How Distil Battles Bots Without Bothering Buyers

It happens to every Internet user at least once. The day she’s asked to type a simple combination of letters and numbers into a window to prove she’s not a robot pretending to be a human being – and she fails.

No matter how closely she looks, no matter how many times she resets, no matter how often she screams “I am a human being” at her computer or iPad, she simply cannot decipher the string of blurry, ill-spaced and squiggly numbers necessary to buy her widget, claim her trial subscription or do whatever else she had been hoping to use the Web for before she found herself unable to differentiate herself from a piece of malware.

There’s a very good reason these bot-screening gateways exist: more than half of all the “people” on the Internet aren’t actually people – they are data mining cyberbots pretending to be people. And some of them are also deployed in the service of cybercriminals. Those bots can be used to make all kinds of expensive mischief – Web scraping, brute force attacks, competitive data mining, account hijacking, unauthorized vulnerability scans, spam, man-in-the-middle attacks and click-fraud. Businesses have very good reasons to prove that they are really exchanging data with other humans and not pesky bots.

However good that reason is, it’s just not reasonable to put Web users through increasingly complicated Turing tests every time they want to buy something or test-drive a video-streaming service for a month. Because the reality is that after consumers have tried squinting, screaming and swearing at their screens, they just give up and abandon their purchase attempts in surrender. This friction-filled security solution that acts, instead, as a sales conversion killer is clearly looking for an innovation.

And innovation in the Web’s ongoing war with the bots is just what the team at San Francisco’s Distil Network is hoping to offer.

“We can tell the difference between a bot and a real person without the need for any kind of intrusive action. We do this across an entire website to make it more secure,” CEO and co-founder Rami Essaid said.

By intrusive, Essaid means those “squiggly lines you’re being asked to read”: the challenge code that some websites put every user through in order to screen out the bad guys. Distil offers an alternative, one that sits in the background and holds off on challenging in favor of screening via other indicators.

“Distil sits in the background and first validates the browser that a consumer is using is really what the browser says it is. We can get rid of anyone who is spoofing their browser or spoofing their IP,” Essaid explained. “And we also have a system of machine learning that looks at browsing behavior, looks at the consumer’s entry point into the site, their navigation path, where they were before — a lot of different data points — and we can come up with a really conclusive and accurate score as to whether or not that consumer is, in fact, a bot. Without needing to interrupt every request or every customer.”

Those interruptions do still occasionally come into play with Distil – but only after the background actions have flagged a potential user as automated. The normal result of those interruptions is confirming the bot status of the flagged user.

The Virginia-based firm was founded in 2011 – and though it’s been around for a comparatively short time – it’s seen the landscape of cybersecurity change rapidly as the criminals of the world have gotten much better at operationalizing their botnets against innocent Web bystanders. And though the task is big, Essaid said the Distil team finds it more engaging and daunting because they believe it is a competition in which they have a fundamental advantage.

“It’s an arms race we do have to keep working on, but the trick is the bad guys don’t really know what the true website traffic pattern actually looks like. They don’t have a perspective on every single user that comes to them and what that user does,” Essaid noted. “They have an idea of what they think it looks like, but when they use bots, without fail, we find some things that are either really, really systematic or really, really random, and it falls outside of the norm.”

What they have noticed has changed over time.

Early on in Distil’s evolution, spotting bots was as easy as spotting a handful of suspicious IP addresses – but that’s no longer the case. In the last couple of years, for example, Essaid told PYMNTS, they’ve seen a new pattern emerging among bots that spawn from malware-infected computers. Those compromised PCs have legitimate-looking IP addresses, so they are no longer easy to spot that way.

“Then we started challenging that by asking ‘Is this a real Web browser, or is this just stripped on a computer?’ And sure enough, that failed that test because it wasn’t a true Web browser,” said Essaid, noting that this capability did not end the arms race – it just saw the game change again.

Meaning that the bad guys caught on.

Soon they had developed malware that ran in the browser instead of in the operating systems to leverage the full browser capability to pass the browser challenge. “So then we had to move on to more nuanced things. Behavioral issues like whether the user is actually touching a mouse, or actually used their keyboard since they’ve been on the site,” Essaid explained.
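The background screening Essaid describes, sketched as an added example (this is not Distil's code or algorithm): learn a timing norm from the site's own traffic, flag sessions that fall outside it in either direction, flag sessions with no mouse or keyboard input, and challenge only what was flagged. The field names, the `z_limit` threshold and all sample sessions are constructed assumptions.

```python
from statistics import mean, pstdev

def gap_cv(timestamps):
    """Coefficient of variation (stdev / mean) of gaps between requests."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None  # not enough requests to judge timing
    return pstdev(gaps) / mean(gaps)

def build_baseline(sessions):
    """Learn the site's own norm: mean and spread of gap_cv over its traffic."""
    cvs = [cv for s in sessions if (cv := gap_cv(s["requests"])) is not None]
    return mean(cvs), pstdev(cvs)

def assess(session, baseline, z_limit=3.0):  # z_limit is an assumed threshold
    """Return ("allow" | "challenge", reasons) without interrupting the user."""
    mu, sigma = baseline
    reasons = []
    cv = gap_cv(session["requests"])
    if cv is not None and sigma > 0:
        z = (cv - mu) / sigma
        if z < -z_limit:
            reasons.append("timing too systematic")
        elif z > z_limit:
            reasons.append("timing too random")
    # Browser-resident automation can pass a browser check yet never touch input.
    if session["mouse_events"] == 0 and session["key_events"] == 0:
        reasons.append("no mouse or keyboard input")
    return ("challenge" if reasons else "allow"), reasons

# Constructed sample telemetry: request times in seconds since session start.
SITE_TRAFFIC = [
    {"requests": [0, 4, 15, 21, 60]},
    {"requests": [0, 9, 12, 40, 47]},
    {"requests": [0, 2, 30, 35, 50]},
    {"requests": [0, 20, 25, 33, 80]},
]
BASELINE = build_baseline(SITE_TRAFFIC)

SESSIONS = {  # constructed sessions, one per case discussed in the article
    "shopper": {"requests": [0, 5, 14, 22, 58], "mouse_events": 41, "key_events": 12},
    "fixed_interval": {"requests": [0, 2, 4, 6, 8], "mouse_events": 0, "key_events": 0},
    "erratic": {"requests": [0, 1, 2, 3, 300], "mouse_events": 3, "key_events": 0},
    "in_browser": {"requests": [0, 5, 14, 22, 58], "mouse_events": 0, "key_events": 0},
}

if __name__ == "__main__":
    for name, s in SESSIONS.items():
        print(name, assess(s, BASELINE))
```

The `in_browser` session has the same timing as the shopper and is flagged only by the input check, which is the case that pushed detection toward behavioral signals.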

And their ability to spot those nuances — and leverage their actual knowledge of their merchant partners’ systems — has recently attracted some big investor interest. Earlier this week, Distil announced that it scored $21 million in venture funding in a Series B round led by Bessemer Venture Partners. Bessemer is a new investor to Distil – though it was joined in the round by current investors Foundry, TechStars, ff Venture Capital, Idea Fund and Correlation Ventures. Distil will also be gaining a new board member in Bessemer partner David Cowan.

Essaid told PYMNTS that while the infusion of funds will, in part, fund the expansion of their marketing and sales efforts, most of the money will be spent in an engineering push to strengthen and expand their technological offering.

“We are always going to be an engineering heavy company. And so we are going to add more engineers than anything else. We want to continue to evolve in our website protection against bots, but we also want to add more product to protect businesses,” Essaid noted. “We are releasing another product later this year to protect API. And that is our evolution – we want to own Web application security as a holistic space. We want to add more so our suite can help secure Web applications whatever form they come in.”

When Distil got started, it was mostly a service for SMBs – though in the last two or so years the firm has seen its client roster swell with major banking institutions and Fortune 500 firms – which Essaid unsurprisingly declined to offer up by name. He did note, however, that though Distil is certainly pleased as punch to be taking on major enterprise level players, they remain committed to serving the SMBs – and not purely because they are altruistic, good people.

“There are some things that are unique to individual sites, while there is other stuff that is ubiquitous all over the globe that correlates from the smallest to largest sites. We love seeing the data,” Essaid said. “So we try to really keep catering to the smaller sites just to continue to see the data that they offer. We want to work with both large and small because we think this is a problem that has to be holistically tackled.”

Essaid also noted that Distil and its employees are good net citizens that just want to make the Web the best place for everyone. But Essaid said that at the end of the day, the secret ingredient in Distil’s recipe for fighting cybercrime is data — and they are always happy to arm themselves with more.

PYMNTS Innovation Investment Tracker: Fourth Week of June 2015

June’s final full week of activity showed a strong drop-off from the third week – not all that surprising, as the latter period was marked by a deal worth more than $2.8 billion for Italian bank Istituto Centrale delle Banche Popolari Italiane. This most recent week proved a lot more muted, with about $632 million in fund flows, and that’s understated, due to the fact that (as always) not all deal terms were announced.

Highlights of the week centered on a few deals within retail and technology. Most notable was the $175 million placement by Viking Global Investors into Credit Karma, a fourth round of funding by the online credit scoring company. That was in fact the largest single investment tally for the week, as the next largest deal stood at $84 million as Insight Venture seeded a third round with Checkmarx, a software code and security company. All told, security to date has gathered roughly $4.8 billion in investment activity, with about $359 million of that coming in the month of June.

The juggernaut deals so far in 2015 remain the aforementioned bank deal and the $2 billion in capital raised by Friedman Fleischer and Lowe for its fourth private equity fund. Those two deals boosted the banking and trade finance realms to year-to-date fund flows of $11 billion and $9.2 billion, among the largest in all categories tracked. A bit more than 40 percent of the week’s activity was tied to the retail payments side, with a focus on banking and data analytics (which in turn was related to retail and commerce).

Through the month to date as June drew to a close, Europe had edged the U.S. as the largest regional concentration of investments, with 50 percent of funding compared to the U.S. at 47 percent.

With a bit more granular view, we can see that to-date funding in financial technology has been dominated by the banking sector, as noted in the chart above. That subset of financial tech accounts for about 74 percent of the funding flows to date in the FinTech arena, with $11 billion logged through the end of June.

Finally, looking at the year to date overall, some $45 billion has crossed from investors to various targets.