Tales from the Front Lines: Large Retailer Achieves Near Immediate Time-to-Value

November 11, 2020 | by Matt Keil

One of our newest customers is a large, community-based retailer that had a mobile application and API account takeover problem. Roughly 12 months ago, they selected a JavaScript and SDK-based bot mitigation solution to address their ATO challenges. The initial focus was to protect the mobile applications and associated APIs – and that’s where the struggles began.

ATO prevention for mobile applications requires SDK integration, which means an increased burden on the development team for third-party app validation, added QA test cases and cycles, and internal coordination to ensure the latest version of the SDK is deployed. Once deployed, multiple versions are often maintained to avoid forcing an end-user to upgrade, which may result in dissatisfaction and lost customers.

Time for a Change

After countless attempts to roll out ATO prevention, the retail customer chose to investigate alternative bot mitigation solutions including Cequence Security API Spartan SaaS. The initial evaluation took the teams a few hours to redirect traffic from Fastly CDN to API Spartan SaaS and shortly thereafter, the management dashboard lit up with account takeover attacks on both the web and API endpoints. Working closely with the CQ Prime Threat Research and Customer Success Teams, the customer quickly came up to speed in navigating the UI, drilling down into the attack behaviors, translating the findings into policy, and onboarding apps without assistance. The customer commented that the difference between API Spartan and the incumbent solution was night and day.

  • The required SDK integration injected delays and obstacles into the deployment and protection of the mobile application.
  • The incumbent was a black box, providing limited to no visibility into attack patterns or analysis without engaging professional services.
  • Policy modification was an equally challenging exercise that often took multiple hours or days to engage professional services.

API Spartan is based on CQAI, a patented ML-based analytics engine that determines the transactional intent, legitimate or malicious, without requiring JavaScript and SDK integration. The platform is open and extensible, providing the customer with full visibility into their web, API, and mobile applications, allowing them to analyze the traffic and separate legitimate from malicious with intuitive policies.

Flipping the Switch

The week-long PoC demonstrated near-immediate value by enabling the rapid onboarding of applications through a simple traffic redirect from their Fastly CDN to API Spartan SaaS. Once completed, the applications were discovered and analyzed with a few clicks of a mouse. Findings included:

  • An ATO against the web login distributed across more than 3,500 residential proxies and was spoofing a Chrome User-Agent string represented roughly 95% of the login traffic over a period of several days.
  • A highly automated “low and slow” ATO attack that evenly rotated through User-Agent strings of multiple browser families and distributed the requests across more than 1,100 residential IPs.
  • An ATO attack against the mobile login API used a single User-Agent string and was spoofing an Android app but appeared to be an iOS device. The attack was distributed across residential IP proxies located in China, Romania & Brazil.

In contrast, the previous solution had struggled to show protection value for more than a year. Moving from PoC to production was equally simple. On the backend, the API Spartan SaaS instance was already created with application traffic flowing through it. The next steps were to formally engage with the CQ Prime threat research team to train the customer’s security team on using CQAI, analyzing threat traffic, and setting policies.

Rapid Time-to-Value

Within a matter of weeks, the customer validated the speed with which new mobile, API, and web application endpoints can be onboarded and the prevention efficacy of API Spartan SaaS. The ease with which the applications can be protected, the openness of the platform, and the close working relationship with the CQ Prime Threat Research Team is a stark contrast to the incumbent solution that was largely ineffective for nearly a year.

Learn more about how API Spartan sets itself apart from other, first-generation bot mitigation alternatives here.

Matt Keil

Author

Matt Keil

Director of Product Marketing

Additional Resources