APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management, bringing together breakers, defenders, and solutions in API security.
Understanding API Abuse With Behavioral Analytics
Giora Engel, CEO and Co-Founder, Neosec
3. Investigations & Threat Hunting
Better Efficacy With True Behavioral Analytics

Comparison table (the slide contrasts two enterprise-security tools and two application-security tools along four rows):

                   Enterprise security                                  Application security
                   Anti-virus             EDR/XDR                       Legacy Application Security   Neosec API Detection & Response
Detection method   Signatures             True behavioral analytics     Signatures                    True behavioral analytics
Data evaluated     Single request         All requests over time        Single request                All requests over time
                   (data not stored)      (data stored in cloud)        (data not stored)             (data stored in cloud)
Deployment         In-line                SaaS service                  In-line                       SaaS service
Threat Hunting     (cell values not captured in the slide text)
4. Basic API Security is Necessary, But Not Sufficient
Existing protection layers:
• Known threat protection (bot mitigation, WAF)
• Authentication & authorization (API gateway)
• DDoS protection (CDN)
• Cloud security (CWPP, CSPM)
What those layers do not stop:
• Account takeover
• Unauthorized data access
• Data harvesting
• Fraud / business logic abuse
Authenticated users and partners are the riskiest:
• B2B / partner integration
• User access
5. Which API Problems?
The slide contrasts today's focus with tomorrow's focus across three problem areas:
• Vulnerable APIs: prevent OWASP Top 10 vulnerabilities and misconfigurations from hitting production.
• Shadow APIs: discover your complete API footprint, including rogue, legacy, admin, zombie, etc.
• API abuse: stop business logic abuse such as data scraping or data exfiltration using behavioral analytics.
6. Abuse cases are not always vulnerabilities
Even perfectly written APIs can be abused. Examples:
• Credential stuffing in financial institutions
• Reservation abuse in hospitality
• Trading platform microtransaction automation in fintech
• Payment abuse in payments
• etc.
(Diagram labels: "Vulnerabilities" and "Abuse Cases" shown as distinct sets.)
7. API abuse case analysis
Identify what you expose:
• New account creation
• Paying invoices
• Authentication
• Reservation system
• Payment transactions
• Money movement
• Gift card transactions
• etc.
Which entity uses the API:
• B2B partners
• Customers
• Aggregators
• Channels/agents
Security risk:
• User/partner compromised
• User/partner abuses or misuses the API
• Implementation error
Potential losses:
• Monetary
• Information/data
• Regulatory compliance
8. Real Abuse Cases in Payments
(Diagram) A payment provider exposes a Payment API and an Invoices API; Customer 1, Customer 2, Merchant 1 and Merchant 2 call them.

9. Real Abuse Cases in Payments
(Same diagram, annotated with where abuse originates)
• Implementation errors
• Compromised merchant account
• Compromised user account
API abuse impact:
• PII loss
• Money loss/fraud
• Money laundering
• Denial of service issues
10. Detect Threats Using Behavioral Analytics
Find threats in your API data set for every entity:
• Complete visibility and context through recording API activity on a timeline
• Understand normal behavior through continuous and automatic baselining
• Show abusive behavior through high-confidence alerts
11. Aggregator based API abuse
(Diagram) A financial institution exposes an FDX API and a web/mobile app. Consumers reach it directly (Customer 1 via web, Customer 2 via mobile) or through Aggregator 1 and Aggregator 2; the aggregator fintech in turn serves Fintech 1, Fintech 2 and Fintech 3.

12. Aggregator based API abuse
(Same diagram, annotated with where abuse originates)
On the financial institution side:
• Implementation errors
• Compromised user account
On the aggregator / fintech provider side:
• Implementation errors
• Compromised fintech
• Fraudulent / bad user
API abuse impact:
• PII loss
• Money loss/fraud
• Money laundering
• Denial of service issues
13. Multi-Entity Tracking
Every entity has a timeline.
Actor entities are partners, merchants, aggregators, users, tokens, IPs. Each actor has a behavior profile and its own timeline.
Business process entities are accounts, transactions, payments, invoices.
Finding abuse requires profiling every entity found in your APIs. This enables abuse detection at the business logic level.
14. API Security Model
How mature is your organization?
Step 1: Visibility to API activity
• Do you have access to API activity data/logs?
• Are your logs sufficient?
Note: Use your own data. Agents not required.
Step 2: API Discovery
• Do you know all your APIs?
• Is the documentation accurate?
Note: Breadth of coverage is most important.
Step 3: Risk Audit
• What is your risk posture? Misconfigured? Errors? Documented? Sensitive data?
Note: Audit of entire estate, not just where sensors deployed.
Step 4: Behavioral Detection
• Can you detect misuse or business abuse?
• Can you identify the entities in your APIs?
Note: Behavioral analytics requires data & SaaS.
Step 5: Response
• Deploy automated responses?
• Are responses customizable?
Note: Open platform to create response playbooks.
Step 6: Investigate and Threat Hunt
• Can you find threats in your past data?
• Can you hunt for threats?
Note: Requires historical data and SaaS.
15. Vulnerable APIs / Shadow APIs / API Abuse
Platform capabilities shown against the three problem areas:
• Continuous API discovery
• Risk audit & posture alerts
• Behavioral alerts, detection & response
Reinventing API Security
AI-Driven | 100% SaaS Platform | Data rich | API Detection and Response
Visibility & Investigations & Threat Hunting
16. NEOGRAPH API
Neosec API Security Platform (architecture diagram)
Customer premises: API activity data (sent to the platform); automated playbooks.
Neosec analytics platform: a data lake fed by that API activity data, with four numbered stages:
1. API discovery & risk audit
2. Behavioral detection
3. Automated response
4. Investigate & threat hunt
Also shown: managed threat hunting.
19. Abstract
Presentation title: Understanding API abuse with behavioral analytics
Description: Visibility is vital in API security. First is discovering your APIs, then understanding those with vulnerabilities. But true visibility includes seeing normal behavior and understanding abusive behavior on every API.
Date: April 6 @ 3:10pm EST