shape solution overview


Upload: buitruc

Post on 28-Jan-2017



Page 1: Shape Solution Overview

SHAPE ADVANCED APPLICATION DEFENSE
Harden your web and mobile applications against automated attacks

Automated attacks on enterprise web and mobile applications have dramatically increased over the past few years. Prominent attacks, including the Uber account hijacking and the IRS/Intuit tax fraud, highlight the new reality of web security: a breach anywhere is a breach everywhere. When a site is breached, cyber-criminals will use automation to attempt to validate customer credentials on other websites. With password reuse by customers a common occurrence, it's not a question of whether they'll gain access to user accounts on other websites -- it's how many accounts can be accessed. Automated attacks are the #1 web security threat, according to Verizon’s 2015 Data Breach report, and these attacks are evading existing security protections.

How Does Shape Defeat Automated Attacks?
The Shape solution comprises a high performance security appliance and a sophisticated machine-learning back end. Shape’s world class team of security and web experts develops and deploys countermeasures that deflect automated attacks at all three levels of the web application.

How Do Attackers Use Automation to Succeed?
Automated attacks on web and mobile applications are commonly enabled by automation and AI techniques aimed at mimicking human behavior to successfully defeat existing defenses.

User Interface
The attacker simulates interaction with the user interface. Example tools: Selenium and Sikuli.

Browser/App
The attacker uses a headless browser to interact with the target webpage. Example tool: PhantomJS.

Network
The attacker automates HTTP(S) GET or POST requests. Example tools: cURL and Wget.

• Credential Stuffing & Account Takeover–The attacker tests a list of authentication credentials, taken from a secondary marketplace or large-scale breaches, to discover where users have reused the credentials. Credential stuffing attacks lead to account hijacking and online fraud activities.

• Content Scraping–The attacker scrapes valuable information from an enterprise website and sells it to the enterprise’s competitors or to industry aggregators. An example is when an attacker uses content scraping to aggregate information about certain fare codes from an airline website, and then sells that information to passengers who can use those special fares.

• Application DDoS–The attacker launches a large number of transactions that exercise resource-intensive business logic. For example, automated transactions that add items to a shopping cart on an online retail website can often slow down or completely deny access to the website.

• Man in the Browser (MitB)–In banking, MitB malware residing in the browser waits until a user has authenticated, and then automates the creation of new payees, checks account balances, and automatically transfers funds to accounts controlled by the attacker.

Shape Security is the best defense against these and many other automated attacks on web applications and API services.

Page 2: Shape Solution Overview

Automated Attacks Defeat Existing Web Defenses
Automation, in conjunction with distributed bots, enables cyber-attacks that defeat traditional security controls. Existing technologies such as Next-Generation Firewalls (NGFWs), IDS/IPS, and Web Application Firewalls (WAFs) do not address the underlying mechanisms used to carry out these advanced automated attacks. Common techniques such as IP-based blacklisting and rate limiting pose no challenge for today’s sophisticated attackers, who use distributed bots, web proxies, and careful timing to evade such controls.
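As an added illustration (this is not part of Shape's datasheet or product, and not Shape's method), the Python script below shows on constructed login records why a per-IP failure threshold sees nothing when a credential-stuffing run is spread across many sources, while a population-level signal over the same records (failures spread across many distinct usernames and many distinct source addresses) does fire. The log format, the RFC 5737 documentation addresses, the account names and the thresholds are all assumptions made for the example.

```python
"""Added example: per-IP rate limiting versus a population-level
credential-stuffing signal. All log lines below are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int      # unix seconds
    ip: str      # source address
    user: str    # account name attempted
    ok: bool     # True if the login succeeded


def parse_log(text: str) -> list[AuthEvent]:
    """Parse '<ts> <ip> <user> OK|FAIL' lines (constructed format, not a real product log)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(int(ts), ip, user, result == "OK"))
    return events


def per_ip_failures(events: list[AuthEvent], window_s: int = 60, threshold: int = 5) -> set[str]:
    """Classic per-source control: flag any IP with >= threshold failures in a sliding window."""
    by_ip: dict[str, list[int]] = defaultdict(list)
    for e in events:
        if not e.ok:
            by_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_stuffing(events: list[AuthEvent], window_s: int = 60,
                         min_failures: int = 10, min_spread: float = 0.8) -> dict:
    """Population-level control: in the busiest window, are the failures spread over
    many distinct usernames AND many distinct sources? A stuffing run tries each
    breached pair roughly once, so both ratios approach 1.0; a real user retyping a
    password, or a single source hammering one account, keeps a ratio low."""
    failures = sorted((e for e in events if not e.ok), key=lambda e: e.ts)
    best = {"failures": 0, "user_spread": 0.0, "ip_spread": 0.0}
    start = 0
    for end, e in enumerate(failures):
        while e.ts - failures[start].ts > window_s:
            start += 1
        win = failures[start:end + 1]
        if len(win) > best["failures"]:
            n = len(win)
            best = {
                "failures": n,
                "user_spread": len({x.user for x in win}) / n,
                "ip_spread": len({x.ip for x in win}) / n,
            }
    best["alert"] = (best["failures"] >= min_failures
                     and best["user_spread"] >= min_spread
                     and best["ip_spread"] >= min_spread)
    return best


# Constructed sample 1: twelve sources, each trying one username once within
# a few seconds, mixed with one real user (alice) who mistypes twice and then
# signs in. No single IP ever reaches the per-IP threshold.
STUFFING_LOG = "\n".join(
    [f"1485600{i:03d} 203.0.113.{i} user{i:02d} FAIL" for i in range(1, 13)]
    + ["1485600020 198.51.100.7 alice FAIL",
       "1485600025 198.51.100.7 alice FAIL",
       "1485600031 198.51.100.7 alice OK"]
)

# Constructed sample 2: one source hammering one account, the case a per-IP
# control does catch and the spread-based signal deliberately ignores.
SINGLE_SOURCE_LOG = "\n".join(f"14856001{i:02d} 192.0.2.9 bob FAIL" for i in range(8))


if __name__ == "__main__":
    for name, log in (("distributed stuffing", STUFFING_LOG), ("single source", SINGLE_SOURCE_LOG)):
        ev = parse_log(log)
        print(f"{name}: per-IP flagged={per_ip_failures(ev) or 'none'} "
              f"population signal={distributed_stuffing(ev)}")
```

The two rules are complementary rather than interchangeable: the per-IP window only fires on the single-source sample, and the spread-based signal only fires on the distributed one, which is the gap the passage above describes. In practice the spread ratios would be computed per login endpoint and tuned against a baseline of normal traffic.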

Introducing the Shape Advanced Application Defense Solution
The Shape Solution (a Security-as-a-Service offering) protects web applications and mobile APIs from automated attacks. Once operational, Shape deflects automated attacks, with virtually no effort on the part of enterprise employees.

The Shape solution is offered as a subscription service:

ShapeShifter Element
• ShapeShifter Elements (physical or virtual appliances) co-located with the enterprise’s protected website or service
• Threat assessment – Pre-deployment threat modelling to identify protected assets, attack workflow, and attacker entry points
• Software and hardware upgrades provided free of charge as part of the subscription service

Shape Protection Manager
• Configuration, monitoring, and management of the ShapeShifter Elements
• Dashboards, visualization, and reporting for automated threats against the protected website

Shape Security-as-a-Service
• Provides 24/7 monitoring, incident response, and access to expertise and guidance from security professionals
• Offers visibility and actionable intelligence into automated attack traffic
• Threat research – Access to Shape's expert threat research team and threat intelligence collected across global deployments

ABOUT SHAPE SECURITY
Shape Security has deflected over $1B in fraud losses for major retailers, financial institutions, airlines, and government agencies. Shape provides best-in-class cyber-defense for Global 2000 enterprises against sophisticated automated attacks.

Please contact Shape Security for additional details: [email protected] (650) 399-0400

www.shapesecurity.com