Cyber Security Fundamentals Webinar (Cantonese
•Télécharger en tant que PPTX, PDF•
0 j'aime•351 vues
Cloudflare hosted a webinar on cyber security fundamentals in Cantonese. It discussed the current threat landscape, challenges to effective security strategies, and how Cloudflare protects web content from threats. Cloudflare's vision is to provide security controls so customers of any size can keep their internet properties safe without sacrificing performance. It protects over 20 million internet properties from over 72 billion cyber threats daily using a global network across 90+ countries. Cloudflare discussed how it protects customers from DDoS attacks, bots, vulnerabilities, and more through integrated solutions that improve performance, acceleration, and security.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Cyber Security Fundamentals Webinar (Cantonese
Similaire à Cyber Security Fundamentals Webinar (Cantonese (20)
Plus de Cloudflare
Plus de Cloudflare (8)
Dernier
Dernier (20)
Cyber Security Fundamentals Webinar (Cantonese
- 1. Webinar: Cyber Security Fundamentals (Cantonese) Feb 6 @ 2 PM HKT
- 2. Today’s Speakers Sophie Qiu Customer Success Manager @ Cloudflare Sunny Au Solutions Engineer @ Cloudflare
- 3. What you will learn today 3 How does the threat landscape look like? Challenges to a successful security strategy How do you protect your web content from these threats?
- 4. We are helping build a better Internet 4
- 5. 5 Cloudflare Security Vision Provide world-class visibility, controls, and guided configurations so that customers of any size and technical sophistication can keep their Internet property safe and secure without sacrificing speed and performance 5
- 6. 20M+ Internet properties 200 Cities and 90+ countries 72B Cyber threats blocked each day in Q3’19 99% Of the Internet-connected population in the developed world is located within 100 milliseconds of our network Note: Data as of June 28, 2019. Cloudflare’s network operates at massive scale Confidential. Copyright © Cloudflare, Inc.
- 7. 20M+ Internet properties ~10% Fortune 1000 are paying customers 1B+ Unique IP addresses pass through Cloudflare’s network every day Protecting & accelerating Internet applications across verticals Confidential. Copyright © Cloudflare, Inc.
- 8. Customers benefit from integrated security, performance, and reliability 35% performance improvement 50% acceleration in DNS performance 60% reduction in malicious traffic 41k WAF blocks per month 900k login attempts blocked in 2 hours 50% decrease in page load times
- 9. Sunny Au Solutions Engineer @ Cloudflare
- 10. Factors increasing exposure to security risks Greater scrutiny by government and media around data, privacy and security Greater attack surface area from more public APIs, moving to the cloud, and increasing third-party integrations Stronger and more sophisticated attackers
- 11. Customers’ Security Threats SYSTEM DDoS Attack Attack traffic impacts availability or performance Bots Prevent malicious bots from abusing site or application Webpage Vulnerable Applications and APIs Multi-vector attacks that exploit vulnerabilities
- 12. Volumetric DNS Flood Bots DNS Server DNS Server Server Amplification (Layer 3 & 4) HTTP Flood (Layer 7) 1 2 Bots 3 Bots Degrades availability and performance of applications, websites, and APIs HTTP Application Application/Login Types of DDoS Attack Traffic
- 13. 300Gbps // Volumetric Layer 3/4 400Gbps // NTP Reflection 1Tbps // IoT Botnet Layer 7 Attack 1.7 Tbps // Memcached reflection/amplification Attack DDoS attacks are getting larger
- 14. Application and API Vulnerabilities Fake Website Visitors 1DNS Spoofing Malicious Payload eg: SQLi that ex-filtrates PII and credentials 3 Attacker Bots Brute Force 4 Data Snooping 2
- 15. IoT attacks - the new reality A botnet army of IoT cameras and a major attack took out DNS service provider in 2016. Over the last few weeks we've seen DDoS attacks that have switched to new, large methods of bringing down web applications. They appear to come from an IoT botnet (like Mirai and relations) which were responsible for the large attacks against Brian Krebs. 50 Gbps Up to 1Tbps
- 16. Types of Bot Attacks Credential Stuffing Taking-over an account to abuse the site, to perform fraudulent transactions, steal sensitive data, or compromise personal information. Content Scraping Stealing public information on the website such as prices or valuable SEO content Resell itemBots Bots Inventory Hoarding Bots automate the purchase of inventory to resell or keep them out of hands of customers Bots Website with stolen content
