Behind the Scenes: The Journey to Defensive Security & Kasada v2

We’ve been on a journey to rebuild a defensive security solution against highly skilled, motivated, and persistent adversaries. Our new v2 platform development has been years in the making. Over this time, we’ve focused on adversarial thinking in all phases of the v2 design by understanding tactics, identifying common pitfalls, and analyzing every bot we’ve ever seen. 

In many ways, it’s highly advantageous for Kasada to have entered the bot mitigation space after the first generation of providers. The rise of new automation frameworks and the long-term challenges with other providers’ efficacy have shaped our v2 architecture so that it avoids the pitfalls others have fallen into. For these reasons, long-term efficacy is a central pillar of our company strategy and roadmap.

Time: A Defender’s Enemy

“Time is your only enemy, it disappears very quickly and never gives you a second chance.” – Steve Douglas

The automated threat landscape continues to change as automation frameworks rapidly evolve, making it easier and cheaper for bot operators to create stealthy bots that fly under the radar. It is hard to believe that the popular automation framework Puppeteer is only three years old and Playwright has been around for just over a year. There is no doubt that the pace of innovation with these DevTools will continue to progress rapidly. A major point to consider is that most bot defense systems were created before these frameworks even existed, so their architecture did not account for them.

This is exactly why long-term efficacy needs to be a core pillar of any bot mitigation product. Too often, solutions work just fine at the onset, only to quickly lose their efficacy months later, as adversaries reverse engineer the solution and make the information easily accessible to the masses so that it can be exploited. Having bot operators reverse engineer your sensors essentially throws your R&D out the window, rendering it ineffective.

Changing the Bot Mitigation Game

Bot mitigation is often referred to as a cat and mouse game. For too long, bot operators have been allowed to play the game on their own terms. At Kasada, we’ve learned a lot about how to build a better mouse trap. Several v2 features were conceived in the heat of the battle in “if only we had x” moments, where the mouse had the upper hand. 

Two features of v2 that dramatically improve our defensive security capabilities are: 

  1. Employing sophisticated JavaScript obfuscation. This is something that has been done carelessly by many providers. So, we took extra care to make sure we got it right.
  2. The ability to dynamically inject JS into the client, without upgrading the code. This provides us with a distinct advantage because we can rapidly insert new detection techniques as adversaries inevitably change their tactics.

Our Code on Their Machines

Designing a detection platform that includes remotely executing scripts inside browsers and mobile apps is a complex task. As an example, our code has to run on an adversary’s machine, which makes it subject to reverse engineering attempts. Essentially, all of the little things add up to ensure that your defense platform stands the test of time. Our v2 defensive platform allows us to maximise our ability to detect automation whilst ensuring the best possible human experience.

We’ve increased our sensor detections by >15x whilst simultaneously delivering a 70% performance improvement – that’s great news for all our existing and potential customers, but not so good for bot builders. To help obscure our new bot detection improvements, we have also developed a new obfuscation method that doesn’t rely on open source JavaScript tools that can be easily deciphered. 

Incorporating Customer Feedback

Our team has grown significantly over the past two years. The establishment of customer support, customer success, security engineering, and the platform engineering team’s growth are pivotal developments for Kasada. These teams have also allowed us to improve our product, as they are key consumers.

In particular, the dramatic improvement in v2 customer-facing logs is directly related to feedback from our team and customers. Reducing the verbosity and data volume of the logs by > 70% ensures a high signal-to-noise ratio and enables our customers to get greater visibility into their data platform of choice. This also significantly reduces the cost for SIEM budget holders. As a result, internal security operations teams have access to significantly more valuable data to defend their apps.

Future-Proofing our Bot Defence

To ensure immediate and long-term protection for our customers, we’ve evolved core components of our solution, such as the cryptographic challenge. Challenge v2 forces bots to solve computationally challenging puzzles in order to submit requests. This is a key component in controlling a bot builder’s tooling. It allows us to raise the barrier to entry and forces the game to be played on our terms.

We’ve also established new components that will be critical to our future growth. The v2 platform introduces a significant data-based defensive capability for Kasada. We’ve doubled down on “out-of-band” anomaly detection and on automatically mitigating the more subtle attacks that this method catches. This is different from most vendors in the space, which send the user through a CAPTCHA when anomalies are found. And ugh, who wants a CAPTCHA? Ultimately, coupling our best-in-class client-side detection platform with our data platform significantly improves our adaptability during a battle.

Defensive Security: It’s Just the Beginning

We’ve come a long way, but we’re just getting started. Even though it’s been hundreds of thousands of hours of R&D for our team, we’re just scratching the surface of what’s possible. The hardest part of the startup evolution is knowing what the product needs to look like but not being able to do “that” yet. The release of the v2 defensive security platform introduces many of the things that we’ve been most excited about for some time and redefines what customers should expect from a bot mitigation provider. Bring on the bots!

Join our technical meetup where I’ll show demos of the latest adversarial tools and techniques attackers use to exploit enterprise mobile apps and APIs – you can sign up here.

If you’d like to see v2 in action, feel free to reach out to me or request a demo here.

*** This is a Security Bloggers Network syndicated blog from Kasada authored by Nick Rieniets. Read the original post at: https://www.kasada.io/behind-the-scenes-defensive-security-kasada-v2/