15 Things We Learned from the Bot Defense Council Summer 2016 Summit

August 21, 2016 Edward Roberts

When you spend a day in a room with ten people who battle the same problem every day, you come away with an increased appreciation of the expertise involved in protecting the websites of some of the world’s most well-known brands.

The Bot Defense Council (BDC) comprises security professionals from StubHub, Glassdoor, B&H Photo, Sabre, Whitepages, Guidestar, Amadeus IT, Graphiq, Manta, Autodesk, and TravelBrands. Collectively, its members protect billions of dollars of revenue from fraud. They arrived in San Francisco from all over the country to discuss problems, share experiences, and learn about the latest thinking related to protecting and mitigating automated bot threats.

Here’s what we learned.

  • It’s not about bots – The BDC members don’t consider that they have a “bot problem.” Instead, they have a fraud problem: malicious traffic on their websites that is carried out by bots using automation.

  • The problem never stops – Automated threats are part of BDC members’ daily lives. Their websites are under constant bombardment from web scraping of prices and content, account takeovers through brute force attacks, sniping, and denial of service attacks. And what’s worse, the threats never stop.

  • Stop fraud, please – The single biggest problem for all BDC members is fraud committed on their site(s).

  • A shared problem, different industries – The BDC members come from different industries and would otherwise have no commonalities in the challenges their respective companies face—with the exception of their shared bot problem.

  • Distributed attacks are the norm – Members have discovered that cybercriminals are favoring a ‘low and slow’ attack method. Instead of making thousands of requests from a few IPs, perpetrators leverage hundreds and even thousands of IPs, from globally-distributed proxies, to make fewer requests.

  • Ransom attacks are common – Before putting controls in place, many BDC members experienced at least one DDoS attack that attempted to coerce a ransom.

  • It takes a village – There are entire teams, including IT security, IT infrastructure and fraud, within these organizations—not just individuals—charged with dealing with the problems of automated threats and nefarious website traffic.

  • Law and order – Not all BDC members contact law enforcement once they identify a fraudster. But those that do actively prosecute an identified criminal.

  • No false positives – E-commerce companies in particular cannot tolerate any false positives or any other friction that prevents a customer from making a purchase. All BDC members consider false positives to be a problem. Accuracy of detection and certainty pertaining to non-human users are paramount.

  • APIs are under attack – APIs are the next frontier for fraudsters. API protection and security solutions are currently entering the market.

  • Distil is a major piece of their defense – BDC members all said that Distil removed between 20–50% of their traffic, identifying it as malicious.

  • Going beyond the device fingerprint – BDC members use the granular Distil device fingerprint to inform other security solutions in their security stack.

  • To CAPTCHA or not – Some members were vehemently opposed to CAPTCHA insertion in any workflow, because they can be easily circumvented and can affect sales conversion rates. Others are willing to deploy them as an effective test to prove a user is human.

  • Akamai is the CDN of choice – All members use a CDN, with Akamai being the most popular. And all use Distil as their bot mitigation solution. (Comparison of Akamai v Distil here.)

  • Ten members, one BDC – All BDC members were actively engaged and wanted to learn. They shared their pain and how they’ve dealt with particular attacks. And during one of the most animated discussions, all shared solutions and vendors they’ve used to solve different problems.
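The ‘low and slow’ pattern described in the distributed-attacks item above, as an added example that is not from the article or from Distil: constructed request lines (made-up TEST-NET addresses, paths and thresholds), a classic per-IP rate rule that misses the spread-out scrape, and a per-endpoint aggregate that surfaces it.

```python
from collections import Counter, defaultdict

def constructed_log():
    """Return constructed sample request lines (not real traffic).

    200 proxy-like addresses each fetch /prices three times: 600 requests
    to one endpoint with no single source above three. One clumsy scraper
    hammers /prices 40 times from one address, and five ordinary visitors
    browse three pages each.
    """
    lines = []
    for i in range(200):
        ip = f"203.0.113.{i}" if i < 100 else f"198.51.100.{i - 100}"
        lines += [f"{ip} GET /prices?item={i * 3 + k}" for k in range(3)]
    lines += ["192.0.2.99 GET /prices?item=7"] * 40
    for i in range(1, 6):
        lines += [f"192.0.2.{i} GET {p}" for p in ("/", "/about", "/prices?item=1")]
    return lines

def parse(line):
    """Split 'ip METHOD path?query' into (ip, path) with the query dropped."""
    ip, _method, target = line.split(" ", 2)
    return ip, target.split("?", 1)[0]

def flag_noisy_ips(lines, threshold=20):
    """Per-IP rate rule: sources that made more than `threshold` requests."""
    counts = Counter(parse(line)[0] for line in lines)
    return {ip for ip, n in counts.items() if n > threshold}

def flag_distributed(lines, min_requests=100, min_sources=50):
    """Per-endpoint rule: endpoints whose volume is spread over many distinct
    sources, each of which may stay under the per-IP threshold.
    Returns {path: (total_requests, distinct_sources, max_requests_per_ip)}."""
    by_path = defaultdict(Counter)
    for line in lines:
        ip, path = parse(line)
        by_path[path][ip] += 1
    return {
        path: (sum(c.values()), len(c), max(c.values()))
        for path, c in by_path.items()
        if sum(c.values()) >= min_requests and len(c) >= min_sources
    }

if __name__ == "__main__":
    log = constructed_log()
    print("per-IP rule flags:", flag_noisy_ips(log))          # only the clumsy scraper
    print("per-endpoint rule flags:", flag_distributed(log))  # the distributed scrape
```

The per-IP rule flags only the one loud address, while the per-endpoint view shows 645 requests to /prices from 206 sources, none of the proxies exceeding three.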

BDC members care about job performance and about stopping fraud. They’re also smart enough to balance the need for tight security while providing the best possible customer experience.


About the Author

Edward Roberts

Edward Roberts leads Product Marketing and has over twenty years’ experience in technology marketing. Previously he worked for Juniper Networks, heading up Product Marketing for the Counter Security team. Before that he ran marketing for Mykonos Software, a web security company.
