F5 Bot Defense for Salesforce Commerce Cloud Security

This article contains references to Shape Security related offerings including Shape Enterprise Defense. Shape Security was acquired by F5 and many of the products and offerings are currently undergoing a rebranding effort.

E-commerce websites are easier than ever to create and deploy. Unfortunately, e-commerce sites are also more attractive than ever for cybercriminals to target with an ever-changing array of threats, most of which are highly automated bot attacks. The good news is that the industry-leading solution, F5 Bot Defense leveraging Shape Enterprise Defense technology, for conducting your business and used by the world’s leading retailers – large, medium, or small – is now available on Salesforce Commerce Cloud LINK Marketplace.

Data from the US Federal Trade Commission (FTC) shows that the agency received more than 2.1 million fraud reports from consumers in 2020. Throughout those reports, imposter scams were the most commonly cited category of fraud, followed by online shopping. In all, consumers reported losing more than $3.3 billion, up from $1.8 billion in 2019. Nearly $1.2 billion of the 2020 losses were from imposter scams, while online shopping accounted for about $246 million in losses. And those are just the ones that were reported to the FTC.

In addition to protecting customers, e-commerce operators also need to protect themselves—from account takeover (ATO), intellectual property theft, sensitive data exposure, checkout abuse, and much, much more as the list of threats grows every day.

Salesforce Commerce Cloud (SFCC)

When it comes to enabling B2C and B2B commerce for businesses of all sizes, Salesforce Commerce Cloud (SFCC) is helping thousands of businesses transact with their customers via a cloud-based platform that “empowers brands to create intelligent, unified buying experiences across all channels—mobile, social, web, and store.”

SFCC reports that its platform processes $21 billion in gross merchandise value annually and supports more than half a billion individual shopper site visits each month. All this activity is happening across large and small companies alike; but no matter the size of the retailer, F5 Bot Defense for Salesforce Commerce Cloud delivers bot and fraud protection solutions that defend the world’s largest retailers, banks, and airlines.

F5 Bot Defense for Malicious Bot Protection on Salesforce Commerce Cloud

Regardless of the platform on which a company’s e-commerce channels are deployed, it’s not unusual for 90 percent or more of daily log-in attempts to be from non-human visitors—i.e., bot-based traffic. In the case of bot-attack traffic, these cheap, rudimentary bots simply cycle through the millions and millions of stolen and leaked credentials that are already in the wild, one after another, over and over, throwing username and password combinations at your e-commerce platform and hoping for even a tiny fraction to make it through

It’s a process known as credential stuffing and it can be costly. All those automated login attempts are a constant, steady drain on bandwidth and application resources. Things can go from bad to worse if one of those bots is able to log-in with stolen credentials leading to Account Takeover (ATO).

F5 has pioneered a suite of innovative solutions that identify all manner of harmful, bot-driven network traffic and block it before it becomes a drain on your resources (or worse). F5 Bot Defense, also known as Shape Enterprise Defense, is perfectly suited to protect e-commerce platforms since it is quickly and easily integrated into Salesforce Commerce Cloud (SFCC) via F5's certified cartridge only for SFCC.

F5 Bot Defense protects web, mobile applications, and API endpoints from sophisticated attacks that would otherwise result in largescale fraud. It determines in real-time if an application request is from a fraudulent source and then takes an enterprise-specified action, such as blocking, redirecting, or flagging the request.

F5 Bot Defense stands out in the industry because it relies on artificial intelligence and machine learning in conjunction with years of experience defending the world’s largest companies—meaning it has gathered vast quantities of highly detailed data from countless attempted attacks. With all this experience, F5 Bot Defense has unparalleled expertise in not just identifying whether any given request was made by a bot or human, but whether the request was made with malicious or benign intent.

Deployment

There are two stages to an F5 Bot Defense deployment: observation and mitigation. In the observation stage, F5 Bot Defense collects advanced telemetry to inform and train the defense engine to detect attacks. These signals are collected via JavaScript on web applications and an SDK on native mobile applications.

The F5 Bot Defense Engine is the decision-making component of any F5 Bot Defense deployment and is key to the entire mitigation stage. It detects and mitigates automated transactions aimed at the e-commerce platform. To deflect fraudulent requests, it processes hundreds of signals to detect automation at the application, network, browser, and user levels.

Figure.1: F5 Bot Defense offers API-based e-commerce security to protect retail sites on the Salesforce Commerce Cloud platform.

Powered by AI and ML, the F5 Bot Defense analyzes all transactions and scrutinizes every attack campaign to proactively recognize future attempts. When an attack campaign tries to bypass the F5 bot protection solution by somehow retooling (typically by updating software or leveraging new proxies), F5 Bot Defense is still able to identify the campaign based on hundreds of other signals. Most importantly, as soon as a new attack technique is observed on one customer, new countermeasures are autonomously deployed, and details are shared so all other F5 customers are immediately inoculated as well.