Protect Your Applications from DDoS & Advanced Attacks (BOT & Credential Stuffing)
Ryan Lo
Regional Manager, Solutions Engineering
F5 Shape Security
August 2020

Confidential / Part of F5

You probably have used Shape before and are using Shape now.
We’re the reason you log in a lot less and see fewer CAPTCHAs.

Currently, the burden of proving known good is on human users:
- Ridiculous captchas
- 2FA by trying to remember your favorite pizza toppings
- Password resets
- Lots of repetitive logins

Security vs User Experience

Cybercriminals Bypass CAPTCHA Through Solver Service

CAPTCHA Cannot Stop Bad Actors

CAPTCHA Cannot Stop Bad Actors But Blocks Real Users

Currently, the burden of proving known good is on human users
Nintendo suggests users secure their Nintendo Account by enabling 2-Step Verification.

Fraud occurs when Criminals act like Legitimate Users
- Users (criminals mixed in with good users)
- Web, Mobile Apps and API Endpoint (serve good users & criminals alike)
- Criminals (not evident until it’s too late)
Organisations must be open to anyone, anywhere, on any device

Retail – Reward Program Aggregators
They provide a valuable alternative

Retail – Reward Program Aggregators
How do fintechs and rewards program operators differentiate good from bad users?

Retail - Inventory Lockout
How many Bots are in front of you?

Retail - Sneaker Bots
Shape signals can identify device farms

Travel - Inventory Scraping
Scrapers are increasing the airline’s infrastructure costs and affecting the airline’s ability to manage revenue

Travel - Inventory Scraping
How to simulate user behavior through Selenium
Attackers started with developer libraries like Selenium and Puppeteer before creating custom tools.

Results - A Fortune Global 2000 Customer
Chart: POSTs to /login every three hours, April to June (0 to 6M), split into human, detected & flagged, and detected & blocked. Annotated phases: Observation Mode (flagging only); Mitigation Mode (on attacker fingerprints); Retool Detected in Stage II (update Stage I); Mitigation Mode (on new fingerprint); Attacker Gives Up.
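A minimal version of the observation-then-mitigation policy that chart describes, added here as an illustration and not Shape's own code: the fingerprints, the three-hour windows and the 100-request threshold are constructed values, and a "fingerprint" is assumed to come from a client-side signal collector.

```python
# Constructed traffic sample: per three-hour window, POSTs to /login per client
# fingerprint (hypothetical values). "fp-human-*" are organic users, "fp-bot-*" is automation.
WINDOWS = [
    {"fp-human-1": 3, "fp-human-2": 1, "fp-bot-A": 4000},  # observation only
    {"fp-human-1": 2, "fp-bot-A": 4200},                   # observation only
    {"fp-human-1": 2, "fp-bot-A": 300, "fp-bot-B": 3900},  # mitigation; attacker retools
    {"fp-human-1": 4, "fp-human-3": 1},                    # attacker gives up
]

THRESHOLD = 100  # POSTs to /login per fingerprint per window; assumed, not a Shape setting


def stage_one(window, threshold=THRESHOLD):
    """Stage I: a cheap per-fingerprint volume rule. Returns fingerprints over threshold."""
    return {fp for fp, count in window.items() if count > threshold}


def run_policy(windows, observe_windows=2, threshold=THRESHOLD):
    """Apply the staged policy window by window.

    Observation mode (the first `observe_windows` windows) only flags suspects, so a
    misfiring rule costs real users nothing. Mitigation mode then blocks the
    fingerprints learned during observation. A fingerprint that first appears at
    attack volume after mitigation starts is the attacker retooling: Stage II
    reports it and Stage I is updated so it is blocked from that window on.
    """
    known_bad = set()
    report = []
    for index, window in enumerate(windows):
        suspects = stage_one(window, threshold)
        if index < observe_windows:
            known_bad |= suspects
            report.append({"mode": "observation", "flagged": suspects,
                           "blocked": set(), "retool": set()})
            continue
        retool = suspects - known_bad          # new fingerprint at attack volume
        known_bad |= retool                    # Stage II feeds back into Stage I
        blocked = suspects & known_bad         # known attackers plus the retool
        report.append({"mode": "mitigation", "flagged": retool,
                       "blocked": blocked, "retool": retool})
    return report


def blocked_requests(window, blocked):
    """Volume of POSTs to /login kept off the origin servers in one window."""
    return sum(count for fp, count in window.items() if fp in blocked)


if __name__ == "__main__":
    for step, (window, result) in enumerate(zip(WINDOWS, run_policy(WINDOWS))):
        print(step, result["mode"], "blocked", blocked_requests(window, result["blocked"]))
```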

Multi-stage detection is paramount
Shape provides multi-stage detection as a service
Diagram labels: WEB & MOBILE BROWSER (JS), NATIVE MOBILE APPS (Mobile SDK), INTERNET, AWS CloudFront, STAGE I / STAGE II (MACHINE LEARNING, ARTIFICIAL INTELLIGENCE, 24x7), Good Traffic to CUSTOMER ORIGIN SERVERS, Bad Traffic separated out.

Reducing Friction, Fraud and Fiction
- Identify and mitigate unwanted traffic
- Differentiate good customers from bad customers
- Create a friction-free user experience and increase revenue

Multi-stage detection is paramount
Shape provides multi-stage detection as a service
Diagram (second variant): the same labels as above, with a LOAD BALANCER and an appliance in the traffic path ahead of the CUSTOMER ORIGIN SERVERS.

Multi-stage defense enables long term efficacy
Actual Shape customer’s journey to less than 1% automation
Chart: 2018, 78% automated; 2019, less than 1% automated.