- 17. Comprehensive Protection from Bad Bots Stop take-over of user’s account from automatically applying previously stolen account credentials. Protection from scraping and stealing information from a website Identify and stop bad bots from adding malicious content to web properties such as forums and registration forms Credential Stuffing Content Scraping Content Spam Block bad bots that fraudulently purchase goods to deprive legitimate customers or resell for a higher price Inventory Hoarding Credit Card Stuffing Shield from attempts to validate stolen credit cards to then make fraudulent purchases Application DDoS Prevent bad bots from slowing sites, wasting bandwidth and compute resources
- 18. Not All Bots Are Malicious PartnerSearch Engine Crawlers CopyrightSite Monitoring Feed Scraper Spam Click Fake Googlebots Botnet Good Bots Good Bots Bad Bots
- 19. Lost customer trust and degraded brand value Lost revenue from site downtime or higher costs from bad traffic Business Impacts Business Impact ● $100,000 is the average hourly cost of an infrastructure failure ● $141 average cost for each lost or stolen record containing sensitive and confidential information ● $3.62 million is the average total cost of a data breachCost categories: Remediation costs (hardware, services, and software), lost revenue, lost future revenue from customer churn, wasted marketing spend, negative brand impact, help desk costs, increase IT staffing costs, loss of user productivity IDC March 2015, and Ponemon Institute, June 2017
- 20. Cloudflare DDoS Solution Scalable, easy-to-use, and high-performance solution to address availability challenges Stay online Global Anycast network with 180++ data centers absorbs highly distributed attack traffic so customers stay online Protect origin infrastructure Detect and drop at the edge volumetric attacks: layer 3 & 4, DNS, and layer 7 Identify anomalous traffic Fingerprint HTTP requests to protect sites against known and emerging botnets with automatic mitigation rules Protect applications with control Rate Limiting gives more granular control to block harder-to-detect application-layer attacks Origin Server DDoS attack Anticipate attacks Shared intelligence across 6M websites proactively blocks known bad signatures Stop origin server attacks Argo Tunnel establishes a direct, encrypted tunnel for traffic between the origin server and Cloudflare's nearest data- center, protecting origin web servers from targeted attacks
- 21. Industry Legacy Scrubbing vs. Cloudflare Always-On 21 Industry Legacy Scrubbing - Long propagation times (up to 300 sec) - Asynchronous routing - Adds significant latency - Typically requires manual intervention Always-On - Zero propagation time - Synchronous routing - No added latency - Immediate, automated mitigation, with no “cut over” required
- 22. Cloudflare Solution to Secure Applications ATTACKS Attackers try to forge DNS answers to intercept customer credentials Snoop unencrypted sensitive data entered by customers Brute-force their way into login pages Inject malicious payloads through forms and APIs Resilient DNS and DNSSEC prevents forged answers Encryption through SSL/TLS blocks snooping Log-in protection through rate limiting Block OWASP Top 10 and emerging application-level attacks through the WAF ● Layered defense to protect against sophisticated attackers ● Single control-plane for more robust and agile security policies ● Learning from attack profiles across 20M websites to keep yours safe 1. 2. 3. 4. CLOUDFLARE SOLUTIONS
- 23. Cloudflare Rate Limiting Precise DDoS Mitigation • High precision denial-of-service protection through robust configuration options Protect Customer Data • Protect sensitive customer information against brute force login attacks API Protection • Set API usage limits to ensure availability and protect against abuse. Cost Protection • Avoid the unpredictable cost of traffic spikes or attacks by setting thresholds which only allow good traffic through. Requests per IP address matching the traffic pattern 23© 2018 Cloudflare Inc. All rights reserved.
- 24. Cloudflare Next Gen Bot Management One-Click Deployment ● With a single click, deploy rules with Cloudflare recommended bot score thresholds ● No instrumentation with third-party JavaScript required Control and Configurability ● Scope rules by path or URI pattern, request method, and bot score thresholds ● Select mitigation methods, such as log, CAPTCHA, or block Rich Analytics and Logs ● Time-series graphs with drill-down tables ● Logs bot management rule, action, and rich request meta-data for every request Detect and mitigate bad bots by leveraging intelligence from over 13 million Internet properties. All with one click.
