Data Breaches: How APIs have become the key attack vector
Sudeep Padiyar, Founding Member, Product Management, Traceable AI
Tim Davis, Director of Risk, Move Money Products, Chime
Agenda
● Latest data breach statistics
● Evolution of fraud with modern apps and APIs
● Data exfiltration protection at the API layer
● Key tenets of API abuse prevention
● Product demo
● Q&A
Data Breaches: Verizon DBIR Statistics (charts: Abuse Patterns in Data Breaches; Data Breach Categories)
Sensitive Data Exposure by Type (chart)
Data breach consequences
Customer information is exfiltrated:
● Data sold on the dark web to fraudulent end users
● User information used to create new accounts in the customer's name at other businesses
● Customer financial accounts monetized
● New credit accounts opened in customers' names
Customer credentials are stolen:
● Fraudulent actors are able to access customer accounts
● Additional customer data is extracted through the customer user interface
● Purchases made in the customer's name
● Customer financial accounts monetized
● Rewards and/or incentive accounts monetized
APIs Control Everything: Online Travel, Digital Payments, e-Commerce, Online Brokerage
API Abuse outside of data breaches
With access to APIs, malicious users can:
- Increase reward program balances
- Lower merchandise pricing
- Manipulate inventory availability
- Commit gift card and referral fraud
- Bypass policies and controls
Modern cloud native architectures (architecture diagram; tiers: Edge, LB/Proxy/Gateway, K8s, VM, Serverless; clients: Browser, Mobile, 3rd Party)
APIs are the attack surface for data breaches (diagram: Edge, LB/Proxy/Gateway, K8s, VM and Serverless tiers with six MicroService nodes behind them)
Using Tracing and API patterns for anomaly detection
Behavioral Baseline
1. Digital fingerprint: user agent, geolocation, IP category, etc.
2. User ID: JWT/Basic Auth, request header, etc.
3. Access pattern of sensitive data per session and across sessions
4. API sequence, inter-API time interval
5. Sensitive data flow between APIs
Data Exfiltration Prevention
● Track volumes of sensitive data traversing between APIs over time
● Highlight an anomaly if sensitive data volume increases significantly over the baseline for the same user or across users
● Customizable data sets: PCI, PII, HIPAA or custom sets
● API-centric data exfiltration view
● Sensitive data exposure to external APIs
● Categorize users accessing data through APIs:
  ○ Partners
  ○ Data Owners
  ○ Threat Actors
● Sensors to improve detection accuracy:
  ○ GeoLocation
  ○ IP reputation
  ○ Cloud/Hosted/Residential IP
  ○ Tor/Botnet/Proxy
● Correlate with increases in ATO/excessive login attempts
(diagram labels: PCI, HIPAA, GDPR, CCPA, API)
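To make the volume baseline concrete, here is an added Python example written for this page (it is not Traceable AI's code): it learns per-user and cross-user baselines of sensitive-data volume per API from trace records and flags time windows that exceed them, covering items 3 and 5 of the behavioral baseline above and the first two bullets of this slide. The trace record shape, the `/v1/customers/search` path, the PCI/PII regexes and the "3x the median" threshold are all assumptions, and the traces are constructed.

```python
"""Added example (not Traceable AI's code): learn per-user and cross-user baselines
of sensitive-data volume flowing through an API and flag windows that exceed them.
Trace records and detector patterns below are constructed for illustration."""
import re
import statistics
from collections import defaultdict

# Constructed data-set definitions (the slide's "PCI, PII ... or custom sets").
# Deliberately simple patterns; production detectors need validation (e.g. Luhn for PANs).
SENSITIVE_PATTERNS = {
    "PCI_PAN": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "PII_EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "PII_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def count_sensitive(payload: str) -> dict:
    """Number of sensitive values of each type present in one response body."""
    return {name: len(pat.findall(payload)) for name, pat in SENSITIVE_PATTERNS.items()}


def sensitive_volume(records, window_s=60):
    """Sensitive values per (user, api, time window) from trace records of the form
    {"ts": epoch seconds, "user": id, "api": path, "response": body}."""
    vol = defaultdict(int)
    for r in records:
        key = (r["user"], r["api"], int(r["ts"] // window_s))
        vol[key] += sum(count_sensitive(r["response"]).values())
    return vol


def detect_exfiltration(records, window_s=60, factor=3.0, min_history=3):
    """Flag windows whose sensitive-data volume exceeds `factor` times the median of
    (a) the same user's earlier windows on that API, and (b) other users' windows on it.
    Both scopes are reported so an analyst sees whether the user broke their own
    pattern, the population's pattern, or both."""
    vol = sensitive_volume(records, window_s)
    alerts = []
    by_user_api = defaultdict(list)
    for (user, api, w), c in vol.items():
        by_user_api[(user, api)].append((w, c))
    for (user, api), points in by_user_api.items():
        points.sort()  # chronological, so the baseline only uses earlier windows
        for i, (w, c) in enumerate(points):
            history = [c0 for _, c0 in points[:i]]
            if len(history) >= min_history and c > factor * max(statistics.median(history), 1):
                alerts.append({"scope": "user", "user": user, "api": api, "window": w,
                               "volume": c, "baseline": statistics.median(history)})
    for (user, api, w), c in vol.items():
        peers = [c0 for (u, a, _), c0 in vol.items() if a == api and u != user]
        if len(peers) >= min_history and c > factor * max(statistics.median(peers), 1):
            alerts.append({"scope": "cross_user", "user": user, "api": api, "window": w,
                           "volume": c, "baseline": statistics.median(peers)})
    return alerts


def constructed_trace():
    """Constructed traces: three users each call the search API once a minute for four
    minutes, each response holding one customer record; then u3 pulls a bulk dump."""
    one = '{"email":"alice@example.com","card":"4111 1111 1111 1111"}'
    t0 = 1_700_000_000
    recs = [{"ts": t0 + w * 60 + 5, "user": u, "api": "/v1/customers/search", "response": one}
            for w in range(4) for u in ("u1", "u2", "u3")]
    dump = "[" + ",".join('{"email":"c%d@example.com","card":"4111 1111 1111 1111"}' % i
                          for i in range(40)) + "]"
    recs.append({"ts": t0 + 4 * 60 + 5, "user": "u3", "api": "/v1/customers/search",
                 "response": dump})
    return recs


if __name__ == "__main__":
    for alert in detect_exfiltration(constructed_trace()):
        print(alert)
```

The baseline is computed only from windows that precede the one being judged, so a bulk pull cannot raise its own threshold; the `max(..., 1)` floor stops an API that normally returns no sensitive data from alerting on a single record.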
API Fraud
● Watch materially sensitive data (account balance, price, game score, etc.)
● Data usage patterns via APIs by users/groups will be learnt for watched data over time
● Use user attribution and digital fingerprint to correlate user behavior across APIs
● Account for tokenization of credit cards, cryptocurrencies and other materially significant data
● Sensors to bump up fraud risk:
  ○ GeoLocation
  ○ IP reputation
  ○ Cloud/Hosted/Residential IP
  ○ Tor/Botnet/Proxy
● Correlate with increases in ATO/excessive login attempts
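The API fraud tenets above, as an added Python example that is not Traceable AI's code: it watches the price field of a constructed `/v1/checkout` API, learns a per-item price floor and per-user geolocation and payment-token usage from past traces, correlates requests across user IDs by digital fingerprint (items 1 and 2 of the behavioral baseline), and bumps a 0-100 risk score with the sensors listed on this slide. The endpoint, field names, IP categories, score weights and traces are all assumptions.

```python
"""Added example (not Traceable AI's code): watch a materially sensitive field on a
checkout API, learn its baseline from past traces, and bump a fraud risk score with
the slide's sensors. Every trace, field name, category and weight below is constructed."""
import hashlib
from collections import defaultdict

CHECKOUT_API = "/v1/checkout"  # constructed endpoint whose "price" field is watched


def digital_fingerprint(rec):
    """Stable hash of client attributes (user agent, geolocation, IP category) so the
    same device can be correlated across user IDs and across APIs."""
    raw = "|".join(str(rec.get(k, "")) for k in ("user_agent", "geo", "ip_category"))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


class FraudBaseline:
    """Usage patterns learnt from trusted historical traces of the watched API."""

    def __init__(self, history):
        self.price_floor = {}                # item -> lowest legitimate price observed
        self.user_geo = defaultdict(set)     # user -> geolocations seen
        self.fp_users = defaultdict(set)     # fingerprint -> user IDs seen behind it
        self.user_tokens = defaultdict(set)  # user -> distinct tokenized cards used
        for r in history:
            self.observe(r)

    def observe(self, r):
        if r.get("api") == CHECKOUT_API:
            self.price_floor[r["item"]] = min(self.price_floor.get(r["item"], r["price"]), r["price"])
        self.user_geo[r["user"]].add(r["geo"])
        self.fp_users[digital_fingerprint(r)].add(r["user"])
        if r.get("payment_token"):
            self.user_tokens[r["user"]].add(r["payment_token"])

    def score(self, r):
        """Risk score 0..100 for a new request plus the reasons that raised it.
        Does not update the baseline, so suspicious traffic cannot poison it."""
        score, reasons = 0, []
        # Watched materially sensitive data: a client-supplied price below the learnt floor
        floor = self.price_floor.get(r.get("item"))
        if floor is not None and r["price"] < floor:
            score += 50
            reasons.append(f"price {r['price']} below learned floor {floor}")
        # Tokenized cards are still watched data: many distinct tokens on one account
        tokens = set(self.user_tokens.get(r["user"], set()))
        if r.get("payment_token"):
            tokens.add(r["payment_token"])
        if len(tokens) >= 3:
            score += 15
            reasons.append(f"{len(tokens)} distinct payment tokens on one account")
        # Sensors that bump fraud risk
        if r.get("ip_category") in ("cloud", "hosted"):
            score += 10
            reasons.append("non-residential IP")
        if r.get("anonymizer") in ("tor", "proxy", "botnet"):
            score += 15
            reasons.append(f"{r['anonymizer']} egress")
        known_geo = self.user_geo.get(r["user"], set())
        if known_geo and r.get("geo") not in known_geo:
            score += 10
            reasons.append("geolocation differs from the user's baseline")
        # Digital fingerprint seen behind other user IDs
        others = self.fp_users.get(digital_fingerprint(r), set()) - {r["user"]}
        if others:
            score += 15
            reasons.append(f"fingerprint shared with {len(others)} other user(s)")
        return min(score, 100), reasons


def constructed_history():
    """Constructed legitimate checkouts: two users, two items, residential IPs."""
    hist = []
    for i in range(10):
        hist.append({"user": "u1", "api": CHECKOUT_API, "item": "sku-1", "price": 49.99,
                     "payment_token": "tok_u1_a", "user_agent": "Mozilla/5.0 (iPhone)",
                     "geo": "US-CA", "ip_category": "residential", "anonymizer": "none"})
        hist.append({"user": "u2", "api": CHECKOUT_API, "item": "sku-2", "price": 19.00,
                     "payment_token": "tok_u2_a" if i % 2 == 0 else "tok_u2_b",
                     "user_agent": "Mozilla/5.0 (Windows)", "geo": "US-NY",
                     "ip_category": "residential", "anonymizer": "none"})
    return hist


def constructed_requests():
    """Constructed new requests: one benign, one price tamper from u1's device, one token churn."""
    return {
        "benign": dict(constructed_history()[0]),
        "price_tamper": {"user": "u2", "api": CHECKOUT_API, "item": "sku-1", "price": 0.99,
                         "payment_token": "tok_u2_a", "user_agent": "Mozilla/5.0 (iPhone)",
                         "geo": "US-CA", "ip_category": "residential", "anonymizer": "proxy"},
        "token_churn": {"user": "u2", "api": CHECKOUT_API, "item": "sku-2", "price": 19.00,
                        "payment_token": "tok_u2_c", "user_agent": "Mozilla/5.0 (Windows)",
                        "geo": "US-NY", "ip_category": "cloud", "anonymizer": "none"},
    }


if __name__ == "__main__":
    baseline = FraudBaseline(constructed_history())
    for name, req in constructed_requests().items():
        print(name, baseline.score(req))
```

The price check is the heart of the example: the server learns what an item legitimately costs from its own traces, so a client that tampers with the price field stands out even though the request is otherwise well formed. The sensors and the fingerprint correlation only add to that score, which keeps a single noisy signal (a traveller on a new network) from raising an alert on its own.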
Data Exfiltration Dashboard (demo screenshot)
Data Exfiltration Services View (demo screenshot)
Data Exfiltration User View (demo screenshot)
Recap
➔ Sensitive data flows predominantly through APIs given cloud native app design
➔ Baselining behavior based on user, device, API and sensitive data types is key
➔ Anomaly detection can solve a good fraction of business logic abuse attacks
➔ Data flow and risk drive modern application security
➔ Data breaches and fraud via APIs are on the rise and need to be stopped
Thank you.
Sudeep Padiyar, Founding Member, Product Management, Traceable AI
Tim Davis, Director of Risk, Move Money Products, Chime

2022 APIsecure_API Abuse - How data breaches now and in the future will use API's as the attack vector

  • 1. Data Breaches: How API’s have become the key attack vector
    Sudeep Padiyar, Founding Member, Product Management, Traceable AI
    Tim Davis, Director of Risk, Move Money Products, Chime
  • 2. Agenda
    ● Latest data breach statistics
    ● Evolution of fraud with modern apps and APIs
    ● Data exfiltration protection at the API layer
    ● Key tenets of API abuse prevention
    ● Product demo
    ● Q&A
  • 3. Data Breaches (Verizon DBIR statistics; chart titles: Abuse Patterns in Data Breaches, Data Breach Categories)
  • 5. Data breach consequences
    Customer information is exfiltrated:
    ● Data sold on the dark web to fraudulent end users
    ● User information used to create new accounts in the customer’s name at other businesses
    ● Customer financial accounts monetized
    ● New credit accounts opened in customers’ names
    Customer credentials are stolen:
    ● Fraudulent actors are able to access customer accounts
    ● Additional customer data is extracted through the customer user interface
    ● Purchases made in the customer’s name
    ● Customer financial accounts monetized
    ● Rewards and/or incentive accounts monetized
  • 6. APIs Control Everything: Online Travel, Digital Payments, e-Commerce, Online Brokerage
  • 7. API abuse outside of data breaches. With access to APIs, malicious users can:
    - Increase reward program balances
    - Lower merchandise pricing
    - Manipulate inventory availability
    - Commit gift card and referral fraud
    - Bypass policies and controls
  • 8. Modern cloud native architectures (diagram: Browser, Mobile, 3rd Party clients; Edge; LB, Proxy, Gateway; K8s; VM; Serverless)
  • 9. APIs are the attack surface for data breaches (diagram: Edge; LB, Proxy, Gateway; K8s; VM; Serverless; six MicroServices)
  • 10. Using tracing and API patterns for anomaly detection. Behavioral baseline:
    1. Digital fingerprint: user agent, GeoLocation, IP category, etc.
    2. User ID: JWT/Basic Auth, request header, etc.
    3. Access pattern of sensitive data within and across sessions
    4. API sequence, inter-API time interval
    5. Sensitive data flow between APIs
  • 11. Data Exfiltration Prevention
    ● Track volumes of sensitive data traversing between APIs over time
    ● Highlight an anomaly if sensitive data volume increases significantly over the baseline for the same user or across users
    ● Customizable data sets: PCI, PII, HIPAA or custom sets
    ● API-centric data exfiltration view
    ● Sensitive data exposure to external APIs
    ● Categorize users accessing data through APIs:
      ○ Partners
      ○ Data owners
      ○ Threat actors
    ● Sensors to improve detection accuracy:
      ○ GeoLocation
      ○ IP reputation
      ○ Cloud/Hosted/Residential IP
      ○ Tor/Botnet/Proxy
    ● Correlate with increases in ATO/excessive login attempts
    (diagram labels: PCI, HIPAA, GDPR, CCPA, API)
  • 12. API Fraud
    ● Watch materially sensitive data (account balance, price, game score, etc.)
    ● Data usage patterns via APIs by users/groups are learnt for watched data over time
    ● Use user attribution and digital fingerprint to correlate user behavior across APIs
    ● Account for tokenization of credit cards, cryptocurrencies and other materially significant data
    ● Sensors to bump up fraud risk:
      ○ GeoLocation
      ○ IP reputation
      ○ Cloud/Hosted/Residential IP
      ○ Tor/Botnet/Proxy
    ● Correlate with increases in ATO/excessive login attempts
  • 16. Recap
    ➔ Sensitive data flows predominantly through APIs given cloud native app design
    ➔ Baselining behavior based on user, device, API and sensitive data types is key
    ➔ Anomaly detection can solve a good fraction of business logic abuse attacks
    ➔ Data flow and risk drive modern application security
    ➔ Data breaches and fraud via APIs are on the rise and need to be stopped
  • 17. Thank you.
    Sudeep Padiyar, Founding Member, Product Management, Traceable AI
    Tim Davis, Director of Risk, Move Money Products, Chime
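Slides 10 to 12 describe the detection idea: baseline the volume of sensitive data each user pulls through an API (and the volume across all users), flag a trace whose volume jumps well above that baseline, and let fingerprint sensors such as IP category and geolocation bump the risk. The Python below is an added illustration of that logic over constructed trace records; it is not Traceable AI's product code, and the record fields, z-score cutoff, point weights and the `RISKY_IP` categories are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed trace history (sample data, not from any real system): per API call,
# the caller, the number of sensitive (PII) records the response carried, and two
# of the fingerprint signals the slides list (IP category, geolocation).
HISTORY = [
    {"user": "u1", "api": "GET /accounts", "pii": 2, "ip": "residential", "geo": "US"},
    {"user": "u1", "api": "GET /accounts", "pii": 3, "ip": "residential", "geo": "US"},
    {"user": "u1", "api": "GET /accounts", "pii": 2, "ip": "residential", "geo": "US"},
    {"user": "u2", "api": "GET /accounts", "pii": 1, "ip": "residential", "geo": "CA"},
    {"user": "u2", "api": "GET /accounts", "pii": 2, "ip": "residential", "geo": "CA"},
]
RISKY_IP = {"tor", "proxy", "botnet", "cloud"}  # assumed sensor categories that bump risk

def baseline(history):
    """Sensitive-data volume baseline per (user, api) and, under user "*", per api
    across all users, plus the geos each key has been seen from."""
    vols, geos = defaultdict(list), defaultdict(set)
    for t in history:
        for key in ((t["user"], t["api"]), ("*", t["api"])):
            vols[key].append(t["pii"])
            geos[key].add(t["geo"])
    return {k: {"mean": mean(v), "std": pstdev(v), "geos": geos[k]} for k, v in vols.items()}

def assess(trace, base, z=3.0, min_std=1.0):
    """Score one new trace. A volume well above the user's own or the population
    baseline is the primary exfiltration signal (+3 each); an unseen geo or a
    missing baseline (+1) and a risky IP category (+2) stack on top.
    Returns (risk, reasons); min_std stops a flat baseline flagging tiny changes."""
    user_key, api_key = (trace["user"], trace["api"]), ("*", trace["api"])
    risk, reasons = 0, []
    def hit(points, why):
        nonlocal risk
        risk += points
        reasons.append(why)
    for label, key in (("user", user_key), ("all-users", api_key)):
        if key in base:
            b = base[key]
            limit = b["mean"] + z * max(b["std"], min_std)
            if trace["pii"] > limit:
                hit(3, f"pii volume {trace['pii']} above {label} limit {limit:.1f}")
    if user_key not in base:
        hit(1, "no baseline yet for this user/api")
    elif trace["geo"] not in base[user_key]["geos"]:
        hit(1, f"unseen geo {trace['geo']}")
    if trace["ip"] in RISKY_IP:
        hit(2, f"risky ip category {trace['ip']}")
    return risk, reasons
```

In practice the baseline window, z cutoff and weights would be tuned per API and per data set (PCI, PII, HIPAA), and the score would be correlated with the login-attempt signals the slides mention before alerting.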