

    Key Features of a Potent Anti-Bot Solution: An Expert’s Analysis

    The threats posed by bots to our digital applications and businesses at large are well-known among security and fraud professionals. Earlier, I delved into these threats to aid security and fraud teams in communicating the bot menace in an executive and board-friendly language. Consequently, such discourse has led to increased awareness about bot-related issues.

    Predictably, the heightened awareness has given rise to a wave of marketing material targeting enterprise purchasers. Regardless of the risks that security and fraud teams aim to mitigate, they require a method to navigate past marketing jargon to appropriately assess bot solutions. The challenge lies in discerning which bot solutions genuinely deliver on their promises, the strategies that will be effective in specific environments, and the vendors who can stay ahead of the constantly evolving threat landscape.

    There might be multiple approaches to this issue, but I’ve outlined a few key factors that enterprises should consider when evaluating bot solutions:

    R&D: A multitude of bot management vendors gather telemetry data. However, the analysis, dissection, and investigation of this data greatly impact the effectiveness of their solutions. Regular scrutiny of the telemetry data is essential for a bot management solution to be efficient. Questions that should be persistently asked include: What insights can the data provide? What is the right data to gather? How can we accurately distinguish between human and machine traffic? Successful R&D also encompasses identifying gaps in telemetry data and understanding what additional data needs to be collected for optimal solution performance.

    Machine learning: An essential component of identifying whether traffic originates from a human or a bot is machine learning. Several vendors boast about their machine learning capabilities and their models’ prowess. Indeed, good models are crucial, and many leading vendors possess them. So, what separates the most effective bot management solutions from the rest? The answer lies in the data – the quality of data fed into a model determines the accuracy and reliability of the model’s predictions. Even the most advanced machine learning model will struggle to differentiate between human and automated traffic without the correct data.

    Verification: Throughout my tenure in operations, vendors frequently persuaded us to implement their latest detection rules and/or signatures. In numerous instances, this led to a flood of false positives and cluttered the work queue. In an extreme case, the surge of false positives even crashed the SIEM. Top bot management vendors thoroughly test and verify their rules before rollout. For these vendors, overwhelming a customer with a swarm of false positives post-update would be a monumental failure.

    Obfuscation: Concealing the bot management solution’s JavaScript to shield it from attackers is crucial. I’m often astounded by the number of vendors that overlook this, thereby making it significantly easier for attackers to identify a page with a bot management solution and consequently circumvent it. For instance, attackers can simply modify the page, remove the JavaScript, and continue their attack unhindered. Obfuscation is an iterative process. Effective obfuscation that can resist attacker bypass tactics involves studying attackers, reverse-engineering their strategies, and frequently deploying new and modified obfuscation.

    Advanced analysis: Finally, incorporating lessons into the bot management solution greatly enhances its effectiveness. Regrettably, many vendors develop solutions that address a certain level of sophistication, but they fail to constantly study attacker retooling, incorporate these insights into their solutions, and enhance their offerings. This results in bot management solutions that are somewhat effective for a brief period until attackers discover that their target has implemented a solution. The attackers then retool, and if the solution can’t handle the additional sophistication, it becomes entirely ineffective. The leading bot management vendors continuously perform offline or second-stage analysis to ensure their solutions maintain consistent effectiveness.

    When evaluating bot management solutions, iterative solutions are the gold standard. Vendors who diligently study attackers and continuously incorporate their findings into their solutions tend to have higher efficacy rates. Similarly, vendors who are meticulous about data collection, rule vetting, and safeguarding their solutions from attacker manipulation perform significantly better. Enterprises should bear these points in mind when assessing a bot management solution.
