What’s up Bot? 10 Questions to Ask a Bot Mitigation Vendor

So, you think you solved your bot problem, but now you are unsure.

Or perhaps your contract is up for renewal, and you are doing due diligence to see if you are getting the best ROI from your bot management vendor partnership.

While performance, analytics, and logs look good, all your efforts to improve your digital experiences and delight your customers have not borne fruit. Revenue has not followed. Chargebacks are at an all-time high. Customers are calling the help desk and complaining about difficulty transacting on your site and are moving to competitors in droves. Your security and risk teams are complaining about an onslaught of false positives that are distracting them from strategic business initiatives.

Here are ten key questions to ask your bot mitigation vendor.

1. How does the vendor measure success?

The name of the game is efficacy… or is it?

When considering factors such as false positives, user friction, opportunities to personalize or improve the customer experience, and maintaining resilience no matter how criminals retool their attacks, we are talking more about effectiveness.

2. Does the service protect apps and APIs across different environments and clouds?

Are you able to run your business the way you see fit, leveraging the appropriate business continuity and ecosystems that streamline your operations and give you the highest competitive advantage, or are you required to rearchitect your environment and move your digital footprint into the vendor’s proprietary platform? What if that platform experiences degradation, or even an outage?

It is now possible to deploy bot defense anywhere to protect apps and APIs everywhere, with insertion points across clouds and architectures that enable rapid and robust protection—reducing complexity, increasing reliability, and supporting innovation while effectively managing risk.

3. Are you able to maximize your existing security investments?

Most security and risk teams have deployed complex tools to run their business and combat ever-evolving threats. For example, web application firewalls, application proxies, and as-a-service application platforms for e-commerce.

Leveraging existing investments while bolstering defenses against bots and malicious automation are ideal for practitioners that have limited time to learn the operational side of a new security tool or platform. This also helps align teams that otherwise focus on different parts of the attack lifecycle.

The ideal vendor can maximize existing security investments and minimize the operational burden on security and fraud teams.

4. What type of controls does the vendor use to prevent tampering and bypass?

Bad actors will leverage reconnaissance and reverse engineering to bypass anti-automation defenses and evade detection. Dark web forums are filled with examples of how to evade popular bot management platforms. Automation frameworks continue to evolve and can emulate or even exhibit human behaviour.

The best defense? Base detection on a variety of advanced network, device, environmental, and behavioral signals using durable and heavily encrypted/obfuscated telemetry that is essentially spoof-proof. For example, F5’s JavaScript leverages bespoke, per-customer implementations, and frequent bytecode randomizations within machine-level opcodes, making it computationally unrealistic to reverse engineer. This results in accurate detection and security countermeasures that are resistant to attacker manipulation.

Additionally, AI-based retrospective analysis and continuous monitoring by Security Operations Center (SOC) team members can uncover unusual traffic patterns or tampering.

Disrupt the ROI of cybercrime by making success impossible, or so impractical that it’s unfeasible.

5. Does the service provide controls to prevent attacks through third-party APIs and aggregators?

Bot management needs to support business opportunities enabled through third-party integrations without introducing risk of compromise through such integrations. How? By leveraging policies with fine-grained control of allowed/legitimate aggregators and associated permissions instead of employing a false dichotomy of allowing or disallowing aggregators globally.

6. How many stages of detection does the vendor provide?

If the motivated bad actor is sophisticated, you better prepare to enter the war room for some good old-fashioned “battle of the bots” exercises.

It is imperative to employ multiple stages of detection based on accurate and durable telemetry, highly trained artificial intelligence within a diverse collective defense network, as well as both real-time and retrospective analysis. A two-stage approach that uses AI and “carbon units” (humans) provides optimal protection and agility to deploy countermeasures autonomously and/or deliberately to confuse, and ultimately, deter, motivated adversaries.

7. Is the service able to adapt to your desired security posture and operating model?

Do you want to deploy robust but self-sustaining bot mitigation quickly. Do you want to control your security posture but extend your security and fraud teams’ expertise with a trusted advisor? Are you unsure how to proceed but want to evaluate options and avoid being tied to any particular deployment or operating model?

In all cases, a bot mitigation vendor needs to have your back, ready to jump into the war room when necessary to defend your business from compromise and abuse.

8. What types of mitigation does the service perform?

The appropriate action could mean silently monitoring the attacker’s canary account or it could mean optimizing authentication for a trusted customer.

If malicious intent is suspected, bot management can transform requests in-transit to deceive attackers through misdirection, limit access to specific application functions, throttle traffic, or flag requests for follow-up actions and watchlists.

Security teams should be able to apply granular mitigation controls by traffic type, source, and target, and countermeasures should be dynamic and adaptable.

Remember, effectiveness is more than efficacy.

9. Can the vendor use security controls to improve business outcomes?

Organizations can improve business outcomes by employing effective bot mitigation to protect critical apps and APIs. The three important questions: Are you human? Are you who you say you are? What is your intent? By consistently answering these questions for every interaction in the digital journey, you are well on your way to using security technology to improve business outcomes.

10. Is the vendor battle-tested against sophisticated and motivated cybercriminals and nation states?

By partnering with the right bot mitigation vendor, you can protect critical applications, regardless of architecture, cloud, or CDN, with effective, easy-to-use, and battle-tested security.

It makes sense to consider vendors that protect the world’s most valuable brands from the most sophisticated cybercriminals with outcome-based defenses centered on effectiveness.

About the Author

Byron McNaught is Senior Technical Marketing Manager at F5. F5 is a multi-cloud application services and security company committed to bringing a better digital world to life. F5 partners with the world’s largest, most advanced organizations to optimize and secure every app and API anywhere, including on-premises, in the cloud, or at the edge. F5 enables organizations to provide exceptional, secure digital experiences for their customers and continuously stay ahead of threats. For more information, go to f5.com.