apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare July 28 & 29, 2021 Solving API security through holistic obervability Jean-Baptiste Aviat, AppSec Staff Engineer at Datadog

1. Solving API security through holistic
observability
APIDays NYC, July 28th 2021

2. Jean-Baptiste Aviat
Datadog AppSec engineer
CTO & Co-founder
Former (Red Team)
Email: jb@datadoghq.com
Twitter: @jbaviat
Podcast:

3. What is this? Worldwide life expectancy
multiplied by 2.4 in 150 years

4. Medicine in the past...

6. What happened in 150 years?
Microbiology
ECG
X-Ray
Radiotherapy
Blood transfer
Magnetic resonance imaging
CT scan
ECG

7. Correlate result from
various micro observations.
Wouldn’t have been
possible a century ago.
And now medicine students
have statistical classes.
Algorithm to evaluate a
macrocytic anemia

8. This progress came from medicine
ability to collect data, to exploit it, and to
make it usable by practitioners.

9. How do we translate this to security?

10. We have data from everywhere

11. Use data from everywhere (and not only left)
Observability
platform
Feedback Feedback

12. What do we actually need?
● Security resources are scarce
● They are spread thin
○ monitor production
○ help developers design secure systems
○ keep up with the business
● The systems are becoming more complex
→ security products have to make their life much easier and
help them focus on what matters

13. 100%
Only requests
matching an attack
pattern
1%
Only attacks
matching an
existing route
.5%
Only attacks
targeting
what the
code does
.05%
Kill false positives.
Resurface threats.
By compounding security
events with contextual
information.
Only
attacks
on non
edge
services
.001%
100% API traffic

14. Query the framework
The attack is calling a real API endpoint
jb@datadoghq.com
6801-8226415-321-74
Find associated user

15. The attack is superficial: the API is on the edge

16. The attacked API actually performs a Cassandra query

17. The attack triggered a (caught) exception

18. request_params {
org_id 123 AND check = true UNION SELECT
email, pwd_hash, seed FROM users
}
NoSQL injection stealing user credentials
If user parameters are:
1. matching the database query
2. changing the query shape
That’s a proof of a NoSQL injection.

19. Let’s take this to the next level.
Instead of a dozen data points, hundreds
can be automatically gathered from your
production environment.

20. Information tight to a request

21. Information tight to an actor

22. Information tight to a service

23. True view about the
security context of an
API.
Combined with
statistical analysis,
provides the most
complete view in order
to monitor production
systems.

24. Holistic & code level API observability.
What’s beyond?

25. Remember: shift everywhere
we only focused on a subset of Operate + Monitor
Observability
platform
Feedback Feedback

26. Future:
● improve security data collection
● gather more context
● improve correlation
● make tools available to practitioners
Beyond the SIEM.

27. SIEM
Traces
Attacks OS
behavior
Errors
Vulns
Flattened information and disparate sources
(e.g. logs) prevents correlation
logs
logs
logs logs
logs

28. Cloud Security
Platform
Traces
Attacks OS
behavior
Errors
Correlation needs to happen on rich events
To allow efficient correlation
Vulns

29. Takeaways
Security evolves, but we need more data and more tools.
Don’t only shift left: shift everywhere.
Leverage observability from your engineering organization to
improve security monitoring:
● Production
● Software development lifecycle: tests, releases, designs
Correlate data using rich and coherent sources (rather than flat
and disparate)

30. Questions?