The Bot Mitigation Industry Is In For A Rude Awakening

The DDoS mitigation business has become a commodity. The CDN WAF business is the great product of yesterday. And the bot mitigation industry, which also includes the online fraud market, is the hottest segment in our ecosystem. There are winners and losers, with startups comprising most of the winners – we’ll keep their names confidential for the time being. Regardless of who’s leading the industry, every company in bot mitigation has developed technology to defend against bots. The strength of their business models is built on a single premise: bots do not behave like humans.

Therefore, through machine learning and intelligence gathering of signals and patterns, bot mitigation platforms defend by distinguishing bot sessions from human sessions. The bot mitigation industry has also developed features and engines to deal with bots, such as keeping a database of bot signatures, protection via polymorphism, fingerprinting of devices, human-device interaction, mouse-eye coordination, and so on. These features and engines help identify threats such as fraud, scraping, skewing, sniping, carding, card cracking, account take-over, token cracking, and so on.

But let’s be crystal clear: the biggest strength of the bot mitigation industry is also its biggest weakness. Yes, today’s bot mitigation platforms are doing an adequate job of distinguishing bot sessions from human sessions. However, in a few short months, bots are no longer going to act like bots. In fact, bots are going to act more human than humans themselves.

In many ways, the bot business is a chess game of intellectuals, and the ones with the biggest brains will win. For the outlaws using bots, their cybercrimes are paying off to the tune of tens of billions of dollars annually. Bot operators and online bank robbers are more profitable than many security startups. This means online bank robbers have unlimited resources to attract the brightest minds and mathematicians in countries outside the US. And you can bet the threat actors are going to use the same techniques, such as machine learning, fingerprinting and big data, to find out how humans behave online. Once they figure it out, bots and humans will become indistinguishable.

It’s time for bot mitigation players to start thinking outside of the box. Bot mitigation will need to do more to adapt to this upcoming threat. If not, entire business models and features like the Akamai Bot Manager will soon be rendered useless.

