AppsFlyer Automates Malicious Activity Detection on AWS


Global attribution leader AppsFlyer provides marketing analytics services to more than 12,000 customers worldwide—including leading brands like Macy's, Nike, NBCUniversal, and Wayfair—that want to measure the success of their marketing campaigns to promote their brands’ mobile apps. To protect its customers’ data and budgets, AppsFlyer detects and prevents attribution that originates from fraudulent activity, such as bots that install apps. Providing these services for major brands requires AppsFlyer to maintain tight security. The company processes over 100 billion events per day.

To detect malicious activity on its existing Amazon Web Services (AWS) infrastructure, AppsFlyer came up with a novel solution: it combined AWS Lambda, a serverless compute service that enables users to run code without provisioning or managing servers, and Amazon GuardDuty. The latter is a threat detection service that uses machine learning to protect companies’ AWS accounts, workloads, and data stored on AWS by continuously monitoring for malicious activity and unauthorized behavior. This combination of Amazon GuardDuty, AWS Lambda, and other AWS security solutions—powered by a fast, cost-effective serverless architecture—enables AppsFlyer to monitor security with ease.

internet, internet delle cose, iot, connessione, mano

Amazon GuardDuty reduces the noise. We can fine-tune the alerts so that we only get the most precise detections. Then we can react to each alert with great confidence.”

Michael Kolotov
Security Operations Team Leader, AppsFlyer

Strengthening Infrastructure Security on AWS

When a company runs a campaign across multiple media sources—for example, across Facebook, Google, and Twitter—AppsFlyer can determine from which source each installation was derived and measure each user’s app usage and lifetime value. The company can then measure the campaign’s return on investment and help customers make informed decisions, such as whether to invest in campaigns on specific networks or target specific audiences. AppsFlyer also uses AWS to protect the campaigns against fraudulent installations that could harm marketing and advertising data reliability.

To further protect its customers’ data and campaign performance, AppsFlyer decided to build a solution to proactively monitor its AWS infrastructure and detect malicious activity. It also wanted to configure and manage its environment and stay resilient and aligned with best practices. Because AppsFlyer provides mission-critical services to its customers, any impact on AppsFlyer’s service could cause technical issues, create service downtime, and harm the customer experience.

Since its founding in 2011, the cloud-native company has been on AWS. “Maintaining our ability to comply with the General Data Protection Regulation and the California Consumer Privacy Act in regard to protecting customer data is much simpler on AWS,” says Michael Kolotov, security operations team leader at AppsFlyer. AppsFlyer was also attracted to the scalability, maturity, and built-in data security that AWS offers. Building an AWS-native solution on its existing AWS serverless architecture provides AppsFlyer with additional security. “I don’t need to give another server permission,” adds Kolotov. “Anything contained in one environment is much more secure and needs less configuration, and fewer things break on the way.”

Developing a Cloud-Native Security Solution Using an AWS Partner

In 2018, AppsFlyer began building its security solution, which it completed in mid-2019. In this solution, Amazon GuardDuty inspects data from AWS Config, Amazon Route 53, the Domain Name System logs, and AWS CloudTrail event logs that record AWS API calls. Amazon GuardDuty then automatically identifies activity that can be associated with malicious reconnaissance or a compromise of an account, instance, or bucket on Amazon Simple Storage Service (Amazon S3). “Amazon GuardDuty reduces the noise,” says Kolotov. “We can fine-tune the alerts so that we only get the most precise detections. Then we can react to each alert with great confidence.” And because the alternative would require AppsFlyer to use additional services to enable streaming and analytics, the Amazon GuardDuty solution cuts its costs nearly in half.

The company then built an automated response to Amazon GuardDuty alerts, using AWS Lambda in conjunction with Cortex XSOAR, a service that is part of AWS Advanced Technology Partner Palo Alto Networks. Cortex XSOAR specializes in security orchestration, automation, and response technology. For example, if Amazon GuardDuty detects a suspicious user, it triggers an AWS Lambda function to assign a ‘deny all’ policy to the user. The AWS Lambda function clears the user’s session, locks the user out of the system, and sends an alert to the user and their manager. “With a serverless architecture, everything is adjusted on the fly, so you don’t need to worry about whether you gave your server enough hard drive space, storage memory, or compute capacity,” says Kolotov. “The scalability of an AWS Lambda function is automatic and virtually endless. We can set one up with minimal configuration or operational maintenance.”

AppsFlyer monitors the configuration of its environment using AWS Security Hub, which provides a comprehensive view of security alerts from across all AWS accounts so that AppsFlyer’s security operations can organize and prioritize response actions in one place. “On AWS Security Hub, we are detecting when some buckets are inadvertently made public, resources are not configured properly, or security groups are opened to the world,” says Kolotov. “Proactively knowing this makes our lives so much simpler.” AppsFlyer also uses Amazon Inspector, an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector detects vulnerabilities and automatically remediates them to prevent exploitation by external attackers.

Setting up the security solution on serverless architecture was faster and simpler than it would have been on a dedicated server. “The maintenance is practically nonexistent, and there’s no overhead from the endpoint onward. It gives you peace of mind that things are going to run smoothly,” says Kolotov. “You might invest more time in the beginning, but you gain more confidence in the system in the long run.”

Adding More Layers of Security and Forensics

AppsFlyer will continue to update its security solution, with a focus on adding more layers of security and forensics and improving incident response. “Detecting abnormal activities is super important for us,” says Kolotov. “That’s why Amazon GuardDuty was an amazing addition to our capabilities. The more high-value capabilities we get like that, the better off we’ll be.”

Using AWS security services and serverless architecture, AppsFlyer built a solution that bolsters its security posture, saves money, and removes the burden of provisioning and managing servers. It also accelerated time to market for its solution. “AWS provides seamless support and security with virtually zero downtime,” says Kolotov. “You can do things on the fly on AWS.”

About AppsFlyer

Founded in 2011, AppsFlyer is a software-as-a-service mobile-marketing analytics and attribution service. Operating out of 18 offices worldwide, AppsFlyer helps more than 12,000 customers track how users interact with brands through various services, channels, and devices.

Benefits of AWS

  • Reduced cost of security solution by almost 50%
  • Scales with ease
  • Removes burden of provisioning and managing servers from staff
  • Accelerated time to market of its solution

AWS Services Used

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

Learn more »

AWS Lambda

AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.

Learn more »

AWS Security Hub

AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.

Learn more »

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Learn more »

Get Started

Companies of all sizes across all industries are transforming their businesses every day using AWS. Contact our experts and start your own AWS Cloud journey today.