Q2 Uses Security Automation to Block 97% of Malicious Traffic with F5 Distributed Cloud Bot Defense

Q2’s financial experience platform supports more than 1,200 financial institutions and over 22 million account holders worldwide. With the growth in mobile and digital banking, and the increasing volume and sophistication of cyber attacks on financial institutions and their account holders, Q2 needed a way to provide stronger security without disrupting the customer experience. F5 Distributed Cloud Bot Defense was the answer. 

The Challenge

People and businesses trust financial institutions to keep their money safe and their transactions secure. Yet in today’s digital world, the rapid growth of online and mobile banking has led to a rise in the volume, frequency, and sophistication of cyber attacks.

“We had 54 credential stuffing attacks in 2018, and I thought it was the end of the world,” says Lou Senko, chief availability officer at Q2, a leading provider of digital banking and lending solutions to financial institutions. “In 2019, we had about 1,400 attacks—and then it really took off. In January 2020, we had over half a billion attempted logins, and 82% of those were from credential stuffing attacks.”

As a result of the rapid escalation in cyber attacks, financial institutions find protecting their customers’ information and assets increasingly daunting. Yet, providing reliable and trustworthy security is the crucial element in developing and nurturing loyal account holders, which is key to every financial institution’s long-term success. The same technology that makes digital banking so convenient for consumers also makes it easy for them to seek other options if they begin to question the safety of their assets or lose confidence in the security their bank or credit union provides.

“Our financial institutions and their customers have very short pain thresholds when it comes to being unable to log in to their accounts,” says Albert Hoelscher, senior director of IT security at Q2. “They expect always-on, instant access, so if there's any delay or disruption, they're very sensitive to that. It's one of the first and fastest things that will cause a customer to move their money to another financial institution.”

Enabling financial institutions to attract, engage, and retain customers is Q2’s business. Founded in 2004, with offices throughout the United States and internationally, Q2 designs and delivers software solutions that help financial institutions transform and future-proof their businesses by enabling them to create meaningful financial experiences and support lasting account holder relationships.

At the heart of Q2’s mission to build strong and diverse communities by strengthening its financial institutions is its financial experience platform—a single platform that integrates with a financial institution’s legacy technology and provides one administrative console that organizations can use to manage the same experience for mobile, online, and voice banking. In the U.S. alone, one out of 10 digital banking customers uses Q2’s single platform for their banking needs while more than 40% of the nation’s top 100 banks and more than a third of the top 50 credit unions have made the Q2 platform part of their digital strategy.

“Our financial institutions are looking for customers for life,” says Senko, who leads the teams that are responsible for the availability, performance, and quality of the services that Q2 delivers to its customers and their account holders. “Our platform has all the pieces to help financial institutions understand who their customers are and how to match the right solutions to each customer, depending on where they are in their digital journey.”

As the threat from cyber attacks continued to grow, Q2 found it more time-consuming to manage its full cybersecurity needs with in-house staff while also providing the solutions that would help financial institutions succeed in a digital world.

“The bad guys were using up all our resources,” Senko says. “We had to scale our infrastructure to 40 times its original size, just to be able to handle the attacks and keep our service available. When we looked at all that money, all that time, all that waste, just so we could keep serving our real customers, we knew we had to change our defense strategy.”

The Solution

To address the rapid escalation of credential stuffing and other automated cyber attacks, Q2 started looking for a bot defense solution that would help it counter the relentless assault that it and its customers were facing.

“The number of credential stuffing attacks we were experiencing was in the billions, and that was putting a significant strain on our staff and infrastructure,” Hoelscher says. “Our security engineering teams were working night and day, 24/7, to try to mitigate these attacks manually, but it was unsustainable. You quickly exhaust your resources. We knew that adding automation was the only way to handle billions of credential stuffing attempts and address the other threats effectively.”

Q2 looked at several options before deciding to implement F5 Distributed Cloud Bot Defense.

“We needed a solution that was easy to implement, could be quickly bolted onto our current infrastructure, and didn’t disrupt the customer experience and degrade log-on times,” Hoelscher says. “We also needed a product that had a very low false-positive rate and would be very efficient in how it handled our users, letting valid traffic through while blocking malicious traffic. Of all the solutions we considered, F5 Distributed Cloud Bot Defense was the one that rose to the top.”

Hoelscher says that Q2 already considered F5 a trusted partner, because the company had been using F5 BIG-IP products like F5 BIG-IP Advanced WAF as part of its security lineup for some time. He adds that Q2 was pleasantly surprised by how quickly implementing Distributed Cloud Bot Defense allowed it to build on that strong security foundation.

“As soon as we started using F5 Distributed Cloud Bot Defense, we saw a dramatic improvement in our security capabilities,” Hoelscher says. “We reduced the risks for our customers overnight. They were quite relieved and very happy with the outcome.”

According to Hoelscher, it’s not only the F5 technology that makes Distributed Cloud Bot Defense so effective. It’s also the support Q2 receives from F5 engineers and security experts.

“F5 has been amazing,” Hoelscher says. “Our technical account team at F5 is extremely responsive. As the threat landscape changes, as the attacks become more sophisticated, they are right there with us in the trenches, working with us day in and day out, and supporting us as we work through those ever-changing issues.”

The Results

Rapidly detected and neutralized cybersecurity threats

Senko says that when he joined Q2 in 2012 the big threat was distributed denial of service (DDoS) attacks. “You’d get hit with a big DDoS attack once a month, and you’d fall over and have to stand back up,” he says. “Today, the attacks are more mature, but the solutions to defend against them are also mature. Now we have a DDoS attack every 100 seconds, but we don't feel it, and our customers never feel it.”

Reduced malicious traffic and transactions

Q2 credits Distributed Cloud Bot Defense with helping to reduce the transactions on its applications from 18 billion to 2.8 billion in a single quarter by blocking malicious activity. That 85% decrease in quarterly transactions translates into a big value add, saving Q2 money and resources, and creating a safer and more reliable experience for financial institutions and their customers.

“With F5 Distributed Cloud Bot Defense, we’re blocking 97% of all malicious inbound traffic before it even gets to the application layer, which greatly reduces our customers’ risks,” Hoelscher says.

Improved application uptime, performance, and quality

Senko says that Q2 has always been focused on the performance and quality of the services it provides, but the key to both is availability—making sure those services are always available. When Q2 implemented Distributed Cloud Bot Defense to deal with credential stuffing and other automated cyber attacks, availability was no longer a serious problem.

“F5 Distributed Cloud Bot Defense took all those bad actors off of the application load and stopped those threats at the perimeter,” Senko says. “That allowed us to focus on delivering other features and services and not worry about availability and scaling just to be able to handle the nonsense that the credential stuffing was causing.”

“As we continue on this digital journey with our customers and their account holders, we need partners like F5, who are excellent at what they're focused on addressing, in this case bot attacks, so we can remain focused on what we're excellent at: delivering the best digital banking experience to customers and their account holders,” Senko says.

Challenges

  • Cyber attacks were threatening financial institutions
  • Existing technologies and processes couldn’t address the different attacks and their continuously increasing volumes
  • Battling attacks diverted resources for improving services

Benefits

  • Rapidly detects and neutralizes cybersecurity threats
  • Mitigates credential stuffing attacks that lead to account takeover and financial losses
  • Reduces malicious traffic and transactions
  • Improves application uptime, performance, and quality