2022 APIsecure_Monitoring and Responding to API Breaches
Download as PPTX, PDF0 likes101 views
The document discusses monitoring and responding to API breaches. It notes a large increase in API traffic and attacks in recent years as companies increasingly leverage APIs. Responsibility for API security is often unclear as it involves multiple teams. Many companies secure APIs the same way they secure web applications, which can be insufficient. The document recommends establishing API discovery, threat monitoring, integration with security platforms, and log retention to aid in prevention, detection during incidents, and post-incident forensics. Tools like WAFs, API gateways, and testing can help, but a holistic approach across the development lifecycle is needed to properly secure APIs.
2022 APIsecure_Monitoring and Responding to API Breaches
- 1. Monitoring and Responding to API Breaches API SECURE 2022 Carolina Ruiz Brier & Thorn
- 2. THE THREAT LANDSCAPE Companies are leveraging APIs more frequently. With a total increase of API traffic of 321% (Salt Security, 2022) in comparison to last year. With the majority of the companies cite • Development Efficiencies/ Standardization • Platform System Integrations • Cloud Migration As the main drivers behind the use of API. In 2021, a total increase of 681% (Salt Security. 2022) of attack traffic for APIs was detected. “Gartner predicts that by 2022, application programming interface (API) attacks will become the most-frequent attack vector...” Companies are struggling to keep up with the deployment of APIs unable to perform security testing fast enough . A narrow view on API Security, viewing prevention as the only security strategy.
- 3. THE THREAT LANDSCAPE Platform or Product Team , 2% Other , 1% DevSecOps, 12% DevOps, 11% Developers, 29% AppSecTeam , 21% API Team , 14% Infosec , 10% A multi- department approach is needed to tackle all of the challenges with API security. Efforts to fill in the gaps in knowledge regarding API security is necessary for all teams involved. Companies are struggling to define responsibilities for API Security. 41% Companies secure their APIs in the same way that they secure their web applications (Dark Reading, 2021)
- 4. WHAT ABOUT MONITORING PREVENTION RESPONSE FORENSICS Before the Incident During the Incident After the Incident API Discovery Behavior and Analytics Identify your business as usual Threat Monitoring Log and identify malicious activity Integration Consolidate to a security platform (e.g. SIEM, XDR) Use Case Creation e.g Create alarms based on applicable use cases. Log Retention Historical logs will prove critical during forensics effort. Shadow API: APIs that existing outside of the official maintenance processes. Zombie API: Forgotten APIs T O O L S 1 0 1 T O O L S + CDN/ ADC WAF API GATEWAY Helps with latency, reliability and traffic spikes and provides some protection against volumetric DDOS Attacks Will provide protection against application layer attacks such as SQL injection, cookie poisoning and cross-site scripting (XSS). Supports companies in routing API request, aggregating API responses etc.… whilst protecting against an array of vulnerabilities. (e.g. Invalid input) Dynamic and Static Application Test API Penetration Testing
- 5. Q&A www.brierandthorn.com www.linkedin.com/company /brier-&-thorn @brierandthorn www.brierandthorn.com.mx https://mx.linkedin.com/company/b rier-&-thorn-mexico-s-a-p-i-de-c-v @BrierandThornMX Brier & Thorn Inc. Brier & Thorn México Carolina Ruiz www.linkedin.com/in/carolinamruiz @RuizCarolinaM
Editor's Notes
- #2: My name is Carolina Ruiz, CEO of Brier & Thorn, Managed Security Service Provider and a long-time cybersecurity and compliance enthusiast.
- #3: According to the report “State of API Security” by Salt Security. As you can see between the growth % of API traffic and API attack traffic, is disproportionate. Meaning that we not only seen the the growth in attack traffic that match the growth in API infrastructure, but we see that this the attack traffic doubles it. The narrow view focusing almost exclusively on the prevention aspect of security. We got so caught up in protecting from an API attack that we lose sight that we should focus on protecting our environment or data from the risk associated to APIs – not just the API attack vector.
- #4: I’ve included this statistic from Drak Readings Secure Applications Survey, which states that 41% of companies use the same tools ans strategies to protect their API as they do with their web application. In this situation a good example would be relying solely on having a Web Application Firewall in place, although a WAF has its place within application security Its main focus it to protect against the OWASP Top Ten which difer from the OWASP AP Security Top Ten – effectively creating a gap in security and visibility. Lastly these following points focus on the confusion around the ownership of API Security, as detailed by the chart (From the Salt Security report) there is an evident confusion across companies of who should own it. Mention: Christine Bottagaro – Resurface on the importance of collaboration from the security team and development team – often times with the development not receiving sufficient training on security and on the other side security engineers coming from a network background requiring more training on the API side.
- #5: So how do we go about monitoring. Threat Monitoring: Maintaining an API logging system will be critical to identify anomalous and potentially malicious traffic promptly and aid the response time for security teams. Logging input validation failures, application errors and events that deal with the API functionality such as payments and settings. If there is anything I want you to leave this talk with, is that security monitoring for APIs is critical for companies and they must take a holistic and multi department approach. It is not enough to apply controls at the development level, we must ensure that we are prepared to monitor and respond to incidents as part of security operations as a whole.
- #6: II have included Brier & Thorn’s social media accounts as well as my personal accounts, if you want to follow, look at our content or just say hi. Thank you to API Secure for having me and ill open up for any questions.