Business applications have become API-centric as organisations have transformed on their digital journeys, an evolution driven by the demands of their markets, both business-to-business and business-to-consumer.
The cliché of “there’s an app for that” is now rather “there’s an API for that.”
Legacy applications were typically monolithic: a single code base, where releasing a new feature or enhancement meant a disruptive, all-or-nothing deployment. Today those monoliths are being broken up into micro-services architectures, in which smaller, focused services collectively provide the application’s full functionality. Each micro-service has its own code base and sits behind its own set of APIs, so a modern application is composed of many APIs.
Threat actors know how central APIs have become to business operations, and they look for blind spots in those operations to reach sensitive data. As a result, APIs are becoming a frequent attack vector for organisations.
Common approaches to protecting APIs rely on the following technologies: Web Application Firewalls (WAFs), API gateways, load balancers, and edge technologies such as CDNs.
These technologies take a layered, rules-based approach to securing APIs, meaning you must first know each API and each endpoint you wish to protect (the what), and then define which types of attack you want to protect it against (the how). Keeping those rules accurate requires discipline and mature governance, and the administrative overhead grows with every new endpoint and every change to an existing one.
To secure APIs with confidence, you need real-time discovery of the APIs and endpoints you actually have, and the same visibility into how they are used, how they behave and what kind of information they expose. Rules-based technologies cannot achieve this dynamically, because they rely entirely on humans to define what to protect and how. Threat actors know this and have moved on from the well-known attack patterns that a rule can match. Instead of a ‘one and done’ request, they run ‘low and slow’ campaigns that stay under rate limits and abuse the business logic of an API, for example by walking through object identifiers one request at a time until sensitive information has been extracted. Each of those requests is well-formed and individually permissible, so a rules-based approach cannot block them; detecting the campaign requires additional context about what normal use of the API looks like.
Truly understanding and protecting APIs therefore requires a different approach to the problem, a shift that has been taking place across the cybersecurity industry, not only for APIs.
Rather than only deciding which traffic a rule allows, we need to look at the data from all of the components involved in serving an API’s requests and responses: gateways, load balancers, application servers and the services behind them. That produces large volumes of mostly unstructured data, commonly referred to as Big Data.
This Big Data is collected into an analysis engine, where Machine Learning (ML) and Artificial Intelligence (AI) techniques correlate events into the most frequent attack types and, just as importantly, learn the expected behaviour of each API: which clients call it, from where, how often, and what it normally returns. That learned behaviour is the context that rules lack.
Consider the attack type ranked number one in the OWASP API Security Top 10, Broken Object Level Authorisation (BOLA), which accounts for approximately 40% of API attacks. In a BOLA attack the caller is authenticated and every request is syntactically valid; the flaw is that the API never checks whether that caller is allowed to access the particular object whose identifier is in the request, so changing /orders/1001 to /orders/1002 returns someone else’s order. A rules-based control sees a well-formed request carrying a valid token and cannot know the access is wrong without understanding the API’s business logic. Note that the root cause is a missing authorisation check in the API itself: behavioural analysis can catch an enumeration campaign in progress, but the fix is to enforce object-level authorisation in code.
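The following is an added example, not code from the original article: a handler for GET /orders/{id} with the BOLA flaw described above, beside a fixed version that routes every order access through one object-level authorisation check. The in-memory order store, the customer names and the `caller` identity (assumed to be set by the framework after authentication) are all constructed for illustration, and no web framework is imported so the code runs stand-alone.

```python
"""Added example (not from the original article): a BOLA-vulnerable handler
for GET /orders/{id} next to the fixed version.

Assumptions, for illustration only: an in-memory order store; `caller` is the
identity the web framework established during authentication; no framework is
imported so the code runs offline.
"""

# Constructed sample data: each order belongs to exactly one customer.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00, "status": "paid"},
    1002: {"owner": "bob", "total": 99.50, "status": "shipped"},
}


class NotFound(Exception):
    """The object does not exist, or the caller is not allowed to know that it does."""


def get_order_vulnerable(caller: str, order_id: int) -> dict:
    """GET /orders/{id} with Broken Object Level Authorisation.

    The caller is authenticated (we know who they are) and the request is
    well-formed, so a WAF or gateway rule has nothing to object to. But the
    handler never asks whether *this* caller may read *this* order, so any
    logged-in user can read any order simply by changing the ID in the URL.
    """
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def load_owned_order(caller: str, order_id: int) -> dict:
    """Single choke point for the object-level check.

    Every handler that touches an order goes through here, so a new endpoint
    cannot forget the check. A failed ownership check is reported exactly like
    a missing object, so an enumerator cannot use 403-versus-404 responses to
    learn which IDs exist (assumption: this API has no need to distinguish them).
    """
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        raise NotFound(order_id)
    return order


def get_order_fixed(caller: str, order_id: int) -> dict:
    """GET /orders/{id} with the object-level check in place."""
    return load_owned_order(caller, order_id)


def cancel_order_fixed(caller: str, order_id: int) -> dict:
    """POST /orders/{id}/cancel reuses the same check; returns the updated order
    as a new dict so the sample store is left untouched."""
    order = load_owned_order(caller, order_id)
    return {**order, "status": "cancelled"}


def outcome(handler, caller: str, order_id: int) -> str:
    """Compare handlers: 'ok:<owner>' if data came back, else 'not_found'."""
    try:
        return "ok:" + handler(caller, order_id)["owner"]
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    # bob asks for alice's order: the vulnerable handler leaks it, the fixed one does not.
    print("vulnerable:", outcome(get_order_vulnerable, "bob", 1001))
    print("fixed:     ", outcome(get_order_fixed, "bob", 1001))
```

The important design choice is that the authorisation decision is attached to the object, inside `load_owned_order`, rather than to the endpoint: a gateway rule that permits "authenticated users may call GET /orders/{id}" is satisfied by both requests above and cannot tell them apart.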
The behavioural and contextual analysis this approach provides identifies when an API is being used outside of the norm. That can be as simple as where it is being accessed from, or by whom. More importantly, it shows when an API is being driven outside of its intended design parameters, such as a single client retrieving far more distinct objects than any legitimate user ever does.
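As an added example, not code from the original article, the block below contrasts the two kinds of control described in this section and the ‘low and slow’ discussion above. A per-client rate rule, the sort of thing a WAF or gateway enforces, is run over a constructed access log in which one client walks through order IDs at one request every five minutes; every request is well-formed, authenticated and answered with a 200, so the rate rule never fires. A baseline of how many distinct objects a normal client touches is then learned from a constructed period of known-good traffic, and the same log is checked against it. The log format, the client names, the tolerance multiplier and the request rate are all assumptions for illustration.

```python
"""Added example (not from the original article): a context-aware check that
catches a low-and-slow object enumeration which a per-request rate rule misses.

Assumptions, for illustration only: a constructed access log in the format
"<ISO timestamp> <client> <method> <path> <status>", a baseline learned from a
period of known-good traffic, and a hand-picked tolerance multiplier.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed known-good traffic: each customer reads only their own few orders.
BASELINE_LOG = """\
2024-05-01T09:00:00 alice GET /orders/1001 200
2024-05-01T09:03:00 alice GET /orders/1001 200
2024-05-01T09:20:00 alice GET /orders/1017 200
2024-05-01T09:01:00 bob GET /orders/1002 200
2024-05-01T09:30:00 bob GET /orders/1002 200
2024-05-01T09:05:00 carol GET /orders/1040 200
2024-05-01T09:06:00 carol GET /orders/1041 200
"""

# Constructed traffic under attack: mallory walks the IDs one request every five
# minutes. Each request is well-formed, authenticated and answered 200, so no
# single request looks wrong.
LIVE_LOG = """\
2024-05-01T10:00:00 alice GET /orders/1001 200
2024-05-01T10:04:00 alice GET /orders/1017 200
2024-05-01T10:00:00 mallory GET /orders/1001 200
2024-05-01T10:05:00 mallory GET /orders/1002 200
2024-05-01T10:10:00 mallory GET /orders/1003 200
2024-05-01T10:15:00 mallory GET /orders/1004 200
2024-05-01T10:20:00 mallory GET /orders/1005 200
2024-05-01T10:25:00 mallory GET /orders/1006 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /orders/(\d+) (\d+)$")


def parse(log: str) -> list[dict]:
    """Turn the constructed log text into event dicts; non-matching lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, oid, status = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "client": client,
                           "method": method, "oid": int(oid), "status": int(status)})
    return events


def rate_rule_alerts(events: list[dict], max_per_minute: int = 10) -> set[str]:
    """The kind of rule a WAF or gateway applies: flag a client that exceeds
    max_per_minute requests in any sliding 60-second window."""
    alerts = set()
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e["ts"])
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(minutes=1):
                start += 1
            if end - start + 1 > max_per_minute:
                alerts.add(client)
                break
    return alerts


def distinct_objects_per_client(events: list[dict]) -> dict[str, int]:
    """The context the rate rule lacks: how many different objects each client touched."""
    seen = defaultdict(set)
    for e in events:
        seen[e["client"]].add(e["oid"])
    return {client: len(ids) for client, ids in seen.items()}


def learn_baseline(events: list[dict], tolerance: float = 3.0) -> float:
    """Learn what normal looks like from known-good traffic: a threshold of
    mean + tolerance * standard deviation of distinct objects per client."""
    counts = list(distinct_objects_per_client(events).values())
    return mean(counts) + tolerance * pstdev(counts)


def behaviour_alerts(events: list[dict], threshold: float) -> dict[str, int]:
    """Flag clients whose distinct-object count exceeds the learned threshold."""
    return {client: n for client, n in distinct_objects_per_client(events).items()
            if n > threshold}


if __name__ == "__main__":
    threshold = learn_baseline(parse(BASELINE_LOG))
    live = parse(LIVE_LOG)
    print("learned threshold (distinct objects):", round(threshold, 2))
    print("rate rule alerts:", rate_rule_alerts(live))          # empty set
    print("behaviour alerts:", behaviour_alerts(live, threshold))  # {'mallory': 6}
```

A real engine would learn this per endpoint, per time window and over many more features than a single count, but the shape is the same: the rule evaluates each request on its own and passes all of them, while the baseline compares a client’s aggregate behaviour against what the API’s legitimate users actually do.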
In conclusion, discovering and protecting your APIs, and improving their posture against today’s threats, takes more than a traditional rules-based approach. You need context, and that context can only be derived from solutions powered by real-time Big Data analysis that keeps improving as it learns your APIs’ behaviour.

