LendingTree and Cloudflare: Ensuring zero trade-off between security and customer experience
•Download as PPTX, PDF•
0 likes•361 views
Maintaining the right balance between security and customer experience is always challenging for online businesses. This challenge becomes even more relevant during this crisis as businesses face unprecedented levels of traffic and attacks. Tune in to learn how LendingTree leverages Cloudflare to strengthen their security posture while ensuring a superior online experience for their customers. Listen to security experts from LendingTree and Cloudflare as they discuss: Emerging attack vectors and tactics impacting online platforms Best practices for online businesses to overcome these threats How LendingTree leverages Cloudflare to maintain the right balance between security and business objectives
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to LendingTree and Cloudflare: Ensuring zero trade-off between security and customer experience
Similar to LendingTree and Cloudflare: Ensuring zero trade-off between security and customer experience (20)
More from Cloudflare
More from Cloudflare (9)
Recently uploaded
Recently uploaded (20)
LendingTree and Cloudflare: Ensuring zero trade-off between security and customer experience
- 1. LendingTree and Cloudflare Ensuring zero trade-off between security and customer experience
- 2. Speakers Candice Madruga Knoll Senior Customer Success Manager Cloudflare John Turner Application Security Lead LendingTree 2
- 3. Cloudflare is an intelligent, integrated global cloud network that delivers security, performance, and reliability for all your Internet infrastructure, people and connected devices. CLOUDFLARE’S MISSION: Help build a better Internet Confidential. Copyright © Cloudflare, Inc. 3
- 4. 27M+ Internet properties 200+ Cities and 95 countries 45B Cyber threats blocked each day in Q1’20 99% Of the Internet-connected population in the developed world is located within 100 milliseconds of our network Note: Data as of June 28, 2019. Cloudflare’s network operates at massive scale Confidential. Copyright © Cloudflare, Inc. 4
- 5. PERFORMANCE & RELIABILITY SECURITY Domain Name System (DNS) Firewall AnalyticsWorkers IoT Security Cache Load Balancing SSL/TLS Secure Origin Connection Rate Limiting Bot Management DDoS Protection Intelligent Routing Image Optimization Access CLOUDFLARE FOR INFRASTRUCTURE CLOUDFLARE FOR TEAMS Magic Transit Gateway Workers KV SERVERLESS APPLICATION PLATFORM Stream Integrated, Intelligent Global Cloud Network 5
- 6. Cloudflare Security Product Portfolio Gateway Secure connections to the public Internet Internal app access Illegitimate user access attempt Layer 4 DDoS attacks SYN Flood, UDP amplification Layer 3 DDos attacks ICMP Flood, GRE attacks Layer 7 DDos attacks HTTP flood, DNS service attack Login attacks Brute force logins, API abuse Bot Attacks Credential stuffing, Inventory Hoarding App vulnerability attacks OWASP Top 10 and beyond Gateway WAF DDoS Protection Rate Limiting Bot ManagementMagic Transit Spectrum Access Man in the middle attack Snooping of Data-in-Transit, DNS spoofing SSL, TLS, DNSSEC 6
- 7. Our scale puts us in a unique position 7
- 8. L3/4 DDoS Attacks Increased As World Entered Lock-down 8
- 9. 83% of L3/4 DDoS Attacks Lasted < 1 HR 9
- 10. ‘Smaller’ attacks dominated in Q2 From a packet rate perspective: 76% of all L3/4 DDoS attacks in Q2 peaked up to 1 million packets per second (pps) From a bit rate perspective: Nearly 90% of all L3/4 DDoS attacks that we saw peaked below 10 Gbps 10
- 11. Big attacks are getting bigger Of attacks over 100 Gbps launched since shelter-in-place 88% 754 Mpps Largest L3/4 DDoS attack from a packet rate perspective 11
- 12. The United States is targeted with the most attacks 12
- 13. 57% of all L3/4 DDoS attacks in Q2 were SYN floods 13
- 14. LendingTree Confidential. Copyright © Cloudflare, Inc. 14
- 15. 100+ Millions of customers served 30+ Billions in loans saved 50+ Billions in loans served 22 Years in business 15
- 16. What’s top-of-mind for online platforms like LendingTree Confidential. Copyright © Cloudflare, Inc. 16
- 17. Rising cost pressures Legacy processes and infrastructure are a bottleneck for achieving cost efficiencies as businesses scale into new markets/geographies Confidential. Copyright © Cloudflare, Inc. Multiple forces are shaping the digital transformation of online businesses Rising volume and sophistication of attacks Threats against financial institutions are constantly evolving. Teams need to analyse threat data constantly to upgrade their security posture. Increasing strain on IT resources due to COVID With the closure of physical branches, more customers are servicing their financial needs online. Increasing privacy concerns More and more data is being processed and collected each day. Businesses need to figure out a way make this data secure and comply with the regulatory oversight. High expectations for customer experience Personalized, uninterrupted experience is a must to acquire new customers and satisfy existing ones. 17
