Leading Online Education App Eliminates Security Gaps with Fastly Response Security Services

The challenge

Duolingo's 83 million monthly active learners count on the app to make studying a language easy and fun, without downtime that interrupts learning or breaks up its motivating gamification. That's a big job for a lean security team, so Duolingo sought a partner to help augment its security operations. But Senior Engineering Manager Matt Brandman didn't want to fully offload security to a third party. He and his security team are the experts on their own application and tech stack, and that knowledge is critical to tailoring security operations to Duolingo's business needs. Duolingo needed a security partner that could provide flexible solutions, add value without being redundant, and provide the extra hands required for rapid incident response.

The solution

Fastly's Response Security Service gives Duolingo priority 24/7 access to its globally distributed Customer Security Operations Center (CSOC), which provides Duolingo with attack support backed by a 15 minute response time SLA for critical security incidents, configuration assistance; and regular security reports and reviews. Duolingo's security team can focus on its technology while Fastly provides scalable, expert support to prevent and mitigate security incidents. According to Brandman, "Our team could do this on our own if we had unlimited time and resources, but a lot of very smart people at Fastly have worked on these things already. Partnering with Fastly’s Response Security Service is a great way to leverage their knowledge and get force multipliers for your team."

The benefits of security automation plus the flexibility of hands-on management

Duolingo enjoys the best of both worlds. Using Fastly's Response Security Service, its security team receives fewer false positives. Duolingo can also customize its own rules for anticipated peak times, such as during special offers, to avoid blocking legitimate users when traffic spikes and without worrying that an automated rule will disrupt business without its knowledge. Fastly’s Response Security Service also regularly reviews Duolingo's logs to identify trends automation doesn't. Duolingo achieves balance between the efficiency of automated security tools and a bespoke solution tailored specifically to the security team's requirements.

A security team that scales plus a knowledge base as big as the web

Duolingo enjoys the benefit of Fastly security experts' knowledge of a wide swath of the public internet: what other customers have experienced, what they've observed in specific verticals, and which attack vectors are on the rise. Fastly regularly shares recommendations about potential issues that haven't reached emergency levels yet. As a result, Duolingo gets the right rules in place and patches vulnerabilities faster, preventing problems that might not be on Duolingo's radar. And when in-house IT teams don't have the time, Fastly's Response Security Service can step in to write those rules. According to Brandman, "Having Fastly cover that work can make the difference between an hour or more of downtime and 10 minutes."

A steady partner under pressure plus 24/7/365 rapid response

After some negative experiences with vendors that unexpectedly deprecated services, Duolingo wanted a security partner with a history of supporting customers long-term and security experts its team could trust when the stakes are high. "At the end of the day, the most important factor for a security partner is how its team interacts with us and how they respond when dropped into a high-pressure environment with active ongoing attacks," said Brandman. "That's a big part of why we chose Fastly."

Plus, operating in Slack is a game-changer for Brandman's team: Communication is quick, it's easy to pull in other team members, and responses come within minutes. A follow-the-sun model means that the Fastly security expert on the other end of the line is always fresh, ready, and less likely to make a mistake.

Key Takeaway: Choosing the right partner

“When considering a WAF and CDN partner, really consider the quality of the team you're working with, and make sure that they're going to be able to keep up with the type of work that your organization does. They're going to be the backbone and your first line defense. A strong relationship will pay dividends for years. That's what led us to Fastly,” concludes Brandman

The Duolingo-Fastly collaboration exemplifies how Fastly and its Response Security Service, can successfully bolster an organization's security. The value of a strong partnership and expert approach can lead to stronger protection, peace of mind, and enhanced operational focus in a rapidly changing threat landscape.