Automated attacks are growing in speed and sophistication, far outpacing the human defenses most organizations rely on. Whether it’s credential stuffing, scraping, or denial-of-wallet attacks, bots can drain your resources before they even steal a cent.
In this episode, Sam Crowther, founder of Kasada, discusses how their bot detection and mitigation solution flips the economics of attacks. By disrupting automated behavior at wire speed—without impacting user experience—Kasada ensures you’re doing business with real people, not fake clicks. Joining him are panelists Jimmy Sanders, president of ISSA International, and Jason Elrod, CISO at MultiCare Health System.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Kasada
Full Transcript
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re talking with Kasada and learning about what they’re doing in bot detection and mitigation. Now, the problem they’re addressing is the scale of automated attacks. Helping us get some answers to these questions are Jimmy Sanders, the president of ISSA International, and Jason Elrod, CISO at MultiCare Health System.
Jimmy, I’m going to start with you. Why are we still struggling with automated attacks and the increasing scale we’re seeing them in?
[Jimmy Sanders] One of the aspects that I learned from Netflix is that when automated attacks happen, but they don’t actually log in, sometimes you think that that’s a real user and you think that that’s adding to your user count instead of it being just something automated that’s costing you resources.
[Rich Stroffolino] All right. Well, Jason, I would love your perspective on this. Why are we still struggling with this?
[Jason Elrod] I think we’re struggling with this because… I throw it into three categories, right, of speed of attack, speed of the threat actor. So, our speed of defense needs to have parity with the threat actor. And we all have like three speeds we work at, like number one, bureaucratic speed, which takes 30 to 60 days to do anything.
Human speed, which if you’re really lucky, takes a day to maybe within hours. And then wire speed. And when we’re looking at bots and automations and AI, they’re operating at wire speed, and we don’t operate at wire speed. So, we need something to get parity there.
[Rich Stroffolino] All right. Well, today we’re going to be talking with Sam Crowther, the founder of Kasada. Now, to start out, Sam, we need to answer three essential questions, kind of set the table and the tone for the conversation. So, how do I explain the value of what Kasada is doing to my CEO?
What does your solution do and what does it not do? And we need to know the pricing model. Can you help us out with these preliminaries?
[Sam Crowther] When discussing with a CEO what it does, our whole remit functionally is to undermine the economic incentives of attackers leveraging bots to scale. Right? We want to make sure that you are doing business with real humans online. And when we are displacing legacy technologies like CAPTCHA, we also want to actually improve that consumer experience, never disrupt them, picking a fence or picking a motorbike.
Our solution is able to, without ever actually interacting with the consumer, determine who a real human is on your mobile apps, on your websites, versus some sort of automated tool, be that a simple Python script, right up to a fully-fledged automated browser. We are not in the business of manual fraud.
We are not in the business of detecting SQL injection like a WAF may. We are in that business of determining are you a real human or are you a bot? Pricing, we are all consumption based. Our model is the amount of traffic we have to protect for our customers is functionally what we charge for.
[Rich Stroffolino] Excellent. All right. Well, we’ve gotten a taste for the solution, but I am sure there are a ton of questions and particulars to get into. So, Jason, I’m going to start with you. What are the questions you have for Kasada?
[Jason Elrod] Well, you mentioned displacing CAPTCHA, which piqued my interest here. So, in a highly compliance-driven industry, healthcare, we have certain things that need to be in place. And CAPTCHA, of course, we’ve got to be really sure that the claimant is the identity they’re claiming to be. But also, when we look at things like CAPTCHAs in place, and we’re talking about, again, a visible way of actually managing that, how are you ensuring that you’re not, for instance in healthcare, capturing PHI with your invisible tool in front of something like a patient portal?
[Sam Crowther] We are very deliberate to not touch any data that could be PII or PHI. The way our system would integrate is it gets called out via an API on your back end. So, all that sensitive data can be stripped out. We don’t want to touch that. Similarly, we don’t want to touch any of our banking customers’ usernames and passwords.
[Jason Elrod] Okay, great. So, nothing passes through. You do a call out, get the affirmation, and it comes back, and then we can proceed as normal?
[Sam Crowther] Exactly.
[Jason Elrod] All right, fantastic.
[Rich Stroffolino] And Jimmy, what questions do you have for Sam and Kasada?
[Jimmy Sanders] So, your quote about usage model really piqued my interest because prior we used to have at Netflix a solution that was based on usage model. And over the holidays, they found out our solution and they ramped it up so that we paid almost 100% more just by them attacking our solution, even though they didn’t do any fraud.