- 25. Cloudflare Bot Management Methods Machine Learning Cloudflare’s ML trains on a curated subset of 425 billion requests per day across 13M+ Internet properties to create a reliable “bot score” for every request. Behavioral Analysis Behavioral analysis detects anomalies in site-specific traffic, scoring every request on how different it is from the baseline. Automatic Whitelist Because not all bots are bad, the solution automatically maintains and updates a white list of "good" bots, such as those belonging to search engines. Mobile SDK The mobile SDK prevents attacks against mobile application APIs by impersonation and emulation bots. 25 Detection Protection
- 26. Rate Limiting SSL L3/4 DDoS Protection ` We secure traffic end-to-end, providing a layered defense Request Passed! Bot Management WAFDNS/DNSSEC Argo Tunnel 2626 L7 DDoS Protection Orbit Spectrum EXTEND WorkersAccess CONTROL
- 27. We are helping build a better Internet 27 Q&A
Notes de l'éditeur
- 歡迎大家參加今日的Webinar,Cloudflare 在綫分享與互動會議。 我們會從比較基礎的角度同大家分享網絡安全以及對你的業務造成怎樣的影響。來緊,我們會分析有關網絡安全的最新趨勢,甘方便你地瞭解到底你們會需要點樣的解決方案,服務以及有關如何減輕網絡風險的一些實用技巧和解決方式。所以希望大家可以堅持到最後。 我們這個會議分三個環節:第一個就係我這邊做一個全面的公司Update,第二個就是今日的重點環節,由我們的solution engineer Sunny更多從技術上同大家分享相關内容,第三個環節,會讓大家在右手邊的Q&A提問窗口,歡迎大家提出自己的疑問,我們會在綫解答。
- 我係Sophie,Customer Success Manager 。 係enterprise客戶的day to day contact window,負責的内容包括新的客戶Onboarding training, 服務咨詢,QBR,客戶探訪和區域客戶見面會。同時都會為公司策劃適合區域客戶的在綫知識和產品分享會議和活動。比如今日的Webinar. 今日的Webinar 有Sunny Au, Cloudflare的Solution Engineer. Sunny 主要覆蓋香港和台灣客戶,為客戶提供針對性的解決方案咨詢和協助,同最佳方案Best Practise. 他會從更技術的角度同大家分享今天的重點内容。 Hi Sunny, 後者,您再介紹一下自己? 接下來 同大家再分享一下今日的流程,整個分享會占用大概30分鐘的時間,同時這個Webinar會做recording, 我們會將這個recording 放到Coudflare Webinar Page,這個文件都會分享比大家。如果有任何問題,請在右手邊的Q&A 度寫出來,我們會在Sunny 分享結束後,逐個回答大家的問題。
- 今天的Webinar 會cover 以下三個内容: 1)今時今日的網絡威脅趨勢是點樣的? 2) 設立一個成功的安全策略一般會遇到怎樣的挑戰 ? 3)你可以怎樣去保護你的網絡資產而不受這些網絡威脅? “On today’s webinar we will cover these 3 main things How does the threat landscape look like? What are challenges to a successful security strategy How can you protect your web content from these threats? We will end with the Q&A so please make sure you ask your questions on the chat and we will answer them at the end.
