Is there a clear winner for perimeter API security versus a holistic approach?
Threat detection and incident response (TDIR) has never been more critical. According to Statista, citing chief information security officers (CISOs), three in four companies in the United States were at risk of a material cyberattack in 2023. The goal of TDIR is to identify potential threats and respond before they can impact a business.
Complicating TDIR efforts is the significant need to keep application programming interfaces (APIs) secure. In today’s digital environment, APIs are the backbone of enterprise applications, comprising over 80% of all internet traffic. APIs have changed how web applications are developed, providing communication pipelines between multiple distinct services and micro-services. With a micro-service architecture enabled by APIs, developers innovate more quickly to add the features that customers or internal users need.
Cybersecurity Blind Spot
API activity is often the largest blind spot in cybersecurity programs. The average cost of an API security breach is $6.1 million. APIs come under attack by threat actors because they are public targets and because of their constantly changing nature. With the proliferation of web application development and usage, enterprises often are not sure how many APIs they have to monitor. This fosters a sprawling attack surface and puts security teams in a precarious position: they cannot assess enterprise risk or confidently protect what they do not know they have. Because APIs are often available over public networks, easily accessible, and typically well-documented, malicious actors can quickly reverse-engineer API requests to reach their objectives, such as stealing personally identifiable information (PII). With the increasing complexity and sheer volume of APIs, IT security teams, DevOps teams, and CISOs face the overwhelming challenge of discovering APIs, monitoring API activity, and recognizing indications of threats and exploited vulnerabilities.
Perimeter-based API Security – Where Standard WAFs Fall Short
API security solutions available on the market today often focus solely on the perimeter. It is logical to begin securing API traffic with a Web Application Firewall (WAF) or API gateway. However, just as we have layered defenses for our web services, relying solely on keeping threat actors outside the perimeter is not a fail-safe strategy.
While using a WAF is recommended, WAFs are not designed to protect against all classes of attacks. They are good at recognizing known attack techniques, but less adept at being fine-tuned for specific applications. There is a new class of attacks against APIs carried out by authenticated users. This class of attacks makes a WAF hard to harden, because doing so requires an understanding of particular user behaviors and application behaviors. Also, because they rely on both signature and ML-based anomaly approaches, WAFs generate a higher volume of false positives, which prevents automated actions.
Other concerns about WAF as a stand-alone strategy:
- They don’t speak the API language – Standard WAFs are fluent in HTTP/HTTPS, but not in the unique dialects of APIs, such as SOAP, XML-RPC, and gRPC, or in data formats such as JSON and XML.
- Encryption is often too advanced – WAFs inspect encrypted traffic, but they have no view into more complex encryption algorithms. The robust encryption used by APIs can severely limit a WAF’s ability to inspect API traffic effectively.
- A next-level approach is needed – APIs call for a more nuanced approach, including understanding the user, the application state, and the specific API endpoint. A standard WAF does not have this capability.
- Fast response to changing APIs – APIs are constantly evolving, altering the attack surface, and WAFs struggle to keep up without extensive manual configuration and tuning.
- Defense against zero-day exploits – APIs present unknown challenges with no patterns or signatures to detect, which is exactly what a WAF relies on.
Securing the Perimeter in an Open Environment
We naturally think of perimeter-based security the way we think about protecting the outside of a physical building, with locks and walls. However, APIs are, by nature, open and publicly available so that any developer can access backend data and use it to enhance their applications.
The new class of API threats takes advantage of this, requesting API tokens directly from the application vendor to obtain direct access. The authenticated threat actor can then use published documentation to enumerate legitimate API requests, identifying opportunities to gain a foothold in data or infrastructure they should not be able to access.
Focusing solely on securing the perimeter leaves unaddressed the problem of monitoring attacks that make it past the perimeter. While there are tremendous business benefits to allowing access to APIs and data for your customers, supply chain partners, and between applications, for security and DevOps teams this can lead to data leaks or even infrastructure access, creating security headaches.
Multi-Layer Holistic API Security – the Future?
Modern attacks are rarely a single step. They are often multi-layered, and API usage may be only one step in an attack. This is why preventing API attacks requires a multi-layer defense and full visibility into API requests and their respective responses, as well as recognition of activity from applications and systems beyond the perimeter. Understanding the full context of the API response reveals the nefarious activity behind the authenticated-user class of attacks. Coupled with real-time visibility into systems and applications, this allows for recognition of threat actors that cross API boundaries by exploiting misconfigurations, loose data barriers, or faults in the application. This level of visibility, connected across these data sources, allows for accurate threat recognition and rapid responses from security teams to neutralize threats before material impact.
Case in point: perimeter-based API security solutions typically monitor only requests, not responses. If a threat actor is posing as an authenticated user, for example, their requests will appear authentic. Responses may also look legitimate, returning a “200” status code indicating that the request succeeded. However, the body of that response may include leaked system headers, leaked directory listings, leaked runtime errors, and even leaked source code, any of which can be leveraged by the threat actor in the next steps of their attack. True visibility is achieved through a multi-layered security approach consisting of both perimeter and inside-the-perimeter defenses. This includes real-time monitoring for attacks and the analysis of end-to-end API request and response data, so security professionals have the insights needed to identify and address the gaps. This thorough visibility into APIs is necessary to pinpoint and isolate unknown attacks, since attackers keep finding innovative ways to remain undetected.
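As an added illustration of the two gaps described above (an authenticated token enumerating legitimate requests, and leakage hidden inside successful "200" responses), the following Python is example detection logic written for this article, not code from any product or vendor named here. It runs over a constructed sample of API request/response records; the record layout, leak patterns and enumeration threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic):
# (token id, method, path, status, response headers, response body)
SAMPLE_RECORDS = [
    ("tok-A", "GET", "/v1/users/1001", 200, {"content-type": "application/json"}, '{"id":1001,"name":"alice"}'),
    ("tok-A", "GET", "/v1/users/1002", 200, {"content-type": "application/json"}, '{"id":1002,"name":"bob"}'),
    ("tok-A", "GET", "/v1/users/1003", 200, {"content-type": "application/json"}, '{"id":1003,"name":"carol"}'),
    ("tok-A", "GET", "/v1/users/1004", 200, {"content-type": "application/json"}, '{"id":1004,"name":"dave"}'),
    ("tok-B", "GET", "/v1/debug", 200, {"server": "Apache/2.4.1", "content-type": "text/html"},
     "<title>Index of /var/www/app</title>"),
    ("tok-C", "POST", "/v1/orders", 200, {"content-type": "text/plain"},
     'Traceback (most recent call last):\n  File "app/orders.py", line 42, in create\n'),
    ("tok-D", "GET", "/v1/users/2001", 200, {"content-type": "application/json"}, '{"id":2001,"name":"erin"}'),
]

# Assumed indicators of internals leaking through a "successful" response body.
LEAK_PATTERNS = {
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|at [\w$.]+\(\w+\.java:\d+\)|Exception in thread"),
    "directory_listing": re.compile(r"Index of /", re.IGNORECASE),
    "source_code": re.compile(r"<\?php|^\s*(def|class|import) \w+", re.MULTILINE),
}
# Response headers that disclose server technology or versions.
SENSITIVE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Numeric path segment used to collapse /v1/users/1001 into /v1/users/{id}.
ID_PATTERN = re.compile(r"/\d+(?=/|$)")

def find_response_leaks(records):
    """Flag 2xx responses whose headers or body disclose internals; a request-only
    perimeter check would pass every one of these as a successful call."""
    findings = []
    for token, _method, path, status, headers, body in records:
        if not 200 <= status < 300:
            continue
        present = {k.lower() for k in headers}
        for name in SENSITIVE_HEADERS:
            if name in present:
                findings.append((token, path, f"header:{name}"))
        for label, pattern in LEAK_PATTERNS.items():
            if pattern.search(body):
                findings.append((token, path, label))
    return findings

def find_enumeration(records, threshold=3):
    """Flag tokens that walk many distinct object IDs under one endpoint template:
    each request is individually legitimate, only the breadth is suspicious."""
    seen = defaultdict(set)
    for token, _method, path, _status, _headers, _body in records:
        template = ID_PATTERN.sub("/{id}", path)
        if template != path:
            seen[(token, template)].add(path)
    return {key: len(paths) for key, paths in seen.items() if len(paths) >= threshold}
```

Both checks need the response and the per-token history, which is the data a perimeter-only deployment that inspects individual requests never sees.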
One of the most exciting developments in moving towards API strategy adoption is the recognition of the problem within the security industry. Gartner recently advised that organizations must put in place security controls to protect against the evolving API threat landscape. Whether perimeter-based or holistic, every API security control is one step forward in a TDIR strategy, and a win no matter how small the step. While there will be trial and error for many organizations, 2024 may just be the year that we see API security strategies develop at a more rapid pace, with many organizations taking the first step of quantifying their risks and their API inventory to better understand potential impacts.