A recent research revealed that 25% of internet traffic consists of bots, meaning almost every human interacting online has its bot equivalent. Bots are generally used to automate simple and repetitive tasks, but can also be used to exploit vulnerabilities. The good news is that there are solutions which enable companies to protect themselves from malicious bots.
To select a suitable bot protection solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
Sam Crowther, CEO, Kasada
First, it’s important to understand what bot operators are attempting to accomplish. Are they trying to deplete inventory from your site? Scrape prices to better compete? Test stolen credentials to commit fraud?
By understanding the full impact bots have on your business, you can make sure the solution puts an end to your specific problems. For example, many solutions are architected to require multiple requests before detecting a bot – if so, it’s not designed to effectively stop scraping and account takeover attempts that quickly move ‘in and out.’
History has shown that attackers will adapt to your defenses. A successful bot mitigation solution has to be effective immediately, stopping new bots and never seen before attack methods. It must also stand the test of time by stopping bots months and years later. You should ask what steps are being taken towards long-term efficacy, such as deterring reverse engineering and R&D to detect new automated threats.
You should seek as little configuration, maintenance and support as possible. Does the solution make your life easier or not? Can it adapt to the latest types of attacks and retooling efforts, or will your security team constantly be refining and updating detection rules? Does the solution essentially run on auto-pilot or does it require dedicated in-house time and expertise to be successful?
Vikram Dhawan, VP & Senior Product Leader, Kount
Historically, businesses have only looked at bot solutions to protect their technology infrastructures — and not to protect the businesses themselves. But, today, businesses need to understand that bots aren’t the cause of their problems. People use and encounter bots every day, and not all of them are bad.
Bad actors can use bots as tools to launch account takeover attacks and make fraudulent purchases at scale. The business problem isn’t bots. It’s large-scale fraud that affects the business’s inventory, revenue, chargeback rate, and brand reputation.
When a business is selecting a ‘bot protection solution,’ they should actually be looking for a solution that prevents fraudulent activity like card testing, credential stuffing, and account takeover attacks. And they should be wary of any solution that promises to fix the problem by blocking all bot activity.
The truth is bots are evolving faster than anyone can keep up with. Instead, they should look for a fraud prevention solution provider that can partner with them to understand the signs of fraud, how to adjust their policies to block or challenge fraud without adding friction, and how bad actors may be using bots for fraud. Together, the business and the provider can work as a team to detect and prevent all kinds of fraud attacks, not just those from bots.
Benjamin Fabre, CTO, DataDome
To get maximum value from your bot protection solution, evaluate the following points:
Detection quality. Accurate bot detection is hard, and some providers do it much better than others. If possible, test your candidates simultaneously against real traffic to see what they block and what they let through. The differences can be eye-opening.
Ease of implementation. You should not have to go through a complex integration project or make major architecture changes. Ask potential vendors which integration options they provide, how extensive their documentation is, and what the onboarding process is like.
Autonomy. Bot management is probably not the best use of your time. Choose a solution that will handle bot attacks without your intervention, but that still offers detailed, real-time analytics and KPIs.
SOC. While your solution should block most attacks on autopilot, some situations may require a more hands-on approach. Ask providers how their bot SOC teams operate, and which services are included in your contract.
Flexibility. Don’t want to submit a ticket just to whitelist an IP address or change a rule for a domain? Check that the solution leaves you sufficient control over your settings.
Latency and scalability. There can’t be a tradeoff between business and security. To ensure zero impact on human visitors, choose a solution with a robust, auto-scaling infrastructure and plenty of PoPs.
Pedro Fortuna, CTO, Jscrambler
A comprehensive defense based on multiple layers was needed. In addition to device fingerprinting and user behavior analysis or even the use of CAPTCHAs, these solutions understood how critical it is to prevent automated tampering to the client-side code, and so started using tokenization for authorization and anti-replay as additional layers.
If that is not enough, the ultimate weapon against bots is adding in a layer that monitors the whole client-side for unauthorized behaviors. This way, it is possible to observe the behavior of client-side code with fine detail, spotting potential rogue code and blocking it before it succeeds.
As with almost everything in security, this triggers a cat and mouse chase, so it is also important that the solution is able to protect itself against code tampering and that it cannot be easily bypassable.
Thomas Platt, Head of eCommerce, Netacea
Start by asking yourself, “am I buying a Black Box?” A Black Box is a generic solution that blocks bot traffic. It’s important to remember that some bots are good. In fact, some businesses are reliant on bots. A solution that blocks all traffic could therefore do more harm than good. Every business has different requirements so having a more tailored solution is advised.
