Deep in the internet's plumbing, the “bots” are hard at work.
These aren’t all bad bots – Google, for example, uses them legitimately to “screen scrape” websites to best match a search. But hackers also write code that employs thousands of bots pretending to be humans hunting for an easy pay day across a range of websites, such as chasing arbitrage opportunities across gambling sites or guessing gift card numbers.
“Among our customers, we see everywhere from 30-70 per cent of their web traffic is made up of bots – and that’s just malicious bots,” said Sam Crowther, the founder and chief technology officer of Sydney-based cyber security start-up Kasada.
“It’s pretty terrifying.”
As cyber security cements itself as one of the biggest issues facing institutions, Kasada’s technology was today given a major endorsement through a $2.5 million investment from the David Shein-backed Our Innovation Fund and fellow venture capital group Reinventure. The cash is slated for extending Kasada’s US presence and ongoing upgrades to Polyform, its real-time bot detection and mitigation technology for websites and applications.
Mr Crowther, 22, described his skills as “security engineer with the ability to code and salesperson”, based on his time in the Department of Defence during high school. Side-stepping university, he leveraged that experience to get in the door at Macquarie Group after writing a letter to a senior executive asking for a job, which he left to start Kasada in 2015.
Developed with primary school friend and software engineer Tyrone Dougherty, the technology works by identifying malicious bots seeking to take over people’s online accounts or scrape for data. It reduces costs and distortion to marketing and web analytics, with Mr Crowther noting bots can consume the majority of a company’s bandwidth and computing resources. Screen or data scraping is how applications communicate with each other when they aren’t connected via consensual application programming interfaces, or “APIs”.
Mr Crowther said at its core, Kasada’s technology works by “blocking the bad bots and letting the good ones through”, which ultimately makes attacks too expensive for hackers. “By stopping someone from automating an attack, you reduce their ability to scale which reduces the economic viability because at the end of the day the reason the majority of hackers do what they do is monetary motivations,” he said. “The problem for many companies is they’ve just had no visibility into it so they do nothing. And this is part of what we’re helping people do – you can’t solve a problem that you don’t know exists.”
Mr Shein, a long-time entrepreneur and technology industry player, said Kasada’s ability to immediately lower customers’ infrastructure costs and improve marketing was a key attraction along with how it “stays ahead” of attackers, unlike traditional web application security products that “struggle to distinguish legitimate users from adversaries”.
Danny Gilligan, co-founder of Westpac-backed Reinventure, said security and governance demands were only rising as the “nascent data economy” further develops, noting estimates that spending on enterprise firewalls and cloud security was forecast to reach $17.2 billion annually by 2020. It marked Reinventure’s latest deal out of its second $50m fund, following its recent investment in Melbourne-based background screening and verification platform Everproof.
Westpac’s head of strategy and capability, Information Security Group, Simon Brown, whose team conducted some due diligence on Kasada, said more organisations could consider using the technology as legitimate uses for screen scraping decline once data sharing increases under an “open banking” regime.
“As APIs become more and more developed and available, the reasons to use screen scraping as a primary integration technology go down,” he said. Mr Brown added that while Kasada’s technology makes a “pretty big claim”, testing and case studies from existing clients proved it out.
“One of Kasada’s best use cases, which was quite compelling, is they were working with an online betting company who saw a lot of their accounts kind of coming under attack, people were trying to guess the passwords of their customers,” he said. “But when they dug into it what they found was a lot of their web traffic was actually other organisations screen scraping in order to get data to support betting arbitrage.”
Mr Crowther said real estate listing businesses, media companies or any others that expose their intellectual property are susceptible to screen scraping by competitors. Kasada offers a “user pays” model rather than a flat fee, charging clients for website requests that need verifying.
“It’s a huge market (that will only grow as data opens up) and there’s a lot of solutions which solve pain points, but the cause is the automation. So by stopping the automation you’re chopping the head off the snake,” he said, adding demand would only rise as economies open up the flow of data.