As bot activity is impacting consumer trends, it is important for brands to be agile with technology.
Welcome to today’s episode where we’re diving into the challenges and opportunities presented by the rise of bot activity in several key industries with Nanhi Singh, Chief Customer Officer & GM Application Security, Imperva a Thales company. We’ll explore the implications of the 2024 Imperva Bad Bot Report and discuss strategies for staying agile amidst these changes.
About Nanhi Singh
Nanhi Singh is responsible for application security products and all functions that enhance customer experience and value for Imperva customers. This includes customer support, consulting, training, customer success, managed services, and renewal sales. Prior, she was SVP, Customer Retention and Renewals at Symantec. Nanhi’s career spans more than decades in cybersecurity and technology, always leading customer-facing functions.
Nanhi also serves on the Board of Directors of Franchise Group and serves as a member of the Audit Committee on that Board. She serves on the Board of Directors of Peninsula Open Space Trust (POST), a nonprofit public benefit corporation. She is passionate about supporting women and minorities in the Technology industry and was previously a mentor in the Tech Women program.
Resources
Thales website: https://www.thales
Imperva 2024 Bad Bot Report: https://www.imperva.com/resources/resource-library/reports/2024-bad-bot-report/
Attend the Mid-Atlantic MarCom Summit, the region’s largest marketing communications conference. Register with the code “Agile” and get 15% off.
Register now for HumanX 2025. This AI-focused event brings some of the most forward-thinking minds in technology together. Register now with the code “HX25p_tab” for $250 off the regular price.
Connect with Greg on LinkedIn: https://www.linkedin.com/in/gregkihlstrom
Don’t miss a thing: get the latest episodes, sign up for our newsletter and more: https://www.theagilebrand.show
Check out The Agile Brand Guide website with articles, insights, and Martechipedia, the wiki for marketing technology: https://www.agilebrandguide.com
The Agile Brand podcast is brought to you by TEKsystems. Learn more here: https://www.teksystems.com/versionnextnow
The Agile Brand is produced by Missing Link—a Latina-owned strategy-driven, creatively fueled production co-op. From ideation to creation, they craft human connections through intelligent, engaging and informative content. https://www.missinglink.company
Transcript
Note: This was AI-generated and only lightly edited
Greg Kihlstrom: As bot activity is impacting consumer trends, it’s important for brands to be agile with technology. Welcome to today’s episode, where we’re going to dive into the challenges and opportunities presented by the rise of bot activity in several key industries with Nanhi Singh, Chief Customer Officer & GM Application Security, Imperva a Thales company. We’re going to explore the implications of the 2024 Imperva Bad Bot Report and discuss strategies for staying agile amidst these changes. Nanhi, welcome to the show.
Nanhi Singh: Thank you so much, Greg. It’s wonderful to be here.
Greg Kihlstrom: Yeah, looking forward to talking about this with you. Why don’t we get started with you giving a brief introduction of yourself and your role at Thales?
Nanhi Singh: Sure. So as you mentioned, I am Chief Customer Officer. And basically what that means is that when it comes to customer experience, the buck stops. And I am accountable for all of the experience that the customer goes through with our technology solutions, starting with when they purchase the solution and look to deploy it and work with our various teams to optimize it, and then through the operational phases and through expanding and adding users and adding more applications and so on. So I am actually new to Thales. I am part of an acquisition that Thales completed on the 1st of December, 2023. And the company is Imperva. And we are most known for our web application firewall solution. So we focus on securing applications and APIs. And of course, along with the entire Thales portfolio, what we do is secure data and all paths to that data. So the promise that we look to deliver to our customers is that when they work with us, we ensure that their data, the applications that obviously add to that data, modify that data, and so on, and the APIs, which are a big part of modern applications, are secured.
Greg Kihlstrom: Great, great. Well, yeah, you are definitely the right person to talk about this report with. And so let’s dive in here and we’ll put a link to the report in the show notes as well. But first, could you provide an overview of the 2024 BadBot report and why are its findings significant for businesses today?
