According to the Breach Level Index (breachlevelindex.com), more than six million data records are stolen each day. The major data breaches that make the headlines cause most of the direct damage. During the last few months of 2018, for example, Marriott, Facebook, and Quora all suffered serious data breaches.
Unfortunately, the damage doesn't end with the breach. Often that is just the beginning of a long tail of collateral damage that rarely makes the news. Credentials stolen in these breaches, typically username and password combinations, eventually find their way to the Dark Web. From there, bad actors acquire tens of millions of them and orchestrate massive automated bot attacks, commonly called credential stuffing, to test whether the same username and password combination grants unauthorized access to accounts on other web sites (financial services, retail, gaming, social media, etc.). The attack works because so many people reuse the same password across sites.
So how pervasive is this problem, and what is the impact on organizations being targeted?
Cequence and Osterman Research recently published the results of detailed research in the report "The Critical Need to Deal with Bot Attacks" to get some answers. Researchers gathered data from 211 large enterprises across the US to learn more about their experiences with bots and their attack defense strategies. The report is accessible here. Among the interesting and informative nuggets:
- 100% of these organizations have been victims of bot attacks
- They experience more than 500 bot attacks each day
- Attacks target web/mobile apps and APIs deployed on premises and in the cloud
- They have an average of 482 applications deployed across the organization
- Greatest damage is from account takeover, app DDoS, and API abuse attacks
- 91% rely on web application firewalls for defense (clearly, they’re not working well)
- Average bot attack detection/mitigation time exceeds 96 hours
- The cost for each IT security team to deal with attacks exceeds an average of $175,000/year
There’s a lot to unpack in this report, but three themes emerged that organizations need to address:
- Application Discovery – DevOps teams are doing a great job accelerating application development, deployment, and updates to keep pace with the business. However, the security teams responsible for protecting these apps are often unaware of all the apps being developed and deployed. An effective bot defense strategy must begin with full visibility into the web, mobile, and API application assets being targeted. Visibility into APIs is especially important in today's hyper-connected organization, because a compromised API can affect other members of the digital ecosystem (partners, suppliers).
- Bot Attack Detection – Since 100% of organizations have suffered bot attacks, and 91% have a WAF (web application firewall) deployed, it is safe to assume that these tools aren't doing a great job detecting automated bots. That actually makes sense: a WAF inspects individual requests for known attack payloads such as SQL injection or cross-site scripting, but bots running credential stuffing are not injecting malware. Each request carries a well-formed username and password and, taken on its own, looks exactly like a legitimate human trying to log in. The signal is in the aggregate behavior, not the individual request. These organizations therefore need a better way to determine the behavior and intent behind the login requests associated with the 500+ bot attacks they experience each day. If these attacks go undetected, the organization must deal with account takeover, financial fraud, fake reviews, and overall business disruption.
- Effective Mitigation – The research indicates that these organizations spend an average of 48 hours to mitigate a bot attack. That is two days if one person works non-stop on the problem, but more realistically it is about a week of interrupt-driven effort. Given the chronic shortage of skilled IT security personnel, plus a loaded cost of $175,000 per employee, this is a cost, productivity, and security problem that must be solved. One potential solution is to automate the mitigation (and detection) process in a way that saves time and also strengthens the security posture of the organization.
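To make the detection and mitigation points concrete, here is an added example (not code from Cequence, Osterman Research, or the report) of the kind of behavioral check a WAF does not perform: instead of inspecting each login request for a malicious payload, it aggregates login attempts per source address and flags the pattern credential stuffing leaves behind, many distinct usernames, a very high failure rate, and machine-speed pacing. It then emits the automated mitigation actions the third theme calls for (block the source, force a credential reset on any account the bot got into). The log format, the sample lines, the field names, and the thresholds are all assumptions made for this illustration.

```python
"""Behavioral credential-stuffing detector over web login logs.

Added example; not code from Cequence or the Osterman report. The log
format, thresholds and action names below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log (not real traffic): "<iso-time> <src_ip> <username> <result>".
# 198.51.100.7 sprays ten different accounts in four seconds (one of them hits).
# 203.0.113.9 is a human mistyping alice's password twice, then succeeding.
SAMPLE_LOG = """\
2018-12-01T10:00:00 198.51.100.7 alice FAIL
2018-12-01T10:00:00 198.51.100.7 bob FAIL
2018-12-01T10:00:01 198.51.100.7 carol FAIL
2018-12-01T10:00:01 198.51.100.7 dave FAIL
2018-12-01T10:00:02 198.51.100.7 erin SUCCESS
2018-12-01T10:00:02 198.51.100.7 frank FAIL
2018-12-01T10:00:03 198.51.100.7 grace FAIL
2018-12-01T10:00:03 198.51.100.7 heidi FAIL
2018-12-01T10:00:04 198.51.100.7 ivan FAIL
2018-12-01T10:00:04 198.51.100.7 judy FAIL
2018-12-01T10:05:00 203.0.113.9 alice FAIL
2018-12-01T10:05:20 203.0.113.9 alice FAIL
2018-12-01T10:05:45 203.0.113.9 alice SUCCESS
2018-12-01T10:06:00 192.0.2.44 mallory SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-address aggregate of login behavior."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)      # distinct usernames tried
    successes: Set[str] = field(default_factory=set)  # usernames that logged in
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str) -> Tuple[datetime, str, str, bool]:
    """Parse one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Fold every login attempt into per-source statistics."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return stats


def is_stuffing(s: SourceStats, min_attempts: int = 8, min_user_ratio: float = 0.8,
                min_fail_ratio: float = 0.8, max_secs_per_attempt: float = 2.0) -> bool:
    """Credential-stuffing heuristic (thresholds are assumed, tune per site):
    enough volume, mostly different usernames, mostly failures, machine pacing.
    A human retrying one account fails the distinct-user test and is left alone."""
    if s.attempts < min_attempts:
        return False
    span = (s.last - s.first).total_seconds()
    paced_like_a_bot = span / s.attempts <= max_secs_per_attempt
    return (len(s.users) / s.attempts >= min_user_ratio
            and s.failures / s.attempts >= min_fail_ratio
            and paced_like_a_bot)


def detect(log_text: str) -> List[Tuple[str, str]]:
    """Return automated mitigation actions: block each stuffing source and
    force a credential reset on every account it successfully logged into."""
    actions: List[Tuple[str, str]] = []
    for ip, s in sorted(aggregate(log_text).items()):
        if not is_stuffing(s):
            continue
        actions.append(("block_source", ip))
        for user in sorted(s.successes):
            actions.append(("force_reset", user))
    return actions


if __name__ == "__main__":
    for action, target in detect(SAMPLE_LOG):
        print(f"{action}: {target}")
```

Running it on the constructed log flags 198.51.100.7 and queues a reset for erin, while the human retrying alice's password is left alone. In production the same statistics would be kept over a sliding window and keyed on more than the source address (session or device fingerprint, ASN, JA3 hash), because an attacker who spreads the same attempts across thousands of proxies at a slow pace defeats a purely per-IP threshold.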
Various studies over the last couple of years indicate that malicious bot traffic is growing and likely accounts for more than 30% of all Internet traffic. It is a problem that won't go away anytime soon. Every organization that relies on web, mobile, and API application services to connect with partners, suppliers, and customers should consider itself a potential target.
Michael Osterman, CEO of Osterman Research, will share more details on this research during a live webinar on January 30. Download the report now and you will also receive an invitation to the webinar.