- 這裏,我先同大家介紹一下Cloudflare 。相信很多人都在用緊Cloudflare的服務。 大家應該在我們的的網站看到了Mission Statement , Cloudflare is helping build a better internet. 我們係做些什麽, 以及怎樣去做的呢? 簡單來講,我們致力於提供給大家一個更加安全,可靠同埋快速的網絡使用體驗。 點解這個那麽重要? 因爲如果你的網站down左,或者運行很慢,無論哪一種原因,你的業務都會受到影響從。我們就是致力於不另這些情况出现。 The next 30 minutes is packed with useful tips and insights. Before we get into that, let me take a few steps back to talk about what Cloudflare does. As you can see from our Mission Statement, Cloudflare is helping build a better internet. How do we do that? What is it that we do? In simple terms we help build a better internet by making your websites more secure, more reliable and faster. And why are these so important? Because if your website goes down or it’s slow to load, for any reason, it will have a negative impact to your business and cause the revenue lost. And we make it our business that that will never happen
- 深入到網絡安全這個話題, 我們會為客戶提供高可見性,管理控制能力同埋提供專業和針對性的設置指引, 在不影響客戶訪問速度和性能的情況之下保障網絡資產的安全 So diving into Cybersecurity, In a nutshell, this is our philosophy on how we tackle this issue for our customers. world-class visibility, controls, and guided configurations 20M customers world wide - huge variety - some tech some not We will not sacrifice speed and performance for security. We are complete but not complex
- Cloudflare 的網絡提供給用戶足夠的廣度和規模去運行他們的網絡程序。 我地獨特的架構可以令所有的產品和服務都可以在每個數據中心的每一個server去運行,從而通過每一個新的colo為我們的客戶提升網絡速度。我們的網絡擁有足夠的規模為企業提供一個安全和高速的應用程序體驗。 Cloudflare’s network has the breadth and scale that organizations need to run their Internet applications. Organizations benefit from our unique architecture has all products and services running on every server, in every data center, improving our network for our customers with every new colo. Our network offers scale, the performance that helps organizations deliver superior application experience while keeping their environments secure.
- Cloudflare 的服務和解決方案適用於所有人。 目前有超過2千萬網絡資產通過我們的網絡去運行並受Cloudflare保護的。包括各個行業比如非营利组织和政府机构等。 We are for everyone. There are benefits from having a diverse set of customers and we have over 20 million Internet properties on our network across geographies, industry verticals, non-profits, and government agencies
- 這些是我們的一些客戶。 There are number of customers that have realized benefits from the integrated security, performance, and reliability. Here are some examples.
- 從這裏開始,將由Sunny 為大家分享更多内容。 I will hand over to Sunny for his in-depth sharing with more insights
- Talk Track: Three factors are leading many of our customers to experience a growing exposure to security threats: Greater attack surface results from three common trends: Applications publishing more public APIs Companies are moving more applications, including production-level workloads, to the cloud Increasing third-party integrations Attackers are stronger. Here are three ways: Greater volume, greater distribution, including IoT devices as sources Greater motivation through success of holding companies for ransom Shifting to harder to detect and block “application” layer attacks A greater attack surface area along with stronger attackers would, alone, be a big concern. But at the same time, there is Greater scrutiny for security incidents: Governments are applying greater scrutiny over privacy and data issues Media reports of breaches and cybersecurity incidents have increased Individual consumers more are educated and aware with high-profile reporting (a combination of #1 and #2) Questions: Do any of these actually sound familiar for your business? Do you believe your exposure is decreasing, increasing or is the same? In what ways? Background Reading - you can build this into your talk track: Companies are facing increased pressures to strengthen their security posture. Three forces contributing to the pressure are: Attack surface area increases from applications exposing more public APIs, the increase in SaaS adoption, and the integration with more third-party applications Attackers are stronger, more sophisticated, and highly motivated Heightened public and government scrutiny of data, privacy, and security Attackers are increasing their frequency and volume of Distributed Denial of Service (DDoS) attacks. By leveraging botnets and the millions of Internet-of-Things (IoT) devices online, they are able to wage highly distributed volumetric attacks with greater ease and impact. In addition to higher volumes, attackers are shifting their focus from the network layer to the application layer. Application-layer or "Layer 7" attacks are harder to detect, often require fewer resources to bring down a website or application, and can disrupt operations with greater impact. Attackers are able to monetize their attempts to bring down sites or steal sensitive data, for example, by holding sites for ransom. As a result, because of the successful ransom payouts by their enterprise targets, the attackers are more motivated, organized and pervasive.
- Talk Track: In light of this growing exposure to security risks, what are those primary threats you may encounter? We spent time talking with OUR customers across different verticals to truly understand the most common fears. These match what industry analysts are reporting: Site is unavailable because of denial of service attack Customer data is compromised, (e.g. breached or stolen) Increasingly, abusive bot activity For each of these broad types of threats, we’ll quickly go into more detail about what those types of threats or attacks could look like. Questions: Which, if any, of these are most important for you? For the others, do you anticipate they could become problems or think they won’t impact your business? And if so, why? If there was a pre-call…”I know you shared initial concerns about DDoS, what about data compromise?”
