2022 APIsecure_API Security & Fraud Detection - Are you ready?
0 likes135 views
The document highlights the increasing significance of API security, stating that APIs are vulnerable to attacks and are becoming the most frequent attack vector. It discusses various security challenges, including the need for specialized tools to protect APIs and detect fraud effectively. The proposed solutions involve advanced monitoring, encryption, and machine learning technologies to safeguard APIs against malicious activities and prevent fraudulent transactions.
2022 APIsecure_API Security & Fraud Detection - Are you ready?
- 1. API Security & Fraud Detection Are you ready ? APIsecure 2022 Amandine ELBAZE Cybersecurity Advisor Cybersolutions
- 2. THE KEY ROLE OF APIS • HTTP-based application integration protocol • M2M communication platform • Provides application interoperability • Opens doors for web/cloud services • APIs are business enablers • Integrates technology companies • APIs support modern IT infrastructure 2
- 3. According to Verizon: “90% of breaches targeted Web Applications AND APIs make up 90% of the web app attack surface area...” According to Gartner: In 2022, API’s will become “Most Frequent Attack Vector” “There’s been an increase in vulnerabilities that are either specific to APIs or present a bigger risk, which many developers are unaware of.” - Erez Yalon, Project Lead at the OWASP Security concerns on the rise:
- 4. API SECURITY CHALLENGES 4 APIs require a different approach at network security APIs expose core business data and services Business and regulations both create demand • 85% of all network traffic pass through an API • API Management & WAF don’t have the necessary tools to secure APIs • The API landscape is vast, growing and diverse • Malicious input must not reach core systems • Data leak prevention is a top priority of modern IT • Rising trend of attacks by passing perimeters via use of an internal server • Data must be secured both at rest- and in-transit • Grant access to third party providers • Compliance demands encryption, monitoring, fraud prevention, and content-based policies
- 5. API SECURITY Agile solution for webservice protection & control ▌ Added security layer for web applications and services ▌ Enforce Encryption, Security, Content and Monitoring policies ▌ Create logs straight from the API traffic ▌ Highly customizable policies ▌ Stop API specific attacks before they could reach your backend system… ▌ … and stop data leaks before sensitive information could leave the backend 5
- 6. API SECURITY Granular Control and Monitoring of API traffic ▌ Deep Packet Inspection of API traffic ▌ Full interpretation of SOAP and REST protocols ▌ Schema validation based on a Positive Security Model ▌ Custom Security Policies based on header and body contents ▌ Custom Logging Policies for SIEM, SOC, Big Data systems ▌ Custom TLS Encryption policies ▌ Easy deployment without the need to alter the protected backend system 6
- 7. ▌ Public APIs are vulnerable to botnets and malicious actors with automated exploit scanners ▌ They can cause service slowness and outages in business-critical systems ▌ Botnet attacks are hard to detect and identify with standard security tools The solution ▌ Quick response, lightweight solution to filter out malicious sources ▌ Custom threat intelligence feed integration ▌ Added GeoIP filtering 7 THREAT INTELLIGENCE Prevent Botnet attacks and zero-day attacks
- 8. Proxedo Security Flow 8 Filter Deserializer Decompressor Insight Enforcer Serializer Compressor Filter Serializer Compressor Insight Enforcer Deserializer Decompressor Request Response Client Protected Backend TLS Encyption TLS Encyption TLS Encyption TLS Encyption
- 9. ▌ Detecting fraud requires a specialized toolset ▌ These transactions should be stopped in transit, or marked for review in order to efficiently fight fraud ▌ This process must be automated, and must provide context to make accurate decisions The solution ▌ Fully integrated, precise and customizable solution for fraud detection ▌ Automated data collection and aggregation for monitored transactions ▌ Enrichment of transaction data for a wider scope of information and context in decision making ▌ Machine learning technology processing the digital footprint of each transaction 9 FRAUD DETECTION Prevent fraudulent financial transactions
- 10. Fraud Detection 10 Fraud Module Enrichment Response Scoring API call Data ▌ Basic building blocks of a transaction ▌ Enriched by multiple data sources to provide context ▌ Machine Learning process ▌ Include custom data ▌ Enriched data is scored based on context, relations, previous activity ▌ Custom scoring options ▌ Whitelist – Blacklist ▌ Machine Learning rules ▌ Block fraudulent transactions ▌ Log selected traffic contents ▌ Customizable policies ▌ SIEM integration for Alerts ▌ Big Data integration for fighting money laundering Score Log Alert Abort Enrich
- 11. Thank You ! Amandine Elbaze amandine.elbaze@cybersolutions.fr