
Malware protection in the 21st century

CloudFlare's CEO talks security with Steve Cassidy

There are some very peculiar tribal divides in our business. Even though security is these days much more about education than it is about arcane and ever-changing automated attack and detection software, it's still thought of as being "what firewalls do" or "that's in anti-virus on the PC", even though lots of businesses have the web running through the whole of their daily lives, from business model to server setup and more besides.

So why, then, do we think of stuff on the web as being at arm's length from "IT" and - certainly in the minds of most cloud salesmen - as a replacement for it?

I don't see that distinction at all. Especially at the very worst of times, when the chips are quite literally down and various fantasies about running a lights-out business with everything up the wire evaporate in as long as it takes for someone who knows their stuff to confirm that yes, the link's gone cold or the servers are not responding.

This is normally the point at which - in one especially painful scenario, that of the Distributed Denial of Service attack - the cloud or hosting-dependent business has a sudden introduction to the business of web server security and attack responses. Some of this is treated as arcane knowledge within the hosting business, with dark comments about good and bad hosters for vulnerability to attack - but that can all be filed under puff-chested industry self-delusion, because affected businesses tend to jump rapidly back to the people they know they can trust, and that starts with the internal IT people, many of whom do not deserve the "inefficient" or "difficult" label they are landed with.

My impression is that the general hosting environment is in many ways less securable, and as a result actually less secure, than a well-run company Windows LAN. Tight control of user roles and logging of activities is only really maturing now, which is why web hosting toolkit makers Parallels wanted everyone to understand what could be done to minimise risk, provided that you were starting with the new release of their Plesk control panel application platform.

To do this, in true Parallels style, it invited various businesses and individuals with long security track records to come and make up a panel session at the recent Parallels summit in New Orleans. I know, it might sound as if sitting in a freezing over-airconditioned room listening earnestly to opinions on security would be poorly attended with the French Quarter only a 10-minute walk away - but trust me on this - if there's ever a topic on which the inside track is quite literally company-saving stuff, it's this one.

For me the most interesting presentation and answers to questions from the floor were from Matt Prince, CEO of Cloudflare. Even a few minutes talking to him showed me that my somewhat traditional, Windows mindset as to what makes up good security and how to form a response to an attack whose source you can't contact, whose motives are hidden, and whose end is nowhere in sight.

It seemed to me that one practical outcome of the difference between "IT guy" security and "Web Guy" security is that the Web Guy Stuff is all post-facto. You wait for something to go bang, and then you apply the kind of traffic redirection and gateway filtering that Cloudflare offers. Hey presto - as happened with Pathe Film and the Eurovision Song Contest sites - the minute they even tick the basic service offering at $20/month, the botnet simply goes away. Matt agreed that this is the traditional approach (there were some funny stories in there about Eurovision too), but took the whole concept and turned my head inside out just using these simple examples.

The first gold-plated aside was that apparently, if you go into the Dark Net and look around with some care, the open market in hack capacity available to hit targets on receipt of payments is essentially a gargantuan product review system. Matt likes this because the verdict on Cloudflare is extremely simple. Price for taking down a non-Cloudflare site: $50. Price for with-Cloudflare: $2,000.

More subtly, though, the Cloudflare approach of routing all your site traffic through their homegrown, non-standard, proprietary analysing smart traffic gateways allows them to break rules which underpin not just the ease of entry for a hacker and their army of home-alone drone PCs: the gatewaying system also cheapens your hosting traffic charges, by cutting out inefficiencies inherent to plain old HTTP over IP.

(In case you think I am in the thrall of Cloudflare here, I should point out that all the answers coming from the WordPress security expert on the panel started with him jerking his thumb at Matt Prince and saying "hire these guys, then do this".)

The final semi-accidental aside that I thought worthy of thinking about under the heading of "pause for thought for IT types with web roles" was Matt's justification for the sunny day signup option. Yes, DDoS attacks are relatively rare, though they do tend to crop up as a result of high growth or public attention. Yes, after the attack starts the 90 percentile quick fix is easy to apply and doesn't have to involve web host people or HTTP jockeys. However, if you are already signed up even just to the free version of Cloudflare's services then its custom gateways can collect web traffic analytics and metrics, and thereby come up with a reasonable summary of what your legitimate site traffic looks like.

The longer they have been doing this, the more accurate their division of good and bad traffic can be when the fell day dawns that you are (as seemed to be the case with Pathe News) the end-of-course exam target for a hacker school somewhere in China.

As quick views into the heart of a massive body of expertise gained out on the front line of a desperate problem, I thought that was definitely worth your attention. It surely got mine.