- Talk Track: This slide gives examples of the types of DDoS attack. We could dive deeper with the rest of your team and our security team, as well. The important take-away is that these attacks are layered. In other words, a DDoS can attack different parts of your infrastructure. Volumetric DNS Flood: volumetric DNS queries against your DNS servers to make the DNS server unavailable Amplification: using a DNS to amplify requests and overload yours server over UDP HTTP Flood: volumetric HTTP attack to bring down the application All of those attacks impacts availability and performance of of websites, applications and API’s. Questions: This is often a good, in-depth slide to share with broader audience, for example if you have a security or infrastructure team. Would you be interested in that? Which have you experienced in the past, if any? How did you respond to them if you did?
- Decrease in the unit cost of DDoS attacks, Pick a solution that scales well with the attack sizes. It should not be limited by the a few network interfaces.
- Talk Track: When it comes to compromise of sensitive customer data, you may be most familiar with malware. While that’s a very visible form of attack right now, we should consider there are other common, just not as media-hyped, forms of customer data theft. The take-away for this slide is that attackers can take advantage of different vulnerabilities. DNS Spoofing: visitors are directed to a fake site instead of your site A compromised DNS record, or "poisoned cache," can return a malicious answer from the DNS server, sending an unsuspecting visitor to an attacker's site. This enables attackers to steal user credentials to then take-over legitimate accounts. Data Snooping: sensitive data like visitor’s credentials or credit cards are snooped over the wire Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-cards numbers. Brute Force: attackers are repeatedly trying credentials to take over an account Attackers can wage "dictionary attacks" by automating logins with dumped credentials to "brute force" their way through a login-protected page. Malicious Payload: SQL-injection, cross-site scripting, remote file inclusion that results in ex-filtrated data Malicious payloads exploit an application vulnerability. The most common forms are SQL injections, cross-site scripting, and remote file inclusions. Each of these can exfiltrate sensitive data by running malicious code on the application. The risk is that sensitive customer data, such as credit card information, might get compromised.
- Some recent news to help bolster the point further: https://www.zdnet.com/article/hackers-are-hijacking-smart-building-access-systems-to-launch-ddos-attacks/
- Talk Track: The third attack: increasingly, bots are becoming more common forms of attack. The three most common we have seen and blocked are: Content scraping: which essentially steals website content and hurts SEO or revenue Check out fraud: the most common is the “sneaker bot” which takes limited inventory and buys before actual customers can get them Account takeover: the result typically of a brute force login to then use a compromised account
- , , Prevent,, security from
- with 40% of the Internet traffic being bot, it’s a certainty that your external facing digital asset is getting some bot traffic. The biggest challenge when dealing with bots is that not all bot traffic is malicious, so you cannot just block all bot traffic… that would have been easy…. There are good bot like search engine crawler which are operated by search engines like Google, Bing, Baidu… These bots help with search engine optimization, so that a website shows up higher in web search results. Partner bot – for traffic coming from partners like ticketing booking service such as Expedia or Priceline trying to book airline tickets or hotels Site monitoring bots: monitoring system outages –alert users of major changes or downtime. Copyright: Monitors copyright law violation. looks for duplicate text, music, images, or even video. Feed bot: These bots crawl the Internet looking for newsworthy content to add to a platform's news feed. Content aggregator sites or social media networks may operate these bots BAD BOTS: on the other hand you have the bad bots that impact your sales, revenue, end user experience or disrupt your service and these bad bots need to be blocked Scraper Bots: Scraper bots will steal original content from a site and reprint it on various sites throughout the internet without permission. Usually, victims of scraper bots don’t even know their content’s been stolen unless they’re actively searching for it. These bots are executed with malicious intents - to steal content. Scrapers program these bots to scrape prices and product catalog so that they can undermine the pricing strategies of the target website. Competitors use third-party scrapers to perform this illegal act, and the unprotected website’s competitive advantage is usurped by the scraper and competition. Spam bots - Spam bots primarily target community portals, blog comment sections and lead collection forms. They come in the middle of user conversations and insert unwanted advertisements, links and banners. This