Data Matters — Is Your API Security Data Rich or Data Poor?
For many organizations, APIs now serve as the connective tissue that brings application functionality and data together to power critical business processes — both internally and with partners. This shift has unlocked many new business opportunities across a diverse set of industries. But it has simultaneously created an entirely new set of challenges for enterprise security teams.
Early efforts by security teams to adapt to the API wave largely followed the traditional enterprise security playbook: analyze events in the moment, respond based on predefined policies, and move on. This approach has the benefit of immediacy, but it falsely assumes that all attacks (a) have been seen before, and (b) are executed as a single, point-in-time event.
This approach also leaves security teams with a data-poor API security model that is incapable of detecting the more sophisticated API attacks that unfold in small steps over a longer period. In effect, everything that is detected is immediately forgotten.
As we’ve already seen in other areas like extended detection and response (XDR), evolving to a data-rich security approach that can form a deeper understanding of normal behavior and detect behavioral anomalies is the most effective way to stay a step ahead of today’s ever-evolving API threats.
How a data-rich API security approach works
The cornerstone of a data-rich API security approach is a scalable data lake capable of storing and analyzing your complete set of API activity data over 30 days or more.
This is not a trivial investment, but taking this step unlocks several critical capabilities:
It allows you to better understand the entities involved in your API activity and incorporate this additional layer of context into your detection efforts.
It enables the use of behavioral analytics techniques to establish baselines of behavior and detect anomalies that are too nuanced or novel for point-in-time detection rules to detect.
It allows your team to go back in time to gain a deep understanding of historical attacks and possible future threats.
To be effective, your API data lake must ingest API activity data from as many sources as possible, such as your API gateway and infrastructure components like cloud platforms, microservices orchestration tools, network devices, content delivery networks, and more. This will ensure that you have a complete view of API activity, even rogue or shadow APIs that you didn’t know about in advance.
Using richer data to enhance API threat detection
Once you have a data lake with a complete and contextualized history of API activity data, you can enhance your API threat detection capabilities in numerous ways. The most impactful way that a data-rich API detection approach helps is by differentiating between normal and malicious behavior with a much higher degree of accuracy.
API attacks are generally more nuanced than most other types of security threats. While traditional application-focused attacks often exploit vulnerabilities to breach an organization’s infrastructure, a high percentage of API-focused attacks would be better characterized as abuse. After all, why put the effort into executing a breach when you can get the same sensitive data or functionality by simply asking an API for it in a creative way?
Even when sound DevSecOps practices are used, developers can’t anticipate every possible way that an API may be used in an unintended manner. Data scraping is a simple example of this.
A small number of API queries by an authorized partner may represent normal and approved behavior.
A large number of nearly identical API queries, executed every hour for several months, could effectively represent a new kind of data breach.
Yet, all these events look the same to an API security tool that only performs point-in-time analysis.
And there are, of course, many more sophisticated ways that threat actors abuse the business logic codified into API implementations or exploit authentication and authorization flaws to use APIs in unintended ways.
Harnessing a data-rich approach to more accurately differentiate between similar events that mean very different things based on context is critical to effective API security.
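To make the scraping scenario concrete, here is an added example (not code from the article or from any Akamai product) that runs two detection rules over a constructed API activity log: a stateless per-minute rate check, and a 30-day lookback that flags a consumer enumerating one endpoint template with fresh ids across many days. The partner keys, paths and thresholds are invented for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ID_RE = re.compile(r"/\d+(?=/|$)")  # numeric path segments such as /customers/1234

def make_logs():
    """Constructed sample API activity: (timestamp, api_key, path) tuples."""
    base = datetime(2024, 1, 1)
    logs = []
    # partner-a: a handful of varied customer lookups on day one (normal use)
    for i in range(5):
        logs.append((base + timedelta(minutes=7 * i), "partner-a", f"/v1/customers/{1000 + i}"))
    # partner-b: one lookup with a fresh id every hour for 60 days (slow scrape)
    for h in range(24 * 60):
        logs.append((base + timedelta(hours=h), "partner-b", f"/v1/customers/{5000 + h}"))
    # partner-c: 50 lookups inside a single minute (a burst a rate limit catches)
    for i in range(50):
        logs.append((base + timedelta(seconds=i), "partner-c", f"/v1/customers/{9000 + i}"))
    return logs

def template(path):
    """Collapse numeric segments so /v1/customers/42 and /v1/customers/43 compare equal."""
    return ID_RE.sub("/{id}", path)

def point_in_time_rule(logs, max_per_minute=30):
    """Stateless per-minute rate check; returns the api_keys it flags."""
    per_minute = Counter((key, ts.replace(second=0, microsecond=0)) for ts, key, _ in logs)
    return {key for (key, _), n in per_minute.items() if n > max_per_minute}

def slow_scrape_rule(logs, window=timedelta(days=30), min_calls=500, min_active_days=20):
    """Lookback over the retained window: flag a key whose calls to one endpoint
    template enumerate mostly distinct resource ids, spread across many days."""
    end = max(ts for ts, _, _ in logs)
    calls = defaultdict(list)
    for ts, key, path in logs:
        if ts > end - window:
            calls[(key, template(path))].append((ts, path))
    flagged = {}
    for (key, tpl), hits in calls.items():
        ids = {p for _, p in hits}
        days = {ts.date() for ts, _ in hits}
        if len(hits) >= min_calls and len(days) >= min_active_days and len(ids) >= 0.9 * len(hits):
            flagged[key] = {"template": tpl, "calls": len(hits),
                            "distinct_ids": len(ids), "active_days": len(days)}
    return flagged

if __name__ == "__main__":
    logs = make_logs()
    print("point-in-time flags:", point_in_time_rule(logs))  # {'partner-c'}
    print("30-day lookback flags:", slow_scrape_rule(logs))  # only partner-b
```

The hourly scraper never exceeds one call per minute, so the rate check stays silent; the lookback only works because the preceding 30 days of activity were retained rather than forgotten after each request.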
To be clear, there is still significant value in attempting to detect and stop clearly identifiable API attacks as they happen by using traditional web application and API protection (WAAP) technologies. But with APIs, complementing real-time detection with deeper analysis through a lens with a wider aperture is critical. In addition, automated responses can still be taken to stop API abuse, even if it is detected through deeper analysis over time.
Empowering responders and threat hunters
The business impact of a data-rich API approach extends well beyond the point of detection. One of the biggest challenges that many security operations teams face is that they are bombarded with alerts but they don’t have the tools at their disposal to dive deeper into what they are seeing.
After all, when an accurate alert is received, this is the beginning — not the end — of the detection-and-response process. A data-rich API security approach gives incident responders the power to go back in time and truly understand what happened — just as a security professional in the physical world might do with a digital video recorder. This gives them a simple and repeatable workflow for investigating threats efficiently and thoroughly and for identifying the steps required to mitigate them.
A well-organized and human-readable history of all API activity is also invaluable to threat hunters. It makes it easy for them to identify the most concerning risk areas efficiently and drill up or down to further their understanding of possible threats — and how to mitigate them. This makes it much more practical to implement a proactive threat hunting function to complement your API threat detection capabilities (Table).
How Akamai API Security can make you data rich
Although implementing data-rich API security on your own might seem daunting, Akamai makes adding these capabilities to your overall security strategy faster and easier.
Akamai API Security is a 100% software as a service (SaaS)–based solution that applies XDR concepts to your API estate. It can be deployed alongside Akamai App & API Protector or on a stand-alone basis to:
Continuously discover APIs in your environment
Maintain a data-rich, 30-day view of all your API activity
Identify and map relationships among entities involved in your API usage
Use sophisticated behavioral analytics to establish baseline normal API usage and detect anomalies
Provide detailed insights and recommendations in response to detected threats
Automate seamlessly with your security operations and IT stack to streamline incident response and threat hunting
Learn more
We are introducing a new monthly technical webinar series, If Your APIs Could Talk. Our first webinar covers the importance of storing data as part of your API security strategy.