Client-Side Defense

About Client-Side Defense

F5® Distributed Cloud Client-Side Defense (CSD) provides a multi-phase protection system that protects web applications against Formjacking, Magecart, and other malicious JavaScript attacks. This multi-phase protection system includes detection, alerting, and mitigation.

  • Detection. A continuously evolving signal set allows CSD to understand when scripts on web pages start reading PII or exhibit signs of exfiltration.
  • Alerting. CSD generates timely alerts on malicious changes in behavior of scripts, provided by a continuously improving Analysis Engine. The Analysis Engine contains a machine learning component for accurate and informative analysis and provides details on the behavior of malicious script to help troubleshoot and identify the root cause.
  • Mitigation. CSD detects threats in real-time and provides enforcement with one-click mitigation. CSD leverages the same obfuscation and signal technology as F5® Distributed Cloud Bot Defense, delivering unparalleled efficacy.

The diagram below shows the basic data flow for CSD.

csd data flow new
Figure: CSD Data Flow

CSD Data Flow

  1. An end-customer comes to web site protected by CSD and the CSD JS executes. When it executes, it detects actions of other scripts running on the web page.
  2. The CSD JS sends script information (a list of actions of other JavaScripts, i.e. which domains the scripts interact with) as a signal to the CSD Analysis Service.
  3. The script information is analyzed by the Analysis Service and it generates a risk score.
  4. If risk score is greater than zero (which means a suspicious data exfiltration was detected), an alert is raised on the CSD Dashboard (and also raised on the other alerts channels configured by the customer).
  5. The user can take a one-click mitigative action to instruct CSD to immediately block such exfiltration.
  6. If a mitigative action was taken, the F5 JS Service gets updated to ensure that the CSD JS blocks interaction between malicious scripts on the web site and the attacker domain.