- 18. What are some of the best practices to deliver a secure online experience Confidential. Copyright © Cloudflare, Inc. 18
- 19. Strengthen your security posture Get a security solution that offers agility, visibility, and control Confidential. Copyright © Cloudflare, Inc. 1 19
- 20. Actively leverage threat intelligence to close the blind spots Using the right scale and mix of security data is key Confidential. Copyright © Cloudflare, Inc. 2 20
- 21. Get a security provider that understands your business objectives Both sides of the coin matter — the cost and customer experience Confidential. Copyright © Cloudflare, Inc. 3 21
- 22. Ensure that there is no trade-off between security and performance Every millisecond of latency or interruption impacts customer experience Confidential. Copyright © Cloudflare, Inc. 4 22
- 23. Get a security provider that enables you to remain ahead of the curve. Existing capabilities and future product vision matter equally Confidential. Copyright © Cloudflare, Inc. 5 23
- 24. Thank you Confidential. Copyright © Cloudflare, Inc. 24
- 25. Q&A Confidential. Copyright © Cloudflare, Inc. 25
Editor's Notes
- Candice: Thank you for joining our webinar. I love participating in these webinars as a way to stay close to our customers. Today I am particularly excited as this is such a relevant theme. We will be talking about how to optimize your security without compromising customer experience. I am also excited to be talking to LendingTree, a customer with whom I have been working for a couple years now. Candice: As we continue our conversation please remember to submit any questions using the chat functionality. We’ll send the recording today after the webinar.
- Candice: I am Candice, Senior Customer Success Manager here at Cloudflare. My favorite part about my job is that I get to work with and learn from some great customers, including the one we will be speaking with today. I would like to introduce you to our Guest speaker of the day, John Turner. John has an impressive background in the security front and I will let him speak about that in more detail. John to introduce himself - Jon: As far as my role here goes, I was brought on about 2.5 years ago to help develop the information security program and lay the groundwork for future growth. At that time, we had three security engineers, including myself, and the IS Manager. Since that time, we have built a world class security program consisting of SecOps, GRC, AppSec, IR, and IAM verticals, while growing the team to 15 members. I was instrumental in the migration from our previous WAF vendor to Cloudflare, showing measurable improvements in performance, uptime, and security while lowering costs. Candice: Thank you, John, and thank you for agreeing to be here with us today and share some helpful tips.
- Candice: Before we dig into that part of the conversation, I would like to give you all a quick background of our commitment to keeping the internet secure as that is key to building a better internet Cloudflare is a global cloud platform that delivers a broad range of network services to businesses of all sizes around the world—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing and integrating individual network hardware. We provide businesses a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability across their on-premise, hybrid, cloud, and SaaS applications. Our mission is to help build a better Internet.
- Candice: The way we do that is through our massive network, which is now present in over 200 locations around the globe. This places us and your content closer to your customers, also in every single one of these points we run all of our products, so security is at the edge. Because we see so much of the internet we are able to leverage this intelligence to enhance our security layers
- Candice: Our comprehensive Platform includes purpose built products for security, performance, reliability in one unified solution. The platform also makes it easy to build serverless applications using edge computing, developing Cloudflare applications while providing meaningful insights and analytics on web activities.
- Candice: This is our comprehensive suite of security products. We are passionate about creating security solutions that protect our customers apps and data regardless of where it resides - on-prem or in the cloud. Our offering includes WAF, L3, L4 and L7 DDoS protection, Rate Limiting, SSL/TLS, DNSSEC, Cloudflare Access and Bot Management. Comprehensive protection for our customers applications and data, against the most sophisticated attack vectors.
