Cloudflare unveils email security tools, free WAF ruleset, and API gateway

Cloudflare has announced a slew of new products, including a suite of email security tools for phishing and malware detection, a free WAF ruleset, and a machine-learning-powered API gateway.


Cloudflare is bolstering its suite of web infrastructure and security offerings with a free WAF (web application firewall) managed ruleset service, a new API management gateway, and — once it closes its recently announced acquisition of Area 1 Security — a set of email tools designed to thwart phishing and malware attacks.

Cloudflare announced at the end of February that it would pay $162 million to acquire Area 1, which has developed a cloud-native security platform designed to use machine learning to detect and block phishing and malware attacks. The deal is expected to close at the beginning of the second quarter.

"Email continues to be one of the biggest security threats that organizations of all sizes face," says Patrick Donahue, product vice president at Cloudflare. "By adding Area 1 Security's email security to our Zero Trust suite to stop phishing, malware, and business email compromise, we are closing one of the biggest security risks our customers have."

The new email security tools will be integrated with Cloudflare's suite of zero trust solutions, and will be able to use email data to trigger additional security actions like automatically routing suspicious links through remote browser isolation or displaying phishing insights within the recently launched Cloudflare Security Center.  

The Cloudflare Security Center offers a single dashboard to manage IT assets, security risks, and vulnerabilities. With the addition of Area 1 capabilities, Cloudflare says it aims to replace expensive and difficult-to-deploy legacy email security solutions.

"Cloudflare and Area 1 will leverage each company's extensive threat intelligence sources to enhance threat prevention efficacy," says Patrick Sweeney, CEO of Area 1. "Area 1's intelligence typically identifies phishing campaigns 24 days before launch, which is the earliest in the industry. With Cloudflare, we'll extend this lead within cloud-native email security solutions."

Free WAF managed ruleset

The Area 1 capabilities were part of the slew of announcements Cloudflare made this week.

"Cloudflare has added a trifecta of strong security solutions and, given the state of the global cyberrisk environment, the timing couldn't be better," says Gary McAlum, an analyst at TAG Cyber.

Cloudflare also revealed that it plans to provide a Cloudflare WAF (Web Application Firewall) Managed Ruleset to all of its customers, free of charge.

Cloudflare offers a Free Zone security plan, which allows organizations to use basic services offered by Cloudflare's network of reverse proxies — servers that sit in front of an organization's web servers and perform performance enhancement and security tasks, such as screening browser requests. Customers pay for more advanced services.

The new ruleset, which provides rules to screen requests to web servers, will work on top of Cloudflare's new WAF engine, first announced in March 2021. 

"This will particularly benefit small and medium-sized enterprises (SMEs) who lack the staffing and resources to deal with the next Heartbleed or Log4j vulnerability, which are increasingly targeted by cybercriminals," McAlum says.

The ruleset is designed to reduce false positives to a minimum across a wide range of traffic types. Customers will be able to disable the ruleset, if necessary, or configure the traffic filter or individual rules.

As of launch, the ruleset will contain three types of mitigation rules:

  • Log4j rules matching payloads in the URI and HTTP headers
  • Shellshock rules
  • Rules matching very common WordPress exploits

The WAF rulesets are designed to guard against vulnerabilities arising from unpatched or compromised web applications. Once the ruleset is deployed, a request to a web server that matches a specific rule triggers an event in the Security Overview tab on the WAF user interface dashboard, allowing users to inspect the request.

The new managed ruleset is designed to be a basic-level WAF asset that Cloudflare will update whenever a relevant wide-ranging vulnerability is discovered. Updates will be published in the company's changelogs, where customers can view them and deploy them directly when they appear.

To access Cloudflare's broader set of WAF rulesets (Cloudflare Managed Rules, Cloudflare OWASP Core Ruleset, and Cloudflare Leaked Credential Check Ruleset) along with advanced WAF features, customers will have to upgrade to Pro or higher plans.

New AI-powered API gateway  

As the final leg in the series of announcements, Cloudflare on Wednesday unveiled a new API gateway to help its customers protect and control all of their APIs (application programming interfaces).

An API gateway is essentially a tool that sits between a client and a collection of back-end services. It serves as a reverse proxy that accepts all the API calls, aggregates the services needed to fulfill each call, and then returns the response to the requesting client.

"Cloudflare's new API Gateway is designed to simplify the experience of managing and securing APIs," Donahue says. "API traffic is automatically identified and flagged for customers during the onboarding process. Because it is built on the same network that powers all other Cloudflare services, there is no upper bound to the amount of traffic or requests it is capable of handling."  

The new gateway is powered by a mix of AI and machine learning engines to automatically detect new APIs and prevent threats. To this end, Cloudflare says it learns from the 32 million requests per second served at its global edge to refine its model for API traffic.

The model can identify threats, suggest rate limits based on observed traffic patterns, and build a schema of API infrastructure that works in real-time to immediately adapt to new anomalies and traffic patterns, according to Donahue.  

The new API gateway can auto-detect unmanaged APIs; lets users create and manage APIs directly with Cloudflare Workers; supports industry as well as Cloudflare's authorization protocols; and routes, logs, and measures API requests.

"Cloudflare is raising the bar for one of the fastest-growing areas we've seen, API security," says McAlum. "With more public cloud adoption, APIs continue to grow exponentially in number across the complicated web and mobile app ecosystem. The new gateway could provide a single hub allowing businesses to quickly discover APIs they weren't aware of and easily secure them in just a few clicks."

Copyright © 2022 IDG Communications, Inc.
