With the global pandemic continuing to catalyze digitalization, we’ve seen two years worth of digital transformation take place in a mere two months, according to Microsoft CEO Satya Nadella. Clearly, bad actors are capitalizing on the opportunities that digital transformation creates, as more data and business information are now available online. One stand out example of this are automated threats: bad bot attacks have become more sophisticated. It’s not all bad news, however: the tools to thwart these attacks have become more advanced, too.
The volume of bad bots is increasing
One particularly worrisome change we have recorded is an increase in the percentage of bad bot traffic in 2020, as 25.6 percent of all internet traffic was made up of bad bots. The reason for concern here is that regardless of the significant increase in human traffic on the internet, the bad bot traffic ratio has increased alarmingly compared to previous years. This indicates that bad bot operators have identified more opportunities, and made sure to double down on their efforts in order to make even bigger profits than in the past.
The outcomes of this increase in bad bot activity are very noticeable across many organizations in various business sectors. According to the State Of Online Fraud And Bot Management, a Forrester thought leadership paper commissioned by Google, 71 percent of companies experienced an increase in the number of successful bot attacks since the start of the pandemic.
If the digital transformation process has accelerated, why aren’t we seeing a shift in perception regarding bot management yet?
The future of bot management
In 2019, Forrester has stated that “security pros should expect to see a complete flip of the market, where instead of WAF tools providing bot management to augment their OWASP Top 10 defense, bot management tools will garner the most customer interest, and OWASP Top 10 protection will be a secondary, add-on benefit.” This begs the question, if the digital transformation process has accelerated, why aren’t we seeing a shift in perception regarding bot management yet? Evidently, there are still common misconceptions regarding the bot problem in many organizations today. In fact, many of them are either not doing enough or not handling it correctly.
Traditional tools aren’t sufficient
According to Google, many companies are using the wrong set of tools and technologies to protect themselves: 78 percent of organizations use DDoS Protection, WAF, and/or CDNs for bot management while only 19 percent are using a complete bot management solution. Traditional tools like the ones mentioned above may be able to cope with basic automated threats, but those are just the tip of the iceberg. Bots nowadays are highly sophisticated and more difficult to detect, with over a half of bot activity that we monitor classified as Advanced Persistent Bots (APBs). These cycle through IP addresses, use anonymous proxies as well as peer-to-peer networks and have the ability to change their user agents. They use advanced techniques to evade detection while remaining persistently focused on their target.
The bot problem is cross-functional
It is vitally important to understand that bots affect multiple functions and teams across the organization. Some examples include fraud prevention, marketing, e-commerce, security, network and more. Thus, all relevant teams should be taking part in decisions regarding bot management. This isn’t the case in reality however, as on average, only two teams are involved in the bot management decision-making process, according to Google. Collaboration and the adoption of a holistic approach are critical in creating a successful bot management strategy for your organization.
What to look for in a bot management solution
In the ever-evolving landscape of fighting automated threats, future proofing is crucial. Look for a solution that is adequately equipped to handle the most sophisticated bad bots. It must incorporate machine learning that is capable of identifying real-time bad bot behavior and adapt. It also helps establish a baseline for normal behavior, as well as enable automated detection and response.
You want a solution that can block bots from the very first request they make, and protect all your access points: websites, mobile apps and APIs. Your bot protection needs to include device fingerprinting, allowing it to track bot activity across IP addresses and detect browser automation tools. Such tools are capable of processing JavaScript and emulating legitimate browsers, making them more difficult to identify and block.
The solution has to contain cutting-edge techniques, such as injection of active challenges and honeypots into HTTP traffic, per-URL customization and security controls to fine tune protection; graduated controls for rate-limiting, such as by client, device, authentication token or simple IP address; and enable community-sourced threat intelligence to help customers learn from one another. Read our Buyer’s Guide: Ten Essential Capabilities of a Bot Management Solution for more recommendations.
Your partner in the fight against bad bots
Imperva’s industry leading Advanced Bot Protection is capable of mitigating the most sophisticated automated attacks, including every OWASP automated threat. It leverages superior technology to protect all potential access points, including websites, mobile applications and APIs, providing you with various response options for bots. And it does so without imposing unnecessary friction on legitimate users, maintaining the flow of business-critical traffic to your applications.
Flexible deployment options include:
☐ Imperva’s WAAP (Web Application and API Protection) stack, including our best-of-breed CDN, WAF, DDoS and Advanced Bot Protection working together
☐ Coming soon: full integration into WAF Gateway (version 14.4 – click here for additional details)
☐ Available connectors for F5, NGINX, Fastly, Cloudflare and AWS lambda users
Advanced Bot Protection is a part of Imperva’s Application Security platform. Start your Application Security Free Trial today to protect your assets from automated threats.
Try Imperva for Free
Protect your business for 30 days on Imperva.