The prescribed solution is one that gives visibility over the entire estate. Bots are intelligent and if you’re only protecting your website, malicious bots can redirect themselves to your mobile app for example. With many businesses expanding their digital presence, it’s important to see where the most bot traffic comes from and work with your supplier on how best to protect against it.
You should also consider using a solution powered by machine learning. In the fight against malicious bots, we’re dealing with enemies that are experts on automation, and many bot providers still believe the best solution is human monitoring. This is a futile attempt – humans can never be as quick or as intelligent as bots. You need to fight fire with fire and the best protection against an automated threat is an automated one.
Tushar Richabadas, Sr Marketing Manager – Applications and Cloud Security, Barracuda
Bot detection, especially using machine learning, has become quite important for organizations across verticals. This adds to the current list of security solutions that an organization needs to operationalize and manage, leading to another addition to the existing sprawl.
Our first suggestion is to look for a suitable solution that integrates with their existing web application protection/WAF solution. This typically will mean that the management plane is the same for adjacent functions, making operationalizing easier.
One thing to look out for here is to see if you need a CDN plugin – especially in the publishing industry, with articles being served from the edge, you want edge protection. One needs to also make sure that they solution they purchase covers all their application types – if they have web, mobile and API applications, the bot mitigation solution should be able to handle attacks against all these application types.
Machine learning is important when it comes to bot detection, but one should look at the ability of the system to learn and react to new bots while ensuring that there are few false positives. A solution that does all the detection and protection without resorting to CAPTCHA’s or issues CAPTCHA’s minimally is best for the customer experience – no one likes having to click through a large number of difficult to decipher pictures, and bots find such puzzles easy anyway!
Lastly the solution should allow you to drill down deep into traffic and bot details with great visualization and reporting, and also allow you to quickly and easily whitelist misclassified traffic.
Edward Roberts, Application Security Specialist, Imperva
Bots today are more sophisticated and harder to detect, with more than 50% of bot activity that we monitor categorized as Advanced Persistent Bots (APBs). Companies need to protect their assets from such automated threats across web, mobile and APIs.
When evaluating a vendor’s solution, look for capabilities that are equipped to stop sophisticated bots and block the first bot request.
Machine learning must be built in to help establish a baseline for normal behavior and automate detection and response, easing the burden on security analysts. The solution must involve the latest, most innovative practices like injecting active challenges and honeypots into HTTP traffic to trap bots, while also offering per-URL customization and security controls to fine tune protection; graduated controls for rate-limiting, such as by client, device, authentication token or simple IP address; and enable community-sourced threat intelligence to help customers learn from one another.
Joakim Sundberg, CEO, Baffin Bay Networks
The most useful and effective qualities of a bot protection service can really be boiled down into two things: intelligence and cost-efficiency. Intelligence, meaning that the bot protection solution needs to have built in intelligence for automatic recognition of which bots are friends and which are foes.
Because not all bots are bad, and you’ll need to make sure that e.g. your website is available for scraping by “good bots” (such as search engines) to not limit your customer experience. Cost-efficiency, meaning that you should be able to find a synergy effect between your threat protection solution and your traffic costs.
A bot attack is bad enough on its own and should not affect your traffic fees, so make sure that you only pay for clean traffic to avoid cost peaks after the occurrence of an attack.
Lastly, a good bot protection solution should contribute to freeing up capacity for legit users and that is too dependent on the use of AI to some extent, allowing you to spend your money where it makes the most sense to your business.
Ben Zilberman, Director of Application Security Solutions, Radware
Since bots affect various business arms in different ways, make sure your selection criteria is comprehensive and includes the following:
Capability to detect large-scale distributed humanlike bots: The rise of highly sophisticated humanlike bots requires more advanced techniques in detection and response than conventional solutions.
Your evaluation criteria should focus on the various methodologies that a vendor’s solution uses to detect bots. This includes behavioral intent analysis, device and browser fingerprinting, collective bot intelligence and threat research, continuously adaptive bot detection engine, and other foundational techniques.
Basic features: Organizations should evaluate the range of possible response actions — such as blocking, limiting, ability to outwit adversaries by serving fake data, and to take custom actions based on bot profiles and behaviors.
Any solution should have the flexibility to take different mitigation approaches based on various sections and subdomains of a website. Also make sure that your solution integrates with popular analytics dashboards to provide granular visibility into nonhuman activity.
Key questions to ask your bot management vendor:
- Does the solution cover all threats including account takeover, web scraping, fraud, DDoS & inventory holdups?
- How does it detect bad intents of human-like & distributed behaviors?
- How does it secure my legitimate bot traffic?
- Does it provide maximum security for all properties: websites, mobile apps and APIs?
- What are the deployment options to assure a positive user experience and avoid unnecessary latency?