Maintaining the right balance between security and customer experience is always challenging for online businesses. This challenge becomes even more relevant during this crisis as businesses face unprecedented levels of traffic and attacks.
Tune in to learn how LendingTree leverages Cloudflare to strengthen their security posture while ensuring a superior online experience for their customers. Listen to security experts from LendingTree and Cloudflare as they discuss:
Emerging attack vectors and tactics impacting online platforms
Best practices for online businesses to overcome these threats
How LendingTree leverages Cloudflare to maintain the right balance between security and business objectives
5. Integrated, Intelligent Global Cloud Network
Headings: Performance & Reliability; Security; Cloudflare for Infrastructure; Cloudflare for Teams; Serverless Application Platform
Products shown: Domain Name System (DNS), Firewall, Analytics, Workers, IoT Security, Cache, Load Balancing, SSL/TLS, Secure Origin Connection, Rate Limiting, Bot Management, DDoS Protection, Intelligent Routing, Image Optimization, Access, Magic Transit, Gateway, Workers KV, Stream
6. Cloudflare Security Product Portfolio
Threat (examples): product
Secure connections to the public Internet: Gateway
Internal app access, illegitimate user access attempts: Access
Layer 3 DDoS attacks (ICMP flood, GRE attacks), Layer 4 DDoS attacks (SYN flood, UDP amplification) and Layer 7 DDoS attacks (HTTP flood, DNS service attack): DDoS Protection, Magic Transit, Spectrum
Login attacks (brute force logins, API abuse): Rate Limiting
Bot attacks (credential stuffing, inventory hoarding): Bot Management
App vulnerability attacks (OWASP Top 10 and beyond): WAF
Man in the middle attacks (snooping of data in transit, DNS spoofing): SSL, TLS, DNSSEC
10. ‘Smaller’ attacks dominated in Q2
From a packet rate perspective: 76% of all L3/4 DDoS attacks in Q2 peaked up to 1 million packets per second (pps)
From a bit rate perspective: nearly 90% of all L3/4 DDoS attacks that we saw peaked below 10 Gbps
11. Big attacks are getting bigger
88% of attacks over 100 Gbps were launched since shelter-in-place
754 Mpps: largest L3/4 DDoS attack from a packet rate perspective
Candice: Thank you for joining our webinar. I love participating in these webinars as a way to stay close to our customers. Today I am particularly excited as this is such a relevant theme. We will be talking about how to optimize your security without compromising customer experience. I am also excited to be talking to LendingTree, a customer with whom I have been working for a couple years now.
Candice: As we continue our conversation please remember to submit any questions using the chat functionality. We’ll send the recording today after the webinar.
Candice: I am Candice, Senior Customer Success Manager here at Cloudflare. My favorite part about my job is that I get to work with and learn from some great customers, including the one we will be speaking with today. I would like to introduce you to our Guest speaker of the day, John Turner. John has an impressive background in the security front and I will let him speak about that in more detail.
John: As far as my role here goes, I was brought on about 2.5 years ago to help develop the information security program and lay the groundwork for future growth. At that time, we had three security engineers, including myself, and the IS Manager. Since that time, we have built a world class security program consisting of SecOps, GRC, AppSec, IR, and IAM verticals, while growing the team to 15 members. I was instrumental in the migration from our previous WAF vendor to Cloudflare, showing measurable improvements in performance, uptime, and security while lowering costs.
Candice: Thank you, John, and thank you for agreeing to be here with us today and share some helpful tips.
Candice: Before we dig into that part of the conversation, I would like to give you all a quick background of our commitment to keeping the internet secure as that is key to building a better internet
Cloudflare is a global cloud platform that delivers a broad range of network services to businesses of all sizes around the world—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing and integrating individual network hardware. We provide businesses a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability across their on-premise, hybrid, cloud, and SaaS applications.
Our mission is to help build a better Internet.
Candice: The way we do that is through our massive network, which is now present in over 200 locations around the globe. This places us and your content closer to your customers. In every single one of these points we run all of our products, so security is at the edge. Because we see so much of the Internet, we are able to leverage this intelligence to enhance our security layers.
Candice: Our comprehensive Platform includes purpose built products for security, performance, reliability in one unified solution. The platform also makes it easy to build serverless applications using edge computing, developing Cloudflare applications while providing meaningful insights and analytics on web activities.
Candice: This is our comprehensive suite of security products. We are passionate about creating security solutions that protect our customers' apps and data regardless of where they reside, on-prem or in the cloud. Our offering includes WAF, L3, L4 and L7 DDoS protection, Rate Limiting, SSL/TLS, DNSSEC, Cloudflare Access and Bot Management: comprehensive protection for our customers' applications and data against the most sophisticated attack vectors.
Candice: And because of our scale we see so much of the internet including some attack trends we would like to share with you.
Candice: The total number of global L3/4 DDoS attacks that we saw in Q2 doubled quarter over quarter. We also saw a spike in the number and size of attacks. Over 66% of all global DDoS attacks in 2020 occurred in the second quarter (nearly a 100% increase). May was the busiest month in the first half of 2020, followed by June and April. Almost a third of all L3/4 DDoS attacks occurred in May, including 63% of all L3/4 DDoS attacks that peaked over 100 Gbps.
Candice: In terms of duration, 83% of all attacks lasted between 30 and 60 minutes. That number in Q1 was 79%. This may seem like a short duration, but imagine this as a 30 to 60 minute cyber battle between your security team and the attackers. Additionally, if a DDoS attack creates an outage or service degradation, the recovery time to reboot your appliances and relaunch your services can be much longer, resulting in downtime and costs.
Candice: Most L3/4 DDoS attacks we saw in Q2 were also relatively ‘small’ in terms of the scale of Cloudflare’s network. In Q2, almost 90% of all L3/4 DDoS attacks that we saw peaked below 10 Gbps. These attacks can still cause outages for most of the websites and Internet properties around the world if they are not protected by a cloud-based DDoS mitigation service.
Candice: From a packet rate perspective, 76% of all L3/4 DDoS attacks in Q2 peaked up to 1 million packets per second (pps).
Candice: We also saw an increasing number of large scale attacks, both in terms of packet rate and bit rate. 88% of all DDoS attacks in 2020 that peaked above 100 Gbps were launched after shelter-in-place started in March. From the packet perspective, June took the lead with a whopping 754 million pps attack. Besides that attack, the maximum packet rates stayed mostly consistent throughout the quarter at around 200 million pps.
The 754 million pps attack was automatically detected and mitigated by Cloudflare. The attack was part of an organized four-day campaign that lasted from June 18 to 21. As part of the campaign, attack traffic from over 316,000 IP addresses targeted a single Cloudflare IP address.
Candice: Looking at the distribution of these attacks by country, our data centers in the United States received the largest number of attacks (22.6%), followed by Germany (4.4%), Canada (2.7%) and Great Britain (2.6%). However, looking at the total attack bytes mitigated by each Cloudflare data center, the United States still leads (34.9%), but is followed by Hong Kong (6.6%), Russia (6.5%), Germany (4.5%) and Colombia (3.7%). The reason for this change is the total amount of bandwidth that was generated in each attack. For instance, while Hong Kong did not make it to the top 10 list by the relatively small number of attacks that were observed there (1.8%), those attacks were highly volumetric and generated so much attack traffic that it pushed Hong Kong to second place.
Candice: An attack vector is an identified vulnerability or attack method. We saw the number of vectors for L3/4 DDoS attacks go up from 34 in Q1 to 39 in Q2. Of these, SYN floods formed the majority with over 57% in share, followed by RST (13%), UDP (7%), CLDAP (6%) and SSDP (3%) attacks. SYN flood attacks exploit the handshake process of a TCP connection. By repeatedly sending initial connection request packets with a synchronize flag (SYN), the attacker attempts to overwhelm the router’s connection table that tracks the state of TCP connections. The router replies with a packet that contains a synchronize-acknowledgment flag (SYN-ACK), allocates a certain amount of memory for each given connection and falsely waits for the client to respond with a final acknowledgment (ACK). Given a sufficient number of SYNs that occupy the router’s memory, the router is unable to allocate further memory for legitimate clients, causing a denial of service. The goal is to drain computational resources.
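The SYN flood mechanism described in the attack-trends segment, worked through in code. This is an added example; it is not part of the webinar and is not Cloudflare or LendingTree code. The table size, timeout, traffic rates and the sample addresses are assumptions chosen for illustration. The first part models the target's table of half-open connections and shows how spoofed SYNs that are never acknowledged crowd out real clients once attack rate times timeout exceeds the table size; the second part is a detection heuristic, the fraction of SYNs that go on to complete a handshake, run over a constructed packet log.

```python
# Added example, not part of the webinar or of any Cloudflare or LendingTree
# code: a small model of the SYN-flood mechanism described above, plus a
# detection heuristic run over a constructed packet log. The table size,
# timeout, traffic rates and sample addresses are all assumptions.
import random
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Fixed-size table of half-open TCP connections on the target.

    An accepted SYN reserves an entry: the target has replied SYN-ACK and is
    waiting for the client's final ACK. The entry is freed by that ACK or
    after `timeout` ticks of waiting.
    """
    capacity: int
    timeout: int
    entries: dict = field(default_factory=dict)  # (src_ip, src_port) -> tick of SYN
    rejected: int = 0                             # SYNs refused because the table was full

    def _expire(self, now: int) -> None:
        stale = [k for k, t in self.entries.items() if now - t >= self.timeout]
        for k in stale:
            del self.entries[k]

    def syn(self, key: tuple, now: int) -> bool:
        """Return True if the target can track this handshake, False if it is dropped."""
        self._expire(now)
        if key in self.entries:
            return True                           # retransmitted SYN, already tracked
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[key] = now
        return True

    def ack(self, key: tuple) -> bool:
        """The final ACK completes the handshake and frees the slot."""
        return self.entries.pop(key, None) is not None


def simulate(capacity=256, timeout=30, ticks=200, attack_rate=200, legit_rate=5, seed=1):
    """Legitimate clients (SYN, then ACK on the next tick) compete with spoofed
    SYNs that are never acknowledged. Returns (legit_ok, legit_failed, table)."""
    rng = random.Random(seed)
    table = HalfOpenTable(capacity, timeout)
    legit_ok = legit_failed = 0
    pending = []                                  # legitimate handshakes awaiting their ACK
    for now in range(ticks):
        # ACKs for last tick's legitimate SYNs arrive first and free their slots
        for key in pending:
            if table.ack(key):
                legit_ok += 1
            else:
                legit_failed += 1
        pending = []
        # new SYNs arrive interleaved: spoofed sources with random addresses and
        # ports (nobody will ever ACK them), plus a few real clients
        arrivals = [("spoof", (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536)))
                    for _ in range(attack_rate)]
        arrivals += [("legit", ("203.0.113.10", 40000 + (now * legit_rate + i) % 20000))
                     for i in range(legit_rate)]
        rng.shuffle(arrivals)
        for kind, key in arrivals:
            accepted = table.syn(key, now)
            if kind == "legit":
                if accepted:
                    pending.append(key)
                else:
                    legit_failed += 1
    return legit_ok, legit_failed, table


def syn_completion_ratio(packets) -> float:
    """Fraction of observed SYNs that were followed by a handshake-completing ACK
    from the same (src_ip, src_port). Near 1.0 is normal; a low value under a
    high SYN rate points to a flood rather than a burst of real users."""
    opened, syns, completed = set(), 0, 0
    for key, flags in packets:
        if flags == "S":
            syns += 1
            opened.add(key)
        elif flags == "A" and key in opened:
            opened.discard(key)
            completed += 1
    return completed / syns if syns else 1.0


# Constructed packet log: ((src_ip, src_port), tcp_flags) in arrival order.
NORMAL_LOG = [(("203.0.113.%d" % i, 50000 + i), "S") for i in range(6)]
NORMAL_LOG += [(("203.0.113.%d" % i, 50000 + i), "A") for i in range(6)]
# the same real users plus 30 spoofed SYNs that never complete
FLOOD_LOG = NORMAL_LOG + [(("198.51.100.%d" % i, 1024 + i), "S") for i in range(30)]


if __name__ == "__main__":
    for rate in (0, 200):
        ok, failed, table = simulate(attack_rate=rate)
        print(f"attack_rate={rate:3d}: legit ok={ok} failed={failed} syns rejected={table.rejected}")
    print("completion ratio, normal: %.2f" % syn_completion_ratio(NORMAL_LOG))
    print("completion ratio, flood:  %.2f" % syn_completion_ratio(FLOOD_LOG))
```

Running the module prints the legitimate-connection success counts with and without the flood; with the defaults, almost every real client is refused once the table fills, even though the attacker sends only a few hundred packets per tick. On a real network the completion ratio would be computed per second from flow records or packet captures rather than from a static list.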
Candice: Now that we have looked at the macro security trends, let’s learn more from LendingTree — what are some of the security challenges that online platforms like LendingTree are witnessing and how do they go about strengthening their security posture.
John introduces LendingTree — What the company does, his role and responsibilities
Transition: Candice — When we talk to our customers, these are some of the common challenges that we keep hearing.
Candice: These are the different themes that we hear from our customers
Rising pressure to maintain a seamless customer experience, since all the customers are now accessible only digitally
Rising volume and sophistication of attacks — People are falling prey to phishing attacks even more as everyone works from home
Rising privacy concerns — more and more data is being collected
Increased strain on IT resources
Rising cost pressures esp during this time of crisis
Candice — John, as a security professional, do you see similar challenges on the ground as well?
John: Increased regulation and regulatory concerns; Cloudflare can help address this added complexity. Flexibility of multi-cloud environments, which allows us to leverage pricing opportunities.
Transition: Let’s discuss some of the best practices to deliver a secure online experience
Candice: Strengthening the security posture with a security solution that offers agility, visibility, and control is key. As a large B2C Company that deals with such delicate information and transactions, how do you go about strengthening your security posture?
Suggested points to cover:
The economics of launching DDoS attacks have dramatically changed, and launching a DDoS attack against a web property is now easier and cheaper than ever. How are you protecting your web assets, and how has Cloudflare been effective in helping you?
It's important to have layered defense when it comes to protecting applications that are hosted in the cloud against Application attacks - SQLi, Command injection or CVEs, or even zero-day attacks.
Came to CF for WAF. Had been using Cloudflare’s WAF previously
Extended use to rate limiting, workers, rocket loader
Candice: Threat intelligence is instrumental for security professionals in closing any blind spots in their security perimeter. John, how do you leverage threat intelligence and analytics in day-to-day operations?
How important is scale and heterogeneity of security data for you?
Suggested points to cover:
Homogenous data is of no use to security professionals. What they need is a diverse set of data — so they can identify and mitigate the threats before anything hits their business.
Cloudflare vast network — more than 25 million Internet properties on our network, more than 8 billion unique IP addresses pass through our network every day — offers that heterogeneity that security professionals look for
John: Transforming threat intelligence into actionable items; getting through analysis paralysis.
Candice — It is key for a security provider to understand a customer’s business objectives. John, how do you maintain the balance between security and business objectives? Especially the marketing objectives.
Suggested points to cover:
Important to ensure that adding security layers does not impact critical business metrics such as conversion rates etc.
In the process of blocking malicious traffic, the experience of real users should not be ruined. Ref: showing captchas, false positives, etc
Conversation between the security and marketing team is always about how to maintain the right balance
Important for the security team, in partnership with whichever security solution that you’re using, to showcase that the experience of real users will not be impacted
Realized cost benefits of over $250,000 in the first four months of using rate limiting
Candice — It was obvious from our first conversation that security was a key objective but since then you have also realized some performance benefits as well with Cloudflare. Could you speak a little about the importance of the performance of your web properties to you and your team?
Suggested points to cover:
Delivering the best ‘End to end customer experience’ involves both security and performance. While John is not personally responsible for the performance of web properties, it is extremely important for the company
Realized significant performance improvements — page load times and conversion rates improved significantly
The reason why we extended the number of properties behind Cloudflare
Candice — John, you have been doing this for a long time. What are the top three things that you would advise our audience to consider when choosing a security provider?
Suggested points to cover:
‘Ease of use, onboarding and management’ - Ensure that you don’t have to train an army of people to use security products and it's intuitive to onboard and manage.
Get an integrated solution that offers security, performance, and reliability
Rely on a massive network that allows us to curate threat intelligence at-scale to protect your customers
Seed questions:
Any suggestions for smaller organizations that are looking to upgrade their security but are constrained on resources -- both manpower and budget
As we come out of this crisis period, what are the key security learnings for Cloudflare and LendingTree?
For John - In your view, how has this crisis impacted the life of a security professional? How is it any different?
Question for LendingTree and Cloudflare - Are there any new security features that your customers or other stakeholders are requesting lately?