Cequence Security prevents business logic abuse with our AI-based Application Security Platform that discovers all of your public facing web, mobile and API-based applications, then detects
any malicious transactions targeting those applications, allowing you to then apply policies to prevent the attack. As co-founder and CTO, I wanted to take a moment to highlight what I think are some of our key advantages.
What is Business Logic Abuse and why do you need protection?
The security market we participate in is defined by industry analysts as Bot Mitigation. A more accurate description is business logic abuse which is an automated attack that targets your public facing web, mobile and API-based applications with transactions that appear to be legitimate or syntactically correct. Bad actors will use stolen user credentials, infrastructure (e.g., proxies, compromised servers and devices, etc), and management toolkits (e.g., SNIPR, BlackBullet, SentryMBA, etc) available on the Dark Web to deliver the attack. Using bots, the attack will attempt to repeatedly complete account sign up forms, account logins, partially execute online purchases, travel or lodging reservations, etc. Their goals are to validate credentials for resale, steal something (e.g., goods, money, IP, data), or commit fraud by using the value of the of their target for their own purposes (e.g., loyalty points, airline miles). In many cases, bad actors will deconstruct the web or mobile app itself to find the APIs in use and target those directly to complete the attack.
Since these attacks appear to be legitimate, your existing security infrastructure (e.g., firewalls, IPS, WAFs, Security Gateways, etc.) cannot see or stop these attacks, yet research shows that roughly 35% of all internet traffic is from malicious bots. For some highly targeted customers in retail, financial services and social media, malicious bots represent 90% or more of their web traffic. The impact of these attacks is wide-ranging and includes infrastructure costs to handle the higher traffic volume, loss of revenue from stolen goods, loss of user confidence from lost loyalty points, and increased manpower for fraud and security teams.
Gaps in first generation solutions
Web Application Firewalls
Web Application Firewalls (WAFs) cannot protect against business logic abuse attacks because the traffic appears to be legitimate. WAFs look for anomalies in the web requests and there is nothing wrong in the structure of the request when someone tries to do login to an account or create a new account. In addition, WAFs are focused primarily on web applications, and often times bad actors will bypass the web form, targeting the mobile client or the back end APIs directly.
First Generation Bot Mitigation Tools
The Cequence Story
Cequence takes a unique approach to prevent business logic abuse that sets us apart from all first generation solutions. At the heart of our Application Security Platform is our patented CQAI engine, a multi-dimensional machine learning analytics engine that characterizes all of your public facing applications, differentiating between human and machine interaction. But it doesn’t stop there, CQAI is also able to determine the intent of the interaction. The result of the analysis is a behavioral profile that provides very high efficacy with low false positives in preventing business logic abuse. CQAI requires zero application instrumentation or SDK integration and continually analyzes all of your applications, detecting when updates or new versions are published. Every month, Cequence stops millions of credential stuffing, fake account creation, scraping, fake likes and other such business logic abuse attempts for our customers.
Here are three reasons why this approach is superior compared to the first generation Bot Mitigation solutions.
Impact on application user (customer) experience
Cost of application development
Anytime an application is changed, it will go through test and QA cycles to ensure it works as designed. Adding 3rd party code that your team did not develop to introduces additional risk and testing cycles. As organizations move towards more rapid, iterative application development methodologies, this is an additional tax that the development team has to pay to make sure that the third party code has no impact on the functionality of the core application. An additional tax is the process of re-certification for all your applications when the third party code is updated.
Cequence, on the other hand, uses CQAI to intelligently analyze the applications, eliminating the need to change the original application. That means that new applications and updates can be rolled out rapidly, without any added risk. CQAI passively and continually analyzes all your application traffic and determines if the traffic is generated from a human or machine. Once it identifies it is a machine, it then goes a level deeper to identify the intent of the automation – all without the need for any application instrumentation.
Keeping up with the ever-changing attack surface of Web, Mobile and APIs
In the last few years, enterprises have gone from connected to hyperconnected – many applications each with multiple entry points. For example, a login application can be invoked from the home page, shopping cart, a mobile app or a rest API for partners. Every entry point needs to be protected from business logic abuse attacks. If any entry point is left unattended, bad actors will find it and rapidly exploit it. As applications are updated, new entry points are created by the application teams; sometimes without the knowledge of the security team.
Cequence does not require any instrumentation to protect applications. The CQAI engine continuously discovers new applications across all of your web, mobile and API application channels allowing you to apply policies to prevent Business Logic Abuse. When the application team rolls out a new application, even without the knowledge of the security team, it is automatically discovered by CQAI and protected by our security platform.
To learn more about Cequence API Spartan and how it can protect your public facing web, mobile and API-based applications, please check out this on-demand presentation:
Never miss an update!