apidays LIVE Singapore 2021 - Digitisation, Connected Services and Embedded Finance
April 21 & 22, 2021
Novel approaches in API security
Dr Tal Steinherz, CTO at Syber.ai
1. Novel approaches in API security
Dr. Tal Steinherz, Co-Founder & CTO, Syber.ai
2. Today’s speaker
Dr. Tal Steinherz, CTO
• Former CTO, Israel National Cyber Directorate
• Former head of the Cyber R&D division in the Prime Minister’s office
• A record of delivering groundbreaking innovations
• PhD in machine learning
4. We live in an API Economy. Everyone needs API protection
“By 2022, 50% of web attacks will be through APIs” (Gartner)
“There is an 83% to 17% split between API and HTML traffic on our secure content delivery network” (Akamai, Feb ‘19)
“The size of the API economy was $2.2 Trillion in 2018” (Ovum)
6. What makes APIs so vulnerable?
• Open architecture
• Agile development cycles
• Many stakeholders
• Uncontrolled users
7. Companies face many API-related concerns
• Are there APIs that the organization is not aware of?
• Is there personal information that is leaking?
• Are we compliant with regulations? (HIPAA, Open Banking)
• Who is using our APIs?
• Is the usage authorized and reasonable?
8. What does good API protection include?
Confidential
• Hacking: malicious actors attacking the APIs
• Abuse: customers with valid credentials that are abusing their privileges. A revenue assurance risk
• Data Leaks: misconfiguration leading to personal information leaks. A regulatory concern.
10. Specific requirements
• Agentless
• Hybrid (on-prem and in the cloud)
• Transparent (no performance penalties)
• For some customers: compliant with (privacy) regulations
• Adjustable (to business logic)
General requirements
• API discovery
• Anomaly detection
• Investigation
• Remediation
12. The Spectrum of API Security Solutions
Development side (goal: design, document and perform development testing of APIs)
• API collaboration tools
• OpenAPI validation
• API BAS
Production side (goal: protect organizations against malicious API attacks, API data leaks and API abuses)
• RASP
• WAF
• Anti-bot
• API GW
• Network-based API monitoring
• API Agents
RASP = Runtime Application Self Protection
BAS = Breach and Attack Simulation
14. • Content (payload) inspection
• Multi-level profiling for every interaction between any user and any endpoint
• PII detection and association
• Time series and correlation
15. The importance of Deep Message Inspection
• Discovers APIs and builds an API catalog
• Detects leaking personal information
• Offers vertical-specific intelligence: Open Banking, HIPAA
• Cross-correlates multiple profiles to reduce false alerts
• Detects APIs that deviate from their Swagger/GraphQL definitions
• Captures API sessions of interest for deeper inspection and analysis
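As an added illustration of two of the deep message inspection capabilities listed above (not code from the talk or from Syber.ai), the following checks one API response body against a documented contract and walks it for personal information. The OpenAPI-style schema, the PII regexes and the sample response are all constructed for this example; the account number is the one on the banking slide.

```python
import re

# Constructed OpenAPI-style contract for one endpoint's response (not from the
# talk): the documented fields, their JSON types, and no undocumented extras.
SCHEMA = {"required": ["accounts"],
          "properties": {"accounts": "array", "customer_name": "string"},
          "additionalProperties": False}
JSON_TYPES = {"array": list, "string": str, "integer": int, "object": dict}

# Constructed PII detectors: label -> regex applied to every string value.
PII_PATTERNS = {"email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
                "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b")}

def schema_deviations(schema, payload):
    """Fields missing, undocumented, or of the wrong type vs. the contract."""
    found = [f"missing required field {r}" for r in schema["required"]
             if r not in payload]
    for name, value in payload.items():
        declared = schema["properties"].get(name)
        if declared is None:
            if not schema.get("additionalProperties", True):
                found.append(f"undocumented field {name}")
        elif not isinstance(value, JSON_TYPES[declared]):
            found.append(f"field {name} is not {declared}")
    return found

def pii_findings(value, path="$"):
    """Walk the payload; report (pii kind, JSON path) for each hit."""
    if isinstance(value, dict):
        return [f for k, v in value.items() for f in pii_findings(v, f"{path}.{k}")]
    if isinstance(value, list):
        return [f for i, v in enumerate(value) for f in pii_findings(v, f"{path}[{i}]")]
    if isinstance(value, str):
        return [(kind, path) for kind, rx in PII_PATTERNS.items() if rx.search(value)]
    return []

def deep_inspect(schema, payload):
    """One inspection pass: contract deviations plus where PII appears."""
    return {"deviations": schema_deviations(schema, payload),
            "pii": pii_findings(payload)}

# Constructed response: an undocumented "debug" object leaks an SSN and e-mail.
SAMPLE = {"accounts": [{"number": "891 5533 4567", "balance": 15430}],
          "customer_name": "A. Example",
          "debug": {"ssn": "123-45-6789", "email": "a.example@example.com"}}
```

The undocumented field is the Swagger-deviation signal, and the JSON paths of the PII hits are what an analyst would associate with the endpoint and user when triaging a leak.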
16. Extracting valuable information
APIs carry a lot of repetitive data. Identifying the unique information allows us to:
• Detect anomalies
• Dramatically reduce the storage required to keep a significant transaction history
17. Example: Banking API
Endpoint identifier: DF56KR
User ID: 5934023
Normal: Account number 891 5533 4567, $15,430
Someone else’s data: Account number 891 5577 1234, $79,023
Data leak: Account number 891 5533 4567, $15,430, Credit rating 640
Potential attack: Account number 891 5533 4567, $15,430; Account number 891 5533 4568, $4,699; Account number 891 5533 4569, $1,700
19. The importance of profiling on multiple dimensions
The benefits of multi-dimensional profiling
• Profiling in multiple dimensions helps discover the full range of threats
• Cross-correlating these dimensions dramatically reduces false alarms
What we profile
• Call: a single API request/response pair
• Session: a set of consecutive API calls with the same credentials
• User: a history of sessions for each user
• IP: aggregated calls from the same IP address over time
• API: all calls to the same API endpoint
20. The importance of flexible deployment models
As an API Proxy
• Instant deployment
• Useful for 3rd party cloud-to-cloud (e.g. Teams to Hubspot, Salesforce to Marketo)
• Can filter traffic
As an API Sniffer
• Receive a copy of the API traffic
• Supports cloud and on-prem deployments
• Agentless
• No impact on API reliability
• No impact on API performance
21. The API protection problem is nearing an inflection point
• Regulations: privacy regulations mandate securing the APIs
• Remote access: fewer in-person transactions, more remote work
• CISOs understand: existing security solutions don’t work for APIs
• Open banking: regulators forcing banks to open their APIs
• Hackers notice: APIs are the next frontier in cybercrime
22. Typical on-premise deployment
Diagram: Clients send API Calls through a Load Balancer & SSL Terminator to the API Servers; a Tap passes a copy of the traffic to the API Sniffer.
Best Practices
• Agentless
• Not in-line
• Vendor-agnostic
23. It is important to understand the specific API issues of each business process
• Generic API issues
• API issues specific to Open Banking
• API issues specific to Health applications
• API issues specific to Insurance
24. Supporting cloud AND on-prem deployments
On-prem is important because
• Many organizations still have most of their APIs on-prem. Thus, cloud-only solutions are not sufficient
• GDPR and other regulations are causing some companies to remain on-prem
• Cloud bills are causing some organizations to return to on-prem
• On-prem installations have a greater risk of misconfiguration
Cloud is important because
• New-economy companies are cloud-centric
• Many established organizations are moving to the cloud
25. We live in an API Economy. Everyone needs API security
“By 2022, 50% of web attacks will be through APIs” (Gartner)
“There is an 83% to 17% split between API and HTML traffic on our secure content delivery network” (Akamai, Feb ‘19)