What do Google, Facebook, Paypal, IRS, and USPS have in common? The answer is hackers exploited their APIs to access sensitive customer information. Although these API attacks were detected and exposed, most API-based attacks go undetected in today's technologically sophisticated world – particularly attacks that come from authenticated sources. With the number of APIs increasing constantly right along with the number of API attacks, API security has never been so important to an organization's success.
Ping Identity and MuleSoft have partnered together with a market-leading solution to tackle the complexities and nuances of protecting API infrastructures and the digital assets that they connect.
This session will discuss today’s API threat landscape and explore what you can do to both detect and block advanced attacks on APIs. The presentation will first dive into the API development lifecycle using a live API built with MuleSoft. We will look at some common monitoring capabilities on the MuleSoft API and what a security violation would look like.
Then, we will have some fun by simulating attacks on our own API. In this phase of the presentation, we will simulate some basic attacks and show how security policies or a web application firewall can block these common attacks.
From there, we will dive even deeper by simulating more advanced attacks from authenticated users (data theft and API takeover), hackers who have reverse engineered an API, and layer 7 DoS attacks that fly under the SLA radar. This is where we will showcase PingIntelligence’s advanced capabilities by showing how a MuleSoft API (or any other API) can connect with PingIntelligence to detect and prevent sophisticated attacks. This will allow the audience to see how the PingIntelligence software uses AI to discover and model normal behavior on an API to block and report on advanced attacks.
8. API Security Measures
• Basic authentication
• IP whitelisting
• Client ID enforcement
• SLA-based rate limiting and throttling
• OAuth 2.0
• JWT
• TLS
9. API Security + WAF
• Protects against many common attacks - OWASP Top 10 attacks
• SQL injection
• Cross-Site Scripting
• Body scanning
• DDoS
• What are the vulnerabilities?
• Advanced API attacks from authenticated hackers
• Detecting authenticated attacks is difficult!
14. Current API Security Landscape
• API Security Survey
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team’s awareness of all APIs
• Lesson learned: from reactivity to proactivity
16. The Difficult Problem of Securing APIs
High volume of traffic across many APIs
High velocity connections across many APIs
Variety of client types and activity
Who is responsible for APIs?
17. How Vulnerable are APIs?
API login and DDoS attacks: brute force login attacks; stolen identifiers; API DDoS attacks
Stolen account: account takeover; data theft; app control
Hackers using machine learning: every attack looks different; every blocked attack leads to a new attack; always getting smarter
18. Answer: Leverage AI
Model
• Behavioral learning
• Continuously build security model
Detect
• Look for deviations from the learned behavior
Block
• Block compromised tokens/access
• Notify/alert
19. PingIntelligence for APIs
Deep API visibility: dynamically discover APIs across all environments; monitor APIs across all environments
Automated threat detection and blocking: detect and block attacks on your APIs; API honeypots to instantly detect probing hackers
Self learning: use AI to build a behavioral model; no need to author and manage policies and update API security
21. Zero Trust
• You can’t trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
• Client app, user, 3rd party identities
(Diagram labels: GitHub leaking client secrets; phishing; stolen token; <api>; user data)
22. API Security + PingIntelligence
Scalable Multi-Cloud API Platform
• Content Injection: JSON, XML, SQL, XSS
• Flow Control: throttling, metering, quota management
• Access Control: AuthN, AuthZ, tokens
AI-Powered Threat Protection For APIs (PingIntelligence for APIs)
• Automated Cyber-Attack Blocking: blocks stolen tokens/cookies, bad IPs, and API keys
• API Deception and Honeypots: instant hacking detection and blocking
• Deep Visibility and Reporting: monitor and report on all API activity
23. PingIntelligence Augments API Security
API Gateways
• API management
• Security policies
Web Application Firewalls
• OWASP Top 10 protection
PingIntelligence for APIs
• Authenticated users
• Advanced attacks
24. Attack Landscape Summary
API breaches go undetected for months or years
Zero trust strategy for securing APIs is crucial
Gartner: "by 2022, API abuses will be the most frequent attack vector that result in breaches"
Many attacks can't be detected with traditional API security
Help is here from PingIntelligence + API Gateways
All of these phases are equally important
Only once you get to the management phase can you begin to properly secure and monitor your API, but security must be at the forefront of each phase – not an afterthought
Once in the management phase this is a typical process
So you can see that the management phase itself is not trivial!
Managing and monitoring an API should be ongoing, but that does not mean you always need a human’s eyes on glass
It’s important to note that most people who are developing APIs are familiar with these security measures, but common API security mistakes still occur far too often:
Leaving an API open to the world, aka no security at all
Not protecting data in transit
Security as an afterthought
Not assigning ownership
No plan/documentation for the API
We can fix those common mistakes by planning for security upfront and keeping it as a primary focus through each development phase
These API security measures are the basics, and at minimum should be implemented
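The measures on slide 8 are listed by name only. As an added example (not code from the presentation, Ping Identity or MuleSoft), here is what enforcing three of them looks like in a gateway policy: OAuth 2.0 bearer tokens carried as HS256 JWTs, validated with a pinned algorithm, constant-time signature check, expiry, issuer and audience checks, plus client ID enforcement against an allow-list. The shared secret, issuer URL, audience name and client IDs are hypothetical values constructed for the demo; a real deployment reads them from configuration and a key store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; a real gateway pulls these from configuration.
SECRET = b"demo-shared-secret-not-for-production"   # hypothetical HS256 key
EXPECTED_ISS = "https://issuer.example"             # hypothetical issuer URL
EXPECTED_AUD = "orders-api"                         # hypothetical API audience
ALLOWED_CLIENT_IDS = {"mobile-app", "partner-portal"}  # client ID enforcement list


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(claims, alg="HS256"):
    """Issue a demo token. The MAC is always HS256; 'alg' only sets the header,
    so the verifier's algorithm pinning can be exercised with a bogus value."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm. Accepting whatever the token declares is how
    # "alg: none" and key-confusion attacks get past a verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare so timing does not reveal how much of the MAC matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:      # real tokens may carry a list here
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("missing or past exp")
    if claims.get("client_id") not in ALLOWED_CLIENT_IDS:
        raise ValueError("client ID not allowed for this API")
    return claims


def is_authorized(token, now=None):
    """Gateway-style yes/no decision for a bearer token."""
    try:
        verify_token(token, now)
        return True
    except ValueError:   # covers JSON and base64 decoding errors too
        return False


if __name__ == "__main__":
    demo = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": 2_000_000_000,
                       "sub": "alice", "client_id": "mobile-app"})
    print(is_authorized(demo, now=1_700_000_000))
```

Note what this does not do: a token stolen from a legitimate client passes every one of these checks, which is exactly the gap the rest of the presentation is about.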
This is the next step in API security beyond just securing your API directly
This is securing for known vulnerabilities! The unknowns remain unknown
Google took 2.5 years to detect a breach
This is a typical “best practice” architecture.
It is great for blocking many common attacks.
The API train has left
All future value to customers will be routed through APIs in some way or another
Almost 50% of people purchased an API for security, and that is changing rapidly: now it is about getting value out of it, exposing data, connecting systems, etc.
Digital transformation -> guess who is equally excited about this open API world we like to paint a picture of? Hackers are!
What is happening is a direct correlation between API growth and attacks
As APIs are created, the attack surface of systems/applications is increased
Fingers get pointed at API practitioners
2018 was not a great year, and 2019 has not been a great year either, for folks tasked with protecting API infrastructures.
We saw that many major companies have gotten breached – companies most consider to be on the forefront of the tech industry, including Facebook and Google
First off, it is very common that organizations and people don’t feel confident in actually securing the APIs they are developing. This is an interesting point because the line between security groups (infosec) and development groups in IT is blurry.
Who owns APIs?
Who is tasked with securing them?
Who is in charge of documenting them?
Who is in charge of sustainment and maintenance?
Security teams argue they are not aware of all APIs, but developers argue they are not in charge of securing APIs
Over the last few years we have seen a formidable increase in both the velocity and sophistication of cyber attacks on APIs
When you do a post-mortem on many of the recent attacks you find a few things in common.
The majority of attacks are coming from authenticated users and from hackers who have reverse engineered the API
Reactive -> Proactive
We need to be thinking from this perspective
Average time to detection is flabbergasting (for facebook 18 months – Google 2 years)
Take the case of Location Smart, a 3rd-party API that was being misused to identify the location of users from all the major telcos.
It is hard to detect attacks, and many fly under the radar for long periods of time.
API management is crucial here
Hackers are getting smarter
Flying under the radar of many detection systems
Very advanced attacks where no two attacks are the same
Again, must go from reactivity to proactivity
API Security is not trivial --- it is tough and nuanced
And when you think about it, it is almost a perfect dichotomy.
As infosec professionals we wake up every day pursuing the task of protecting our organization’s data, systems, and applications.
Digital transformation initiatives around APIs are doing the exact opposite – they are rapidly opening up access to our data and applications to a wealth of new partners and customers
Only once you digest that fact do you begin to understand why API security is so challenging and complex.
True big data problem -> seeking to find that needle in the haystack
Many connections - many things happening – credential theft on the rise
Not to mention most malicious traffic and abuse coming from authenticated users
We can talk about API login and DDoS attacks and stolen accounts, but this is what we know. What we don’t know is the scary part!
Since hackers are getting smarter, APIs (even with the best practices of API security + WAF) are vulnerable
What we’re really worried about here is that no two attacks are the same!
API Login and API DDoS Attacks
•Brute force login attacks
•Stolen identifiers: cookies and tokens
•API specific DoS and API DDoS attacks
Compromised Account / Insider Attacks
•Account take over
•Data theft
•Application control
Hackers using Machine Learning
•Every attack looks different
•Every blocked attack leads to a new attack …
Can Machine Learning Help? Yes.
I imagine most everyone in the audience is familiar with UBA – user behavior analytics in the context of threat detection?
UBA is great but will perpetually fall short because human beings are innately unpredictable creatures.
An API is starkly different from a human being: it is purpose-built to do narrow tasks around pushing and pulling data and providing access to systems.
So if you can leverage ML and AI to model and understand what normal behavior looks like on each of your APIs, it gives you the unique vantage point to identify all sorts of misbehavior and outright attacks that come from authenticated users.
You are already collecting all of this data with your API gateway, so you might as well use it and mine it.
Moreover, ML can identify a multitude of client identifiers (tokens, cookies, API keys, IPs) and be used to block them automatically
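To make the Model / Detect / Block loop of slide 18 concrete, and to show why the WAF on slide 9 is blind to the attacks described here, the following is an added example: it is not the presentation's code and not how PingIntelligence is implemented. It runs a signature scan (the WAF's job) and a per-token behavioural baseline over constructed request records: ten normal clients in a training window, then a live window containing one injection attempt and one stolen token enumerating other customers' orders. The path layout `/v1/orders/{id}`, the token names and the request volumes are all invented for the demo; the features (request count and distinct resource IDs per token) and the z-score threshold are one simple choice among many.

```python
import re
import statistics
from collections import defaultdict

# ---- 1. WAF-style signature scanning: catches known attack strings only ----
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|\bor\s+1\s*=\s*1|'\s*--)"),
    "xss": re.compile(r"(?i)<\s*script|javascript:"),
}


def waf_scan(request):
    """Return the first matching signature name, or None if path and body look clean."""
    text = request["path"] + " " + request.get("body", "")
    for name, pattern in SIGNATURES.items():
        if pattern.search(text):
            return name
    return None


# ---- 2. Behavioural model: what does each authenticated token normally do? ----
ORDER_ID = re.compile(r"^/v1/orders/(\d+)$")   # hypothetical resource path


def token_features(requests):
    """Per-token features over a window: request count and distinct order IDs read."""
    acc = defaultdict(lambda: {"count": 0, "ids": set()})
    for r in requests:
        acc[r["token"]]["count"] += 1
        m = ORDER_ID.match(r["path"])
        if m:
            acc[r["token"]]["ids"].add(m.group(1))
    return {t: {"count": f["count"], "distinct_ids": len(f["ids"])} for t, f in acc.items()}


def learn_baseline(training):
    """Model step: mean and population stdev of each feature across tokens."""
    columns = defaultdict(list)
    for feats in token_features(training).values():
        for name, value in feats.items():
            columns[name].append(value)
    return {name: (statistics.mean(v), statistics.pstdev(v)) for name, v in columns.items()}


def analyze_window(baseline, window, z=3.0):
    """Detect + Block step for one window of live traffic."""
    waf_hits = [(r["token"], waf_scan(r)) for r in window if waf_scan(r)]
    anomalies = {}
    for token, feats in token_features(window).items():
        # A feature more than z standard deviations above the learned mean is a deviation.
        reasons = [n for n, v in feats.items() if v > baseline[n][0] + z * baseline[n][1]]
        if reasons:
            anomalies[token] = reasons
    blocked = set(anomalies) | {t for t, _ in waf_hits}
    return {"waf_hits": waf_hits, "anomalies": anomalies, "blocked_tokens": blocked}


# ---- Constructed traffic: ten normal clients in training, then a live window ----
def _reads(token, order_ids):
    return [{"token": token, "method": "GET", "path": f"/v1/orders/{i}"} for i in order_ids]


TRAINING = []
for n, count in enumerate([3, 4, 5, 4, 3, 5, 6, 4, 3, 5], start=1):
    TRAINING += _reads(f"user-{n:02d}", range(n * 100, n * 100 + count))

LIVE_WINDOW = []
for n, count in enumerate([4, 3, 5, 4, 4, 6, 3, 5, 4, 3], start=1):
    LIVE_WINDOW += _reads(f"user-{n:02d}", range(n * 100, n * 100 + count))
# A classic injection attempt in a request body: the WAF signature fires.
LIVE_WINDOW.append({"token": "user-03", "method": "POST", "path": "/v1/orders",
                    "body": '{"note": "x\' OR 1=1 --"}'})
# A stolen token enumerating other customers' orders: every request is well-formed
# and authenticated, so no signature fires; only the behavioural model sees it.
LIVE_WINDOW += _reads("stolen-token-42", range(1000, 1060))

if __name__ == "__main__":
    result = analyze_window(learn_baseline(TRAINING), LIVE_WINDOW)
    print(result["waf_hits"], result["anomalies"], result["blocked_tokens"])
```

The point the example makes is the one the notes make: the enumeration requests are individually indistinguishable from legitimate traffic, so a signature engine passes all sixty of them, while a baseline learned from the API's own normal clients flags the token after one window. In production the features would be richer (methods, response sizes, error rates, time of day) and the window would slide, but the structure is the same.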
What is PingIntelligence for APIs
Provides 3 core benefits to infosec professionals and API practitioners.
Visibility is key and visibility from two perspectives
Firstly: You can’t protect what you don’t know about – so we built a way to plug into your existing systems to autodiscover all APIs
Secondly, visibility is important to understand what is happening on your APIs after authentication has occurred and understand changes in behavior over time
Attack detection and blocking
And finally – self learning
Gone are the days of having to rely on and build static rules and policies for each API
PingIntelligence sits in front of or side car to your APIs
It can integrate with many different API Gateways – not just MuleSoft
Once connected to your API, you get the 3 pillars of:
Deep visibility and reporting, including API discovery in your environment
Attack detection and blocking
Self learning and modeling behavior
Zero trust – we don’t trust anything – it eliminates the concept of trust – “never trust, always verify”
Taking a stance that nothing is trustworthy and using a check and verify process
With proper zero trust architecture you set up a tight perimeter around your protection surface and validate who, what, when, where, why, and how
The zero trust policy determines who can cross the perimeter at any one time
80% of today’s data breaches are caused by misuse of privileged credentials
PingIntelligence is supplemental to API Gateways such as MuleSoft
PI is the last line of defense against advanced attacks
Has anyone heard of the martial art technique of Judo?
You use the strengths of your opponent against them. That’s exactly what PingIntelligence does with hacker deception and honeypots.
You can sprinkle honeypots throughout your API infrastructure and instantly detect and block threats across your environments
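The deception idea from slides 19 and 22 and the notes above, as an added example that is not the presentation's or PingIntelligence's code: a small gateway wrapper that serves a hypothetical API's real routes, registers a handful of decoy paths that appear in no spec or documentation, and treats any hit on a decoy as proof of probing, flagging the caller (token, API key or source IP) and blocking everything it sends afterwards. It also counts distinct unknown paths per caller so that a path scanner is blocked after a threshold. All route names, the threshold and the caller identifiers are constructed for the demo.

```python
import re
from collections import defaultdict

# Routes that really exist (hypothetical API).
REAL_ROUTES = ["/v1/orders", "/v1/orders/{id}", "/v1/profile"]
# Decoys: absent from the spec and the docs, so no legitimate client ever calls them.
HONEYPOT_ROUTES = {"/v1/admin/export", "/v1/internal/debug", "/v1/users/all"}


def _route_regex(template):
    # "/v1/orders/{id}" -> r"^/v1/orders/[^/]+$"
    return re.compile("^" + re.sub(r"\{[^/]+\}", r"[^/]+", template) + "$")


class DeceptionGateway:
    """Wraps the real API: decoy hits and path scanning flag the caller and block it."""

    def __init__(self, probe_threshold=5):
        self._real = [_route_regex(t) for t in REAL_ROUTES]
        # Distinct unknown paths a caller may request before it is treated as a scanner.
        self.probe_threshold = probe_threshold
        self.blocked = set()
        self.unknown_paths = defaultdict(set)
        self.events = []   # (reason, caller, path) records for the SOC

    def handle(self, caller, path):
        """Return (status, outcome); caller is a token, API key or source IP."""
        if caller in self.blocked:
            return 403, "blocked"
        if path in HONEYPOT_ROUTES:
            # One hit is enough: nothing legitimate knows this path exists.
            self.blocked.add(caller)
            self.events.append(("honeypot", caller, path))
            # Serve a plausible decoy body so the probe does not learn it was caught here.
            return 200, "decoy"
        if any(r.match(path) for r in self._real):
            return 200, "ok"
        # Unknown path: a few are typos, many distinct ones in a window are a scanner.
        self.unknown_paths[caller].add(path)
        if len(self.unknown_paths[caller]) >= self.probe_threshold:
            self.blocked.add(caller)
            self.events.append(("scanner", caller, path))
            return 403, "blocked"
        return 404, "not found"


if __name__ == "__main__":
    gw = DeceptionGateway()
    print(gw.handle("tok-B", "/v1/admin/export"))   # decoy served, caller flagged
    print(gw.handle("tok-B", "/v1/orders/17"))      # blocked from here on
```

Two design choices worth noting. The decoy returns a 200 rather than a 403 so the first response does not reveal which path tripped the wire; the block applies from the next request. And the decoy paths should look like what a reverse engineer expects to find (admin, debug, bulk export), because the judo analogy only works if the attacker's own curiosity is what gets them caught.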
These three together are the best, most potent combination.
You want to sleep well? Need all 3 components
It used to be that just the first two were needed, but now with the sophistication of attacks becoming more advanced, the security must advance with it
Recap/summary slide
Compare API security + WAF to adding PingIntelligence on the next slide. You will see how lightweight and non-intrusive adding PingIntelligence is
PingIntelligence hooks into the API to monitor and model its behavior. The rest of the security set up is still recommended