frustrates genuine users participating in forums and commenting on blog posts. Often times, these spam bots insert links that may be malicious in nature - like for example, phishing sites, targeting unsuspected users into divulging sensitive information like bank accounts and passcodes. These bots spread spam content and advertising links all over the internet. They’ll also collect email addresses, phone numbers, and other personal information submitted by users through forms filled out online. Click Bots. Click bots are the ad fraud bots that advertisers have grown to know and despise. These bots set out to intentionally engage with your advertising, therefore skewing your data incorrectly and costing you money for fraudulent clicks. Scalper bots - These bots target ticketing websites, and make bulk purchases. The modus operandi is to purchase hundreds of tickets as soon as the bookings open, and sell it to reseller websites at many times the original cost of the ticket. The original unprotected ticket selling website stands to lose genuine customers because of their inability to purchase tickets at the original cost. Botnets: DDoS, short for Distributed Denial of Service, is an attack that attempts to make a website unavailable by overwhelming it with traffic from multiple sources. DDoS attacks are often performed by botnets. A botnet (the combination of robot and network) is a network of private computers infected with malware……. https://www.cloudflare.com/learning/bots/how-to-manage-good-bots/ https://www.shieldsquare.com/what-are-the-different-types-of-bots/ https://www.ezanga.com/blog/good-bots-bad-bots-and-what-you-need-to-know https://areyouahuman.com/downloads/GoodBotsvBadBots_FINAL.pdf
- Talk Track: So what happens when you experience one or more of these problems we just discussed? Many of our customers shared with us they have both intangible and tangible costs. You can see some of the potential cost categories and, if you are interested, we can schedule time with your team to get a better handle on the costs if you don’t know details right now. However, for the purposes of this conversation, we’ve found it’s often helpful to think about and to discuss the potential costs. The areas of cost can range, as you can see on the list, from remediation costs to loss of user productivity. It doesn’t need to be accurate. But reviewing these can reveal whether the problem is a one-hundred dollar a month problem, or a one-hundred thousand dollar a month problem. Some questions include: What is the cost for an hour of downtime due to a DDoS in lost customers? What would be the cost if just one customer record were breached in terms of remediation or customer churn? What happens to revenue or your brand when malicious bots abuse your site? Source: IDC, March 2015: “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified”, Stephen Elliot. This was commissioned by AppDynamics Ponemon Institute, 2017 Internal background reading - Enablement: These are discovery/conversation slides This is very important. You will have a more difficult time ultimately doing the sale or upsell without it unless the customer’s hair is on fire to buy something. On the right hand side are the types of costs to explore with customers. Potential responses from customers and options for responses: If the customer responds: I don’t know “That’s fine. I could imagine the person who would know would be interested. Could we include him in future meetings as a way to help you get the answers?” “I understand. Who would know about these numbers in your organization?” “Sure. Do you think you could make an educated guess? Is this $5 per incident or $50,000 per incident?” We have found that it’s valuable for companies to quickly get a sense of the business impacts you most care about. These two were consistently what customers shared as big concerns, whether they use Cloudflare or not. Which of these are important to you? What connection do you see between these and downtime from DoS and breached customer data? Who in the org care about these impacts? Here are some examples from conversations with existing customers: Trust A financial services customer said lost of trust would directly impact customer and revenue A medical ecommerce customer said losing trust would be “game over” as a business A hospitality company values the brand as key to their business and downtime hurt the brand A media site said losing trust of readers as a news site by being down would impact short-term ad revenues and long-term brand (which impacted advertisers) Trust goes down, Revenue goes down in every case If you had to give a dollar amount of the impact, what would it be? Notes: Are costs critical to the buying decision? Costs could be the increased costs of backend servers during attacks -- For example, the service HaveIbeenPwnd, saw a 5x increase in Azure services due to attacks -- A media company customer saw bandwidth costs increase 1000x from attack traffic Revenue could be the impact during an outage Downtime for many companies, from e-commerce, to SaaS, to ad-driven businesses, can be in the tens of thousands of dollars, due to lost customers, lost ad dollars If you have to pick an area with the biggest potential impact, which would it be? RESEARCH from competitors: The average global cost of data breach per lost or stolen record was $141. However, health care organizations had an average cost of $380 and in financial services the average cost was $245. Media ($119), research ($101) and public sector ($71) had the lowest average cost per lost or stolen record. 