For the last four years, Verizon data breach reports have consistently shown that authentication bypass and credentials compromise attacks are increasingly successful.
In fact, they cause the majority of organisational data breaches.
Such a breach, according to Verizon, costs an organisation more than US$2million on average. For organisations that rely solely on perimeter defences and the API gateway for API security, this is of great concern.
An extra layer of API security beyond the API Gateway should be a key priority.
Understanding APIs
In today’s technological ecosystem, any system can be connected to any other as part of a service for consumers, or an organisational or business process. What makes all this possible is Application Programming Interfaces (APIs).
APIs are literally the glue that connects the systems that need to communicate or exchange data. As increasing numbers of different systems become interconnected, Application Programming Interfaces (APIs) become even more critical to business operations.
For most businesses, APIs are also critical to service delivery: any compromise to APIs makes the associated service unavailable to customers and partners.
Clearly, securing these ‘glues’ is a priority for any organisation that uses them.
The common approach to API security
Many organisations’ API-based services were set up after the organisation’s IT network and security stack. This means that most of the organisation’s existing security against API-based attacks is not designed specifically for APIs. This approach has two key characteristics.
Security controls are used at the perimeter in a single layer. For most organisations, the perimeter is the most important layer of defence and security. This is typically where firewalls and security gateways are set up. For API services, organisations also implement the API gateway as a key security control. The API gateway is as important as the perimeter, as it authenticates and authorises incoming API requests and transactions. Within budget constraints, most large organisations will boost their perimeters with other controls such as Web Application Firewall (WAF), anti-scraping and anti DDoS (Distributed Denial of Service) products.
Perimeter defence is rule-based. Most of these controls at the perimeter are rule-based, which means that the systems function through a series of rules that determine what goes into the company systems and what doesn’t. Occasionally these rules are updated to reflect any observed changes in threat or fraud patterns.
The problem with typical API security approaches
The rule-based systems used in many perimeter security implementations are very good at detecting known threats and other, predictable attempts to attack or abuse the system. However, most API-based services are fuelled by agile software development practices and are constantly evolving. These changes also affect API — and service — usage patterns.
In this context, rule-based security struggles to detect novel attacks.
By contrast, the concept of Defence in Depth — or DiD — in a cybersecurity context recommends a layered approach to security. With this approach, an incoming digital request is screened multiple times using different techniques to determine any abuse or attack on the system.
The objective of DiD is to help ensure that if one security layer fails, the next layer may detect the attack. All the layers work together to prevent system compromise. Currently, many organisations have compensating controls, most of which are at the perimeter, but they lack comprehensive and API-specific DiD.
Machine Learning, in contrast to rule-based systems, uses mathematical models to constantly monitor multiple features of a problem space, and form patterns from different groupings of these features. Consequently, ML can predict with high accuracy how these patterns can evolve. This kind of adaptive technology ideally complements existing rule-based security controls for APIs. When the two are combined, organisations achieve a predictive capability which evolves with the system’s users.
The role of Point of Entry and Execution API traffic screening
Point of Entry and Point of Execution screening are applications of Defence in Depth. As the name suggests, these techniques ensure that any digital request for a service or data is screened for threats at the point of entry into the company’s network, and at point of execution when the request is processed.
Of course, this dual inspection doesn’t check for the same things twice; it screens for different attack vectors at different stages of the digital service pipeline. Given the modular nature of APIs and API requests, Point of Entry and Point of Execution API screening broadens the scope for API defence and offers a viable alternative for locking down and securing operational APIs.
Avoid the major cause of data breaches with Aiculus
Remember those expensive authentication bypass and credentials compromise attacks that Verizon reported on? Now we can see how important an additional layer of API security beyond the API Gateway is for avoiding them.
Aiculus’ approach to API security looks at the problem from an entirely different angle — one that seeks to protect organisations by preventing their APIs from being used as attack vectors.
Aiculus offers enhanced API and data protection by looking more deeply into the API request and using Machine Learning to search for indications of API abuse. Combined with a WAF, or the API Gateway, Aiculus realistically enhances the organisation’s Defence in Depth in API security.
Given the gap in API Point of Execution security screening for most organisations, Aiculus is a critical security bolster and offers organisations a real chance of detecting sophisticated API attacks hidden within the API request.