JetBlue grounds unwanted traffic with Fastly Next-Gen WAF and Bot Management

The challenge

More than half of Americans find air travel more stressful than filing taxes or visiting the dentist. Given the heightened anxiety surrounding air travel, the efficiency of airline websites becomes even more critical. And this means there's little margin for error on an airline website: even a tenth of a second can have a 10% impact on conversion rates for travel sites. Unfortunately, airline websites are a popular destination for cyberattackers seeking a treasure trove of PII or a high-profile place to wreak havoc. They're also among the top targets for web scraping bots. While all these bots aren't all necessarily malicious, they steal a significant amount of bandwidth from legitimate customers.

Feeling dissatisfied with its incumbent cybersecurity vendors, JetBlue sought new solutions.

The solution

"When our security leadership looked at the offerings, Fastly really stood out," said Randy Naraine, cybersecurity architect at JetBlue. The Fastly Next-Gen WAF and Bot Management solutions offered the flexibility, visibility, and reliability JetBlue needed to protect its site from attacks and maintain bandwidth for customers. The team moved quickly, migrating 35 sites over 3 days, just in time for the holiday season. "Fastly engineers made that possible. The quality of support we received, and the number of people engaged in solving problems makes Fastly unique," Naraine said.

Keeping customers—and the CISO—happy by preserving bandwidth

A major fare sale can draw millions of visitors, but the look-to-book ratio (ratio between the number of people who visited the website vs the number of people who made a booking) can be crushed by excessive bot traffic. When that happened to JetBlue in 2023, the client fingerprinting feature of Fastly Bot Management helped the company detect and block unwanted traffic. When a software client establishes an HTTPS connection to a website, it communicates indicators that allow Fastly to generate a unique fingerprint for each one, making it easier to identify malicious traffic and problem bots. During JetBlue's fare sale, engineers discovered a wide range of distributed client fingerprints which accounted for 95% of the traffic. They put a block in place against this network of fingerprints, immediately stopping the threat actor with no additional impact on customer traffic.

"Our CISO was very pleased with the mitigation that happened, and we preserved a lot of benefits for customers," Naraine said. In fact, JetBlue's last sale was one of the largest of 2023. "Fastly Bot Management significantly reduced our unwanted bot traffic," Naraine said, "The ease of use in rule building, rapid visualization of signals, and behavioral analysis and mitigation all justified the investment."

Leveraging visibility to prevent false positives and remediate faster

Another factor in JetBlue's swift response time is the granular visibility provided by the Next-Gen WAF and Bot Management. JetBlue ties specific signals to different behaviors and plots them onto its observability dashboard. That visibility has helped the JetBlue teams work together for faster mitigation. "We can expose our metrics and detections through the API, so if, say, the e-commerce team notices deviations, they can quickly check the WAF and Bot Management," Naraine said. Because JetBlue deploys the Next-Gen WAF and Bot Management at the edge, the company has a clearer view of who is attacking and why. "We've seen significant results with observability by looking at the types of attacks coming in as well as the different types of attackers. That helps us lower our false positive rate," Naraine said.

Saving time and resources with "set it and forget it" solutions

JetBlue's legacy WAF was labor intensive, requiring manual tuning and configuration. That's common with legacy WAFs that depend on regex pattern matching to block bad traffic. "Manually updating rules was one of our big pain points," Naraine said. "With SmartParse, it's set it and forget it." Mitigation is faster too: "We've seen very good response times, and we have scripts that can respond in seconds," Naraine said. Add to that a significant reduction in false positives, and JetBlue is reducing not only downtime but also the load on the security team. Because Fastly Bot Management is at the edge, JetBlue has also seen a notable decrease in the requests that make it to the origin. That helps JetBlue's overall performance, and cuts costs as well.

Key takeaway

Airline websites must preserve bandwidth and ensure performance while maintaining the highest levels of security—there's no room for compromise anywhere. With Fastly’s Next-Gen WAF and Bot Management, JetBlue protects bandwidth for legitimate users and stays ahead of security threats without impacting performance or overburdening the security team.