Despite APIs becoming a development tool of choice in reaction to user expectations, competitive business dynamics, and application componentization for seamless app experiences, their high visibility makes them an irresistible target for attackers.

As such, it becomes fundamental to discover the API attack surface, as this helps prioritize APIs that need beefed up runtime protection. Cequence Security Inc. comes in handy in the discovery, detection and defense of APIs, according to Subbu Iyer (pictured, right), vice president of product management at Cequence.

“It really breaks down into three key areas that we talk about Cequence … one is you start by discovering all your APIs,” Iyer stated. “The second thing is to tell them detection information. They then get to see where their API traffic is coming from. If you’re running a pizza delivery service out of California and your traffic is coming from Eastern Europe, that traffic immediately comes up, and it will tell you that it is hitting your unauthenticated API. It is hitting your API that is vulnerable.”

Iyer and Ameya Talwalkar (pictured, left), founder and chief executive officer of Cequence, spoke with theCUBE industry analyst John Furrier during the “Cybersecurity — Detect and Protect Against Threats” event, an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how API protection is at the heart of Cequence solutions and the types of API attacks. (* Disclosure below.)

What does an API attack look like?

By comprehending the different types of API attacks, Iyer believes this offers more insights into the most suitable protective gear. The two main types are API abuse or business logic abuse and BOLA attacks or mass assignment attacks.

“There are really two different forms of attacks of APIs,” he explained. “One type of attack exploits APIs that have known vulnerabilities or some form of vulnerabilities; for instance, APIs that may use a weak form of authentication or are really built with no authentication at all.”

Cequence takes the pain of API attacks away through enhanced protection. It even scrutinizes the details that were probably not thought through by the developer or the API designers, according to Iyer.

“The second form of attack is a more subtle one; it’s called business logic abuse,” he pointed out. “It’s utilizing APIs in completely legitimate manners, but exploiting those APIs to exfiltrate information or key sensitive information. When we do API protection, we really need to be able to handle both of those scenarios, protect against abuse of APIs, such as broken authentication, as well as protecting APIs from business logic abuse.” 

Based on the exponential growth of APIs, Talwalkar believes security teams have been unable to keep up with this trend. As a result, they are at times oblivious to the existence of some APIs.

“What has happened in the API side is the API space has lagged behind the growth and explosion in the API space,” he stated. “So what that means is APIs are getting published way faster than the security teams are able to control and secure them. APIs are getting published in environments that the security team is completely unaware of.”

Cequence has created differentiated ways to identify malicious intent with APIs. This includes using an intelligence network to detect anomalous traffic, according to Iyer.

“There are three key ways that we differentiate against our competition,” he stated. “One is we have the ability to actually detect such traffic. We have built out a very sophisticated threat intelligence network. Built over the entire lifetime of the company where we have very well curated information about malicious infrastructures and operators around the world.”

By using machine learning models, Iyer believes Cequence can profile the traffic coming in, which helps in weeding out bad actors. This plays a pivotal role in preventing an attack.

“The second aspect is in analyzing the requests that are coming in, that API traffic that is coming in,” he explained. “From the request itself, being able to tell if there is credential abuse going on or credential stuffing going on or known patterns that the traffic is exhibiting, that looks like it is clearly trying to attack the API. The third one is really more sophisticated.”

A perimeter-based defense mechanism is a thing of the past

With the advent of multicloud, a perimeter approach is no longer viable, according to Talwalkar. Therefore, Cequence offers a uniform view across all APIs irrespective of their location, which provides a single point of control.

“The perimeter, as we know, doesn’t exist anymore,” he said. “It used to be the case that you hit a CDN, you terminate your SSL, you stop your layer three and four DDoS. And then, you go into the application and do the business logic. That perimeter is just gone because it now could be living in a multicloud environment; it could be living in an on-prem environment, which is Kubernetes friendly.”

Since APIs are deployed in multiple environments, Cequence is uniquely positioned to work in any environment. This is made possible because it protects APIs as a SaaS solution, with some companies already processing a billion API calls daily, according to Talwalkar.

“We are the only player in this space that can protect your APIs purely as a SaaS solution or purely as an on-prem deployment,” he pointed out. “We have some deployments which are on your brand and the rest of this solution is in our SaaS. If you think about it, customers have secured their APIs with Cequence within 15 minutes of going live, from zero to live, and getting that protection instantaneously.”

It is a huge awakening for enterprises to assess the security risks tied to their APIs. Therefore, it becomes crucial for organizations to understand what APIs they are protecting in the first place, according to Talwalkar.

“The start is basically knowing what to protect,” he said. “In most cases, you see these API breaches that are hitting the wire pretty much every week. They’re absolutely just not protected at all, which means the security team or any team that is responsible for protecting these APIs are just completely unaware of these APIs being there in the first place.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the “Cybersecurity — Detect and Protect Against Threats” event:

(* Disclosure: Cequence Security Inc. sponsored this segment of theCUBE. Neither Cequence nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE