Good bots vs. bad bots: How Electrocomponents tells the difference

Electrocomponents sells billions of pounds worth of products online, but malicious bots threaten that business. Here's how they keep bad bots at bay.


Almost every company is now a digital company. The more digital a company becomes, however, the more challenges arise out of securing both the customer-facing portals and the channels.

RS Components sells billions of pounds worth of product online. Like any other digital retailer, it deals with millions of hits to its website from automated bots, some of which have malicious intent. That presents a challenge to security: How do you identify and block the bad bots to avoid compromise and keep services available?

Large digital business a target for bots

Founded as Radiospares in 1937, RS Components is part of Electrocomponents, an FTSE 250 company specialising in industrial and electronic products and solutions.

“If you know RS from old, it used to be a catalogue business,” says Steven Whitchurch, head of cybersecurity at RS Components. “But we are a digital business now. We have in excess of a billion pounds a year revenue just from digital streams, and we put 4% of our revenue back into digital.”

“We have in excess of 500,000 products and over a million customers, that equates to one and a half million parcels that we ship out organisation every month,” says Whitchurch. “We have over 10 million site visits on our websites per month and 62% of our sales are digital. So, it's really important as an organisation that we protect that.”

Whitchurch is responsible for security operations and architecture across the entire Electrocomponents business, which spans 32 countries. While he has a small security team internally, he makes maximum use of external partners through managed services rather than creating extra work internally. “We have outsourced a lot of that commodity work: email gateways, endpoint protection alerts. Those are commodities that get leveraged by third parties. I'd rather manage relationships and provide value to our customers.”

As well as managing external relationships with the companies doing that commodity security work, Whitchurch aims to foster better relations with the internal business, so that security is viewed as an enabler of business growth. “The old traditional view of security as being blockers--the no people. My job's not to say no. It's to understand the risk and to translate that risk back to the business to make informed decisions. We make decisions based on how we want to grow organically or inorganically through M&A, and then my job is the best advice and how and what controls money to put in place to do that securely.”

Cloud transition while keeping bots at bay

Electrocomponents is currently undergoing a company-wide series of cloud migration projects. Its current estate is a mix of existing data centres with workloads that are being moved to the cloud on a per-project basis, and Whitchurch ensures the teams are doing that in conjunction with the security function.

“Everybody will be moving to cloud as a part of a cloud-first strategy, if you will. More and more of our workloads are moving to cloud, and we have teams dedicated to moving there”, he explains. “This is a business-driven decision taken on a per-project basis, and security as a function is engaged on that. If we were looking to move ERP systems or CRM systems, for example, that will be in conjunction with security, and there are principles that we don't break when they move out. It could be painful for projects, but engaging security early is always far cheaper than trying to put the controls in afterward.”

Given the slice of the company’s revenue that comes from digital, ensuring its websites are available and resilient is imperative. Poorly loading sites can affect everything from search engine rankings to customer satisfaction and bounce rates, which inevitably impact revenue. A major contributor to a slowly loading website can be the number of bots continuously crawling and making requests. Whitchurch says the company’s websites receive an average of 1.5 billion edge hits per month, yet some 50% of that is automated bots, both good and bad.

Electrocomponents is using Akamai's Bot Manager to help tell the difference. “We have 763 million edge hits just from bots a month. They're not all malicious, it could be a good bot or a bad bot, and that was an eye-opener for when we first got Bot Manager. We didn't have the visibility to begin with.”

Some 16% of all website attacks that the company was seeing targeted PHP, despite the company not running any PHP in its application stack. While they posed no direct threat to the sites or applications, those attacks still consumed resources that could be better used on other tasks and inevitably caused a performance hit.

“We don't deal with PHP, yet that doesn't stop the bad guys trying to attack us or seeing what's out there and our servers still had to deal with that information. They keep trying, you can ignore it, you can block it, but they will keep throwing rocks at your organisation and you need the automated system in order to track this and keep up with the volume of attacks and scraping that go on.”
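As an added illustration (not code from RS Components or Akamai), the sketch below measures that kind of noise in a web access log: it counts requests for PHP resources on a stack that serves none and groups them by client. The log lines are constructed, the combined log format is an assumption, and the names `is_php_probe` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2019:10:01:05 +0000] "GET /products/resistors?page=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:10:01:06 +0000] "GET /admin/index.PHP?x=1 HTTP/1.1" 404 153 "-" "curl/7.58.0"
192.0.2.44 - - [12/Mar/2019:10:01:09 +0000] "GET /docs/php-guide.html HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2019:10:01:11 +0000] "GET /index.php/login HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2019:10:01:12 +0000] "GET /search?q=file.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
not a log line
"""

# client, method, request target, status (assumed combined log format)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# .php, .php5 or .phtml closing a path segment, including path-info
# forms such as /index.php/login; case-insensitive.
PHP_RE = re.compile(r'\.(?:php\d?|phtml)(?:/|$)', re.IGNORECASE)

def is_php_probe(target):
    """True if the path (query string ignored) names a PHP resource."""
    path = target.split('?', 1)[0]
    return bool(PHP_RE.search(path))

def summarize(log_text):
    """Count PHP requests per client and their share of parsed requests."""
    parsed = skipped = 0
    by_client = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed line: count it, do not guess
            continue
        parsed += 1
        client, _method, target, _status = m.groups()
        if is_php_probe(target):
            by_client[client] += 1
    probes = sum(by_client.values())
    share = probes / parsed if parsed else 0.0
    return {"parsed": parsed, "skipped": skipped, "probes": probes,
            "share": share, "by_client": by_client}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['probes']}/{report['parsed']} requests target PHP "
          f"({report['share']:.0%}); top sources: {report['by_client'].most_common(3)}")
```

On a site with no PHP in its stack, every hit this counts is unwanted load, which makes the per-client totals a reasonable input for blocking or rate-limiting decisions.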

Business benefits of bot management

While conversations around bots usually translate to botnets and DDoS attacks, there is an easy conversation security can have with the business around how better management of good bots – for example ones performing site crawls, price comparisons, or similar automated processes – can have a positive impact on the business and its relationships with partners.

“You can waste an awful lot of good time looking at the good bots wondering, are they malicious or not?” says Whitchurch. “You don't want to block good traffic, so we rate limit them right down to see if there's any impact on what that bot is doing.”

As well as bots from partners or crawlers from the likes of Google or Microsoft Bing that can have positive outcomes, and malicious bots that may be conducting reconnaissance or attacks, there's a myriad of non-malicious but undesirable bots that can drain resources. According to Imperva's latest bot report, competitors may be scraping prices or inventory to adjust their own go-to-market strategies, resellers might bulk-buy limited-edition or hard-to-source items to sell for profit, and even investment companies may be gathering information from sites to determine business health for investment purposes.

Blocking malicious and unwanted bot traffic caused site loading times to drop to under one second. The company also massively improved site performance after spotting and blocking a partner’s bot that was causing issues. “We had a good bot which is badly configured. It was from one of our customers that we had to let through. It added over a second to each page and that had a massive impact on performance.”

While the bot management technology was able to keep the misconfigured good bot from causing site slowdowns, Whitchurch and his team got that partner to reconfigure the bot so that it doesn’t have such a noticeable impact when performing tasks.

“Having the speed site increased by adding a security component is an amazing story for me to tell across business, I want people to engage with me, because we want to help,” says Whitchurch. “We don't want people working around us as an organisation.”

Copyright © 2019 IDG Communications, Inc.
