The document describes a webinar about reducing API security risks using graph analytics. It includes presentations on introducing graph databases for APIs using Neo4j, the API landscape assessment from Process Tempo, and why API security needs a reset. The webinar presentations will cover modeling APIs as a graph to identify valuable assets and suspicious behavior, and using graph algorithms for tasks like identifying duplicate APIs and rationalizing access management.
Reduce API Security Risk by Leveraging Graph Analytics
1. INTEGRATE • MODEL • VISUALIZE • ANALYZE • ORCHESTRATE • AUTOMATE
WEBINAR | 2023-2024
Reduce API Security Risk by Leveraging Graph Analytics
Slide 2
Introduction to Graph for APIs with Neo4j
Sammy Dagher, Sales Engineer, Neo4j
The API Landscape Assessment from Process Tempo
Phil Meredith, CEO & Founder, Process Tempo
Why API Security Needs a Reset
Daria Chadwick, Marketer, Process Tempo
Slide 3
Why API Security Needs a Reset
Slide 5
Problems with being "Tool-Focused"
Slide 6
Why API Security Needs a Reset
Daria Chadwick, Process Tempo
Introduction to Graph for APIs with Neo4j
The API Landscape Assessment from Process Tempo
Phil Meredith, CEO & Founder, Process Tempo
Slide 7
Introduction to Graph for APIs with Neo4j
Slide 8
What is Neo4j?
The industry’s largest dedicated investment in the Graph Database Ecosystem
• Creator of the Labeled Property Graph
• Thousands of Customers World-Wide
• Graph Database Leader with more than 50% of Market Share
• Innovation Leader with the Highest concentration of Graph Innovators, Experts, Analysts, Developers and Publications
• HQ in Silicon Valley; offices include Boston, London, Munich, Paris, Malmo, Sydney, Singapore, India, APAC
Industry Leaders use Neo4j
• 20 of 20 Top Financial Institutions
• 9 of 10 Top High Tech Companies (including those who have competitive products and use Neo4j internally for their mission-critical applications)
• 7 of 10 Top Retailers
• 8 of 10 Top Insurance Companies
• 8 of 10 Top Automakers
• 3 of 5 Top Hotels
• 7 of 10 Top Telecoms
• Global Governments (Civilian, Defense and Intelligence) using Neo4j EE to Analyze, Optimize & Protect
Slide 9
Diagram: example labeled property graph. Two PERSON nodes (name: “Dan”, born: May 29, 1986, twitter: “@dan”; name: “Ann”, born: Dec 5, 1984) are connected by a MARRIED_TO relationship and by two LOVES relationships carrying since properties (Jan 10, 2017 and Jan 12, 2017); a PERSON node DRIVES and OWNS a CAR node (brand: “Volvo”, model: “V70”).
Nodes
• Represent the objects in the graph
• Can have one or more labels (noun)
Relationships
• Relate nodes by type (verb) and direction
Properties
• Name-value pairs that can go on nodes (adjective) and relationships (adverb)
Slide 10
Why Graph for API Security?
Modeling your infrastructure as a graph enables you to:
• Identify your most valuable assets (your “crown jewels”) and target security investments
• Generate alerts for relevant teams about the impact of incidents across systems
• Identify suspicious behavior, reducing the mean time to detection and uncovering insider threats
• Analyze and rationalize identity and access management to enforce the principle of least privilege
Slide 11
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
– John Lambert, Engineer and General Manager, Microsoft Threat Intelligence Center
Attackers think in graphs
Slide 12
Cybersecurity in Graphs
• The API Landscape is a Graph
– The API landscape is a highly interconnected ecosystem with many variables, moving parts and stakeholders
• APIs, gateways, product owners, etc.
• All in a complex multidimensional network
– A must-have piece of technology in your locker to manage API sprawl
• A living, dynamic window of your API landscape at large, across all your API-related tools and data
Slide 13
Diagram: node types in the API landscape graph: API, Application, Owner, Gateway, LinterScore, End Point, Usage Metric.
Slide 14
Diagram: End Point (A) with Ports 443, 63, 12, 44, 440, 3474, 3400, 562, 7 and 367; End Point (B); API 1 and API 2; and an Attack node.
Slide 15
Diagram: API 1 (Methods edit, set, sort, get) and API 2 (Methods M_1, M_2, M_3, M_4), alongside Application 1 and Application 2, with RETRIEVES_DATA relationships to the SQL TABLE “CUSTOMERS”.
2 Scenarios
1. Being Proactive – Checking the graph before a developer picks up an API creation task.
2. Reducing duplicate code – Running graph data science algorithms to find duplicate methods.
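The two scenarios above, together with the crown-jewel and least-privilege goals from slide 10, worked through as an added example that is not part of the webinar or of Neo4j's tooling: a small landscape graph held as Python triples, a proactive look-up of which APIs already read the CUSTOMERS table, a breadth-first search for every path from an exposed endpoint to that table, and Jaccard similarity of method sets to flag duplicate APIs (what a node-similarity algorithm computes at scale). RETRIEVES_DATA and the API/method/table names come from the slide; the CALLS, HAS_METHOD and EXPOSES relationship types and the "API 3" node are assumptions made here.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample of the slide's API landscape graph as (source, relationship,
# target) triples. RETRIEVES_DATA is the slide's own relationship type; CALLS,
# HAS_METHOD, EXPOSES and the "API 3" node are assumptions added for this example.
EDGES = [
    ("Application 1", "CALLS", "API 1"), ("Application 2", "CALLS", "API 2"),
    ("API 1", "HAS_METHOD", "edit"), ("API 1", "HAS_METHOD", "set"),
    ("API 1", "HAS_METHOD", "sort"), ("API 1", "HAS_METHOD", "get"),
    ("API 2", "HAS_METHOD", "M_1"), ("API 2", "HAS_METHOD", "M_2"),
    ("API 2", "HAS_METHOD", "M_3"), ("API 2", "HAS_METHOD", "M_4"),
    ("API 3", "HAS_METHOD", "edit"), ("API 3", "HAS_METHOD", "set"),
    ("API 3", "HAS_METHOD", "get"), ("API 3", "HAS_METHOD", "delete"),
    ("API 1", "RETRIEVES_DATA", "CUSTOMERS"), ("API 2", "RETRIEVES_DATA", "CUSTOMERS"),
    ("End Point (A)", "EXPOSES", "API 1"), ("End Point (A)", "EXPOSES", "API 3"),
]

def who_retrieves(edges, table):
    """Scenario 1 (proactive check): APIs that already read `table`, with the applications calling each."""
    apis = sorted(s for s, r, d in edges if r == "RETRIEVES_DATA" and d == table)
    return {api: sorted(s for s, r, d in edges if r == "CALLS" and d == api) for api in apis}

def exposure_paths(edges, start, target):
    """Breadth-first enumeration of every simple path from an exposed endpoint to a data asset, shortest first."""
    adj = defaultdict(list)
    for s, _, d in edges:
        adj[s].append(d)
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        queue.extend(path + [n] for n in adj[path[-1]] if n not in path)
    return paths

def duplicate_candidates(edges, threshold=0.5):
    """Scenario 2: Jaccard similarity of method sets per API pair; pairs at or above the threshold are possible duplicates."""
    methods = defaultdict(set)
    for s, r, d in edges:
        if r == "HAS_METHOD":
            methods[s].add(d)
    hits = []
    for a, b in combinations(sorted(methods), 2):
        score = len(methods[a] & methods[b]) / len(methods[a] | methods[b])
        if score >= threshold:
            hits.append((a, b, round(score, 2)))
    return hits
```

The same three questions are what the graph is asked for when a developer picks up a new API task: who already reads this table, how is it reachable, and what already exists that looks the same.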
Slide 16
Pathfinding & Search
• Shortest Path
• Single-Source Shortest Path
• All Pairs Shortest Path
• A* Shortest Path
• Yen’s K Shortest Path
• Minimum Weight Spanning Tree
• K-Spanning Tree (MST)
• Random Walk
• Breadth & Depth First Search
Centrality & Importance
• Degree Centrality
• Closeness Centrality
• Harmonic Centrality
• Betweenness Centrality & Approx.
• PageRank
• Personalized PageRank
• ArticleRank
• Eigenvector Centrality
• Hyperlink Induced Topic Search (HITS)
• Influence Maximization (Greedy, CELF)
Community Detection
• Triangle Count
• Local Clustering Coefficient
• Connected Components (Union Find)
• Strongly Connected Components
• Label Propagation
• Louvain Modularity
• K-1 Coloring
• Modularity Optimization
• Speaker Listener Label Propagation
Supervised Machine Learning
• Node Classification
• Link Prediction
• … and more!
Heuristic Link Prediction
• Adamic Adar
• Common Neighbors
• Preferential Attachment
• Resource Allocation
• Same Community
• Total Neighbors
Similarity
• Node Similarity
• K-Nearest Neighbors (KNN)
• Jaccard Similarity
• Cosine Similarity
• Pearson Similarity
• Euclidean Distance
• Approximate Nearest Neighbors (ANN)
Graph Embeddings
• Node2Vec
• FastRP
• FastRPExtended
• GraphSAGE
• Synthetic Graph Generation
• Scale Properties
• Collapse Paths
• One Hot Encoding
• Split Relationships
• Graph Export
• Pregel API (write your own algos)
Slide 17
Louvain -- an algorithm for identifying communities based on modularity.
Modularity -- how many relationships a group contains, vs. the expected value if all relationships were evenly distributed across the graph.
A community has high modularity if it is unusually well-connected within itself, and unusually weakly connected to nodes outside the community.
What are some similar APIs based on existing relationships?
• Groups of APIs that may be similar in functionality (possible API sprawl)
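The modularity definition above and the first (local-moving) phase of Louvain, implemented from scratch as an added example that is not Neo4j GDS code, over a constructed graph of "similar" API pairs: two tight groups bridged by one edge, which the local moves separate into the two communities a reviewer would inspect for sprawl. Every API name in it is made up.

```python
from collections import defaultdict

# Constructed undirected graph of "similar" APIs: an edge means two APIs share
# relationships (data sources, methods) in the landscape graph. Two dense groups
# joined by a single bridge edge; every API name here is made up.
SIMILAR_APIS = [
    ("orders-v1", "orders-v2"), ("orders-v1", "orders-legacy"), ("orders-v2", "orders-legacy"),
    ("orders-legacy", "billing-v1"),  # the bridge between the two groups
    ("billing-v1", "billing-v2"), ("billing-v1", "invoices"), ("billing-v2", "invoices"),
]

def modularity(edges, community):
    """Slide definition: edges inside each community minus the share expected if edges were spread evenly."""
    m = len(edges)
    degree, intra, deg_sum = defaultdict(int), defaultdict(int), defaultdict(int)
    for a, b in edges:
        degree[a] += 1
        degree[b] += 1
        if community[a] == community[b]:
            intra[community[a]] += 1
    for node, d in degree.items():
        deg_sum[community[node]] += d
    # Per-community form of Q = 1/(2m) * sum_ij [A_ij - k_i k_j / 2m] delta(c_i, c_j)
    return sum(intra[c] / m - (deg_sum[c] / (2 * m)) ** 2 for c in deg_sum)

def louvain_local_moves(edges):
    """Louvain phase 1: start with one API per community, move nodes to a neighbour's community while Q rises."""
    nodes = sorted({n for edge in edges for n in edge})
    neighbours = defaultdict(set)
    for a, b in edges:
        neighbours[a].add(b)
        neighbours[b].add(a)
    community = {n: i for i, n in enumerate(nodes)}
    improved = True
    while improved:
        improved = False
        for node in nodes:
            best_c, best_q = community[node], modularity(edges, community)
            for c in sorted({community[n] for n in neighbours[node]}):
                q = modularity(edges, {**community, node: c})
                if q > best_q + 1e-12:  # strict gain only, so the loop terminates
                    best_c, best_q = c, q
            if best_c != community[node]:
                community[node], improved = best_c, True
    groups = defaultdict(list)
    for node, c in community.items():
        groups[c].append(node)
    return sorted(sorted(g) for g in groups.values())
```

The full Louvain algorithm repeats this phase on a graph whose nodes are the communities just found; for a landscape this small one pass already yields the two groups.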
Slide 18
Why API Security Needs a Reset
Daria Chadwick, Process Tempo
Introduction to Graph for APIs with Neo4j
Sammy Dagher, Sales Engineer, Neo4j
The API Landscape Assessment from Process Tempo
Phil Meredith, CEO & Founder, Process Tempo
Slide 19
The API Landscape Assessment with Process Tempo
Slide 20
We created a program called ReactFirst, which enables different teams to come together to help reduce API security risk.
A comprehensive approach: People, Process, and Technology working together to solve this problem.
Slide 21
The Gap
Diagram: “The Gap” between Protection, Management and Design Standards.
Slide 22
How many APIs do you have?
You cannot secure what you don’t know about!
Slide 23
What is standing in the way?
Complexity, Constant Change, Human Error, Lack of Standards
Slide 24
What is the state of these APIs?
Do you know where to begin?
Slide 25
API Risk and Quality Indicators
• Risk Indicators:
– Can the API be accessed externally?
– What authentication method does it use?
– How often are keys rotated?
– Is it on a known gateway?
– Does it have an owner?
– Does it expose PII?
– Is it in production?
– How many conformance errors does it have?
• Quality Indicators:
– Is it even used?
– How many applications leverage it?
– When was it last updated?
– When was it last audited?
– What technology does it use?
– Is it redundant? A duplicate?
– Has it passed design review?
– What is the average linter score?
Slide 27
API Assessment Results
The Good: Secure, Visible, Documented, Reused, Owned, Monetized
The Bad and The Ugly: Open (not secure), Hidden (dark), Unused (zombie), Redundant, Poorly documented, Improperly categorized, Single consuming app, Legacy design, No owner
Slide 28
The Architecture
The React First Interface
Slide 29
The Approach
Develop the API Catalog: develop an accurate and comprehensive picture of your API landscape.
• Develop a baseline
• Data validation via stakeholder feedback
• Conduct attestations / surveys
• Assign ownership
• Identify dark APIs
• Iterate
• Automate
• Monitor
Classify & Remediate: implement a classification and remediation effort to reduce cyber risk and improve quality.
• Review / modify classification rules
• Score each API against risk and quality
• Set remediation goals
• Track progress against goals
• Leverage advanced AI/ML to improve efficiency
Automate & Improve: improve operational procedures; implement advanced analysis and intentional design.
• Implement design standards
• Expand the scope?
• Implement a Software Bill of Materials (SBOM) capability
• Assist in migration efforts
Slides 30-36
A day in the life
• A user registers a new API (manual entry), or a new API is discovered (automated) from external data sources.
• The API appears in the catalog: Status = New, Survey Status = Pending, Risk Score = Unknown, Quality Score = Unknown.
• Classification status begins to age; Status = Pending. The owner is provided instructions and reminders via email.
• Once the survey is complete: Status = Classified, Survey Status = Complete, Risk Score = Medium, Quality Score = Unknown. The API drops off of the classification aging report.
• The user uploads Swagger and runs a conformance scan: classification status changes Red → Yellow → Green; Quality Score = High.
• Leadership and stakeholders monitor progress via executive dashboards.
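The catalog life cycle on slides 30-36, driven by the risk and quality indicators from slide 25, as an added Python example that is not Process Tempo's code: a record moves from New to Pending to Classified, the survey answers are scored into the Risk Score, the conformance scan sets the Quality Score and the Red/Yellow/Green colour, and classified APIs drop off the aging report. The point weights, the 90-day key-rotation limit and the colour mapping are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed catalog record carrying the fields the slides show (Status, Survey
# Status, Risk Score, Quality Score). Weights, the 90-day rotation limit and the
# colour mapping are assumptions for this example, not Process Tempo's rules.
@dataclass
class ApiRecord:
    name: str
    registered: date
    owner_notified: bool = False              # reminder e-mail sent to the owner
    survey: Optional[dict] = None             # risk-indicator answers, None while pending
    conformance_errors: Optional[int] = None  # result of the Swagger conformance scan

def status(api):
    if api.survey is not None:
        return "Classified"
    return "Pending" if api.owner_notified else "New"

def risk_score(api):
    """Score the slide's risk indicators; Unknown until the owner's survey is in."""
    if api.survey is None:
        return "Unknown"
    s = api.survey
    points = (3 * s["external"] + 3 * (s["auth"] in ("none", "basic"))
              + 2 * ((s["key_rotation_days"] or 0) > 90) + (not s["on_gateway"])
              + 2 * (s["owner"] is None) + 2 * s["exposes_pii"] + s["in_production"])
    return "High" if points >= 7 else "Medium" if points >= 4 else "Low"

def quality_score(api):
    if api.conformance_errors is None:
        return "Unknown"
    return "High" if api.conformance_errors == 0 else "Medium" if api.conformance_errors <= 5 else "Low"

def classification_colour(api):
    """Red while the survey is pending, Yellow once classified, Green after the conformance scan."""
    if api.survey is None:
        return "Red"
    return "Green" if api.conformance_errors is not None else "Yellow"

def catalog_entry(api):
    return {"Status": status(api), "Survey Status": "Complete" if api.survey is not None else "Pending",
            "Risk Score": risk_score(api), "Quality Score": quality_score(api)}

def aging_report(apis, today, max_days=30):
    """APIs still unclassified after max_days; classified APIs drop off the report."""
    return sorted(a.name for a in apis
                  if a.survey is None and (today - a.registered).days > max_days)
```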
Slide 37
A Quick Preview
• Animated Charts
• Responsive UI
• Minimal Training Required
• Integrated Forms and Workflow
Slide 38
Amazing things happen at the intersection of:
• Modern Data Warehousing
• Integrated Governance
• Self-Service Dashboards
• Embedded Workflow
Diagram: Greater Adoption, Greater Confidence, Greater Reuse, Greater Control; Data Quality, Data Security, Data Consistency, Data Value; Self-Service Dashboards & Reports, Modern Graph Data Warehouse, Integrated Governance, Embedded Workflow.
What is Process Tempo