Protecting Sites from Bots

Fifty million. That’s roughly the number of people who die each year around the world (ouch). It’s also roughly the number of automobiles produced annually around the world. And it’s also pretty close to the number of children who attend public schools in America each year. So, fifty million is a large number in most contexts – even in computing, where we’ve tended to become numb when presented with such magnitude.

Imagine my horror then, when shown back in 2007 how a new botnet called Cutwail had the ability to generate roughly fifty million Spam emails per minute. And its design was clean and simple: Each bot in the harvested army was told to send out Spam. Statistics, including success rates, were then passed back to the command and control server for analysis and subsequent action. I remember Cutwail resurfacing later in 2010 as a DDOS generator. Ugh.

As we approach 2020, the botnet threat posed by descendants of Cutwail to eCommerce sites and other Internet-facing resources not only remains, but is actually more intense. I’m asked about this issue daily during keynotes, lectures, classes, and other discussions. The comment I offer, in short, is that the only way to stop an automated offense is with an automated defense. SOC teams watching screens and tapping commands will not work.

So, it was a delight to catch up earlier this month with my good friend Kim DeCarlis from San Mateo-based cyber security company PerimeterX. I wanted an update on the state-of-the-art in protecting websites and applications from automated attacks, and I knew that PerimeterX offered a fine platform in this area. Our discussion did not disappoint, and I’ll try to summarize below what I learned from DeCarlis.

“The suite of solutions offered by PerimeterX is designed to identify and stop automated attacks, such as from botnets, before they can cause problems,” she explained. “The primary targets of these attacks are websites, applications – including mobile, and also APIs. Existing solutions use signatures and simple profiles, neither of which work, so we’ve been busy helping enterprise teams upgrade their protections.”

The PerimeterX suite starts with its flagship product called Bot Defender, which identifies and blocks inbound automated attacks using machine learning algorithms and tools. The learning data for Bot Defender is comprised of hundreds of billions of web, application, and mobile site visits. As one would expect, this approach allows the platform to adjust to changes in attack methods, which is not possible with static profiles.

The PerimeterX platform also includes a web application solution called Code Defender, which addresses client-side, third-party scripting attacks such as Magecart. The suite rounds out with Page Defender, which also addresses client-side weaknesses associated with advertising script redirects of the user browser to nefarious sites. This type of threat can interrupt eCommerce sales and seriously degrade one’s customer experience. Luckily, PerimeterX integrates with existing web technologies to make it easy for customers to get up and running quickly.

I asked DeCarlis for some insights into the technical approaches used to advance the state-of the-art. Her answer was rooted in analytics: “Our Bot Defender for Analytics is the secret sauce to how we identify human versus bot traffic,” she said. “Every visitor to a site is profiled in real-time using advanced behavioral fingerprinting technology. The results can be integrated with the analytics platforms being used by our customers.”

I also asked DeCarlis about the challenges of dealing with abuses targeting APIs. She explained that the PerimeterX platform includes API request profiling, where the fingerprinting focuses on the nature, usage patterns, and other attributes of API requests. “We include scoring of API requests to help differentiate between normal and potentially malicious activity,” explained DeCarlis. “Based on analysis and score, access control enforcement happens at the API sensor.”

From an analyst perspective, it’s hard not to see the obvious cyber security benefits of installing, integrating, and operating an automated detection scheme for botnets and related attacks. This is good news for PerimeterX, but of course, there are many options in this marketplace, with several machine learning-based offerings, and many different commercial solution options for client-side security. So, there is competition.

But I think DeCarlis and the PerimeterX team are up to the task. The company has Series C funding in place, and brags an experienced management group led by Akamai veterans Omri Iluz and Ido Safruti (post acquisition of Cotendo). In fact, this impressive Akamai legacy provides a valuable security differentiator for PerimeterX, especially when one considers the intimate nature of CDN design with inbound eCommerce interfaces.

My advice is to contact Kim DeCarlis and grab some time to hear more about PerimeterX. I can vouch for her technical (and marketing) competence, and you’ll not only hear about the platform, but you’ll also enjoy a useful overview of an important and growing part of the enterprise cyber security ecosystem. As always, please share your experiences with us after you’re taken the time to learn about PerimeterX. I look forward to hearing from you.