Saint-Gobain Distribution Bâtiment France protects its Data & Saves 12% of its Infrastructure Resources
The Problem: Protecting Intellectual Property
Olivier Boissin is Technical Head of the Digital Operations Department at Saint-Gobain Distribution Bâtiment France. His team develops, manages and pilots e-commerce sites and mobile applications for the subsidiary’s 14 brands, which are virtual reflections of the physical branches.
The team offers subsidiaries an in-house e-commerce solution, essentially an assembly of open source components, which is currently being used by all the brands, including pointp.fr, cedeo.fr and dispart.fr.
The e-commerce platform also communicates with the sales management systems in the physical points of sale, in particular for inventory management and order processing.
“The digital operations department is an autonomous structure rather close to the marketing department, which functions a bit like a web agency in an internal customer-supplier relationship with the subsidiaries”, Olivier explains. “As such, we have development teams as well as e-business teams made up of SEO, UI and UX experts, who support our brands in determining the tools they need to meet their objectives.”
As is often the case, the first signs of bad bot attacks were erratic traffic spikes which challenged the underlying systems.
“We had significant traffic spikes that did not correspond to normal platform activity. This caused us a lot of worry,” Olivier explains.
At the time, the origin of these traffic spikes was not well understood; the team could only observe them on the network equipment. But their undesirable nature was obvious. Saint-Gobain Distribution Bâtiment’s business is mainly in France, and traffic from faraway countries is suspicious by definition.
In addition to this technical problem, there were also business and legal implications. The Digital Operations Department began to find some of its content duplicated on third-party sites that had no link to Saint-Gobain, or even on competitors’ sites, both in France and elsewhere.
“This scraping of our content was rather easy to recognize. For example, we found proprietary content regarding brands we are the only ones to sell, on sites that don’t belong to Saint-Gobain,” Olivier comments.
He points out that Saint-Gobain Distribution Bâtiment France sells not only Saint-Gobain’s own products, but also those of its competitors. Depending on the supplier, the available information—sizes, technical characteristics, documentation and certificates of compliance, even product photos—is more or less comprehensive.
“We have a supplier reference team whose role is to complete and improve the quality of missing data in our vendor catalogs,” he explains. “As a result, the information that’s available on our sites has a lot of value, because a competitor who doesn’t invest in the same work will have only partially complete data. Having the most complete information is one of the main advantages of our sites.”
This intellectual property theft represented a real business risk for Saint-Gobain.
The Solution: DataDome Automatically Detects & Blocks Scraper Bots
To address both the unpredictable traffic spikes and the theft of proprietary data, Olivier and his team began by implementing a web application firewall, which is part of the group’s arsenal of managed services.
“The firewall protects us from a whole range of security threats, such as SQL injections and cross-site scripting,” explains Olivier. “But we noticed that the bots which DataDome calls ‘commercial’, that scrape for competitive intelligence or business intelligence purposes, are not at all considered a security threat by the firewall, which lets them through. So we realized that we needed to bolster our setup.”
The choice fell on DataDome, a SaaS bot protection solution for e-commerce sites. DataDome integrates easily and seamlessly with any web infrastructure, thanks to its line of server-side modules, including the Nginx module deployed by Olivier and his team.
Olivier’s first goal was to measure and quantify the attacks, and to have the tools (real-time indicators, notifications and reports) he needed to raise awareness internally.
Before activating the protection, the team first let DataDome run in monitoring mode for a few days, analyzing the automated traffic without acting on it in order to establish a baseline.
“We had no idea how much of our site traffic should be considered security threats,” Olivier admits. “Our automated traffic mainly consisted of scraper bots, which wasn’t unexpected, but the volume was really a surprise.”
The observations gathered during this monitoring period, thanks to the real-time dashboard, the attack notifications and the expertise of DataDome’s account managers, helped raise awareness of the bot threat among all teams. This facilitated the decision to implement DataDome’s recommendations to put a stop to these threats.
Today, DataDome automatically blocks scrapers as well as all other undesirable bots from the sites of all 14 subsidiaries, without requiring any intervention on the part of Olivier and his team. DataDome detects a new bad bot somewhere in the world every 10 milliseconds, and all users of the platform are immediately protected from these new threats.
The Results: Protected Data & Immediate ROI
The decision to implement the DataDome solution was primarily motivated by awareness of the scraping and the need to stem the leakage of proprietary data.
“Thanks to this protection, scrapers no longer get through, and we no longer find our content on competitors’ sites,” Olivier declares.
But beyond this business benefit, other performance indicators also revealed an obvious ROI following the deployment of the protection.
12% reduction in operating expenses.
“At the very least, the return on the technical investment is fairly easy to calculate,” comments Olivier. “In our case, we could easily measure the reduction in traffic against the commercial activity, which was not decreasing.”
Since the DataDome solution was activated, Saint-Gobain Distribution Bâtiment France has indeed noticed that its servers now receive about 12% less traffic, which corresponds to the undesirable traffic that is now blocked and therefore no longer reaches the servers.
“Behind these 12%, there are operating expenses,” Olivier points out. “If you compare the reduction in infrastructure costs, which may be per-use when you’re in a cloud system, with the cost of the license, there’s already a direct ROI which is very easy to calculate. Even if we hadn’t had the scraping problem, it would have been a shame to forego this.”
A better user experience.
The company also observed another rather unexpected benefit.
“Some of our customers had automated the placing of orders on our sites and were blocked by DataDome,” explains Olivier. “The dashboard makes it very easy to unblock them, but more importantly, it has allowed our sales people to get closer to these customers, pay a little more attention to them, and find better ways to help them with the ordering process.”
Time savings.
Today, bot traffic takes up very little of Olivier and his team’s time. DataDome’s weekly reports reassure them that the solution is working properly, and the rare interventions consist mainly of unlocking, in a few clicks, any customers or partners who need automated access.
“DataDome’s dashboard is simple enough to easily check what’s going on, find an activity and block it if necessary, apply a Captcha or what have you, all without having to go through IT or managed services providers, for example,” explains Olivier.
“The solution perfectly complements Saint-Gobain’s system where IT service management is centralized and in charge of security, and where we, as an applications team, autonomously manage a tool that’s specific to our area of responsibility. It’s very satisfying.”