Dominick Fuccillo
vp of corporate
development

"The harsh reality is every website today is being inundated by bad bots."

Enterprise Securityt
Summitt

Secure Apps, Data and End Users for the Digital Enterprise

REGISTER

An Online Conference

Distil Networks has published an innovative  Bad Bot Risk Calculator, an interactive tool designed to help organizations understand and quantify the economic risk posed by bad bots.

Distil’s latest tool lets users to conduct a custom analysis on how (and how much) they are under threat of ‘bad bot’ attacks. Analyses can be calculated from a variety of factors, including their company's industry, website traffic, number of data records, and website revenue, according to Dominick Fuccillo, Distil’s vice president of corporate development. The baseline impact analysis provided by the tool is based on data modeling and analytics from the Aberdeen Group.

Those using the calculator will receive a report with

• An estimate of annualized risk from malicious bots for your site size and industry
• How an incremental investment in an advanced bot defense solution can quantifiably reduce risk
• How investments in web application firewalls (WAFs) vs. Distil Networks compare

The release of the bad bot risk calculator comes as many in enterprise IT and security are looking for ways to better understand and minimize – their risks from attacks growing more sophisticated and long-running.

“Incidents of bad bot attacks have taken off over the last three years,” Fuccillo told IDN. “The harsh reality is every website today is being inundated by what we call bad bots. Estimates are as high as 20% of all traffic hitting your website comes from these.”

Under the covers, Distil uses a combination of techniques to safeguard apps and websites from automated bad bot attacks.

First, Distil’s technology looks to make sure any visitor – human or bot – is who it says it is. By monitoring each page request and building a fingerprint of each incoming connection, Distil can accurately detect bots in real time and then provide mitigation options. As an example, when a browser request comes in, Distil interrogates the headers to see if the visitor is lying about their identity.

 

To thwart more sophisticated attacks, Distil also offers machine learning-based capabilities to tell the difference between legitimate (human) visitors, friendly bots (such as search engine spiders) and bad bots that intend harm. Distil is also designed to catch any intercepted proxies bad bot hackers use to automate malicious or unwanted requests.

 

Bad bots can steal user credentials and identities, commit commerce and click fraud, kick off DoS (denial of service) attacks, slow down website response times and even steal content from websites that can cost a company money, according to Fuccillo. There are even examples where bad bots will conduct a web scraping attack an ecommerce site to steal product pricing information and send that data to a competing firm, he said.

 

Another factor that makes bad bot attacks so nefarious is that your company’s website doesn’t even have to be the original target.  Fuccillo points to the example of where a bad bot attack steals thousands (or hundreds of thousands) of user credentials. “What makes this bad bot attack particularly profitable is once a user’s credentials (e.g. username and passwords) has been captured from one website, the hackers will use that captured credentials to infiltrate a user’s account at other websites,” he told IDN.  This can happen because many users will re-use the same username/password info at multiple sites, Fuccillo added.

Distil, Verizon Partner on 'Bad Bot' Protection, Mediation 

The ‘bad bot’ attack has grown so big in fact that OWASP, known worldwide for its OWASP Top 10 list of web security threats against web application firewalls (WAFs), has taken up arms.  The organization recently published the OWASP Automated Threat Handbook for Web Applications, in large part to underscore that the ‘bad bot’ threat is completely different from WAF threats, and just as hazardous.

Distil offers protection from each of the 20 threats listed in the OWASP Automated Threats report.

One of the men behind OWASP’s expanded attention to ‘bad bots’ (aka ‘automated threats’) is Tim Zaw, director of security solutions at Verizon Digital Media Services.

Today, digital security starts with what Zaw called “a deep understanding between WAF and bots.”  He shared the distinction.  OWAPS top 10 threats are WAF-focused and are about exposing the web code and attacking “code vulnerabilities,” Zaw explained.  On the other hand, bad bot attacks are about the “misuse of valid [website] functionality” such as registration, log-in and databases for customers, inventory and pricing information, Zaw said during an online security conference earlier this year. 

Such bad bot attacks are responsible for as much as 20% of unauthorized traffic to any given website. Beyond stealing information, bad bots can rapidly multiply and infest a system or network, and trigger a barrage of calls or requests that can hurt performance and even take sites down, he added. 

Perhaps not surprisingly, Distil and Verizon Digital Media Services are partnering on bot detection and mitigation. The technology will deepen Verizon’s multi-layer approach to web security and defense, according to execs at both companies.

Under the partnership, Verizon is bringing Distil-based bot protection to its Edgecast Content Delivery Network (CDN). Edgecast CDN’s bot protection will be the latest addition to a security portfolio that already includes a cloud -based WAF, automated anti-DDoS and real-time traffic monitoring.

This spring’s news that Verizon is selling its cloud and manage hosting service to IBM, does not impact the Distil/VDMS partnership. "Today, we are working with their CDN, WAF, and website delivery side of the business (Verizon Digital Media Services), so this [Verizon / IBM] news doesn't appear related to anything we are currently working on." according to a statement given to IDN from Distil.

Check out the Bad Bot Risk Calculator here.