- Candice: And because of our scale we see so much of the internet including some attack trends we would like to share with you.
- Candice: The total number of global L3/4 DDoS attacks that we saw in Q2 doubled quarter over quarter. We also saw a spike in the number and size of attacks. Over 66% of all global DDoS attacks in 2020 occurred in the second quarter (nearly 100% increase). May was the busiest month in the first half of 2020, followed by June and April. Almost a third of all L3/4 DDoS attacks occurred in May. Including 63% of all L3/4 DDoS attacks that peaked over 100 Gbps occurred in May.
- Candice: In terms of duration, 83% of all attacks lasted between 30 to 60 minutes. That number in Q1 was 79%. This may seem like a short duration, but imagine this as a 30 to 60 minute cyber battle between your security team and the attackers. Additionally, if a DDoS attack creates an outage or service degradation, the recovery time to reboot your appliances and relaunch your services can be much longer; cresulting on downtime and costs.
- Candice: Most L3/4 DDoS attacks we saw in Q2 were also relatively ‘small’ in terms of scale of Cloudflare’s network. In Q2, almost 90% of all L3/4 DDoS attacks that we saw peaked below 10 Gbps. These attacks can still cuse outage to most of the websites and Internet properties around the world if they are not protected by a cloud-based DDoS mitigation service. Candice: From a packet rate perspective, 76% of all L3/4 DDoS attacks in Q2 peaked up to 1 million packets per second (pps).
- Candice: We also saw an increasing number of large scale attacks; both in terms of packet rate and bit rate. 88% of all DDoS attacks in 2020 that peaked above 100 Gbps were launched after shelter-in-place started in March. From the packet perspective, June took the lead with a whopping 754 million pps attack. Besides that attack, the maximum packet rates stayed mostly consistent throughout the quarter with around 200 million pps The 754 million pps attack was automatically detected and mitigated by Cloudflare. The attack was part of an organized four-day campaign that lasted from June 18 to the 21. As part of the campaign, attack traffic from over 316,000 IP addresses targeted a single Cloudflare IP address.
- Candice: Looking at the distribution of these attacks by country, our data centers in the United States received the most number of attacks (22.6%), followed by Germany (4.4%), Canada (2.7%) and Great Britain (2.6%). However looking at the total attack bytes mitigated by each Cloudflare data center, the United States still leads (34.9%), but followed by Hong Kong (6.6%), Russia (6.5%), Germany (4.5%) and Colombia (3.7%). The reason for this change is due to the total amount of bandwidth that was generated in each attack. For instance, while Hong Kong did not make it to the top 10 list due to the relatively small number of attacks that was observed in Hong Kong (1.8%), the attacks were highly volumetric and generated so much attack traffic that pushed Hong Kong to the 2nd place.
- Candice: An attack vector an identified vulnerability of attack method.We saw this number of vectors for L3/4 DDoS attacks go up from 34 in Q1 to 39 in Q2. Of these, SYN floods formed the majority with over 57% in share, followed by RST (13%), UDP (7%), CLDAP (6%) and SSDP (3%) attacks. SYN flood attacks that exploit the handshake process of a TCP connection. By repeatedly sending initial connection request packets with a synchronize flag (SYN), the attacker attempts to overwhelm the router’s connection table that tracks the state of TCP connections. The router replies with a packet that contains a synchronized acknowledgment flag (SYN-ACK), allocates a certain amount of memory for each given connection and falsely waits for the client to respond with a final acknowledgment (ACK). Given a sufficient number of SYNs that occupy the router’s memory, the router is unable to allocate further memory for legitimate clients causing a denial of service. The goal is to drain computational resources.
- Candice: Now that we have looked at the macro security trends, let’s learn more from LendingTree — what are some of the security challenges that online platforms like LendingTree are witnessing and how do they go about strengthening their security posture.
- John introduces LendingTree — What the company does, his role and responsibilities John — I was brought on about 2.5 years ago to help develop the information security program and lay the groundwork for future growth. At that time, we had three security engineers, including myself, and the IS Manager. Since that time, we have built a world class security program consisting of SecOps, GRC, AppSec, IR, and IAM verticals, while growing the team to 15 members. I was instrumental in the migration from our previous WAF vendor to Cloudflare, showing measurable improvements in performance, uptime, and security while lowering costs.