Nanhi Singh: Yeah, so our BadBot report, which we have been releasing for the last few years, this year has shown that bad bots are just continuing to increase in the percentage of total traffic of the internet traffic. And one of the main things that I think has led to this is actually Gen AI, because it’s become simpler now to write simple bots. So a large number of simple bots are being written by people with very little technical skills. They’re able to very quickly create a little bot and release that and basically create a lot of chaos and confusion. For many of our customers, particularly those who have focused on building a digital experience, especially during this COVID experience that we all went through, a number of companies decided that they had to have a digital presence or had to enhance their digital presence. And a lot of them did it in a bit of a rush, perhaps, and didn’t really account for all of the various risks that they need to think about when it comes to web applications and mobile applications. So I think that a lot of the bad actors are taking advantage of that and we see an increase in bot traffic.
Greg Kihlstrom: Got it. Yeah. And we’re going to dive a little into the AI aspect. We talk a lot about the positives and kind of the optimistic perspective on Gen AI a lot on the show as well, but definitely want to talk through that in a minute here. But, you know, first I wanted to talk through, you know, the report highlights some significant bot activity in some very specific sectors, law, government, entertainment, financial services, some others as well. Can you maybe elaborate on, you know, what are some of the types of threats that these industries are facing and maybe some impacts as well?
Nanhi Singh: Yes, certainly. So I think that what’s really important to understand is that obviously there’s so many different kinds of security threats. But when it comes to bots and specifically automated threats by bots, that’s a very specific set of threats. And some of the most common ones that we see are scraping and account takeover. And account takeover, for instance, is common across all industries. So login functionality on websites, they basically exist, whether you’re a ticketing application, or you’re a grocery store, or whatever it might be, you have login functionality. And account takeover is one of the most common bot threats that we see. When it comes to specific industries, then you start to see very specific types of threats. So one example I can give you is the entertainment industry and specifically ticket sales. So we see a lot of ticket scalping. What we saw also, going back to my comment about COVID, is that a lot of people really took a look at their lives and decided that they wanted to live life to the fullest. And so they spend money on experiences. And this has led to a lot of ticket applications doing very well, and a lot of concerts and entertainment doing really well. But it’s also led to an explosion in ticket scalping. And so what happens there is that the bots are basically used to create an unfair advantage over humans, over real human users. And the other problem is that the sheer volume of bot requests can just overwhelm the application infrastructure. And this can just slow everything down and maybe even cause downtime. And obviously, you know, downtime is something that, you know, most businesses are measuring that because of the operational costs that are associated with it.
Greg Kihlstrom: Yeah. Yeah. So what does a business do then? I mean, maybe even just to use the ticketing example, you know, what does a company do to mitigate some of these risks here?
Nanhi Singh: So I think that certain industries like the ticketing one I described or travel, they are particularly susceptible to bot threats. And I think what is really important is for the security teams and the business. And usually, you know, it is somebody who’s accountable for the e-commerce site, or it’s somebody accountable for the digital experience. I know that a lot of our customers now have chief digital officers. So it’s really important for security and the business teams to work together to understand what are those key business metrics that are important to them with the whole digital customer experience, and then start to identify and evaluate the risks that are presented on their websites or on their mobile applications, and identify all of those vulnerable points, like login endpoints, like pages where you’re creating an account, or payment pages, and other kinds of forms. And then the other important thing is to understand what is the traffic that you have on your websites, and how do you look for unexplained spikes in this traffic, and how do you then implement the security solutions, like Flink or Advanced Bot Protection solution, that can then help control and manage that.
Greg Kihlstrom: Yeah. And so I want to talk a little bit about, you know, we, we talk a lot about aspects of the retail sector on the show quite a bit. And I want to bring this to that, that realm as well. And, you know, with over a quarter of retail website traffic coming from bad bots, which I did not know until I was prepping for the show. You know, we’ve got holiday shopping. You know, by the time the show airs, we’ll be we’ll be in full swing with the shopping season, believe it or not. And, you know, during critical times like Black Friday and others, what challenges does this pose for retailers in particular?
Nanhi Singh: Oh, our BadBot report actually highlights that ATO attacks or account takeover attacks actually, during the holiday season, it spiked to 85% on Black Friday. And malicious login requests start to soar between October and November as, you know, these days, companies are also trying to get shoppers in early. And so you start to see this happening. And the other thing that’s really important to note is that whenever there is a data security breach, we see that the account takeover attacks start to really spike right after a data breach, because these bad actors have been able to get access to credit card information. And they are essentially trying to either go for card cracking or use account login to take over the customer’s account. So yeah, retail, I think, suffers a great deal during Black Friday, Cyber Monday. And in Asia, we see that also during, I believe it’s called Singles Day. In fact, some of our retailers, we also see that during Super Bowl, which is when a lot of them are investing a lot of marketing dollars and they’re trying to get users and customers to their websites. That’s the other event where we see a lot of bad bot traffic.
