Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

How Bot and Fraud Mitigation Can Work Together to Reduce Risk

Onions are great for analogies, as are buckets full of stuff from the beach. In this piece, I’d like to take a look at how both of these analogies can help us understand how bot and fraud mitigation can work together to help enterprises both improve their security postures and lower their fraud losses.

Onions are great for analogies, as are buckets full of stuff from the beach. In this piece, I’d like to take a look at how both of these analogies can help us understand how bot and fraud mitigation can work together to help enterprises both improve their security postures and lower their fraud losses.

The obvious analogy when it comes to an onion is that of peeling away different layers. When we look at the digital channels (web and mobile) of online applications, we find a whole host of different activities. Some of it is desired, while much of it may be undesired. Yet, more often than not, we try to defend our online applications as a whole, without trying to peel away individual layers of activity that might help us see and understand what is actually going on a whole lot better.

Similarly, say I give you a bucket of water, sand, and rocks from the beach, and I ask you to pull out all of the rocks. You could certainly put your hands in the bucket and attempt to pull out all of the rocks one by one. Or, you might run and get some sort of a strainer, pour the contents of the bucket through the strainer, and find yourself left with all of the rocks. The first method is a brute force of sorts – diving right in without considering whether tools may help complete the job more efficiently. It is equivalent to looking at the onion without peeling away any of the layers. The second method, on the other hand, uses tools to more efficiently complete the work. That is akin to peeling away layers of the onion to better understand it.

When looking to detect security breaches and fraud events within our online applications, we must first understand that we most likely have a combination of automated traffic (bots), manual fraud (fraudsters), and legitimate customer traffic (what we want). Having all three of these mixed together creates a large volume of data, much of it noise. It is extremely difficult to identify, analyze, and investigate any traffic of interest when looking across the entirety of the traffic, noise included.

Thus, to more effectively protect our online applications from security and fraud threats, we must revisit our analogies. We must peel away the layers of the onion, and we must filter the bucket of beach stuff. Or, to put it another way, we can take a three-pronged approach to more effectively monitoring our online applications for security and fraud issues with far less noise:

1. Automated traffic: Bots, whether good or bad, are not the legitimate human customers we desire. In some cases, bots can comprise 80%-90% of the traffic an online application sees. As such, the first step to improving security and fraud monitoring is removing all of the automated traffic. Rules and signatures aren’t enough here – understanding how to differentiate the intent and behavior of bots vs. humans is key. Successfully filtering out the automated traffic reduces both the noise level and the risk level tremendously and allows the security and fraud teams to focus on what remains – mainly manual (human) traffic. Some of that traffic will be legitimate and wanted, while some of that traffic will be fraudulent and unwanted.

2. Manual fraud: Fraudsters are highly motivated, creative, and clever.  They make their living figuring out how to abuse the business logic of your online applications in order to cause you fraud losses.  They learn how to hide amongst your legitimate users.  When you figure out how to detect them, they change their behavior.  Here again, rules and signatures are not enough – an understanding of how to differentiate the intent and behavior of fraudsters vs. legitimate users is a must.  Successfully doing that results in the ability to filter out and block the majority of fraud.  This results in greatly reduced fraud losses, as well as a further reduction in the noise clouding visibility.  In addition to those incredible benefits, it opens up the doors to another possibility.

3. Reduce friction: Reliably filtering out unwanted automation and fraud gives us another possibility. If we can reliably identify the traffic we don’t want, we can also reliably identify the traffic we do want. If we can do that, then we can stop piling on the user experience friction for our known good users. In other words, if I can reliably tell that a given user is both human and a legitimate user, then why hassle them with friction, such as MFA challenges and otherwise?  The conventional wisdom that the introduction of those friction points is essential to stopping security breaches and fraud attacks breaks down when we can accomplish that without the need to burden the user. The ability to reliably identify unwanted traffic (whether bot or fraud) opens up an entirely new realm of possibilities when it comes to reducing user experience friction. That, in turn, mitigates another risk that is often overlooked – the risk of lost revenue due to users abandoning the application.

In recent years, advances in the ability to reliably detect automation (bots) and fraud have opened up new possibilities for security and fraud teams. By understanding how to identify, isolate, and remove unwanted bot and fraud traffic, enterprises can remove the noise clouding the visibility they have into their online applications. This, in turn, allows those enterprises to focus on better protecting their online applications and on optimizing the user experience for their legitimate users.

Related: All About the Bots: What Botnet Trends Portend for Security Pros

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...