You Had One Job
Suzanne Aldrich
Senior Solutions Engineer
Cloudflare
A K.I.S.S. Guide to Security That Doesn't Suck
FutureCon Seattle 2025
You Had One Job
FutureCon Seattle 2025 You Had One Job
● 2024: another year of preventable breaches
● 3 of the 4 most exploited vulnerabilities were in security appliances (Mandiant M-Trends 2025)
● Most orgs still haven't turned on basic protections
K.I.S.S. Principle
● Keep It Secure & Simple
● Complexity is the enemy of consistency
● If you can't deploy it quickly, it won't help when it matters
The 2024 Threat Reality
● Exploits = 33% of intrusions
● Stolen credentials > phishing
● Security appliances targeted more than apps
"33% began with exploitation of a vulnerability"
Initial Infection Vector, 2024, Mandiant M-Trends 2025 Report
The most exploited vulnerabilities in 2024 weren't in forgotten web servers; they were in the security appliances we rely on to protect our networks. From zero-days to post-patch persistence, the defenses themselves became the weakest link.
Recent Network Device Vulnerabilities:
● F5 CVE-2022-1388: iControl REST auth bypass → RCE
● Fortinet CVE-2022-42475: attacker access persisted post-patch
● Citrix CVE-2023-4966: session hijacking
● PAN CVE-2024-9474: root access for authenticated admins
● SonicWall CVE-2020-5135: remote buffer overflow
● PAN CVE-2024-3400: command injection
● Ivanti CVE-2023-46805 + CVE-2024-21887: chained auth bypass and command injection
● Fortinet CVE-2023-48788: SQL injection → remote access
Edge Devices Became Front Doors
Modern attackers aren't tunneling through backdoors; they're walking through the front, using zero-days in firewalls, VPNs, and load balancers. The very tools designed to keep threats out are introducing them.
Patch ≠ Prevention
In multiple incidents, attackers maintained access even after patches were applied. Whether due to persistence techniques or slow adoption cycles, the damage was already done, and the architecture offered no containment.
"The most frequently exploited vulnerabilities affected security devices, which are, due to their function, typically placed at the edge of the network."
– M-Trends 2025
Edge Device Security Advisory
The Myth of the Magical Box
● The edge is the new exploit surface
● You can't fix architecture problems with more appliances
● Resilience comes from simplicity, not spending
Top 10 Things You Still Haven't Done
Lock down admin interfaces
Enable WAF and customize it
Validate API schema, use mTLS
Enforce TLS (everywhere)
Rate limit sensitive endpoints
Monitor & restrict 3rd-party scripts
FutureCon Seattle 2025 You Had One Job
Top 10 Things You Still Haven't Done (contʼd)
Classify & block bad bots
Harden DNS and log access
Require FIDO2 or strong MFA
Push logs somewhere useful
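Rate limiting a sensitive endpoint is only as good as the key it counts against. The following is an added example in Python, not code from the slides or from Cloudflare: a sliding-window limiter on /login that derives the client address by walking X-Forwarded-For from the trusted side, next to the naive leftmost-entry keying that a forged header defeats. The TRUSTED_PROXIES ranges, the addresses and the traffic are assumptions constructed for the demo.

```python
"""Rate limiting a sensitive endpoint without being fooled by a forged
X-Forwarded-For header. Added example for this deck, not Cloudflare code.
Assumptions: a single-process in-memory store, and a hypothetical
TRUSTED_PROXIES list naming the only hops allowed to append to the header."""
import ipaddress
from collections import defaultdict, deque
from typing import Optional

# Assumption: our own load balancers / reverse proxies live in these ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # garbage is never one of our proxies
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Walk the chain from the socket peer leftwards and return the first hop
    that is not one of our proxies. The leftmost X-Forwarded-For value is
    whatever the client chose to send, so it is never trusted directly."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops + [remote_addr]):
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr        # every hop was ours: key on the nearest proxy


def leftmost_xff(remote_addr: str, xff: Optional[str]) -> str:
    """The weak version: trusts the first X-Forwarded-For entry. An attacker
    can rotate it per request and never share a rate-limit bucket."""
    return (xff or remote_addr).split(",")[0].strip() or remote_addr


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within the trailing `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._hits: dict = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        cutoff = now - self.window_s
        while q and q[0] <= cutoff:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False              # over budget: the caller answers 429
        q.append(now)
        return True


def simulate_login_burst(key_fn, attempts: int = 8) -> list:
    """Constructed traffic: one attacker at 203.0.113.7 behind our proxy
    10.0.0.1 hammers /login, forging a fresh leftmost X-Forwarded-For entry
    each time. The proxy appends the real peer address, as proxies do."""
    limiter = SlidingWindowLimiter(limit=5, window_s=60)
    decisions = []
    for i in range(attempts):
        forged = f"198.51.100.{i}, 203.0.113.7"
        decisions.append(limiter.allow(key_fn("10.0.0.1", forged), now=1000.0 + i))
    return decisions


if __name__ == "__main__":
    print("safe keying: ", simulate_login_burst(client_ip))
    print("naive keying:", simulate_login_burst(leftmost_xff))
```

With the safe key the sixth attempt is refused; with the naive key every attempt lands in a fresh bucket and the limit never fires. The same walk-from-the-right logic applies to any client-supplied address header, and a direct connection from an untrusted address ignores the header entirely.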
FutureCon Seattle 2025 You Had One Job
The Security Maturity Ladder (K.I.S.S. Edition)
Four tiers; each builds on the one before it.
Stop the flood
● DDoS mitigation (L3/L7)
● WAF with default managed rules
● Basic auth or IP restrictions
● Block known abuse patterns
● Heuristics and challenge pages
● CSP monitoring (report-only)
● None or basic event logging
Control the surface
● Rate limiting on sensitive endpoints
● Custom WAF rules per app/API
● Path-level access control
● Rate limit and block sensitive verbs
● Targeted mitigation on high-risk paths
● Script source allowlists
● Enable log collection for key events
Verify everything
● Identity-aware rules
● Context-based challenge logic
● MFA (FIDO2 preferred), session management
● mTLS + schema validation
● Device fingerprinting, behavioral checks
● Page Shield enforcement policies
● Centralize logs + alerting on triggers
Watch & adapt
● Anomaly detection based on baselines
● Logging of all WAF/bot events
● Re-authentication on risk/change
● API anomaly logging and schema drift
● Bot score correlation + alerting
● Alert on new/dynamic third-party assets
● Automated alerts, dashboards, SIEM feed
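The client-side script row of the ladder is a single workflow: monitor in report-only mode, turn the reports into an allowlist, enforce it, then alert on any host that shows up afterwards. The block below is an added example in Python, not code from the slides, from Cloudflare or from Page Shield: it normalises both CSP report formats (legacy report-uri and the Reporting API), buckets the violations so browser-extension noise and inline-script findings don't pollute the allowlist, and emits the same policy as a report-only or enforcing header. The allowlist host, the endpoint names and every report body are constructed for the demo.

```python
"""Triage CSP violation reports into a script-source allowlist and emit the
matching report-only and enforcing headers. Added example for this deck, not
Cloudflare or Page Shield code. The allowlist and every report body below are
constructed; real reports arrive at the report-uri / Reporting API endpoint."""
import json
from collections import Counter
from urllib.parse import urlparse

# Assumption: the only origins that should ever serve script to our pages.
ALLOWED_SCRIPT_HOSTS = {"static.first-party.example"}
EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:", "safari-web-extension:")


def parse_report(raw: str) -> dict:
    """Normalise the legacy report-uri body and the Reporting API body into
    {directive, blocked, page}; both formats show up in practice."""
    data = json.loads(raw)
    if "csp-report" in data:                     # legacy: {"csp-report": {...}}
        b = data["csp-report"]
        return {"directive": b.get("effective-directive") or b.get("violated-directive", ""),
                "blocked": b.get("blocked-uri", ""),
                "page": b.get("document-uri", "")}
    b = data.get("body", {})                     # Reporting API: {"type": "csp-violation", "body": {...}}
    return {"directive": b.get("effectiveDirective", ""),
            "blocked": b.get("blockedURL", ""),
            "page": b.get("documentURL", "")}


def classify(rep: dict) -> tuple:
    """Return (bucket, host). Only script-src* violations feed the allowlist."""
    if not rep["directive"].startswith("script-src"):
        return "other-directive", "-"
    blocked = rep["blocked"]
    if blocked in ("", "inline", "eval"):
        return "inline-or-eval", "-"             # fix the page, not the allowlist
    if blocked.startswith(EXTENSION_SCHEMES):
        return "extension-noise", "-"            # injected by the user's browser, not by us
    # Browsers may truncate a cross-origin blocked URL to its origin; the host survives.
    host = urlparse(blocked).netloc.lower()
    if host in ALLOWED_SCRIPT_HOSTS:
        return "allowlisted", host               # deployed policy lags the allowlist: regenerate it
    return "new-third-party", host               # the alert: a script host nobody approved


def triage(raw_reports) -> dict:
    """Bucket reports and count blocked hosts; 'new-third-party' is what to page on."""
    buckets = {}
    for raw in raw_reports:
        bucket, host = classify(parse_report(raw))
        buckets.setdefault(bucket, Counter())[host] += 1
    return buckets


def csp_header(enforce: bool) -> tuple:
    """Same policy in report-only (monitor) or enforcing mode; only the name changes.
    'csp-endpoint' is assumed to be declared in a Reporting-Endpoints header."""
    sources = " ".join(["'self'"] + sorted(f"https://{h}" for h in ALLOWED_SCRIPT_HOSTS))
    value = (f"script-src {sources}; object-src 'none'; base-uri 'self'; "
             "report-uri /csp-report; report-to csp-endpoint")
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, value


# Constructed sample reports: two formats, one unapproved tag vendor seen twice,
# one suspicious loader, inline script, extension noise, a non-script violation,
# and one host that is already on the allowlist.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "https://cdn.tagvendor.example/tag.js"}}),
    json.dumps({"type": "csp-violation", "body": {"documentURL": "https://shop.example/checkout",
                                                   "effectiveDirective": "script-src-elem",
                                                   "blockedURL": "https://cdn.tagvendor.example/tag.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "https://evil-skimmer.example/loader.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline"}}),
    json.dumps({"type": "csp-violation", "body": {"documentURL": "https://shop.example/",
                                                   "effectiveDirective": "script-src-elem",
                                                   "blockedURL": "chrome-extension://abcdef/content.js"}}),
    json.dumps({"type": "csp-violation", "body": {"documentURL": "https://shop.example/",
                                                   "effectiveDirective": "img-src",
                                                   "blockedURL": "https://pixel.tracker.example/p.gif"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "effective-directive": "script-src-elem",
                               "blocked-uri": "https://static.first-party.example/app.js"}}),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_REPORTS).items():
        print(f"{bucket:18} {dict(hosts)}")
    print(*csp_header(enforce=False), sep=": ")
```

Run the report-only header for a release cycle, add only the hosts you consciously approve to the allowlist, and flip to the enforcing header once the new-third-party bucket is empty. After that, anything landing in that bucket is the "new/dynamic third-party asset" alert from the top tier of the ladder, and is the kind of script inventory PCI DSS 6.4.3 expects you to be able to produce.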
FutureCon Seattle 2025 You Had One Job
Compliance Alignment – Security Maturity Ladder
One row per tier of the ladder: primary controls, then the NIST CSF 1.1 categories, PCI DSS requirements, and C2M2 domains they map to.
Stop the flood: DDoS mitigation, WAF
  NIST CSF: PR.PT (Protective Technology), DE.CM (Security Continuous Monitoring)
  PCI DSS: Req. 1, 6, 11
  C2M2: Protective Tech, Event & Incident Response
Control the surface: Rate limiting, auth, endpoint defense
  NIST CSF: PR.AC (Identity Management and Access Control), PR.DS (Data Security)
  PCI DSS: Req. 6.4.3, 7, 10
  C2M2: Access Control, Risk Management
Verify everything: Zero Trust, MFA, mTLS, schema validation
  NIST CSF: PR.AC, ID.AM, PR.DS, PR.AT
  PCI DSS: Req. 8, 10
  C2M2: Identity/Access Management, Cybersecurity Architecture
Watch & adapt: Logging, alerting, anomaly detection
  NIST CSF: DE.CM (Security Continuous Monitoring), RS.AN (Analysis)
  PCI DSS: Req. 10, 11, 12
  C2M2: Event & Incident Response, Cybersecurity Program
You Donʼt Have the People
● Most teams are under-resourced, not negligent
● Security tools should reduce toil
● Adoption friction = abandonment risk
● ROI matters: easy > best-in-class point tools
● Consolidation and ease of use = 2025 table stakes
Broken by Design
🔥🔥🔥
What You Can Actually Do
● Start with one thing per quarter
● Use what you already have (but turn it on)
● Track maturity like a program, not a checkbox
You Had One Job Again
● Get the basics right
● Assume you'll fail
● Build smaller, smarter, simpler
Suzanne Aldrich
Senior Solutions Engineer
Cloudflare
Suzanne is a Senior Solutions Engineer at Cloudflare, where she helps enterprise customers design secure, high-performance, and resilient architectures. With over a decade of experience in the tech industry, Suzanne originally joined Cloudflare in 2014 and rejoined in 2024 after serving in engineering leadership roles at other fast-paced startups. She brings a deep background in computer science and human-computer interaction, with a passion for simplifying complex systems, aligning stakeholders, and delivering solutions that drive real-world impact. Based in Washington, Suzanne works closely with organizations to bridge technical gaps and accelerate their transformation with Cloudflare's connectivity cloud.
1 888 99 FLARE
enterprise@cloudflare.com
cloudflare.com
Thank you
©2024 Cloudflare Inc. All rights reserved. The Cloudflare logo is a trademark of Cloudflare. All other company and product names may be trademarks of the respective companies with which they are associated.
