Reduce API Security Risk by Leveraging Graph Analytics

INTEGRATE • MODEL • VISUALIZE • ANALYZE • ORCHESTRATE • AUTOMATE
WEBINAR | 2023-2024
Reduce API Security
Risk by Leveraging
Graph Analytics

Introduction to Graph for APIs with Neo4j
Sammy Dagher, Sales Engineer, Neo4j
The API Landscape Assessment from Process Tempo
Phil Meredith, CEO & Founder, Process Tempo
Why API Security Needs a Reset
Daria Chadwick, Marketer, Process Tempo

WEBINAR | 2023-2024
Why API Security
Needs a Reset

Problems with being "Tool-Focused"

Daria Chadwick, Process Tempo

WEBINAR | 2023-2024
Introduction to Graph
for APIs with Neo4j

What is Neo4j?
The industry’s largest dedicated investment in Graph Database Ecosystem
Industry Leaders use Neo4j
Creator of the Labeled Property
Graph
Thousands of Customers World-
Wide
Graph Database Leader with
more than 50% of Market Share
Innovation Leader with Highest
concentration of Graph
Innovators, Experts, Analysts,
Developers and Publications
HQ in Silicon Valley, offices include
Boston, London, Munich, Paris, Malmo,
Sydney, Singapore, India, APAC
20 of 20 Top Financial Institutions
9 of 10 Top High Tech Companies (Including
those who have competitive products, use
Neo4j internally for their mission critical
applications)
7 of 10 Top Retailers
8 of 10 Top Insurance Companies
8 of 10 Top Automakers
3 of 5 Top Hotels
7 of 10 Top Telecoms
Global Governments - Civilian, Defense and
Intelligence using Neo4j EE to Analyze,
Optimize & Protect

MARRIED_TO
DRIVES
name: “Dan”
born: May 29, 1986
twitter: “@dan”
name: “Ann”
born: Dec 5, 1984
since:
Jan 10, 2017
brand: “Volvo”
model: “V70”
Nodes
• Represent the objects in the
graph
• Can have one or more labels
(noun)
Relationships
• Relate nodes by type (verb) and
direction
Properties
• Name-value pairs that can go
on nodes (adjective) and
relationships (adverb)
LOVES
LOVES
O
W
N
S
PERSON
CAR
LOVES
PERSON
since:
Jan 12, 2017
since:
Jan 10, 2017

Why Graph for API Security?
• Modeling your infrastructure as a graph enables you to:
• Identify your most valuable assets (your “crown jewels”) and target
security investments
• Generate alerts for relevant teams about the impact of incidents across
systems
• Identify suspicious behavior, reducing the mean time to detection and
uncovering insider threats
• Analyze and rationalize identity and access management to enforce the
principle of least privilege

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
– John Lambert, Engineer and General Manager, Microsoft Threat Intelligence Center
Attackers think in graphs

Cybersecurity in Graphs
• The API Landscape is a Graph
– API Landscape is a highly interconnected ecosystem with many variables,
moving parts and stakeholders
•APIs, gateways, product owners, etc.
•All in a complex multidimensional network
–Must-have piece of technology in your locker to manage API Sprawl
•Living dynamic window of your API landscape at large across all
your API-related tools and data

API Application
Owner
Gateway
LinterScore
End Point
Usage Metric

End Point (A)
Port
443
Port
63 Port
12
Port
44
Port
440
Port
3474
Port
3400
Port
562
Port
7
Port
367
End Point (B)
Attack
API 2
API 1

API 1
Method
edit
Method
set Method
sort
Method
get
SQL TABLE
“CUSTOMERS”
Application 1
RETRIEVES_DATA
API 2
Application 2
Method
M_1
Method
M_2
Method
M_3
Method
M_4
RETRIEVES_DATA
2 Scenarios
1.Being Proactive – Checking the graph before developer
picks up API creation task.
2.Reducing duplicate code – Running graph data science
algorithms to find duplicate methods

Pathfinding &
Search
• Shortest Path
• Single-Source Shortest Path
• All Pairs Shortest Path
• A* Shortest Path
• Yen’s K Shortest Path
• Minimum Weight Spanning Tree
• K-Spanning Tree (MST)
• Random Walk
• Breadth & Depth First Search
Centrality &
Importance
• Degree Centrality
• Closeness Centrality
• Harmonic Centrality
• Betweenness Centrality & Approx.
• PageRank
• Personalized PageRank
• ArticleRank
• Eigenvector Centrality
• Hyperlink Induced Topic Search (HITS)
• Influence Maximization (Greedy, CELF)
Community
Detection
• Triangle Count
• Local Clustering Coefficient
• Connected Components (Union
Find)
• Strongly Connected Components
• Label Propagation
• Louvain Modularity
• K-1 Coloring
• Modularity Optimization
• Speaker Listener Label Propagation
Supervised
Machine
Learning
• Node Classification
• Link Prediction
… and more!
Heuristic Link
Prediction
• Adamic Adar
• Common Neighbors
• Preferential Attachment
• Resource Allocations
• Same Community
• Total Neighbors
Similarity
• Node Similarity
• K-Nearest Neighbors (KNN)
• Jaccard Similarity
• Cosine Similarity
• Pearson Similarity
• Euclidean Distance
• Approximate Nearest Neighbors
(ANN)
Graph
Embeddings
• Node2Vec
• FastRP
• FastRPExtended
• GraphSAGE
• Synthetic Graph Generation
• Scale Properties
• Collapse Paths
• One Hot Encoding
• Split Relationships
• Graph Export
• Pregel API (write your own algos)

