Bot Management: 3 Critical Capabilities Your Vendor Must Deliver

Earlier this year, Forrester Research released its evaluation of the top solutions in bot management, The Forrester New Wave™: Bot Management, Q1 2020 report, in which PerimeterX was named a Leader. Drawing on insights from the report by Forrester, a leading independent research firm, we believe that certain bot mitigation practices are more effective than others.
The Forrester report discusses how “Sophisticated bots can mimic [human] behaviors, evade basic captcha challenges, and even hijack a real customer’s browser and tokens. To combat these most sophisticated bots, security pros need a bot management tool combined with threat intelligence that can layer detection methods such as statistical analysis of user behavior, collect biometrics to detect anomalies, and continuously update reputational scoring. A bot management vendor’s threat research team will keep abreast of new bot trends and feed that data to the development team and to the market.”
The report also says, “The top bot management tools combine extensive signal collection with deep analysis of the bot traffic to detect simple and sophisticated attacks.” Both good and malicious bots are continually increasing in complexity, and the business risks from automated threats are on the rise. According to industry bot data aggregated by the PerimeterX team, legitimate bots constitute 16.75% of overall site traffic, while malicious bots account for 36.17% of site traffic. These threats abuse the business logic embedded in typical web application architecture, and website owners must take note. While CDNs and WAFs can address DDoS attacks and other web application attacks, businesses can only properly address certain automated threats with a robust, holistic application security solution, one that does not scale if built strictly in-house.
Top bot management solutions are defined by advanced capabilities that can help companies block sophisticated bots and free up their time so they can focus on growing their digital businesses. These capabilities include high accuracy, low latency and a multi-channel approach to application protection. Bot management solutions should improve website user experience while also accurately mitigating the diverse set of automated threats. As a Leader, PerimeterX Bot Defender embodies these features and is built with the functionality to learn and evolve alongside these increasingly sophisticated threats.
1. Accuracy for All Automated Threats
Attack detection, which we see as a foundational capability for bot management, is one of the criteria evaluated in the Forrester report. Highly accurate detection distinguishes good bots from bad ones and automatically blocks the malicious ones, which leads to a significantly better website user experience.
Bot attacks vary from high-volume account takeover (ATO) attacks on the login page to high-sophistication web scraping and carding attacks. Addressing every automated threat with high precision is an absolute necessity to reduce the user interruptions caused by excessive CAPTCHAs. The ability to run many machine learning algorithms against a vast, clean data set, along with customization for different URL paths, provides the best detection accuracy and coverage against all attacks. A constant, real-time feedback loop and advanced accuracy improve web analytics for better business decisions, reduce the risk of attack and increase operational efficiency.
Bot Defender leverages this exact machine learning (ML) methodology, including behavior-based and predictive analytics, to detect and block automated bot attacks. It is not dependent on pre-configured rules and policies, which often can't distinguish real users from bot traffic—or good bots from bad bots. Bot Defender also collects anonymous, in-depth data about the user to reduce account and payment fraud conducted by CAPTCHA-solving bots, and improves conversion rates and customer satisfaction by reducing user friction.
2. Low Latency Out-of-Band Approach
Latency introduced by bot management solutions is often overlooked by website owners during the vendor evaluation process. Addressing latency requires a new approach to bot management and bot traffic. This includes:
- Processing user traffic metadata out-of-band in real-time
- Performing enforcement inline as close to the edge as possible
This out-of-band approach has the added advantage of enabling bot management solutions to work with existing web technology stacks without adding layers of traffic processing that impact bandwidth. More importantly, it ensures a positive user experience that can protect a company’s brand and the revenue derived from its applications.
Bot Defender takes advantage of this functionality and can be deployed anywhere with your existing e-commerce infrastructure—no changes required. Over forty pre-built integrations support a wide range of content delivery networks (CDNs), WAFs, load balancers, web servers and application servers. The out-of-band mode of operation is compatible with any cloud-based, appliance-based or serverless infrastructure.
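As an added illustration of the two bullets above, not PerimeterX code, here is a small Python model of out-of-band scoring with inline enforcement: the edge hands request metadata to a background scorer and decides from a cached verdict, so scoring time never sits on the request path. Field names, thresholds and traffic are constructed.

```python
"""Toy model of the out-of-band pattern above: request metadata is scored on a
background thread while the inline edge check only reads a cached verdict, so
detection adds no latency to the request path. Added example, not PerimeterX
code; thresholds, fields and traffic are constructed."""
import queue
import threading
from collections import defaultdict

MAX_REQUESTS_PER_WINDOW = 20   # constructed: more than this in WINDOW_SECONDS => automation
WINDOW_SECONDS = 10.0


class OutOfBandDetector:
    def __init__(self):
        self.inbox = queue.Queue()
        self.verdicts = {}                 # client_id -> "block"; the only state the edge reads
        self._history = defaultdict(list)  # client_id -> recent request timestamps
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        while True:                        # consumer loop, off the request path
            meta = self.inbox.get()
            hist = self._history[meta["client_id"]]
            hist.append(meta["ts"])
            hist[:] = [t for t in hist if t >= meta["ts"] - WINDOW_SECONDS]  # sliding window
            if len(hist) > MAX_REQUESTS_PER_WINDOW or not meta["sensor_seen"]:  # velocity or no JS sensor
                self.verdicts[meta["client_id"]] = "block"
            self.inbox.task_done()

    def drain(self):
        self.inbox.join()                  # demo helper: wait for scoring to catch up


def edge_enforce(detector, meta):
    """Inline enforcement: hand metadata off (non-blocking) and decide from the cached verdict."""
    detector.inbox.put(meta)
    return "block" if detector.verdicts.get(meta["client_id"]) == "block" else "allow"


def simulate():
    """Constructed traffic: a human-paced client and a client hammering /login."""
    det = OutOfBandDetector()
    req = lambda cid, ts: {"client_id": cid, "ts": ts, "path": "/login", "sensor_seen": True}
    human = [edge_enforce(det, req("human", i * 2.0)) for i in range(5)]
    bot = [edge_enforce(det, req("bot", 100 + i * 0.1)) for i in range(40)]  # may still be "allow": verdict lags
    det.drain()
    return {"human": human, "bot_first_wave": bot,
            "human_later": edge_enforce(det, req("human", 200.0)),
            "bot_later": edge_enforce(det, req("bot", 200.0))}
```

The first wave of bot requests may be allowed before the verdict lands; that lag is the price of keeping detection off the request path, and it is why enforcement sits at the edge, where the cached verdict is applied to every subsequent request.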
3. Protection Across All Channels: Web, Mobile and APIs
Shoppers are increasingly engaging over multiple channels, so having different levels of detection accuracy for different channels is a non-starter for most digital businesses. They need protection across all channels to ensure their applications are protected and able to support growth. A superior bot management solution should address all automated threats across all channels: web, mobile and APIs.
Bot Defender excels in safeguarding digital businesses with customizable mitigation for web and mobile applications and APIs. It uses a combination of fingerprinting, behavior-based and predictive methods to detect bots and stop hyper-distributed attacks, no matter the vector.
By 2021, m-commerce sales are expected to account for 54% of total online sales. Cybercriminals have followed this trend, deploying bots that target mobile apps and APIs used to support mobile storefronts. Mobile SDKs tend to be less capable at identifying and thwarting bots than average desktop JavaScript sensors, potentially making m-commerce shoppers more vulnerable.
Modern websites are shifting logic to the client side to increase performance and enrich the user experience. They also make extensive use of third-party scripts and open-source libraries to innovate faster and deliver rich new capabilities. In fact, almost 70% of the scripts on a typical website are third-party. A platform approach to web application security includes mitigating client-side attacks that exploit vulnerabilities in JavaScript, leading to Magecart and digital skimming attacks that can leak user data right from the browser.
APIs are of special interest since web application firewalls (WAFs) are not particularly effective at blocking API attacks. APIs can present additional vulnerabilities, and web applications need to account for those in their application security strategy. API bot attacks can compromise web application security because they reach back-end infrastructure directly and can exfiltrate large data sets unless something recognizes the change in usage patterns. Bot managers that include API mitigation for these real-time attacks need to implement access control, authentication and authorization processes as part of the bot management solution.
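As an added example, not PerimeterX code, the usage-pattern check described above in Python: each API client is compared with its own hourly baseline of records retrieved, so a bulk pull stands out even when request counts look ordinary. The log line format, client names and traffic are constructed.

```python
"""Recognising the usage-pattern change that bulk API exfiltration leaves behind:
each API client is compared with its own per-hour baseline of records retrieved
(not request count, so large page sizes cannot hide behind few calls).
Added example, not PerimeterX code; the log format and traffic are constructed."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# constructed access-log line format: "<unix_ts> client=<id> GET <path>?page=<n>&size=<n> 200"
LOG_RE = re.compile(r"(?P<ts>\d+) client=(?P<client>\S+) GET (?P<path>[^?\s]+)\?page=\d+&size=(?P<size>\d+) 200")


def build_sample_log():
    """Constructed sample: two partners paging /v1/customers gently for six hours,
    then in hour 6 one of them walks the whole collection in 50 rapid calls."""
    lines = []
    for hour in range(7):
        for client, pages in (("p-acme", 3), ("p-mobile", 2)):
            for page in range(pages):
                lines.append(f"{hour * 3600 + page * 600} client={client} GET /v1/customers?page={page}&size=100 200")
    lines += [f"{6 * 3600 + i * 5} client=p-mobile GET /v1/customers?page={i}&size=100 200" for i in range(50)]
    return lines


def records_per_hour(lines):
    """client -> hour -> records returned (sum of page sizes on successful calls)."""
    volume = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            volume[m["client"]][int(m["ts"]) // 3600] += int(m["size"])
    return volume


def flag_volume_shifts(volume, current_hour, ratio=3.0, sigmas=3.0, min_history=3):
    """Flag clients whose current-hour volume exceeds their own baseline, either by a
    fixed ratio or by `sigmas` standard deviations (the ratio guards against a flat
    baseline, where the deviation test alone would fire on any increase)."""
    flagged = {}
    for client, by_hour in volume.items():
        history = [v for h, v in by_hour.items() if h < current_hour]
        if len(history) < min_history:
            continue                       # not enough baseline yet; leave to static limits
        mu, sd = mean(history), pstdev(history)
        threshold = max(mu * ratio, mu + sigmas * sd)
        current = by_hour.get(current_hour, 0)
        if current > threshold:
            flagged[client] = {"records": current, "baseline_mean": mu, "threshold": threshold}
    return flagged
```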
For more information about bot detection and mitigation, read The Forrester New Wave™: Bot Management, Q1 2020 report and visit the PerimeterX Bot Defender page. The report evaluated 13 vendors in the bot management market on criteria related to product offerings and business strategy. PerimeterX received differentiated ratings, the highest ratings possible, in the attack detection, attack response, threat research, feedback loops, performance metrics, vision, roadmap and market approach criteria. Bot management solutions monitor bot activity and include protection against account takeover or credential stuffing, card fraud, skewed analytics, web scraping, content scraping and denial of inventory.