2017 Cost of Data Breach Study Global Overview Benchmark research sponsored by IBM Security Independently conducted by Ponemon Institute LLC June 2017 https://www.theatlantic.com/technology/archive/2016/10/a-lot/505025/ https://www.ponemon.org/blog/2014-cost-of-data-breach-united-states https://security.radware.com/uploadedFiles/Resources_and_Content/Attack_Tools/CyberSecurityontheOffense.pdf https://www.corero.com/company/newsroom/press-releases/market-study-indicates-ddos-protection-is-a-high-priority-for-data-centres-hosting-providers-and-network-services-providers/ https://ns-cdn.neustar.biz/creative_services/biz/neustar/www/resources/whitepapers/it-security/ddos/2015-oct-ddos-report.pdf
- Talk Track: Cloudflare’s DDoS Solution has several components. First, our infrastructure scales to address the growing size of DDoS attacks. It does this through an Anycast network which creates a larger surface area to absorb highly distributed attacks. Second, we put in place automatic detection and mitigation. This leverages our visibility across 20M customers and 10% of HTTP traffic. Lastly, we give customers control for those layer 7 attacks which may not look like DDoS attacks to us, but for your environment need to be blocked by on customized rules you create. The big message is: The DDoS solution is: Scalable Easy to Use Fast Our protections are layered: Global Anycast absorbs distributed traffic The Argo tunnel stops attack traffic to the origin server, without the hassle of opening up firewall ports and configuring ACLs Drop at the edge high volume of ¾ and layer 7 traffic Fingerprinting looks at patterns in traffic attributes to respond quickly to dynamic threats Share intelligence across all to proactively identify threats Give granular control to users for harder-to-detect Layer 7 Before we go further, could we talk about which, if any, of these are things you’d like to ask about?
- Talk Track Earlier we discussed four common vectors for attacks to compromise or steal sensitive data. The take-away for this slide is this: when there are multiple vectors, you need a layered defense. To defend against malicious payloads, you need a Web Application Firewall - WAF checks the payload against malicious OWASP on the application To mitigate damage by malicious bots you need to be able move the attack surface closer to the attacker - Cloudflare Workers lets you apply custom security rules and filtering logic at the network edge. This helps in early detection of malicious bots and prevents them from consuming resources To prevent unintended snooping of data, you need easy to manage and deploy encryption - TLS encrypts the content so protects against sniffing To block brute force logins, you need rate-based log-in protection - Rate Limiting checks against threshold volume to protect against DDOS, brute-force or scraping To prevent forged DNS answers that can send customers to a fake site, you need resilient DNS and DNSSEC - DNS tells us the address the request goes to and secure DNS protects against phishing To protect your origin web server from targeted attacks that directly use the server IP address, you need an easy way to expose web servers securely to the internet. The Argo tunnel stops attack traffic, without the hassle of opening up firewall ports and configuring ACLs by ensuring that requests route through Cloudflare’s WAF and unmetered DDoS before reaching the web server All these work seamlessly and are easy to set up and configure through the Cloudflare UI as well as through a rich set of APIs. The high level takeaways are: Multiple attack vectors Cloudflare has layered defense Easy to configure across all services Learn across 9m websites Background Reading - you can build this into your talk track: Reduce risks of data compromise through layered defense Attackers often use several attack vectors when attempting to compromise customer data. To protect themselves, companies need a layered defense. REDUCE SPOOFING THROUGH SECURE DNS Cache poisoning or "spoofing" tricks unsuspecting site visitors to enter sensitive data, such as credit card numbers, into an attacked site. This type of attack occurs when an attacker poisons the cache of a DNS name server with incorrect records. Until the cache entry expires, that name server will return the fake DNS records. Instead of being directed to the correct site, visitors are routed to an attacker's site, allowing the bad actor to extract sensitive data. DNSSEC verifies DNS records using cryptographic signatures. By checking the signature associated with a record, DNS resolvers can verify that the requested information comes from its authoritative name server and not a man-in-the-middle attacker. STOP ATTACK TRAFFIC TO THE ORIGIN WEB SERVER If an attacker knows the server's IP address, they can attack it directly and