So, it cost us. It went from like $10,000 a month to $100,000 in three days. And so, my question is, in a case like that, would you work with the customer to make them whole? Because the competition that I dealt with didn’t, and so we kicked them out to the curb. But how do you mitigate that?
[Sam Crowther] Yes, absolutely. We have seen what we call denial of wallet.
[Jimmy Sanders] Yes.
[Sam Crowther] Quite a few times where it is just attack the vendor to make them charge a lot. So, the way we deal with that is we view the only thing the customer should pay for is the actual attempted protected request, nothing else around the product, no telemetry collection, which some people have commercial models around.
If someone is abusing to that level, the way we view any relationship with a customer is it is a relationship, it is a partnership, it’s not a you pay us, you get one protected request. So, we want to make sure that we are good to do business with, as our customers are good to do business with as well.
[Jason Elrod] I’d like to double-click on that a little bit. You mentioned like the denial of service, and then of course, denial of wallet. I love that term, by the way, I’m going to steal it. Maybe I’ll give you credit. But denial of wallet, great, great parsing there. But a denial of service, let’s look at that.
If you were being attacked or overwhelmed, or the API itself was being actually impacted because of a massive volume of actual bots attacking the API, what’s the fallback mechanism? What happens to us if, like in my case, the patient wants to get in, and you’re currently experiencing that, what’s the fallback model that’s in place for me as the consumer there?
[Sam Crowther] Yeah, the model we would typically encourage is fail open. For us to fail, it will take some pretty incredible volumes. If I look at all the traffic across all of our like big tech customers, big retailers, airlines and whatnot, you’d have to have a pretty large network of bots to bring us down.
But in the case where it happens, the fail open is generally encouraged. Even if it means a few attacks get through, it’s better that the consumer can still do what they need to do and access their healthcare, access their bank account, book that flight, than sit there frustrated and angry at the customer’s brand.
[Jimmy Sanders] So, my question for you would be, as you ramp up your process, and what I’ve seen through a bot strategy is that, first, they do low-level attacks, and then they constantly graduate up. How do you, in terms of your business model, work with the company to set expectations? Because when I saw it, it stopped the low-level attacks, then they ramped up again, so it goes in a wave pattern.
How do you work with customers to have them set that expectation?
[Sam Crowther] Yeah, the way we talk about it is, our goal out of the box is to get rid of the 95% of adversaries that just shouldn’t be there anyway, right? Like the lower level and maybe mid-tier. But then for that upper echelon, we want to just drive their costs up so much that the scale they can reach is no longer impactful, right?
The reality is, there will always be people that are smart enough to be there. It’s just can we cap their impact by increasing how much it costs so much that they no longer actually harm our customers’ businesses?
[Jason Elrod] During an active attack, what kind of telemetry is actually delivered to me as a customer, to my SOC, to my SIEM? How are we made aware of that? How can we react to that? How does that integrate with an existing security program?
[Sam Crowther] So, most of our customers will ingest our logs into Splunk or some other kind of SIEM. We’ll provide context around what the bot was doing, right? What sort of attack it was, where it was coming from, and try and profile it like that so that your SOC can go, okay, great. There is an account takeover attack using a bunch of residential proxies out of the United States or whatever it may be, and that you just pay a little bit more attention then to those URLs that are being hit just in case someone’s doing something a little sneakier and it requires some manual investigation.
We’ve definitely seen some fraudsters use bots to throw up smoke screens. They’ll actually do a massive cred stuffing attack that was never meant to be successful, but then those few manual logins that they were performing from stolen creds are the ones that were meant to give them that reward.
[Jason Elrod] Right, what’s the actual signal and the noise that’s happening there? Along those lines, do you provide any cyber threat intelligence for what you might be seeing with another customer and then actually push that out to your other customers saying, “Hey, look, there’s some bot activity,” like you mentioned, from these IPs, these locations, this velocity, this type of attack, “I know they’re not hitting your system yet, but hey, let’s get proactive about it and get some distributed denial of service in place, protection in place.” Do you have a mechanism to do that?
[Sam Crowther] We do. Firstly, my background is a lot of threat intelligence work and so it’s something we have built into the way we’ve designed the product, but we as defenders have one big advantage over attackers and that’s that we get to see a lot of traffic across many different websites and that’s a huge advantage we want our customers to be able to leverage.
And so, we will share data anonymously around, okay, you need to focus on these IPs. Maybe it’s worth looking at access attempts across other systems that may not be web facing, could be like a VPN login or some sort of remote access login that’s just worth cross-checking because we’ve seen credential stuffing from these proxy nodes across businesses in similar verticals to you guys.
