Every organization wants the same thing from their applications: the best performance for their users and exceptional security to prevent losses and harm. It's a simple concept, but delivering comprehensive security that doesn't slow the speed of innovation isn't easy given the complexities of the modern digital business.
At F5, we combine leading multi-cloud application security and delivery with bot mitigation, a robust web application firewall, and cutting-edge API security and anti-fraud technologies to help customers meet users’ growing expectations for seamless digital experiences while protecting both organizations and individuals from increasingly sophisticated security threats. In parallel with today's security-themed announcement from Agility 2021, I'll tell some real-world stories that show how consistent, high-efficacy, and easy-to-deploy security helped F5 customers solve some of their biggest challenges.
In 2020, one of the largest U.S. banks experienced a massive credential stuffing attack. Cybercriminals assembled a list of more than five million usernames and passwords harvested from data breaches, and then used a distributed botnet consisting of more than one hundred thousand real machines—with real IP addresses and valid browsers—to submit those usernames and passwords to the login form of the bank’s webpage.
Shape Enterprise Defense blocked this attack very quickly. But what happened next is where things got interesting. Realizing they couldn’t get through the defenses on the webpage, the criminals reverse-engineered the APIs that powered the mobile app and proceeded to emulate legit mobile devices to test the stolen usernames and passwords.
F5 pivoted just as fast, and immediately enabled our API defense, which then caught and blocked the credential stuffing attack in the new channel. In the end, out of those five million credentials, the criminals were only able to access about 100 accounts—instead of the 20,000 to 50,000 compromised accounts typical for an attack of this size.
So what does this tell us? Namely, that security must protect not just the application but the APIs that access it. Plus, protection must be continuous and able to adapt in real time to developing threats.
According to F5's 2021 State of Application Strategy Report, 75% of organizations agree that collecting telemetry about application security is important for meeting business-level requirements. But the real challenge is getting to that data and exercising security controls in real time. The sooner you can start collecting data, the better prepared you will be to handle future incidents.
That's where F5 Device ID comes in. It takes the signal from web traffic and helps customers identify returning computers and mobile devices on their site. The best part about it is that we're making it available for free to all F5 customers. Which means that you can start collecting data now without having to invest in yet another tool—and then when an incident occurs, you'll have a repository of data to help you analyze and respond to the attack.
It's clear that complexity is an enemy of security. For example, the explosion in the use of APIs to build applications is fantastic in terms of increasing speed of development, but it is also a gift to attackers because of the expanded attack surface.
There's also infrastructure complexity. Many of our customers are dealing with a completely mixed environment—with traditional and modern applications that span on-premises data centers as well as multiple clouds and even edge locations. While implementing consistent security across all this complexity isn't as simple as just clicking a button, a stable partnership with F5 brought one company closer to realizing that ideal. Over the years, one of the largest telcos in the U.S. acquired other carriers, which led to expansion (good) and a whole lot of infrastructure complexity (bad).
At the beginning of our relationship, we protected the company's largest application from bots, fraud, denial-of-service, and many other application-level attacks. A year later, they acquired another competitor and F5 expanded our security coverage into that completely separate environment, with totally different technology stacks—and still provided a single control plane, with unified and uniform policies. This past year, the pandemic changed everything, and we’ve started working with them to build out a whole new kind of network, one that optimizes the end-to-end delivery of their applications.
This is more than a security story—it's a story of partnership. Businesses are always evolving, and new threats emerge every day. By teaming up and leveraging a platform that ensures consistency across all environments, we can optimize for today while preparing for wherever that next evolution takes us.
The latest research from the State of Application Strategy Report confirms a trend that's been developing for a number of years: organizations face serious skillset challenges in the field of security. Many businesses simply don't have the in-house skills to effectively manage a growing portfolio of applications across an ever-expanding attack surface.
F5's managed security services—Shape and Silverline—take the complexity out of security deployments and ensure that applications and users are automatically protected. This leaves your in-house teams free to focus on improving processes and driving innovation.
We've learned from our customers that simplicity is a top priority—they want all the technologies they need in a single offering. At F5, we are here to help you secure your apps and your digital experiences—wherever you are in your digital transformation journey.
Our vision is simple, clear and comprehensive:
F5 helps you to secure your applications and APIs by providing visibility and control wherever you need it from L4 to L7—and across clouds, data centers, and a growing set of edge locations.
We do it through continuous, real-time, and high-efficacy security powered by data and AI/ML that protects your organization's most important assets from a range of sophisticated attacks. F5 security is natively built for APIs and modern apps to improve protection and ensure compliance while accelerating innovation and speeding time to market. Finally, our platform-based security portfolio can be used from the data center to the edge and allows customers to collect, share, integrate, and analyze data generated throughout their organization.
Great security outcomes are driven not just by technology but by the people who support it. Behind the scenes, our world-class product, engineering, and services teams are always vigilant and always innovating. They are truly dedicated to customer success and protecting the modern digital experience, which is so critical to every organization's future success.
Together, we can remove the high friction and silos that make today’s application security controls overly complex and create a predictive and adaptive security environment that accelerates your business—and enables you to secure your apps and APIs. Everywhere.