Greg Kihlstrom: And so I want to get back to a point that you made earlier about kind of go back to visibility. And so, you know, again, with the ticket sales scenario, it’s like from the ticket seller’s perspective, it’s like, oh, yay, you know, we sold out all our tickets, but, you know, turns out, you know, 75% of them were sold to bots, you know, same with retailers here. It’s like, not all bots are bad bots, right? So that’s why I think it’s called the bad bot report, right? So there’s harmful bot traffic that you mentioned. There’s also, you know, more beneficial bot traffic, like price comparison crawlers, things like that. How does a retailer differentiate between the, you know, all bots are not created equal, in other words, like, how do you differentiate between these? And so you can let the right ones in, basically.
Nanhi Singh: Absolutely. Actually, more than half the internet traffic today is bots. Not all of it is bad bots because we have obviously looked to get a lot of automation benefits using bots in the technology focused industries. So it’s very important to be able to distinguish between the good bots and the bad bots. And that’s actually why in our advanced bot protection solution, we take a very, what we call multi-layered detection approach. And we combine reputational analysis with also looking at behavioral analysis. So we really focus on identifying very accurately the bad bots so that we don’t impact legitimate users and we don’t impact the good bots because the good bots are actually useful. So it’s really important that our customers are able to identify those bots that they want to allow on their sites and really block only the bad ones.
Greg Kihlstrom: Yeah. So to go to the you talked about account takeovers, and I wanted to touch on one more point about that briefly and just to definitely not a good thing. What do what do companies do to help manage or combat these ATO attacks effectively?
Nanhi Singh: Well, the short answer is you need to have an advanced bot protection solution, especially if you are in an industry that is prone to these ATO attacks. So, for example, one of the largest recorded ATO attacks that we protected against was with a digital banking service provider. And they were targeted with over 500 million malicious login requests over a span of three weeks. And they were peaking at over 25 million requests per day. But it was our solution that automatically prevented that. In a lot of cases, we are able to show our customers through the reports that we provide in our console that we protected them and they didn’t actually even know that the attack was happening because we protected them against the attack.
Greg Kihlstrom: Wow, that’s a significant number there. To go back to the AI topic, we talked about this briefly, you mentioned it in your introduction there. Generative AI, like I said, we talk about it quite a bit and there’s certainly a lot of benefits. And one of those benefits is kind of democratizing access to information and data and for marketers to be able to do things that they might have relied on engineers before. But as you mentioned, democratizing, creating bots and malicious actions and things is also one of those things that it allows as well. So, I know you kind of touched on it, but what do companies do to stay ahead when not only is it, you know, it’s always been a threat, right? But now it’s seemingly becoming easier for anyone. Again, it’s just like there’s citizen data scientists now because of Gen AI. Now I guess there’s citizen hackers or whatever you will. What does a company do to stay ahead of this?
Nanhi Singh: Yeah, so I think what I’ll say first, Greg, is that I am an AI optimist. I would like to believe that there will be more good coming out of AI than bad. But like everything in life, there are enough bad actors who try to take advantage of a good technology for their own personal gains. So as I mentioned, there is a rise in simple bots, simple bad bots that we have seen. So we know that Gen AI is definitely contributing to that. And I think that there is another concern, which you kind of like alluded to in your question there. That’s really the ethical and legal complexities of web scraping for AI training. I think it goes back to the point about protecting data and protecting privacy. And so I think that there is definitely privacy and copyright infringement concerns from web scraping to pull proprietary information to train AI models, which is obviously a big concern. But I think that at this time, it’s an evolving field. It’s growing by leaps and bounds every single day. And I think that what we can do now is really advise our customers to focus on a dedicated bot management solution that can fight against all of these bots that are being created, whether they’re being created by humans or created by AI, and really focus on safeguarding websites, mobile applications, as well as APIs. And there are a lot of sophisticated bot attacks too. And I think it’s really important to understand that where specific industries start to see the initial attack could be some simple thing started off with something created using AI. But then as you start to fight back and block those bots, then the bad actors come in and start to make adjustments, and we call them persistent bots. They keep coming back with trying to fight against the solutions that we have put in place.
