some technical, some not
We will not sacrifice speed and performance for security. We are complete but not complex.
So how can Cloudflare help to grow your business?
Cloudflare’s network has the breadth and scale that organizations need to run their Internet applications. As of today, our network covers 194 cities and 90 plus countries.
What this means is that we have a very robust, holistic view of global security threats, so that we can better help companies mitigate risks as they happen around the world.
With this global Anycast network we ensure that your websites always stay up and deliver content faster to your customers, so that you can focus on what you do best, and that is growing your business.
Our network offers the scale and performance that help organizations like yours deliver a superior application experience while keeping their environments secure.
We are for everyone.
There are benefits from having a diverse set of customers: we have over 20 million Internet properties on our network across geographies, industry verticals, non-profits, and government agencies.
A number of customers have realized benefits from the integrated security, performance, and reliability. Here are some examples.
Talk Track:
Three factors are leading many of our customers to experience a growing exposure to security threats:
A greater attack surface results from three common trends:
Applications publishing more public APIs
Companies are moving more applications, including production-level workloads, to the cloud
Increasing third-party integrations
Attackers are stronger. Here are three ways:
Greater volume and greater distribution, including IoT devices as attack sources
Greater motivation through the success of holding companies for ransom
A shift to harder-to-detect and harder-to-block application-layer attacks
A greater attack surface area along with stronger attackers would, alone, be a big concern. But at the same time, there is
Greater scrutiny for security incidents:
Governments are applying greater scrutiny over privacy and data issues
Media reports of breaches and cybersecurity incidents have increased
Individual consumers are more educated and aware thanks to high-profile reporting (a combination of #1 and #2)
Questions:
Do any of these actually sound familiar for your business?
Do you believe your exposure is decreasing, increasing or is the same? In what ways?
Background Reading - you can build this into your talk track:
Companies are facing increased pressures to strengthen their security posture. Three forces contributing to the pressure are:
Attack surface area increases from applications exposing more public APIs, the increase in SaaS adoption, and the integration with more third-party applications
Attackers are stronger, more sophisticated, and highly motivated
Heightened public and government scrutiny of data, privacy, and security
Attackers are increasing their frequency and volume of Distributed Denial of Service (DDoS) attacks. By leveraging botnets and the millions of Internet-of-Things (IoT) devices online, they are able to wage highly distributed volumetric attacks with greater ease and impact.
In addition to higher volumes, attackers are shifting their focus from the network layer to the application layer. Application-layer or "Layer 7" attacks are harder to detect, often require fewer resources to bring down a website or application, and can disrupt operations with greater impact.
Attackers are able to monetize their attempts to bring down sites or steal sensitive data, for example, by holding sites for ransom. As a result, because of the successful ransom payouts by their enterprise targets, the attackers are more motivated, organized and pervasive.
Talk Track:
In light of this growing exposure to security risks, what are the primary threats you may encounter?
We spent time talking with OUR customers across different verticals to truly understand the most common fears. These match what industry analysts are reporting:
The site is unavailable because of a denial-of-service attack
Customer data is compromised, (e.g. breached or stolen)
Increasingly, abusive bot activity
For each of these broad types of threats, we’ll quickly go into more detail about what those types of threats or attacks could look like.
Questions:
Which, if any, of these are most important for you?
For the others, do you anticipate they could become problems, or do you think they won’t impact your business? And if so, why?
If there was a pre-call…”I know you shared initial concerns about DDoS, what about data compromise?”
Talk Track:
This slide gives examples of the types of DDoS attack. We could dive deeper with the rest of your team and our security team as well.
The important take-away is that these attacks are layered.
In other words, a DDoS attack can target different parts of your infrastructure.
Volumetric DNS Flood: a flood of DNS queries aimed at your authoritative DNS servers so that they can no longer answer legitimate lookups; your site becomes unreachable even though the web servers themselves are up
Amplification: the attacker sends small DNS queries over UDP to third-party DNS servers with your address forged as the source, so those servers deliver their much larger responses to you and saturate your bandwidth
HTTP Flood: a volumetric HTTP attack that exhausts the application or its backend resources with requests that individually look legitimate
All of these attacks impact the availability and performance of websites, applications and APIs.
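Added example for this slide (not from the Cloudflare deck): JavaScript that shows what the amplification case looks like from the victim's side and how a host can tell reflected responses apart from answers it actually asked for. The packet records are constructed for illustration and use documentation address ranges.

```javascript
// Added example (not from the Cloudflare deck): flag DNS amplification traffic from the
// victim's side. In an amplification attack the attacker sends small queries to third-party
// DNS servers with the victim's address forged as the source, so the servers deliver their
// much larger responses to the victim. A host that remembers which queries it really sent can
// recognise responses that match no outstanding query. All packet records are constructed.

// A response is paired with a query by (peer address, DNS transaction ID).
function txKey(pkt) {
  return `${pkt.peer}:${pkt.txid}`;
}

// Replays DNS packets seen on the victim host (oldest first) and returns the inbound
// responses that no query from this host explains. Legitimate responses are consumed
// as they arrive so a reflector cannot reuse one real transaction ID for many responses.
function findUnsolicitedResponses(packets) {
  const outstanding = new Map(); // txKey -> outbound query packet
  const unsolicited = [];
  for (const pkt of packets) {
    const key = txKey(pkt);
    if (pkt.dir === 'out' && pkt.kind === 'query') {
      outstanding.set(key, pkt);
    } else if (pkt.dir === 'in' && pkt.kind === 'response') {
      if (outstanding.has(key)) {
        outstanding.delete(key);
      } else {
        unsolicited.push(pkt);
      }
    }
  }
  return unsolicited;
}

// Summarises the reflection traffic: which servers are being abused as reflectors, how many
// responses they sent and how many bytes arrived. This is what you would report upstream or
// use to build a temporary filter on inbound UDP source port 53 from those addresses.
function summarizeReflection(unsolicited) {
  const perReflector = new Map();
  let bytes = 0;
  for (const pkt of unsolicited) {
    perReflector.set(pkt.peer, (perReflector.get(pkt.peer) || 0) + 1);
    bytes += pkt.bytes;
  }
  return {
    reflectors: [...perReflector.keys()].sort(),
    responses: unsolicited.length,
    bytes,
  };
}

// Constructed sample: one legitimate lookup through the host's own resolver, followed by
// large responses from two open resolvers that this host never queried.
const SAMPLE_PACKETS = [
  { dir: 'out', kind: 'query',    peer: '192.0.2.53',   txid: 0x1a2b, bytes: 45 },
  { dir: 'in',  kind: 'response', peer: '192.0.2.53',   txid: 0x1a2b, bytes: 120 },
  { dir: 'in',  kind: 'response', peer: '198.51.100.7', txid: 0x0001, bytes: 3200 },
  { dir: 'in',  kind: 'response', peer: '198.51.100.7', txid: 0x0002, bytes: 3200 },
  { dir: 'in',  kind: 'response', peer: '203.0.113.9',  txid: 0x0001, bytes: 4000 },
];

const reflection = summarizeReflection(findUnsolicitedResponses(SAMPLE_PACKETS));
console.log(`${reflection.responses} unsolicited responses, ${reflection.bytes} bytes, from ${reflection.reflectors.join(', ')}`);
```

The point for the slide: the reflectors are ordinary DNS servers, not the attacker, so blocking them one by one is a losing game once the attack is distributed; the durable fixes are absorbing the volume upstream (which is what the Anycast network slide is about) and, on the server side, not running open resolvers that can be abused this way.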
Questions:
This is often a good, in-depth slide to share with a broader audience, for example if you have a security or infrastructure team. Would you be interested in that?
Which have you experienced in the past, if any? How did you respond to them if you did?
Talk Track:
When it comes to compromise of sensitive customer data, you may be most familiar with malware.
While that is a very visible form of attack right now, we should consider that there are other common, just not as media-hyped, forms of customer data theft.
The take-away for this slide is that attackers can take advantage of different vulnerabilities.
DNS Spoofing: visitors are directed to a fake site instead of your site
A compromised DNS record, or "poisoned cache," causes the DNS server to return a malicious answer, sending an unsuspecting visitor to an attacker's site. This lets attackers harvest user credentials and then take over legitimate accounts.
Data Snooping: sensitive data like visitors’ credentials or credit cards are snooped over the wire
Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-card numbers.
Brute Force: attackers repeatedly try credentials to take over an account
Attackers automate logins against a login-protected page, either guessing common passwords ("dictionary attacks") or replaying username and password pairs from breach dumps ("credential stuffing"), and rely on volume to "brute force" their way in.
Malicious Payload: SQL injection, cross-site scripting, remote file inclusion that results in exfiltrated data
Malicious payloads exploit an application vulnerability. The most common forms are SQL injection, which runs attacker-controlled queries against the database; cross-site scripting, which runs attacker-controlled script in the visitor's browser; and remote file inclusion, which makes the application load and execute code from an attacker's server. Each of these can be used to exfiltrate sensitive data.
The risk is that sensitive customer data, such as credit card information, might get compromised.
Talk Track:
The third category: bots are an increasingly common form of attack.
The three most common we have seen and blocked are:
Content scraping: essentially steals website content, hurting SEO or revenue
Checkout fraud: the most common is the “sneaker bot”, which grabs limited inventory and buys it before actual customers can
Account takeover: typically the result of a brute-force login, after which the attacker uses the compromised account
Talk Track:
So what happens when you experience one or more of these problems we just discussed? Many of our customers shared with us that they incur both intangible and tangible costs.
You can see some of the potential cost categories and, if you are interested, we can schedule time with your team to get a better handle on the costs if you don’t know details right now.
However, for the purposes of this conversation, we’ve found it is often helpful to think about and discuss the potential costs. The areas of cost range, as you can see on the list, from remediation costs to loss of user productivity. The estimate doesn’t need to be accurate, but reviewing these can reveal whether the problem is a one-hundred-dollar-a-month problem or a one-hundred-thousand-dollar-a-month problem.
Some questions include:
What is the cost for an hour of downtime due to a DDoS in lost customers?
What would be the cost if just one customer record were breached in terms of remediation or customer churn?
What happens to revenue or your brand when malicious bots abuse your site?
Source:
IDC, March 2015: “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified”, Stephen Elliot. Commissioned by AppDynamics.
Ponemon Institute, 2017
Internal background reading - Enablement:
These are discovery/conversation slides
This is very important. You will have a more difficult time ultimately making the sale or upsell without it, unless the customer’s hair is on fire to buy something.
On the right-hand side are the types of costs to explore with customers. Potential responses from customers and options for replying:
If the customer responds: I don’t know
“That’s fine. I imagine the person who would know would be interested. Could we include them in future meetings as a way to help you get the answers?”
“I understand. Who would know about these numbers in your organization?”
“Sure. Do you think you could make an educated guess? Is this $5 per incident or $50,000 per incident?”
We have found that it’s valuable for companies to quickly get a sense of the business impacts they most care about.
These two were consistently what customers shared as big concerns, whether they use Cloudflare or not.
Which of these are important to you?
What connection do you see between these and downtime from DDoS and breached customer data?
Who in the organization cares about these impacts?
Here are some examples from conversations with existing customers:
Trust
A financial services customer said loss of trust would directly impact customers and revenue
A medical ecommerce customer said losing trust would be “game over” as a business
A hospitality company values its brand as key to its business, and downtime hurts the brand
A media site said losing trust of readers as a news site by being down would impact short-term ad revenues and long-term brand (which impacted advertisers)
Trust goes down, revenue goes down, in every case
If you had to give a dollar amount of the impact, what would it be?
Notes: are costs critical to the buying decision?
Costs could be the increased costs of backend servers during attacks
-- For example, the service Have I Been Pwned saw a 5x increase in Azure costs due to attacks
-- A media company customer saw bandwidth costs increase 1000x from attack traffic
Revenue could be the impact during an outage
Downtime for many companies, from e-commerce to SaaS to ad-driven businesses, can run to tens of thousands of dollars, due to lost customers and lost ad dollars
If you have to pick an area with the biggest potential impact, which would it be?
RESEARCH from competitors:
The average global cost of data breach per lost or stolen record was $141. However, health care organizations had an average cost of $380 and in financial services the average cost was $245. Media ($119), research ($101) and public sector ($71) had the lowest average cost per lost or stolen record.
2017 Cost of Data Breach Study Global Overview Benchmark research sponsored by IBM Security Independently conducted by Ponemon Institute LLC June 2017
https://www.theatlantic.com/technology/archive/2016/10/a-lot/505025/
https://www.ponemon.org/blog/2014-cost-of-data-breach-united-states
https://security.radware.com/uploadedFiles/Resources_and_Content/Attack_Tools/CyberSecurityontheOffense.pdf
https://www.corero.com/company/newsroom/press-releases/market-study-indicates-ddos-protection-is-a-high-priority-for-data-centres-hosting-providers-and-network-services-providers/
https://ns-cdn.neustar.biz/creative_services/biz/neustar/www/resources/whitepapers/it-security/ddos/2015-oct-ddos-report.pdf
Talk Track:
Cloudflare’s DDoS Solution has several components.
First, our infrastructure scales to address the growing size of DDoS attacks. It does this through an Anycast network, which spreads attack traffic across many data centers and so creates a larger surface area to absorb highly distributed attacks.
Second, we have automatic detection and mitigation in place. This leverages our visibility across 20M customers and 10% of HTTP traffic.
Lastly, we give customers control over those layer 7 attacks which may not look like DDoS attacks to us but, for your environment, need to be blocked by customized rules you create.
The big message is that the DDoS solution is:
Scalable
Easy to Use
Fast
Our protections are layered:
Global Anycast absorbs distributed traffic
Argo Tunnel stops attack traffic reaching the origin server, without the hassle of opening up firewall ports and configuring ACLs
Drop high volumes of layer 3/4 and layer 7 attack traffic at the edge
Fingerprinting looks at patterns in traffic attributes to respond quickly to dynamic threats
Share intelligence across all customers to proactively identify threats
Give granular control to users for harder-to-detect layer 7 attacks
Before we go further, could we talk about which, if any, of these are things you’d like to ask about?
Talk Track
Earlier we discussed four common vectors attackers use to compromise or steal sensitive data.
The take-away for this slide is this: when there are multiple vectors, you need a layered defense.
To defend against malicious payloads, you need a Web Application Firewall - the WAF inspects request payloads against rule sets such as the OWASP ModSecurity Core Rule Set before they reach the application
To mitigate damage by malicious bots, you need to be able to move the attack surface closer to the attacker - Cloudflare Workers lets you apply custom security rules and filtering logic at the network edge. This helps in early detection of malicious bots and prevents them from consuming origin resources
To prevent unintended snooping on data, you need encryption that is easy to manage and deploy - TLS encrypts the content in transit and so protects against sniffing
To block brute-force logins, you need rate-based login protection - Rate Limiting checks request volume against a threshold to protect against DDoS, brute force or scraping
To prevent forged DNS answers that can send customers to a fake site, you need resilient DNS and DNSSEC - DNS tells the client which address a request goes to, and DNSSEC lets resolvers verify that the answer is the one the zone owner signed, so a forged answer is rejected
To protect your origin web server from targeted attacks that hit the server IP address directly, you need an easy way to expose web servers securely to the Internet. Argo Tunnel stops attack traffic without the hassle of opening up firewall ports and configuring ACLs, by ensuring that requests route through Cloudflare’s WAF and unmetered DDoS mitigation before reaching the web server
All these work seamlessly and are easy to set up and configure through the Cloudflare UI as well as through a rich set of APIs.
The high level takeaways are:
Multiple attack vectors
Cloudflare has layered defense
Easy to configure across all services
Learn across 9m websites
Background Reading - you can build this into your talk track:
Reduce risks of data compromise through layered defense
Attackers often use several attack vectors when attempting to compromise customer data. To protect themselves, companies need a layered defense.
REDUCE SPOOFING THROUGH SECURE DNS
Cache poisoning or "spoofing" tricks unsuspecting site visitors into entering sensitive data, such as credit card numbers, into an attacker's site. This type of attack occurs when an attacker poisons the cache of a DNS name server with incorrect records. Until the cache entry expires, that name server will return the fake DNS records. Instead of being directed to the correct site, visitors are routed to an attacker's site, allowing the bad actor to extract sensitive data.
DNSSEC verifies DNS records using cryptographic signatures. By checking the signature associated with a record, a DNS resolver can verify that the requested information comes from the zone's authoritative name server and has not been altered by a man-in-the-middle or injected into a cache.
STOP ATTACK TRAFFIC TO THE ORIGIN WEB SERVER
If an attacker knows the origin server's IP address, they can attack it directly and bypass existing security solutions. To address this problem, most companies use a solution called Origin Protection. We call it BGP Origin Protection, Incapsula calls it IP Protection and Akamai calls it Site Shield. The underlying technology is often a GRE tunnel, and it is slow, expensive and only available as an on-demand service.
What exactly does Argo Tunnel do?
exposes web servers securely to the Internet, without opening up firewall ports or configuring ACLs
ensures requests route through Cloudflare before reaching the web server, so attack traffic is stopped by Cloudflare’s WAF and unmetered DDoS mitigation, and requests can be authenticated with Access
Every server has a host firewall that controls what can connect to it. In the usual configuration, the firewall denies all inbound connections by default and allows connections the server itself initiates outbound (a firewall can also restrict outbound traffic, but the default policy rarely does). Normally you have to open the firewall so that inbound connections to port 443 (HTTPS) can reach the server.

With Tunnel, you keep the firewall locked down: no inbound connection is accepted. The Tunnel client installed and running on the server makes an outbound connection to Cloudflare, which the firewall allows because the server initiated it. Because that outbound connection exists, Cloudflare can send requests to the server over it.

If anything else tries to connect to the server, the firewall drops the connection. Someone trying to find the origin server’s IP address by scanning address ranges gets no response from the server behind Tunnel; it looks as though the server is not there or offline.
REDUCE SNOOPING THROUGH ENCRYPTION
Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-card numbers. In the case of a "man-in-the-middle" attack, the browser thinks it is talking to the server on an encrypted channel, and the server thinks it is talking to the browser, but they are both talking to the attacker who is sitting in the middle. All traffic passes through this man-in-the-middle, who is able to read and modify any of the data.
Fast encryption/termination, easy certificate management, and support of the latest security standards enable customers to secure transmission of user data.
BLOCK MALICIOUS PAYLOADS THROUGH AUTO-UPDATED, SCALABLE WAF
Attackers exploit application vulnerabilities by submitting malicious payloads that can extract sensitive data from the database or from the user's browser, or inject malware that compromises targeted systems.
A Web Application Firewall (WAF) examines web traffic looking for suspicious activity and filters out illegitimate requests based on the rule sets you configure it to apply. It inspects both GET and POST HTTP requests and applies a rule set, such as the ModSecurity Core Rule Set covering the OWASP Top 10 vulnerabilities, to determine which traffic to block, challenge or let pass. It can block comment spam, cross-site scripting attacks and SQL injection.
The Cloudflare Web Application Firewall (WAF) updates rules based on threats identified across its 6M customers, and can protect customers without hurting application performance because of its low-latency inspection and integration with traffic acceleration.
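Added example for the WAF section and for the earlier malicious-payload slide (not Cloudflare's WAF and not the ModSecurity Core Rule Set): a minimal WAF-style inspector in JavaScript showing the shape of the check, with one illustrative rule or two per payload class named on this page. The rules, parameter names and sample requests are constructed; a production rule set has hundreds of rules and is tuned per application.

```javascript
// Added example (not Cloudflare's WAF or the ModSecurity Core Rule Set): a minimal WAF-style
// inspector showing the shape of the check described above. It pulls parameters out of the
// query string and a form-encoded POST body, normalises them, and matches each against a
// small rule set for the three payload classes named on this page. Rules are illustrative only.

const RULES = [
  // SQL injection: UNION-based extraction, the classic tautology (' OR '1'='1), stacked statements.
  { id: 'sqli-union',     category: 'sqli', re: /\bunion\b[\s\S]*?\bselect\b/i },
  { id: 'sqli-tautology', category: 'sqli', re: /'\s*or\s+'?\w*'?\s*=\s*'?\w*/i },
  { id: 'sqli-stacked',   category: 'sqli', re: /;\s*(?:drop|delete|insert|update)\b/i },
  // Cross-site scripting: script tags, javascript: URLs, inline event handlers.
  { id: 'xss-script-tag', category: 'xss',  re: /<\s*script\b/i },
  { id: 'xss-js-url',     category: 'xss',  re: /javascript\s*:/i },
  { id: 'xss-handler',    category: 'xss',  re: /\bon(?:error|load|click|mouseover|focus)\s*=/i },
  // Remote file inclusion: a URL where a file/page/template parameter is expected.
  { id: 'rfi-url',        category: 'rfi',  re: /^(?:https?|ftp|php|data):\/\//i,
    param: /^(?:file|page|include|path|template)$/i },
];

// Decode the way the application would before matching, otherwise "%3Cscript" or a
// double-encoded "%253Cscript" walks straight past a rule that looks for "<script".
function normalize(raw) {
  let value = raw.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {                 // bounded: defeats double/triple encoding
    let decoded;
    try { decoded = decodeURIComponent(value); } catch (e) { break; } // malformed %xx: stop here
    if (decoded === value) break;
    value = decoded;
  }
  return value;
}

// Parse application/x-www-form-urlencoded data into normalised name/value pairs.
function parseForm(encoded) {
  const params = [];
  for (const pair of encoded.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    params.push({ name: normalize(name), value: normalize(value) });
  }
  return params;
}

// Inspect one request (GET parameters plus a form POST body) and decide block or allow.
function inspectRequest(req) {
  const q = req.path.indexOf('?');
  const params = parseForm(q === -1 ? '' : req.path.slice(q + 1));
  if (req.method === 'POST' && req.body) params.push(...parseForm(req.body));
  const matches = [];
  for (const p of params) {
    for (const rule of RULES) {
      if (rule.param && !rule.param.test(p.name)) continue;
      if (rule.re.test(p.value)) matches.push({ rule: rule.id, category: rule.category, param: p.name });
    }
  }
  return { action: matches.length > 0 ? 'block' : 'allow', matches };
}

// Constructed requests: a benign login, then one sample of each payload class.
const SAMPLE_REQUESTS = [
  { method: 'POST', path: '/login', body: 'user=alice&password=correct+horse+battery' },
  { method: 'GET',  path: "/products?id=1'%20OR%20'1'='1" },
  { method: 'GET',  path: '/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E' },
  { method: 'GET',  path: '/view?page=http://203.0.113.5/shell.txt' },
];

for (const req of SAMPLE_REQUESTS) {
  const verdict = inspectRequest(req);
  console.log(req.method, req.path, '->', verdict.action, verdict.matches.map((m) => m.rule).join(','));
}
```

The normalisation step is where most of the real engineering lives: a WAF has to decode exactly as far as the application will, or an attacker encodes one layer deeper than the rules look. Signature matching of this kind also produces false positives on legitimate input (a forum post about SQL, for instance), which is why the page talks about block, challenge or let pass rather than block alone, and why a WAF is a layer in front of a patched application, not a substitute for fixing the injection.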
REDUCE ACCOUNT TAKE-OVERS THROUGH LOGIN PROTECTION
Attackers automate logins against a login-protected page, either guessing common passwords ("dictionary attacks") or replaying username and password pairs from breach dumps ("credential stuffing"), and rely on volume to "brute force" their way in.
Cloudflare enables users to write custom rules that identify and block these hard-to-detect attacks at the edge through its rate-limiting rules.
Cloudflare has protected its customers against some of the largest DDoS attacks that have ever occurred. In fact, our 10 Tbps global Anycast network is 10x bigger than the latest and largest DDoS attack, which allows us to protect all Internet assets on our network even against the new, massive IoT-based DDoS attacks.
With the addition of Rate Limiting, Cloudflare complements its existing DDoS and Web Application Firewall (WAF) services. Rate Limiting protects against layer 7 denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer. It lets you configure thresholds and define responses per IP address. If traffic from a specific IP exceeds the threshold, subsequent requests from that IP are blocked for a defined period. Cloudflare does not charge for blocked traffic, so customers pay only for good traffic, not attack traffic. Rate Limiting also gives customers analytical insight into the endpoints of their website, application or API, so they can monitor their good and bad traffic.
The main benefits of Rate Limiting include:
Precise DDoS Mitigation: Rate Limiting provides simple to use but powerful configuration capabilities to protect against denial-of-service attacks
Protect Customer Data: Rate Limiting is the right service to protect sensitive customer information against brute force login attacks
Enforce Usage Limits: Enforce usage limits on your API endpoints by limiting HTTP requests
Cost Protection: Avoid the unpredictable cost of traffic spikes or attacks by setting thresholds which only allow good traffic through.
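Added example for the Rate Limiting section and the brute-force login slides (not Cloudflare's implementation): a sliding-window, per-IP rate limiter in JavaScript with the timed block and HTTP 429 response the page describes, run over a constructed login log. Timestamps are passed in explicitly so the run is deterministic; the rule values, IPs and usernames are made up for the example.

```javascript
// Added example (not Cloudflare's Rate Limiting implementation): a sliding-window rate limiter
// of the kind described above, driven by a constructed login log. Each request carries an
// explicit timestamp so the behaviour is deterministic; a live deployment would use Date.now().
// Counting is per client IP here, which is what the page describes.

class RateLimiter {
  // threshold: requests allowed per windowMs; blockMs: how long a key stays blocked after exceeding it.
  constructor({ threshold, windowMs, blockMs }) {
    this.threshold = threshold;
    this.windowMs = windowMs;
    this.blockMs = blockMs;
    this.state = new Map(); // key -> { hits: number[], blockedUntil: number }
  }

  // Decide whether a request identified by `key` may proceed at time `now` (ms).
  check(key, now) {
    const st = this.state.get(key) || { hits: [], blockedUntil: 0 };
    this.state.set(key, st);
    if (now < st.blockedUntil) {
      return { allowed: false, retryAfterMs: st.blockedUntil - now };
    }
    st.hits = st.hits.filter((t) => now - t < this.windowMs); // drop hits outside the window
    st.hits.push(now);
    if (st.hits.length > this.threshold) {
      st.blockedUntil = now + this.blockMs;                   // timed block, as on the page
      st.hits = [];
      return { allowed: false, retryAfterMs: this.blockMs };
    }
    return { allowed: true, remaining: this.threshold - st.hits.length };
  }
}

// Translate a decision into the HTTP response the edge would return to the client.
function toHttpResponse(decision) {
  if (decision.allowed) return { status: 200, headers: {} };
  return {
    status: 429,
    headers: { 'Retry-After': String(Math.ceil(decision.retryAfterMs / 1000)) },
  };
}

// Run a sequence of login attempts through a limiter keyed by client IP and report the outcome.
function simulateLogins(attempts, config) {
  const limiter = new RateLimiter(config);
  const outcome = { allowed: 0, blocked: 0, decisions: [] };
  for (const a of attempts) {
    const decision = limiter.check(a.ip, a.t);
    outcome.decisions.push({ ...a, status: toHttpResponse(decision).status });
    if (decision.allowed) outcome.allowed++; else outcome.blocked++;
  }
  return outcome;
}

// Rule: more than 5 login requests per minute from one IP -> block that IP for 10 minutes.
const LOGIN_RULE = { threshold: 5, windowMs: 60000, blockMs: 600000 };

// Constructed log: one attacker hammering /login once a second, one normal user, and the
// attacker coming back after the block has expired.
const SAMPLE_ATTEMPTS = [
  ...Array.from({ length: 7 }, (_, i) => ({ ip: '198.51.100.23', t: i * 1000, user: 'admin' })),
  { ip: '192.0.2.77', t: 3500, user: 'alice' },
  { ip: '198.51.100.23', t: 700000, user: 'admin' },
];

const result = simulateLogins(SAMPLE_ATTEMPTS, LOGIN_RULE);
console.log(`${result.allowed} allowed, ${result.blocked} blocked (HTTP 429)`);
```

Two design notes a practitioner would want next to this. First, a per-IP key stops one source guessing many passwords, but credential stuffing is spread across many IPs with a handful of attempts each, so a second limiter keyed on the target username (or IP plus username) is needed to catch it. Second, if the limiter can see the origin's response status, counting only failed logins keeps a busy legitimate account from being locked out by its own successful traffic.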