Hi Deepak, please tell us your role and the team you handle at PerimeterX.
I serve as a Security Evangelist at PerimeterX. My team of cybersecurity experts work closely with Research and Product teams to consistently uncover and combat novel cyberattacks. At PerimeterX, we analyze the full gamut of cyberthreats related to Websites, Mobile apps and APIs, DevOps and Governance, and we work with digital businesses to protect them and liberate them of worry in each of these categories.
Recommended AI: AiThority Interview with Rohan Chandran, CPO at Infogroup
From your vantage point, what have been the most impressive and important changes to your industry, and how has it changed the way you work?
Without a doubt, COVID-19 is having the most prominent effect right now. The PerimeterX team has been tracking surges in traffic and cyberattacks on industries including food and food delivery, e-learning and travel, and fashion and home goods.
Levels have been surpassing even the highs of holiday shopping, with account takeover (ATO) attacks most commonly trending. These attacks are far from new, having incurred roughly $10 billion in losses over the past two years. My team is at the forefront of educating Retailers and Financial Service companies to strengthen their mitigation efforts even further.
Digital skimming attacks such as Magecart have continued to rank among the top cyberattacks as well, with ramifications rising for businesses due to compliance regulations such as GDPR and CCPA. Additionally, cybercriminals are now intercepting web and apps by attacking the APIs that connect them. Educating businesses on risk factors continues to be critical here.
How are App Attacks different from Website attacks? What kind of technology does one rely on to thwart such attacks?
Website attacks can be classified as typical attacks that go after the vulnerabilities of the protocol. We are defining web applications as applications that provide a user with a login and allow the user to make a purchase or obtain something of value. Web Application attacks abuse the business logic – like using the login page to validate stolen credentials or using the gift card balance checks to guess gift card numbers with a balance.
ATO attacks, carding attacks, and scraping attacks are just some of the attack types that are shared between the two. In fact, the primary way that apps are built today is with APIs. APIs are increasingly being targeted by malicious hackers. Our research has found more than 75% of login requests from API endpoints are malicious. The growth in API attacks is driven by the simple fact that they are easier and more economical to mount while being harder to detect than legacy browser-based botnet attacks.
New forms of Cyber threats are emerging. Healthcare and Financial institutions are the primary targets? How do you analyze these threats at PerimeterX?
We take a proactive approach and monitor for these threats as they arise, with Machine Learning trained by a real-time feedback loop to keep up with evolving attack methodologies.
Recently, Bird Bot pushed the pricing higher for Nintendo Switch, poaching resellers to hoard the console. What kind of bots are we dealing with here?
These open-source bots are fairly sophisticated and have a workflow for top e-commerce sites that repeatedly adds console listings to a ledger and automatically presses the buy button. This follows a similar model to bots used by streetwear and sneaker enthusiasts to snatch up inventory for the sake of resale profits.
These tools have become quite popular in street fashion markets, have been sold openly, and are even advertised on the growing number of sites covering shoe culture and sneaker releases.
Who benefits from deploying these kinds of checkout bots/reselling bots?
Secondary market hosts and resellers are the direct beneficiaries of these. Bird Bot was publicly available to anyone with access to the distributor’s Discord server, allowing consumers to access the tool without even paying a premium.
On the opposite end, there are huge repercussions to the businesses from whom products are bought using these tools. For these brands, checkout bots that deny users access to products are seriously damaging their reputation. These bots are very sophisticated, change rapidly, and are tuned live during the launch of such limited edition products, making it really challenging to detect and mitigate them.
AI, Blockchain, low-code DevOps, and RPA techniques are making a huge impact on the current security tech markets. Where is the overall AI-ML market heading to in the next 4 years?
As cyberattacks are becoming increasingly sophisticated, Machine Learning-based solutions are going to become a core aspect of any content security policy.
Users now create staggering amounts of data per year, and novel algorithms are necessary to differentiate user behavior to solve new use cases. To do that, website owners need a new defensive Machine Learning-driven methodology, sophisticated behavior modeling, and a constant real-time feedback loop.
What kind of skills and abilities does one need to be part of your security product development team?
Members of my team must focus on putting customer needs first, understanding the true value of our products from a market perspective, and being able to nurture innovations that meet demand.
We have to prioritize the features that customers mainly rely on, and the main reasons customers are using our products. Building and Marketing innovations into Products that match market demand at the right time are key for driving strong adoption and satisfaction.
Apart from offering Bot Defender, what other ways can businesses leverage automated cyber threat management to sustain growth?
We additionally offer PerimeterX Code Defender and PerimeterX Page Defender, which protect against other prominent attacks that threaten business growth. Code Defender proactively monitors client-side code for websites and apps and protects against Magecart attacks, digital skimming, formjacking, and sensitive data-harvesting attacks by detecting malicious script execution to safeguard user data.
Page Defender is a browser malware protection solution that blocks unwanted ads and scripts from redirecting web visitors so they can complete their intended path, resulting in more revenue for e-commerce sites and better brand experience.
Is it safe to say that AI and Machine Learning development have finally outgrown their IT predecessors? Is it now an industry and a service in itself?
Yes. Previous approaches didn’t act in real-time and didn’t have automated feedback loops to continuously improve. Machine learning (ML) does all of this. Smarter fraudsters are now taking fuller advantage of Cloud Computing and Distributed Networks to mount attacks that are both harder to detect and are constantly evolving.
ML is required to get ahead of the cat-and-mouse game and spot new, more sophisticated threats that can evolve by the hour. The biggest advantage with ML is that it helps the industry deal with the increasing volume of security alerts and false positives. This enables the Security Analysts to get to the newest threats and stay ahead.
What is your opinion on the “Weaponization of AI technologies”? How do you promote your ethical AI ideas in the modern Digital economy?
While there are exciting innovations to be achieved using our wealth of data, the invasion of privacy that comes along with it can be scary. The ensuing debate is both troubling and necessary. At PerimeterX, we collect a lot of user activity data, but no personally identifiable information (PII), since we can stop attacks without it.
Tag the one person in the industry whose answers to these questions you would love to read:
Sandy Carielli, Principal Analyst at Forrester.
Thank you, Deepak! That was fun and hope to see you back on AiThority soon.
Deepak Patel is a Security Evangelist at PerimeterX.
Deepak Patel has over two decades of experience in leading product, sales engineering and marketing teams in the security and infrastructure space. He is passionate about helping customers solve complex challenges in application security. He holds an MBA from Santa Clara University and a Bachelor’s in Computer Engineering from the National Institute of Technology, Karnataka, India.