And in fact, I use the word fight because one of our customers, who’s also a huge partner because we work with them in a B2B2C approach, and they have a security operations center that has a dedicated group within the SOC that is focused on fighting bots. And they call it the Bot Fight Club. And we actually also have our experts, who we call our security analyst services experts, work with that Bot Fight Club. So we are sort of their escalation point whenever they run into things that they’re not able to solve with our solution directly, they reach out to us and we jump in and really fight the bad actors.
Greg Kihlstrom: Yeah. Yeah. And so, I mean, you know, it sounds like part of training AI, I mean, you know, I know a little bit about this, but, you know, how the team that won against Go, you know, and all that kind of stuff, you know, they trained AI against AI, right, to do this stuff. So, you know, in a sense, that’s how you, that’s how you do the good stuff as well as how you do the bad stuff as well. To the overall point, the threats are not going to stop, but it sounds like it’s not just AI against AI. It takes humans with AI to combat. The Fight Club isn’t just an AI running autonomously, right? What’s the balance here? You know, there’s definitely AI versus AI, but there’s also the human component. How do you look at that human component and the transparency of what’s going on? Like, how critical is that part of it?
Nanhi Singh: Okay. Yes. So, let me start by actually talking a little bit about how the security industry in general, and specifically Imperva and Thales, have actually been using AI for a long time. And for a long time, we have been talking about machine learning models, right? So a lot of our security solutions are basically dynamically trained machine learning models. And that was what we referenced as AI before Gen AI came along. So there’s a little bit of history there, which I think sometimes people don’t fully understand because of all the hype around Gen AI at this point. And then I want to go back to the point I made earlier about being an AI optimist, because I think that the power of AI is to enable humans to be able to do more than we could ever do. Wildest dreams. And so that brings me back to being able to combat some of these bad actors who are using AI with AI means that you also need humans that are using the AI to fight against bad actors. So I think the human component will really never go away. There is obviously a lot that can get automated, which is what has happened through these machine learning models. It has happened through Gen AI. But I think that as we understand human behaviors, there is some judgment that a human sitting in a SOC can start to apply and can start to scale in a crazy amount of beyond our wildest imaginations because now they have AI tools to do it.
Greg Kihlstrom: Yeah, yeah, absolutely. And I share your optimism there. It’s I think it’s, it’s good to have a dose of realism in there. You know, once in a while as well, but definitely, definitely agree. I think there’s the benefits outweigh the drawbacks for sure. As you think of the months and years ahead, you know, how do you see the landscape of, you know, to go back to bot activity? How do you see that landscape evolving over over the next few years?
Nanhi Singh: I think it’s going to be rapidly evolving. I think one of the main things that we’re already starting to see, and a lot of our customers are talking to us about this, is basically bots being used to target APIs. I briefly talked about this at the start, that with digital transformation, basically we have this proliferation of APIs because that’s how modern applications are developed. And a lot of these APIs are, you know, being targeted by bots. And I think that we will start to see this continue to explode. We are starting to see it right now. And I think that we will continue to see this because there were just so many little holes in how APIs were used in the applications that were hurriedly created during the COVID situation that we all went through.
Greg Kihlstrom: Yeah, yeah. Well, thanks so much for joining today. One last question before we wrap up here. As I mentioned, we’re going to put a link to the Bad Bot report in the show notes. But, you know, just wondering, I know we touched on several of the themes within the report, but, you know, are there any, you know, either additional or to kind of highlight some key insights from the report that you’d like to close with?
Nanhi Singh: So I think one of the key insights that I hope our listeners will take away from this is that bad bots are a cross-industry concern, and they are a cross-functional concern. It isn’t just about the security teams that need to care about bad bots. It is the business teams. It is marketing and e-commerce and fraud. It really goes across all aspects of an organization. And in order to have an effective advanced bot protection solution, it is important to align the cross-functional resources within the organization to understand what are those metrics that really matter, that you need to be focused on so that you can then prevent those fraudulent activities and prevent the service disruptions to your business.