Why Security Teams Are Adopting Bot Management At Pace
Businesses are realizing the value of bot management as part of their application security strategy, with the control set expected to mature towards mainstream adoption in less than two years. This is according to the latest Hype Cycle™ for Application Security by Gartner®, released this month.[1]
The Gartner analyst acknowledges that adoption and usage of the technology are maturing, with mainstream adoption expected within two years, and gives it a ‘high’ benefit rating for users.
In this blog, as a Sample Vendor within the report, we’ll reflect on some of the findings and give our own perspective on how they contribute to the development of this risk mitigation category overall.
Why is adoption of bot management tooling accelerating?
Awareness of broader business impacts is growing
One of the drivers for bot management identified by Gartner is “Leaders’ increasing recognition that bot management crosses multiple use cases and business units makes these capabilities more sought-after.”
In simple terms, organizations are starting to understand the risk posed by malicious automation to the entire business. This is a key trend amongst our customer base. Mitigation might land in the lap of security departments, but the financial and reputational damage is felt acutely, and often initially, across customer service, marketing and infrastructure teams as attacks harness a variety of techniques to strip business value.
For example, a scalping attack targeting high-demand concert tickets creates costs amongst brand and customer services teams as loyal customers, dismayed at being price gouged or unable to get tickets, flood support and social channels to air grievances. Credential stuffing is another good example; the attacks impact infrastructure teams as resources are eaten up by abnormally high traffic – which then skews analytics for marketing teams. The resultant breach of customer accounts ultimately ends up on the radar of fraud and customer services departments.
The words ‘increasing recognition’ are also illuminating as part of bot management’s wider maturity journey.
Such attacks typically accumulate business impact over time, rather than hitting with the immediacy and impetus of a ransomware incident or data breach. Because bot attacks are a more gradual leaching of value, recognition of them tends to emerge over time in the wider cyber risk equation.
Because of this, some businesses still need clarity on ownership of the issue, providing the forward-looking CISO with an opportunity to educate the board on the business impacts and proposed mitigations.
Detection capabilities are maturing
When bot management was in its infancy, vendors mostly relied on rules-based lists of IP addresses linked with malicious automation.
Static lists of “known-bad” sources are still prevalent within the bot management solution space. While these do provide some value in quickly blocking IP addresses with the worst reputations, we agree with the recommendation from Gartner to “select solutions based on their ability to detect malicious bots via various techniques rather than relying primarily on reputation controls to detect ‘known-bad’ sources, such as IP reputation or attack techniques”. The recommendation highlights how malicious automation has evolved in response to the rise in sophistication of bot management capabilities. Bots are now built to easily cycle through IP addresses, often using residential proxies to masquerade as real users with good reputations.
AI has become a powerful instrument against attackers wise to static rules and block lists. At Netacea, we use a suite of machine learning models (Intent Analytics®) to detect a wide range of automated attack types. We assess every single web request received by our clients, but instead of merely looking at the characteristics of individual requests, we put each one in the context of how the entire web visitor dataset behaves. This allows us to dynamically react to attacks as they evolve and change, often in response to threat actor tactics, techniques and procedures.
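The contrast between reputation lists and population-level behaviour can be shown over a handful of log records. This is an added example, not Netacea's Intent Analytics or code from this post; the log records, the `client_fingerprint` field, the blocklist and the thresholds are all constructed assumptions, and a simple median comparison stands in for the machine learning models.

```python
from collections import defaultdict
from statistics import median

IP_BLOCKLIST = {"203.0.113.5", "203.0.113.9"}  # constructed "known-bad" list

def build_sample_log():
    """Constructed records: (source_ip, client_fingerprint, path, status).
    The fingerprint is an assumed non-IP signal, e.g. a hash of header order."""
    log = []
    for i in range(40):  # ordinary visitors, an occasional mistyped password
        ip, fp = f"198.51.100.{i}", f"browser-{i % 5}"
        log.append((ip, fp, "/login", 401 if i % 7 == 0 else 200))
        log.append((ip, fp, "/products", 200))
    for i in range(60):  # one campaign: same tooling, new IP per attempt
        status = 200 if i % 30 == 0 else 401
        log.append((f"203.0.113.{i}", "tool-x", "/login", status))
    return log

def blocked_by_reputation(log, blocklist=IP_BLOCKLIST):
    """Requests that a static IP reputation list would stop."""
    return [r for r in log if r[0] in blocklist]

def flag_by_behaviour(log, min_logins=5, factor=3.0, floor=0.05):
    """Flag fingerprints whose login failure rate is far above the median
    rate across all fingerprints. Returns {fingerprint: (rate, distinct_ips)}."""
    groups = defaultdict(list)
    for ip, fp, path, status in log:
        if path == "/login":
            groups[fp].append((ip, status))
    rates = {fp: sum(s == 401 for _, s in rows) / len(rows)
             for fp, rows in groups.items()}
    # Median over groups is not dragged up by one high-volume group;
    # the floor avoids flagging everything when the baseline is zero.
    threshold = factor * max(median(rates.values()), floor)
    flagged = {}
    for fp, rows in groups.items():
        if len(rows) >= min_logins and rates[fp] > threshold:
            flagged[fp] = (round(rates[fp], 3), len({ip for ip, _ in rows}))
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("stopped by IP list:", len(blocked_by_reputation(log)))
    print("flagged by behaviour:", flag_by_behaviour(log))
```

On this sample the reputation list stops only the two requests whose addresses it already knows, while the behavioural grouping surfaces the whole campaign as one cluster spread across 60 addresses.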
This approach has earned us plaudits from analysts such as Forrester, who assessed our threat detection capability top of the pack in their Wave for Bot Management in 2022.
The need to trust automated response on the web attack surface
The Gartner report cites “The fear of blocking a single legitimate user is often higher than the perception of the damage being caused by malicious bots” as a potential impact.
This is a thorny issue for highly trafficked web presences. In a very competitive business environment predicated on volume and UX, false positives are a huge concern. As some high-profile ticket sales have shown, overly prescriptive controls can have as much of a reputational impact as bots themselves.
However, with the pace and volume of modern automated attacks, manual intervention is just too slow to be of much use. Automated response on the web attack surface which is capable of both blocking attacks and identifying genuine users is critical.
Netacea co-founder and CPO Andy Still addressed this in a recent episode of the Cybersecurity Sessions podcast. “I’ve talked to people who were working in SOC environments who were getting 10,000 alerts an hour; there is no way that a human can respond to that. So, they need to use automation and AI wisely to make sure that they can keep up with the attackers, get the expertise from the humans and use that to control the AI defenses.”
“The idea of auto blocking was unpalatable to some of our early customers because they wanted to approve any changes that we were making. But by the time any changes could be approved, the attackers were long gone. So, the only way we can stop these attackers is to build that trust relationship with our customers that we will be making wise decisions, and by making those decisions, we’re making their sites safer.”
This philosophy has paid off as Netacea Bot Protection delivers extremely accurate detection – around 0.001% false positive rate – giving clients the confidence to trust our automated mitigations and respond instantly to attacks whilst protecting customers.
The importance of specialized controls
The report states: “The growing perception among the most targeted B2C mega brands is that no single bot management solution can mitigate all bot attacks.”
For us, this perception is tied to a recommendation made in the report: “Evaluate the capabilities of bot management solutions that come with your WAAP or CDN platform. If these are sufficient, they represent a quick win in terms of implementation ease and vendor rationalization. If the chosen bot management solution doesn’t meet your requirements, evaluate stand-alone solutions.”
In our experience, settling for bundled solutions can lead to the misconception that the bot problem is too complex for just one vendor in isolation. However, bundled solutions can lack technical capabilities that come from more focused pure-play or standalone solutions. Read our Buyer’s Guide for Bot Management for more information.
In practice, not all solutions are equally effective. We’ve evidenced this repeatedly in proof of value engagements running head-to-head with CDN-based bot management solutions. Thanks to our dedicated data analysis and threat research functions, which feed directly into our data science models, we detect as many as 30 times more malicious requests than these solutions.
What’s next for bot management?
Gartner predicts that within two years, bot management will achieve mainstream adoption, the time required for the innovation to reach the Plateau of Productivity. What will the space look like by then?
With the AI “genie” well and truly out of the bottle, defenders will have no choice but to ramp up their use of artificial intelligence as the web attack surface is hit by an increased volume and complexity of threats. Offensive AI is still in its infancy but the potential for exponential harm, with barriers to entry for adversaries lowering, is alarmingly close.
For organizations, this increased volume of malicious automated attacks will compound the already mounting impact on reputation, revenues and customer relationships, as well as adding to infrastructure costs and skewed analytics. For bot management to reach full maturity, this attack type needs to be countered by a similarly sophisticated automated detection and response capability.
[1] Gartner, “Hype Cycle for Application Security, 2023”, Dionisio Zumerle, 24 July 2023