As the cyber threat landscape continues to grow — and threat actors increasingly steal data, commit acts of fraud, and expand retailer losses — it’s time for the retail industry to rethink its cybersecurity strategies and shift the focus to the protection of online outlets. As many have seen, news of point-of-sale malware has increasingly made headlines, and these constant threats by malicious actors are a growing concern for retailers.
Today, many retailers are leveraging artificial intelligence (AI) across their sales operations, using the technology to help improve consumer shopping experiences both in-store and online, determine target audiences, personalize offers and discounts based on purchase histories, promote key items, and more. However, many retailers are ignoring one of the most impactful uses of AI in retail — cybersecurity.
As more people than ever before abandon brick-and-mortar stores and flock to e-commerce sites, the potential threat to retailers from hackers is increasing exponentially. As the volume of online transactions rises, and fraudulent purchase attempts, distributed denial-of-service (DDoS) attacks, and detrimental bot behavior spike, retailers are at risk of losing thousands or even millions in revenue. What’s more, these attacks could leave retailers’ reputations in shambles and struggling to regain consumer trust, as exemplified by organizations such as Target, Neiman Marcus and Forever 21.
These retailers are among the organizations most vulnerable to cyberattack, given the nature and volume of customer information available to cyber criminals. They're also some of the most advanced in leveraging new AI technology to achieve a multitude of business objectives. So why have they continued to overlook AI as a potential solution to their cyber woes? And how can AI transform the future of security for retailers?
Many online retailers use off-the-shelf applications that often come packaged with known vulnerabilities — and both researchers and hackers are discovering numerous new vulnerabilities in these applications every day. Other retailers may use their own customer applications, but these could potentially expose undiscovered vulnerabilities to hackers as well.
Today, many retailers are developing their own mobile apps that use machine-to-machine communications via APIs that can also be targeted by hackers. Online web applications and APIs are increasingly becoming points of entry for hackers, and must be protected from the constant increase in cyberattacks.
For years, rule-based web application firewalls (WAFs) have been the technology of choice to protect online retailers’ web applications. However, these technologies have only offered generic and limited rulesets with inadequate bot management capabilities using antiquated challenges like CAPTCHA. Those responsible for WAFs are often frustrated by the time-to-tune, limited protection, lack of accuracy, and the increasing management overhead. In addition, most WAFs on the market offer little if any protection for APIs. As a result, APIs are often left completely exposed to threat actors. However, all of this is about to change.
Today, the industry is witnessing a new generation of WAFs, bot managers and API defenses that are incorporating machine learning (ML) and AI capabilities into the mix. For example, forward-thinking WAF vendors are beginning to integrate traditional rule-based WAFs with supervised ML that can shorten the rule-tuning process to hours instead of days, weeks or even months. ML- and AI-enabled WAFs often don't use the traditional core rulesets, but instead identify behavioral-based anomalies and subsequently are able to defeat a broader range of targeted application-based attacks without the use of rules and signatures.
Beyond WAFs, these same vendors are also incorporating ML and AI capabilities into their bot management solutions, which can pick up on subtle signals that help distinguish human visitors from malicious bots. Although some bots are needed to improve SEO, the vast majority of bots have malicious intent, and their traffic targeting retailers’ applications and APIs is not needed — nor desired. ML and AI capabilities can also be incorporated into protection mechanisms designed specifically for APIs, where the nature of the traffic is much different than traditional browser-to-application traffic and traditional WAF rulesets have little value.
The recommendation for online retailers is to begin to expand their adoption of ML and AI in the fight against cybercrime. The technology is here, developed and ready to act as a completely independent, autonomous system that can be deployed as a layer over human talent and traditional WAF technology. AI is limitless and nonlinear, smarter and faster than any human or computer, and the more it’s trained, the more powerful it becomes.
Leon Kuperman is the co-founder and chief technology officer at Zenedge, a cloud-based DDoS mitigation, WAF, API protection and bot management solutions provider.