- Transition: Candice — When we talk to our customers, some of the common challenges that we keep hearing
- Candice: These are the different themes that we hear from our customers Rising pressure to maintain a seamless customer experience, since all the customers are now accessible only digitally Rising volume and sophistication of attacks — People are falling prey to phishing attacks even more as everyone works from home Rising privacy concerns — more and more data is being collected Increased strain on IT resources Rising cost pressures esp during this time of crisis Candice — John, as a security professional, do you see similar challenges on the ground as well? John: Increased regulation and regulatory concerns that Cloudflare can help address this added complexity/ Flexibility of multi cloud environments. This allows us to leverage pricing opportunities.
- Transition: Let’s discuss some of the best practices to deliver a secure online experience
- Candice: Strengthening the security posture with a security solution that offers agility, visibility, and control is key. As a large B2C Company that deals with such delicate information and transactions, how do you go about strengthening your security posture? Suggested points to cover: The economics of launching DDoS attacks has dramatically changed and now launching a DDoS attack against a web-property has become easier and cheaper than ever! How are you protecting your web assets and how has Cloudflare been effective in helping you? It's important to have layered defense when it comes to protecting applications that are hosted in the cloud against Application attacks - SQLi, Command injection or CVEs, or even zero-day attacks. Came to CF for WAF. Had been using Cloudflare’s WAF previously Extended use to rate limiting, workers, rocket loader
- Candice: Threat intelligence is instrumental for security professionals — to close any blind spots in their security perimeter. John, how do you leverage threat intelligence and analytics in day-to-day operations. How important is scale and heterogeneity of security data for you? Suggested points to cover: Homogenous data is of no use to security professionals. What they need is a diverse set of data — so they can identify and mitigate the threats before anything hits their business. Cloudflare vast network — more than 25 million Internet properties on our network, more than 8 billion unique IP addresses pass through our network every day — offers that heterogeneity that security professionals look for John: Transforming threat intelligence into actionable items/ Getting through analysis paralysis
- Candice — It is key for a security provider to understand a customer’s business objectives. John, how do you maintain the balance between security and business objectives? Especially the marketing objectives. Suggested points to cover: Important to ensure that adding security layers does not impact critical business metrics such as conversion rates etc. In the process of blocking malicious traffic, the experience of real users should not be ruined. Ref: showing captchas, false positives, etc Conversation between the security and marketing team is always about how to maintain the right balance Important for the security team, in partnership with whichever security solution that you’re using, to showcase that the experience of real users will not be impacted Realized cost benefits of over $250,000 in the first four months of using rate limiting
- Candice — It was obvious from our first conversation that security was a key objective but since then you have also realized some performance benefits as well with Cloudflare. Could you speak a little about the importance of the performance of your web properties to you and your team? Suggested points to cover: Delivering the best ‘End to end customer experience’ involves both security and performance. While John is not personally responsible for the performance of web properties, it is extremely important for the company Realized significant performance improvements — page load times and conversion rates improved significantly The reason why we extended the number of properties behind Cloudflare
- Candice — John, you have been doing this for a long time — while choosing a security provider, what are the top 3 things that you would advise our audience to consider while choosing a security provider Suggested points to cover: ‘Ease of use, onboarding and management’ - Ensure that you don’t have to train an army of people to use security products and it's intuitive to onboard and manage. Get an integrated solution that offers security, performance, and reliability Rely on a massive network that allows us to curate threat intelligence at-scale to protect your customers
- Seed questions: Any suggestions for smaller organizations that are looking to upgrade their security but are constrained on resources -- both manpower and budget As we come out of this crisis period, what are the key security learnings for Cloudflare and LendingTree? For John - In your view, how has this crisis impacted the life of a security professional? How is it any different? Question for LendingTree and Cloudflare - Are there any new security features that your customers or other stakeholders are requesting lately?
- Seed questions: Any suggestions for smaller organizations that are looking to upgrade their security but are constrained on resources -- both manpower and budget As we come out of this crisis period, what are the key security learnings for Cloudflare and LendingTree? For John - In your view, how has this crisis impacted the life of a security professional? How is it any different? Question for LendingTree and Cloudflare - Are there any new security features that your customers or other stakeholders are requesting lately?