bypass existing security solutions. To address this problem, most companies use a solution called Origin Protection. We call it BGP Origin Protection, Incapsula calls it IP Protection and Akamai calls it Site Shield. The underlying technology is often a GRE tunnel and it's slow, expensive and only available as an on-demand service. What exactly does Argo Tunnel do? exposes web servers securely to the internet, without opening up firewall ports and configuring ACLs ensures requests route through Cloudflare before reaching the web server, so attack traffic is stopped with Cloudflare’s WAF and Unmetered DDoS mitigation and authenticated with Access Every server has an internal firewall that controls what can connect to that server. The firewall decides what connections can reach the server. (Note: Firewall only controls what can get in, not what can get out). By default, Firewall says no connection can reach the server. Usually you have to change the firewall so that connections to port 443 (HTTPS) can reach the server With Tunnel, you keep the firewall totally locked down. Nothing can get in. The Tunnel client installed and running on the server makes an outbound connection to Cloudflare. That's allowed – remember the firewall only cares about what establishes an inbound connection. Outbound is allowed. Because there is an outbound connection from the server to Cloudflare, Cloudflare can communicate with server. But if anything else tries to connect to the server, the firewall drops the connection. Someone trying to get the origin server’s IP by doing a scan of all IP's will not get a response from the server behind Tunnel – it is like the server is not there, or offline. REDUCE SNOOPING THROUGH ENCRYPTION Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit-cards numbers. In the case of a "man-in-the-middle" attack, the browser thinks it is talking to the server on an encrypted channel, and the server thinks it is talking to the browser, but they are both talking to the attacker who is sitting in the middle. All traffic passes through this man-in-the-middle, who is able to read and modify any of the data. Fast encryption/termination, easy certificate management, and support of the latest security standards enable customers to secure transmission of user data. BLOCK MALICIOUS PAYLOADS THROUGH AUTO-UPDATED, SCALABLE WAF Attackers exploit application vulnerabilities by submitting malicious payloads that can extract sensitive data from the database, the user's browser, or from injecting malware that can compromise targeted systems. A Web Application Firewall (WAF) examines web traffic looking for suspicious activity; it can then automatically filter out illegitimate traffic based on rule sets that you ask it to apply. It looks at both GET and POST-based HTTP requests and applies a rule set, such as the ModSecurity core rule set covering the OWASP Top 10 vulnerabilities to determine what traffic to block, challenge or let pass. It can block comment spam, cross-site scripting attacks and SQL injections. The Cloudflare Web Application Firewall (WAF) updates rules based on threats identified because of its 6M customers, and can protect customers without hurting application performance because of its low-latency inspection and integration with traffic acceleration. REDUCE ACCOUNT TAKE-OVERS THROUGH LOGIN PROTECTION Attackers can wage "dictionary attacks" by automating logins with dumped credentials to "brute force" their way through a login-protected page. Cloudflare enables users to customize rules to identify and block at the edge these hard-to-detect attacks through its rate-limiting rules
- Cloudflare has protected its customers against some of the largest DDoS attacks which ever occurred. In fact, our 10 Tbps global anycast network is 10X bigger than the latest and largest DDoS attack, which allows us to protect all internet assets on our network even against the new, massive IoT-based DDoS attacks. With the addition of Rate Limiting Cloudflare complements the existing services DDoS and Web Application Firewall (WAF) Services. Rate Limiting protects against layer 7 denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer. It provides the ability to configure thresholds and define responses by IP. If traffic from a specific IP exceeds the threshold, than those requests get blocked and timed out for a defined period. Cloudflare does not charge for blocked traffic, so that our customers only pay for good traffic but not attack traffic. Rate Limiting also provides customers to gain analytical insights into endpoints of the website, application, or API, and they can monitor their good and bad traffic. The main benefits of Rate Limiting include: Precise DDoS Mitigation: Rate Limiting provides simple to use but powerful configuration capabilities to protect against denial-of-service attacks Protect Customer Data: Rate Limiting is the right service to protect sensitive customer information against brute force login attacks Enforce Usage Limits: Enforce usage limits on your API endpoints by limiting HTTP requests Cost Protection: Avoid the unpredictable cost of traffic spikes or attacks by setting thresholds which only allow good traffic through.