The DDoS mitigation business has become a commodity. The CDN WAF business is the great product of yesterday. And the bot mitigation industry, which also includes the online fraud market, is the hottest segment in our ecosystem. There are winners and losers, with startups comprising most of the winners – we’ll keep their names confidential for the time being. Regardless of who’s leading the industry, every company in bot mitigation has developed technology to defend against bots. The strength of their business models is built on a single premise: bots do not behave like humans.
Therefore, through machine learning and intelligence gathering of signals and patterns, bot mitigation platforms defend by distinguishing bot sessions from human sessions. The bot mitigation industry has also developed features and engines to deal with bots, such as keeping a database of bot signatures, protection via polymorphism, fingerprinting of devices, human-device interaction, mouse-eye coordination, and so on. These features and engines help identify threats such as fraud, scraping, skewing, sniping, carding, card cracking, account take-over, token cracking, and so on.
But let’s be crystal clear: the biggest strength of the bot mitigation industry is also its biggest weakness. Yes, today’s bot mitigation platforms are doing an adequate job of distinguishing bot sessions from human sessions. However, in a few short months, bots are no longer going to act like bots. In fact, bots are going to act more human than humans themselves.
In many ways, the bot business is a chess game of intellectuals, and the ones with the biggest brains will win. For the outlaws using bots, their cybercrimes are paying off to the tune of tens of billions of dollars annually. Bot operators and online bank robbers are more profitable than many security startups. This means online bank robbers have unlimited resources to attract the brightest minds and mathematicians in countries outside the US. And you can bet the threat actors are going to use the same techniques, such as machine learning, fingerprinting and big data, to find out how humans behave online. Once they figure it out, bots and humans will become indistinguishable.
It’s time for bot mitigation players to start thinking outside of the box. Bot mitigation will need to do more to adapt to this upcoming threat. If not, entire business models and features like the Akamai Bot Manager will soon be rendered useless.

Well this is just a silly article. You can say this about any security technology in existence. Technology evolves as attacks evolve. This isn’t news to anyone.
Thanks for the feedback. What can I say, I was bored 🙂 Good timing though – about to publish 2017 prediction for the Akamai Bot Manager
Lol. Fair enough. And what’s your prediction to the ABM?
Akamai Bot Manager = $100M in Annual Sales in 2017
Interesting. You realize they are going up against the guys that started it…Distil Networks. I’ve spoken with many companies that have tested out ABM, and it doesn’t compare to Distil. I don’t think ABM will come even close to $20m, even with their customer base.
This is a pretty good resource. http://www.botnetremoval.com looks relatively new but they are focusing on this topic heavily.
Thanks. This is an awesome resource.
Yeah, no problem. I’m looking forward to your next articles!
Great resource @jimmyrossi:disqus
They will buy 2-3 bot mitigation startups in Q1 2017 to expand this business. One will be a pure-play bot mitigation startup and another will be a client-side malware protection startup.
Hi @bizety3:disqus
Whilst I agree that the current BOT Mitigation solutions can do very little to tackle human BOTs vs Automated BOTs, I completely disagree that the human element will make solutions like Distil/ABM irrelevant. Of course, ABM is pretty limited when it comes to aspects like brute force attacks, one thing you should not do is underestimate the power of Akamai when it comes to upselling and cross-selling into existing clients. They have featured on MQ purely on the basis of selling Kona into existing clients. And of course, they have just bought a BOT Mitigation startup as per your “prediction”! 😉
More importantly, for the bad boys, BOTs is all about scale! The only way to do that is through automated BOTs. Humans cannot scale for that aspect. 1 Million BOT attacks may cost only $100! How many humans can you get for that kind of money to do your dirty job? I am sure you can do the math! 🙂
Thanks for the great feedback. If you can’t tell by now, my opinions change weekly for the better, as I consume more research and talk to more startup security founders. As of 2 days ago, I believe bot mitigation as a product, WAF, DDoS Mitigation, and every existing point product will die in 2 years due to AI. I’m debating right now whether I should publish this only for paid subscribers or just do a public post.