What do Google, Facebook, PayPal, the IRS, and USPS have in common? Attackers exploited their APIs to access sensitive customer information. Although these API attacks were detected and exposed, most API-based attacks go undetected in today's technologically sophisticated world – particularly attacks that come from authenticated sources. With the number of APIs increasing constantly, right along with the number of API attacks, API security has never been so important to an organization's success.
YOU MUST REGISTER HERE TO GET THE CONFERENCE LINK: https://bigcompass.typeform.com/to/emg9DO
Ping Identity and Azure have partnered on a market-leading solution to tackle the complexities and nuances of protecting API infrastructures and the digital assets they connect.
This session will discuss today’s API threat landscape and explore what you can do to both detect and block advanced attacks on APIs. The presentation will first dive into the API development lifecycle using a live API built with Azure. We will look at some common monitoring capabilities on the Azure API and what a security violation would look like.
Then, we will have some fun by simulating attacks on our own API. In this phase of the presentation, we will simulate some basic attacks and show how security policies or a web application firewall can block these common attacks.
From there, we will dive even deeper by simulating more advanced attacks from authenticated users (data theft and API takeover), hackers who have reverse-engineered an API, and layer 7 DoS attacks that fly under the SLA radar. This is where we will showcase PingIntelligence’s advanced capabilities by showing how an Azure API (or any other API) can connect with PingIntelligence to detect and prevent sophisticated attacks. This will allow the audience to see how the PingIntelligence software uses AI to discover and model normal behavior on an API to block and report on advanced attacks.
2. Overview
1. API Lifecycle
2. API Management
3. Securing an API
4. API Landscape
5. Layered Security with Azure + MuleSoft + PingIntelligence
3. About Big Compass
• Boutique consulting firm
• Specializing in integration and related technologies
• We build connections
• Systems
• Apps
• People
• Corporations
8. First Line of Defense - Gateway Security
• Basic authentication
• IP whitelisting
• Client ID enforcement
• SLA-based rate limiting and throttling
• OAuth 2.0
• JWT
• TLS
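To make the "SLA-based rate limiting" and "client ID enforcement" bullets concrete, here is an added example (not code from the slides, from Azure or from Ping Identity) of the per-client token-bucket limiter an API gateway typically applies. The SLA tiers, the client registry and the two request streams are constructed for illustration; the scenarios show that a burst is throttled while a client that stays inside its SLA is never touched by this layer.

```python
"""Added example, not code from the slides or from Azure/Ping Identity: a
per-client-ID token-bucket rate limiter of the kind an API gateway applies to
enforce an SLA. Tiers, client registry and request streams are constructed."""
from collections import Counter

# Constructed SLA tiers: sustained requests per second and burst allowance.
SLA_TIERS = {
    "gold": {"rate": 50.0, "burst": 100},
    "bronze": {"rate": 5.0, "burst": 10},
}

# Constructed client registry: only registered client IDs are served.
CLIENTS = {"client-abc": "gold", "client-xyz": "bronze"}


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)  # start full so a fresh client may burst
        self.last = None

    def allow(self, now):
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    """Client-ID enforcement plus SLA-based throttling, one bucket per client."""

    def __init__(self):
        self.buckets = {}

    def handle(self, client_id, now):
        tier = CLIENTS.get(client_id)
        if tier is None:
            return "401 unknown client"
        bucket = self.buckets.get(client_id)
        if bucket is None:
            sla = SLA_TIERS[tier]
            bucket = self.buckets[client_id] = TokenBucket(sla["rate"], sla["burst"])
        return "200 ok" if bucket.allow(now) else "429 throttled"


def simulate(requests):
    """Run (timestamp, client_id) pairs through a fresh gateway; count statuses."""
    gw = Gateway()
    return dict(Counter(gw.handle(cid, ts) for ts, cid in requests))


def burst_scenario():
    # 30 requests at the same instant from a bronze client: only the burst
    # allowance of 10 is admitted, the rest are throttled.
    return simulate([(0.0, "client-xyz")] * 30)


def low_and_slow_scenario():
    # One request per second for a minute from the same client never exceeds
    # the SLA, so the gateway admits all of it. A rate limit alone cannot tell
    # this from legitimate use; that gap is what the later layers address.
    return simulate([(float(s), "client-xyz") for s in range(60)])


if __name__ == "__main__":
    print("burst:", burst_scenario())
    print("low and slow:", low_and_slow_scenario())
    print("unknown client:", simulate([(0.0, "client-none")]))
```

The bucket starts full so a legitimate client can burst up to its allowance, then refills at the SLA rate; the low-and-slow stream is the shape of traffic the deck later calls "under-the-radar", and it passes this layer untouched.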
10. Second Line of Defense - API Security + WAF
• Protects against many common attacks - OWASP Top 10 attacks
• SQL injection
• Cross Site Scripting
• Body scanning
• DDoS
• What are the vulnerabilities?
• Advanced API attacks from authenticated hackers
• Detecting authenticated attacks is difficult!
15. Current API Security Landscape
• API Security Survey
• 45% not confident in ability to detect malicious API access
• 51% not confident in security team’s awareness of all APIs
• Lesson learned: move from reactivity to proactivity
17. The Difficult Problem of Securing APIs
• High volume of traffic across many APIs
• High velocity connections across many APIs
• Variety of client types and activity
• Who is responsible for APIs?
18. How Vulnerable are APIs?
API login and DDoS attacks
• Attacks from valid identities
• Stolen identifiers
• Under-the-radar API DDoS attacks
Stolen account
• Account takeover
• Data theft
• App control
Hackers using Machine Learning
• Every attack looks different
• Every blocked attack leads to a new attack
• Always getting smarter
19. Answer: Leverage Machine Learning and AI
Model
• Behavioral learning
• Continuously build security model
Detect
• Look for deviations from the learned behavior
Block
• Block compromised tokens/access
• Notify/alert
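The model / detect / block loop on this slide, as an added toy example (not PingIntelligence's code and not from the slides): a baseline of per-token behaviour is learned from constructed API access logs, live traffic is compared against it, and any token that deviates is reported for blocking. The log format, the tokens, the endpoints, the 60-second window and the deviation thresholds (3x the baseline, with a small slack) are all assumptions made for illustration. The two deviations shown are the ones the deck names: a valid token that starts enumerating other users' accounts (data theft) and a valid token calling an endpoint it never used before (probing a reverse-engineered API).

```python
"""Added example, not PingIntelligence's code or the slides': a toy version of
the model/detect/block loop. It baselines per-token behaviour from constructed
API access logs, flags deviations, and returns the tokens to block. Log format,
tokens, endpoints, window and thresholds are all constructed for illustration."""
import re
from collections import defaultdict

ID_RE = re.compile(r"/\d+")          # numeric path segments are resource IDs


def _normal_window(token, acct, ts0):
    # Constructed "normal" activity: a user views their own account and history.
    return [f"{ts0 + 5} {token} GET /accounts/{acct}",
            f"{ts0 + 10} {token} GET /accounts/{acct}/transactions"]


# Constructed learning period: ten minutes of two users' routine traffic.
BASELINE_LOG = [line for w in range(10)
                for line in _normal_window("tok-alice", 1001, w * 60)
                + _normal_window("tok-bob", 2002, w * 60)]

# Constructed live traffic: one normal minute, then alice's (stolen) token
# enumerates 40 accounts, and bob's token calls an endpoint he never used.
LIVE_LOG = (_normal_window("tok-alice", 1001, 600)
            + _normal_window("tok-bob", 2002, 600)
            + [f"{660 + i} tok-alice GET /accounts/{1001 + i}" for i in range(40)]
            + ["665 tok-bob GET /admin/users"])


def parse(line):
    ts, token, method, path = line.split()
    return int(ts), token, method, path


def endpoint(method, path):
    # Collapse resource IDs so /accounts/1001 and /accounts/1002 are one endpoint.
    return method + " " + ID_RE.sub("/{id}", path)


def _bucket(lines, window):
    """Group requests per token and per time window."""
    out = defaultdict(lambda: defaultdict(lambda: {"n": 0, "ids": set(), "eps": set()}))
    for line in lines:
        ts, token, method, path = parse(line)
        w = out[token][(ts // window) * window]
        w["n"] += 1
        w["ids"].update(ID_RE.findall(path))
        w["eps"].add(endpoint(method, path))
    return out


def build_model(lines, window=60):
    """Model: per token, the endpoints used and the busiest window seen."""
    model = {}
    for token, windows in _bucket(lines, window).items():
        model[token] = {
            "endpoints": set().union(*(w["eps"] for w in windows.values())),
            "max_ids": max(len(w["ids"]) for w in windows.values()),
            "max_rate": max(w["n"] for w in windows.values()),
        }
    return model


def detect(model, lines, window=60, factor=3, slack=5):
    """Detect: report windows that deviate from a token's learned behaviour."""
    alerts = []
    for token, windows in _bucket(lines, window).items():
        base = model.get(token)
        if base is None:
            continue                     # no baseline yet: keep learning
        for start, w in sorted(windows.items()):
            unseen = w["eps"] - base["endpoints"]
            if unseen:
                alerts.append((token, start, "unseen endpoint: " + ", ".join(sorted(unseen))))
            if len(w["ids"]) > max(base["max_ids"] * factor, base["max_ids"] + slack):
                alerts.append((token, start, f"{len(w['ids'])} distinct IDs, baseline max {base['max_ids']}"))
            if w["n"] > max(base["max_rate"] * factor, base["max_rate"] + slack):
                alerts.append((token, start, f"{w['n']} requests, baseline max {base['max_rate']}"))
    return alerts


def block_list(alerts):
    """Block: every token with at least one alert is revoked at the gateway."""
    return {token for token, _, _ in alerts}


if __name__ == "__main__":
    found = detect(build_model(BASELINE_LOG), LIVE_LOG)
    for a in found:
        print(a)
    print("block:", sorted(block_list(found)))
```

Note that every request in the live log is authenticated with a valid token and individually well-formed, so neither the gateway's rate limit nor a WAF signature has anything to match; only the comparison against the token's own history separates the first normal minute from the enumeration that follows it.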
20. PingIntelligence for APIs
Deep API visibility
• Dynamically discover APIs across all environments
• Monitor APIs across all environments
Automated threat detection and blocking
• Detect and block attacks on your APIs
• API honeypots to instantly detect probing hackers
Self learning
• Use AI to build behavioral model
• No need to author and manage policies and update API security
21. Zero Trust
• You can’t trust your own tokens!
• Bearer tokens are vulnerable (but necessary)
• Vulnerabilities at other vectors are exploited at API level
• Client app, user, 3rd party identities
(Diagram: attack paths into the API - GitHub leaking client secrets, phishing, stolen token, user data)
22. API Security + PingIntelligence
Scalable Multi-Cloud API Platform
• Content Injection: JSON, XML, SQL, XSS
• Flow Control: Throttling, metering, quota management
• Access Control: AuthN, AuthZ, Tokens
AI-Powered Threat Protection For APIs (PingIntelligence for APIs)
• Automated Cyber-Attack Blocking: Blocks stolen tokens/cookies, bad IPs, and API keys
• API Deception and Honeypots: Instant hacking detection and blocking
• Deep Visibility and Reporting: Monitor and report on all API activity
23. PingIntelligence Augments API Security
API Gateways
• API management
• Security policies
Web Application Firewalls
• OWASP top 10 protection
PingIntelligence for APIs
• Authenticated users
• Advanced attacks
24. Attack Landscape Summary
• API breaches go undetected for months or years
• Zero trust strategy for securing APIs is crucial
• Gartner: "by 2022, API abuses will be the most frequent attack vector that result in breaches"
• Many attacks can't be detected with traditional API security
• Help is here from PingIntelligence + API Gateways