Louvain -- an algorithm for identifying communities based
on modularity
Modularity -- How many relationships a group contains, vs. the
expected value if all relationships were evenly distributed the graph
A community has high modularity if it is unusually well-connected within itself,
and unusually weakly connected to nodes outside the community
What are some similar APIs based on
existing relationships?
• Groups of APIs that may be similar in
functionality (Possible API Sprawl)

Daria Chadwick, Process Tempo
Sammy Dagher, Sales Engineer, Neo4j

WEBINAR | 2023-2024
The API Landscape
Assessment with
Process Tempo

We created a program called ReactFirst
Which enables different teams to come
together to help reduce API security risk.
A comprehensive approach:
People, Process, and Technology
working together to solve this problem.

The Gap
Protection
Management
Management
Management
Design Standards
Management
Management
The Gap

How many APIs do you have?
You cannot secure what you don’t know about!

What is standing in the way?
Complexity
Constant Change
Constant Change
Human Error
Lack of Standards
Lack of Standards
Complexity
Complexity
Complexity
Complexity
Complexity
Constant Change

What are the state of these APIs?
Do you know where to begin?

API Risk and Quality Indicators
• Risk Indicators:
– Can the API be accessed externally?
– What authentication method does it use?
– How often are keys rotated?
– Is it on a known gateway?
– Does it have an owner?
– Does it expose PII?
– Is it in production?
– How many conformance errors does it have?
• Quality Indicators:
– Is it even used?
– How many applications leverage it?
– When was it last updated?
– When was it last audited?
– What technology does it use?
– Is it redundant? A duplicate?
– Has it passed design review?
– What is the average linter score?

Risk + Quality = Remediation Priority

API Assessment Results
Secure
Visible
Documented
Reused
Owned
Monetized
Open (not secure)
Hidden (dark)
Unused (zombie)
Redundant
Poorly documented
Improperly categorized
Single consuming app
Legacy design
No owner
The Good The Bad The Ugly
x ?

The Architecture
The React First Interface

The Approach
Develop the API Catalog
Develop an accurate and comprehensive
picture of your API landscape.
• Develop a baseline
• Data validation via stakeholder feedback
• Conduct attestations / surveys
• Assign ownership
• Identify dark APIs
• Iterate
• Automate
• Monitor
Classify & Remediate Automate & Improve
Implement a classification and remediation
effort to reduce cyber risk and improve quality.
• Review / modify classification rules
• Score each API against risk and quality
• Set remediation goals
• Track progress against goals
• Leverage advanced AI/ML to improve
efficiency
Improve operational procedures; implement
advanced analysis and intentional design.
• Implement design standards
• Expand the scope?
• Implement a Software Bill of Materials
(SBOM) capability
• Assist in migration efforts

A day in the life
User Registers New API
(Manual Entry)

API Appears in the Catalog
Status = New
Survey Status = Pending
Risk Score = Unknown
Quality Score = Unknown
A day in the life
(Manual Entry)

Status = New
A day in the life
(Manual Entry)
New API Discovered
(Automated)
External Data
Sources

A day in the life
(Manual Entry)
New API Discovered
(Automated)
Status = New
External Data
Sources
Classification status begins to age

A day in the life
(Manual Entry)
New API Discovered
(Automated)
Status = Pending
The Owner is provided
instructions and reminders
via email
External Data
Sources

A day in the life
(Manual Entry)
New API Discovered
(Automated)
Status = Classified
Survey Status = Complete
Risk Score = Medium
The API drops off of classification
aging report
User uploads Swagger and runs
Conformance Scan
Classification status changes:
Red à Yellow à Green
via email
External Data
Sources

A day in the life
(Manual Entry)
New API Discovered
(Automated)
Status = Classified
Risk Score = Medium
Quality Score = High
User uploads Swagger and runs
Conformance Scan
Classification status changes:
Red à Yellow à Green
via email
Leadership and stakeholders
monitor progress via executive
dashboards
External Data
Sources
The API drops off of classification
aging report

A Quick Preview
Animated Charts
Responsive UI
Minimal Training
Required
Integrated Forms and
Workflow

Amazing things
happen at the
intersection of:
• Modern Data Warehousing
• Integrated Governance
• Self-Service Dashboards
• Embedded Workflow
Greater
Adoption
Greater
Confidence
Greater
Reuse
Greater
Control
Data
Quality
Data
Security
Data
Consistency
Data
Value
Self-Service
Dashboards &
Reports
Modern Graph
Data Warehouse
Integrated
Governance
Embedded
Workflow
What is Process Tempo

Reduce API Security Risk by Leveraging Graph Analytics

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Reduce API Security Risk by Leveraging Graph Analytics

Ähnlich wie Reduce API Security Risk by Leveraging Graph Analytics (20)

Mehr von Neo4j

Mehr von Neo4j (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Reduce API Security Risk by Leveraging Graph Analytics