Data Matters — The Value of Visibility in API Security
Welcome to part three of the three-part Data Matters blog series. In the first two posts in this series, Is Your API Security Data Rich or Data Poor? and Empowering Threat Hunters to Reduce API Risk, I discussed some of the ways that a data-rich API security approach makes API threat detection, incident response, and threat hunting more effective.
If you read those blog posts, you may have noticed that one common thread runs through all these security strategies: visibility.
The value of visibility
The importance of visibility in detecting and understanding security threats isn’t new. We’ve seen time and again in other areas of security that drinking from a fire hose of alerts is nowhere near as effective as being able to:
See a clear picture of what is happening
Connect actions and behavior with business impact
Use each threat discovery as a jumping-off point for finding others
The dangers of using an old playbook
Unfortunately, first-generation API security products have repeated the mistakes of the past in this area. There’s a reason for this: Unlike traditional endpoint and application use, API use is not limited by the constraints of human involvement. Data volume for most types of activity grows according to human factors, such as employee expansion or the introduction of new customer-facing applications.
API activity, in contrast, is primarily machine-to-machine communication. Therefore, its growth isn’t constrained by human involvement, and it can spike dramatically for both legitimate and malicious reasons.
Because it was impractical to spool large amounts of API activity data on-premises, first-generation API security products reverted back to the old playbook by attempting to analyze activity in the moment and block suspected threats based on predefined rules.
Predictably, this old playbook resulted in many false positives. But, more important, it failed to assemble a complete picture of what was really happening since threat campaigns often unfolded over weeks or months and could be indistinguishable from legitimate API use.
The importance of broad API discovery
Implementing a broad and comprehensive API discovery strategy is the first step in achieving an effective level of API security visibility. Even if your organization has formal processes in place for API deployment and decommissioning, and centralized infrastructure like an API gateway, rogue or shadow APIs have a way of appearing in unexpected places.
Nearly every organization that we engage with, including many with a high level of security maturity, finds a large assortment of APIs they weren’t aware of. They find forgotten legacy assets, development workarounds that never went away, and overlooked acquired systems, among others.
The only way to truly ensure that you have a full inventory of your APIs is by casting a wide net. In addition to pulling in information from obvious sources like your API gateway, you should also find ways to analyze activity data from all available data sources, including your cloud providers, microservices orchestration tools, network devices, and content delivery network.
Analyzing all this activity for evidence of API use is the only way to know for sure that you are seeing the whole picture of APIs that are exposed across your environment.
Growing and enriching your API data lake
As you might imagine, broad API discovery results in a large collection of API data that must be managed. This is particularly true if you want to keep a rolling history of 30 days or more, which is the only way to visualize the types of low-and-slow threat campaigns that are very common with API abuse.
A cloud-based data lake is the only way that this is practical at an enterprise scale. This investment provides the foundation for many of the advanced capabilities that I discussed in my previous posts, including:
Identifying and mapping the entities represented in your API activity
Establishing baselines of normal API use and employing anomaly detection to better distinguish between abuse and normal behavior
Giving incident responders and threat hunters an interface to replay activity and find similar instances of discovered malicious behavior quickly and easily
This is quite a bit different from the on-premises data processing approach that most first-generation API security products use. However, techniques like tokenization make it possible to store and analyze data with cloud scalability and elasticity while ensuring data confidentiality.
Turning API visibility into business impact
At the end of the day, API visibility is about one thing: empowering people to use their experience and intuition to spot the novel ways that threat actors exploit APIs every day.
An example of the power of complete visibility
One of our clients, a major entertainment company, experienced an unexpected spike in API requests that didn’t resemble their normal API use.
If this customer was using a first-generation API security product, one of two things would have likely happened:
They would have missed the incident; since it was a completely novel type of API activity for their environment, it was unlikely that they would have had a pre-defined detection rule for it
If they did detect the incident, it would have likely been ignored since their security operations center (SOC) team would have had limited ability to investigate further
Here’s what happened instead: Security operations (Akamai’s Security Operations Command Centers, in this case) engaged our ShadowHunt threat hunting service. Using the visibility provided by our cloud-based API security data lake, our threat hunters were able to replay the activity and trace it to a shadow API.
The threat actor was using an API in the customer’s environment to check the validity of stolen credit card numbers. So, in the end, the threat actors weren’t actually targeting the customer — instead they were hijacking the customer’s resources to commit crimes elsewhere.
Armed with a detailed understanding of what was happening and why, our team was able to block the attack, even as the threat actor took evasive action, such as shifting the attack source from a single IP address to a distributed botnet.
Although this is only one specific example, it demonstrates the power and business impact of moving from small, disconnected data points to complete API visibility.
Start your journey to data-rich API security
Akamai API Security is a 100% software-as-a-service (SaaS)–based solution that applies extended detection and response (XDR) concepts to your API estate. It can be deployed alongside Akamai App & API Protector or on a stand-alone basis to:
Discover APIs in your environment continuously
Maintain a data-rich, 30-day view of all your API activity
Identify and map relationships between entities involved in your API use
Use sophisticated behavioral analytics to baseline normal API use and detect anomalies
Provide detailed insights and recommendations in response to detected threats
Automate seamlessly with your security operations and IT stack to streamline incident response and threat hunting