Sam Crowther
Founder and CEO, Kasada
As a young tech-smart schoolboy in Newcastle, Sam Crowther loved breaking things. “I’d think, ‘Here’s a website. How can I use it in a way the person who built it didn’t expect and what can I make it do?’”
By his mid-teens, driven by persistence and “just curiosity”, Crowther snared some complex security work with the Defence Department’s Australian Signals Directorate, the government intelligence agency responsible for information security and protection against cyberwarfare. After school, Crowther put plans for a computer science degree on hold. Instead, at 17, he took up the offer to gain “phenomenal real-world experience” with a year-long stint at Macquarie Group, analysing web application logs to detect cyber attacks. “Another eye-opener in terms of how bad the problem could be and how little there was out there to solve it,” he says.
Now 23, Crowther is in Chicago overseeing the global growth of Kasada, a company he founded in 2015 to tackle the proliferation of malicious bots and automation that pose massive hazards to organisations worldwide.
With a staff of 20, Kasada is addressing mind-boggling security problems for major retailers, energy providers, listings providers, sports betting companies, hoteliers and financial institutions. Crowther declines to name clients but insists the automation threat posed by “cybercriminals with millions of computers, who have more financial incentives than ever before” crosses all industries.
The extent of the danger is captured with one quick statistic: “We’ve had cases where in excess of 70 per cent of [visitors] to a website weren’t actually human.”
It’s an astounding wake-up call for companies that thought they were serving millions of customers monthly or daily.
Crowther outlines the basics: bots attempt to impersonate users to log in and steal customer information; when a data breach happens, attackers’ bots take stolen names and passwords, which are then directed to many websites to try to access user accounts. “It’s all automated and it takes advantage of the fact that people re-use usernames and passwords.”
Recently, reports Crowther, attacks have gone from being “loud and visible” to a longer, more sophisticated game. “They’ll follow the daylight hours of a region that a company operates in, sending login requests in the middle of the day and pedalling back at night, sometimes just taking small amounts of information. This can go on for months without the company realising.”
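As an added illustration (not code from the article or from Kasada), this Python detector runs over a few constructed login-log lines and flags the credential-stuffing pattern Crowther describes: one source trying many different usernames with mostly failures, with a daytime share to surface the business-hours timing of a low-and-slow campaign. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic): "timestamp source_ip username outcome"
SAMPLE_LOG = """\
2024-03-04T10:02:11 203.0.113.7 alice fail
2024-03-04T10:05:40 203.0.113.7 bob fail
2024-03-04T10:09:03 203.0.113.7 carol fail
2024-03-04T10:14:27 203.0.113.7 dave success
2024-03-04T11:31:50 203.0.113.7 erin fail
2024-03-04T13:44:12 203.0.113.7 frank fail
2024-03-04T09:12:00 198.51.100.2 alice fail
2024-03-04T09:12:30 198.51.100.2 alice success
2024-03-04T14:20:05 198.51.100.2 alice success
"""


def parse(log_text):
    """Turn the assumed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def stuffing_sources(events, min_users=5, min_fail_rate=0.6, day=(9, 17)):
    """Flag sources that look like credential stuffing: many distinct usernames
    and mostly failures. Request rate is deliberately not a criterion, so a
    slow campaign spread across the working day is caught as well as a burst."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "daytime": 0})
    for ts, ip, user, outcome in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if outcome == "fail":
            s["fails"] += 1
        if day[0] <= ts.hour < day[1]:
            s["daytime"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_rate": round(fail_rate, 2),
                "daytime_share": round(s["daytime"] / s["attempts"], 2),
            }
    return flagged


if __name__ == "__main__":
    print(stuffing_sources(parse(SAMPLE_LOG)))
```

The legitimate user on 198.51.100.2 fails once and then succeeds on the same account, so it is not flagged; the first source cycles through six accounts with an 83 per cent failure rate, entirely during business hours.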
Another common ruse is content scraping or price scraping used by mainstream ecommerce competitors to monitor their rivals’ prices. “Every time there’s a discount, the bot sends that back into the main system, allowing a competitor to further discount,” says Crowther. The fix? Artificial intelligence (AI) and machine learning work for both the dark side and those fending off attacks. “There’s no silver bullet in security. We use a number of mechanisms, as a combination of approaches works best,” he says. “A big part of our business is understanding what attackers are using and how they think so we can think from the opposite perspective: ‘How can we stop them?’”
Crowther claims Kasada, with its still predominantly Australian client base, has prevented about 100 million fake login attempts over the past year, stopping a major menace to organisations that are now legally obliged to make data breach notifications. “Considering Australia has only 25 million people, we’ve protected the same people a few times,” he says.
Preventing data violations is a cat-and-mouse game but ultimately it’s possible to stay ahead, asserts Crowther. “We’re heavily invested in research and development. And because we have access to data from all the organisations we work with, we’re sharing internally. So any time something happens, we’re at the bleeding edge of the curve.”