Recently, we had several prospective customers tell us that they have created their own bot mitigation solution and it was working for them. Without an opportunity to see their solution in operation and the results, we have to believe them. Building your own security solution has always existed with the use of Snort for IDS and IPS as the most well known. As a longtime do-it-yourselfer, I can attest to the value of doing it yourself instead of paying someone else. Many of the criteria you or I might use to make a build vs. buy decision – expertise, time, money, and what I need to give up (the opportunity cost) to complete the project – are applicable when it comes to bot prevention. Let’s take a look at a few of them.
Expertise & Core Competency
Several factors come to mind when considering if your team has the expertise to prevent bots. First, how much of a target is your organization? The general rule of thumb is that if you have assets of value behind a login, you are a target. The more in demand those assets are, the more highly targeted you are. If you are a financial services firm, social media, or a high demand retailer (e.g., game consoles, video cards, shoes), then I believe your team will be overmatched if you try to build your own bot prevention offering. Here’s why. The assets are of high value to and bots have become highly sophisticated. For example, automated retail shopping bots itself a big business as they try to cash in on a merchandise resale market slated to be $30B by 2030. As shown in the figure below, bots have evolved from basic scripts found only in the nether regions of the dark web to Bot-as-a-Service. Supported by their own marketplaces and communities, these offerings are accessible by anyone and represent the continued commercialization of bots.
So, if you have a high demand item (or other assets that bad actors could profit from), and are building your own bot prevention solution, your team, no matter how large, is up against a very large community of smart, sophisticated bot operators who are making money in the resale market. This is their job. So when we prevent their purchase, they lose money. Are you prepared to assign your team to focus solely on bots, keeping up with the latest tools and techniques?
Assuming you have built a solution to detect bots, how will you respond? Rate limiting is an obvious first step, but bots can easily move to a low and slow approach. Blocking is the logical next step but there is a high risk of blocking a legitimate customer as bot managers commonly use compromised, residential IP addresses readily available from Bulletproof proxy vendors. Prior to deploying our Bot Defense solution, customers with homegrown solutions inadvertently blocked large swaths of legitimate IP addresses, leading to many unhappy customers.
Getting Help & the Network Effect
When building your own bot prevention offering, you will need to rely on community support. Unlike Snort for IPS, which had strong, passionate community support, the bot prevention space has limited open-source tools which means the community support is going to be limited in nature. When your homegrown offering is pummeled by a determined set of bots, you may struggle to find help fending them off. Most of the bot prevention vendors have a threat researchers and data scientists who analyze bot attacks across all of their customers, taking what is learned, sharing it with our customers and using it to improve defenses. In some cases, they’re working in real-time as an attack is ongoing. As an example, one of our retail customers faced a series of bots totaling more than 150 million requests in a 24 hour period. The bots continually retooled, trying different tactics to succeed. The depth of knowledge gained from supporting a wide variety of customers and attacks provided immeasurable value. Do you trust that your team has the knowledge and time needed to fend off an attack of this scale?
Automated malicious bots impact your entire business. They don’t just impact security. Here are a few examples:
- IT is impacted with mobile app, web site outages and cost overruns for scaling to meet malicious demand.
- Fraud teams are impacted with user account validation and reset efforts.
- Customer support teams have to deal with upset customers.
- Brand and PR efforts are hurt by negative customer feedback who cannot buy their favorite widget.
- Marketing departments make skewed decisions based on fictitious traffic generated by bots, not humans.
Every organization makes build vs. buy decisions across all their departments. The shortage of security and IT professionals is well known and something organizations everywhere are struggling with, so if you’re building your own bot prevention offering it means that you’re also making the choice to NOT work on something that might be more core to your business.
Bots have rapidly evolved and will continue to do so – it’s big business and they impact all aspects of your organization. If you’re making a bot prevention build vs. buy decision, or struggling to keep bots at bay and want to learn more, please join Ameya Talwalkar, our co-founder, and Sandy Carielli, Forrester Risk and Security analyst for a webinar where they will discuss the true impact of automated shopping bots.