[Jimmy Sanders] So, one of my questions that I always ask when I’m talking to people about a new product or I’m trying to introduce it to the CEO is, when I’m bringing your product to my CEO or to one of my peers, what is the thing that makes you amazing? Not that you’re a botnet company or not that you can stop attacks, but when it boils down to it, why would I go to a Kasada when I can go to somebody else?
[Sam Crowther] If you take away the human obsession that a lot of the team and myself have around solving this problem, we started with the adversary, which is very different from a lot of other web security companies. I used to write bots to buy sneakers and a few of the other guys used to as well, which is how we sort of all met.
So, we approached it from the point of view as like what would make our own lives difficult? And then how does that influence the design of the overall system? And one of the things we came to realize is speed is everything, right? We want to provide a system that is so unbelievably flexible for us to run for our customers that they never have to sort of sit there in a holding pattern, “Well, you need five months for a product update before we can deal with that attack.” That’s just unacceptable.
[Jason Elrod] So, that made me think about something here. You used to write bots to buy sneakers. One of the things that’s out there, and this has nothing to do with healthcare, but you made me think about this. Well, let’s say there’s concert tickets coming out and bots are out there, they’re pulling out all those concert tickets.
And then of course, it goes to a scalper or secondary market. Is there a mechanism by which Kasada could be used to mitigate some of that? So, the bots that are being used to legitimately purchase things, I guess, but not a mechanism that the seller or the end customer base would like. I’ll just put it that way, to keep names and stuff out of the way.
[Laughter]
[Sam Crowther] Yes, there is. So, we do work with some, let’s say, organizations who sell tickets who want to solve the problem. However, there are perverse…
[Jason Elrod] Have you mastered the problem yet?
[Sam Crowther] There are perverse incentives for some, and I think that drives behaviors around whether or not you truly want it to go away, especially if you were say, clipping the ticket on a resale as well. You may not be incentivized to…
[Jimmy Sanders] Double dipping.
[Sam Crowther] Yeah, exactly. You may not be as incentivized to prevent the transaction versus someone selling a shoe, for example, where it’s actually more important to your brand and your customer relationship that the real enthusiasts and collectors get the shoes versus a bot to resell.
[Jimmy Sanders] So, you were talking about scale, you were talking about ingestion, you were talking about SIEMs. My other big question for any company is, tell me about your APIs, what kind of APIs or plugins or dashboards or what you can do to help me automate your solution into an existing security lifecycle to make it as seamless as possible?
[Sam Crowther] So, we’ve really focused on how do we make integration simple, right? Big organizations are unbelievably complex; the fewer teams involved, the better. So, we typically integrate at the CDN layer. It’s a very, very simple API, and we give you the code to call out to our system. That means you don’t need to involve any back-end engineers, you don’t need to involve front-end engineers, it’s typically just someone on the security team who can change configuration on the CDN.
Then there’s a portal for all the reporting. If you don’t want to ingest into your own SIEM, we’ll give you insights into what bots are doing, the level of sophistication that we rank them at based on which defenses they triggered, and anything else that just may be insightful and help you make better business decisions.
And from there, that’s it. We don’t want to be too burdensome. It shouldn’t be like yet another thing to manage. There’s no rules. We have internally what we call the no knob policy, which is both people and UI, no additional knobs. You shouldn’t have to twist something or press something that just takes up someone’s time when our job should be to make sure this product works for you.
[Rich Stroffolino] All right, well, I got to jump in here. Sam, what’s one thing we didn’t ask about that we need to know?
[Sam Crowther] We are in an interesting part of the business where a security tool can actually impact pretty positively the business part of the business, right? So, I would always strongly encourage, like how can this actually become a cost saver or a profit driver? A very practical example with some of our big retail customers – if you stop web scraping, you can save a lot of money on Amazon, right?
Which I’m sure at Netflix, you guys saw lots of scraping.
[Jimmy Sanders] That is exactly what I was just going to say: by implementing a good solution, maybe similar to yours, we saved honestly millions.
[Sam Crowther] It’s an amazing position to be in as a security business, but it’s something I strongly encourage security folk we work with to think about is how can you actually make this a win for multiple teams without them having to do anything and maybe get some more budget or just buy some amazing political goodwill?
[Rich Stroffolino] All right, well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to kasada.io. Big thanks to Jimmy Sanders and Jason Elrod for helping us learn more about Kasada, and a huge thanks to Sam Crowther for your time and being game to answer all of these questions.
And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at [email protected].
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.