In a see-sawing economy, it can be difficult to determine how best to invest, which is why Forrester’s latest Planning guide 2023: Security and risk report is seen as providing a much-needed steer. It suggests that CISOs should prioritise by focusing on technologies that improve the customer experience or increase revenue, but at the same time they should also seek to trim waste – and that means reappraising the cyber security stack.
For many businesses, it’s not unusual to have a stack of between 20 and 70 products. Comprising best-of-breed point solutions obtained from multiple suppliers, these have limited integration capabilities and are highly time-intensive to manage. The stack will have grown organically, with systems added in reaction to events rather than in a proactive, methodological way, which then inevitably leads to overlapping functionality and even unused feature sets.
A prime example of this is in application security. As businesses began to deploy mobile apps, containers, serverless computing and microservices, so their dependence on application programming interfaces (APIs) has increased. But in the absence of a dedicated API solution, many found it made logical sense to repurpose existing security tools, such as web application firewalls (WAF), next-generation firewalls (NGFW) or intrusion prevention systems (IPS). Some will have gone a step further and supplemented these with API gateways to help manage complexity.
While these tools may be successful in preventing some basic types of attack, they lack the visibility necessary to track the APIs in use across an entire environment, assess whether APIs are properly configured, and detect stealthy anomalous activity. Such systems struggle because they look for signature-based threats, can leave exploitable gaps because they don’t use runtime analysis to check for misconfiguration, and can even act as a single point of failure.
A recent ESG report found that 38% of those questioned then had to resort to buying more tools because those they had were not up to the job and didn’t perform as expected, adding to tech sprawl. It also revealed that many were unaware of how well their tools were performing, revealing the lack of insight they had into their API security.
Interestingly, API security is one of the top technologies advocated in the Forrester report because it is a technology that is easier to deploy to provide access to other applications, but is also highly susceptible to attack. So where does this leave businesses that have cobbled together some form of API defence? The obvious conclusion is that any investment in API security also presents a golden opportunity to rationalise the stack and to assess and replace such makeshift solutions.
Securing APIs presents some unique challenges. These mechanisms are typically exploited by the attacker probing and using the API’s own characteristics against it, so any defence needs to focus on behaviour analysis and look for anomalous activity. This can only be achieved by monitoring using predefined behavioural fingerprints and applying rules, using machine learning and threat intelligence.
Take, for example, the attack on MailChimp back in April. This saw the hackers obtain API keys that allowed its customers to self-manage their accounts and perform marketing campaigns autonomously. Armed with these, the attackers were able to send out phishing emails to Trezor’s customers, a cryptocurrency client of Mailchimp.
Its customers were informed that their wallets had been compromised and were advised to download a bogus application and set up a new PIN. The compromise of those API keys could have been detected using behavioural monitoring, but would be missed by a signature-based solution.
Also, the proliferation of APIs, which are fast overtaking web applications as the connectivity mechanism of choice, suggests that an even more comprehensive approach is needed. Realistically, businesses have hundreds of APIs deployed, some of which will have been spun up and forgotten and will present a continual security risk. More APIs will then be developed and added, and if security isn’t part of the production process, can further elevate risk.
All those then deployed need to remain visible, so they can be updated or reconfigured correctly and monitored on a continuous basis.
Cradle to grave
What this means is that API security is no longer simply concerned with protecting the API, but with the entire lifecycle of discovery, detection and defence, from carrying out an API audit to creating a runtime inventory, to ensuring APIs remain compliant with specifications and in accordance with industry-specific regulations; from not just detecting threats, but preventing them through active scanning of the API infrastructure and through detecting and fixing issues before deployment when APIs are in pre-production.
Adopting a unified approach that covers all of these angles obviates the need to use the WAF, NGFW, IPS for API protection or even an API gateway, which means the CISO can reduce the load on some of these tools and decommission others, thereby whittling down the stack. It also ensures rapid time to value by reducing API exploits, eliminating compliance violations and protecting end-users from attacks.
The likelihood is that security budgets will be squeezed as businesses battle inflation and rising costs, with the focus on keeping the lights on. Forrester is advocating that the money gets spent where it matters, but also that businesses reduce costs and complexity. There is now no reason why CISOs can’t do both, if they’re savvy enough to capitalise on recent advances made in the API industry.
Jason Kent is hacker in residence at Cequence Security.