Why the Financial Industry Needs Intelligent API Security Wesley Dunnington, Field CTO East Region at Ping Identity

1. WHY THE FINANCIAL INDUSTRY NEEDS
INTELLIGENT API SECURITY
Copyright ©2019 Ping Identity Corporation. All rights reserved.
Wesley Dunnington, Field CTO
APIdays London, November 13, 2019

2. Copyright ©2019 Ping Identity Corporation. All rights reserved.
WHO AM I?
Name: Wesley Dunnington
Location: Boston
Email: Wesley.dunnington@pingidentity.com
Wesley has been in the identity and security space for over 25 years.
Wesley Dunnington is currently Field CTO for Ping Identity
In this role he helps customers understand both the business value and implications of new technologies, and helps Ping maintain its
thought leadership position via blogs, whitepapers, conference presentations, and standards body work.
As director of engineering with CA Technologies SiteMinder he led the teams building CA’s federation, web service, and secure proxy
products. Transitioning into an architectural VP position Wesley became chief architect for CA’s Secure Cloud IDaaS offering
More recently Wesley was lead platform architect for Sophos Central, an AWS based SaaS platform for Sophos’ cloud cybersecurity
offerings that protect 100 million people and 100,000 businesses in 150 countries.
Wesley is on the OpenID Foundation board of directors, is actively participating in the FastFed working group, and was a member of
Kantara’s Interoperability Review Board

3. Copyright ©2019 Ping Identity Corporation. All rights reserved.
A NEW FINANCIAL LANDSCAPE
• Open Banking and PSD2 promise to improve end-
users financial experiences by making payments
easier and allowing third party applications greater
access to their banking information
• This is a massive API-driven transformation
• However along with this comes an increased
likelihood of fraud
• These new publicly exposed API’s provide a large
and attractive attack surface for hackers
• This is not a knock against API’s or FAPI
• We are less mature when it comes to protecting
API’s
No
Contract
Bank
MerchantExplicit
Consent

4. Copyright ©2019 Ping Identity Corporation. All rights reserved.
“By 2022 API breaches will become the top attack vector that
result in data loss”
– Gartner –
Exponential Growth of APIs
Growth in number of attacks
Average Time to Detect Breach
2018 Verizon DBIR
API CYBERATTACKS TAKE MONTHS TO DETECT
Copyright ©2019 Ping Identity Corporation. All rights reserved.

5. • Client and Patient accounts taken over …
• Critical control systems taken hostage or worse …
• Services, mobile apps shut down or disrupted …
• Data breaches – theft of customer records, private data,
credit cards, …
• Fraud for banks, retailers, payment processors, …
API BREACH IMPACT
Copyright ©2019 Ping Identity Corporation. All rights reserved.

6. Users, Devices,
Bad Actors
API Access to
Systems and Apps
Public/Private Cloud
LEADERS MOST OFTEN ANSWER …
“NO, WE CANNOT” TO THESE QUESTIONS
§ Visibility
• Do you know about all your APIs?
• Can you tell good from bad traffic on your APIs?
• Can you track the traffic on all APIs?
• Do you have traffic visibility across clusters of gateways
• How about reports for Compliance and Forensic
for each API?
§ Attacks – Can you detect insider or external attacks on APIs, login
control, or digital assets connected?
LACK OF VISIBILITY AND CYBERATTACK
DETECTION TODAY
Copyright © 2019, Ping Identity Corporation. All rights reserved.

7. • DDoS Protection
• Transport Security
• Rule based Sec.
• OWASP Top 10
• Fraud Detection
• Browser Validation
• Rate Limiting
• Encryption/Signing
Brute Force
Data ExtractionStolen Tokens
Acct. Takeover API DDoS
API TAKE OVER Partner Breach
Partner Abuse
CDN
ADC
WAF Bot
Detection
API
GW
Data Theft
APIs/Data
ATTACKS GO THROUGH EXISTING DEFENSES – EVERY TIME
Copyright ©2019 Ping Identity Corporation. All rights reserved.

8. Copyright ©2019 Ping Identity Corporation. All rights reserved.
OPEN BANKING ADDITIONAL CHALLENGES
• Banks’ fraud detection is harder!
• Banks not in control of vetting TPP’s
• Banks have less visibility into user activity
• SCA makes authentication stronger
• But only see customer at points in time
• Existing UEBA/Continuous authentication
broken
• Many other fintech's have delayed SCA
ASPSP
TPP

9. • Hackers with compromised credentials look like
authorized user – could also be insiders
• Attack examples/impact:
• Control system attacks
• Data exfiltration
• Data manipulation or deletion
• Account take over
• Line of business application attacks
• Most difficult to detect – must understand normal
behavior or specific attack pattern
• Malicious activity remains invisible!!!
Valid Cookies
Valid Tokens
Authorized Users
Insider
Valid Credentials
APIServices
Systems
and Data
“AUTHORIZED” USER ATTACKS
Copyright © 2019, Ping Identity Corporation. All rights reserved.

10. Copyright ©2019 Ping Identity Corporation. All rights reserved.
API TAKE OVER ATTACK – AS A NORMAL USER
• Hacker uses valid account to access app
and API – and is an authenticated user
• Hacker reverse-engineers API logic
• Uses discovered vulnerabilities to access
other accounts
• Takes over accounts and steal data,
photos, private information
• Continues for months
Uses a valid account
Account #1
Account #2
Account #3
Account #4
Account #5
harvest

11. ANATOMY OF AN ATTACK – T-MOBILE
Discovery Result:
• Anonymous black hat hacker
claimed wide use; a YouTube
video shows the exploit
• T-Mobile fixed in 24 hours
Potential Impact:
• Takeover SIM cards by
impersonating users
• Track users using IMSI number
T-Mobile WSG API
.../...?access_token=xx&msisdn= 123-456-7890
• API returns the following for 123-456-7890:
o Email address
o Name
o Billing account number
o IMSI number
o Other numbers under account (e.g. family)
Attack
• Change 123-456-7890 to another T-Mobile phone #
o API returns report on the other user
You cannot count on your application for security!
Attackers use Postman, CURL, etc
Copyright ©2019 Ping Identity Corporation. All rights reserved.

12. API
Service
• Different from Layer 3/4 DoS/DDoS which overwhelms network
• Clients keep activity below rate limits by intelligently adapting
• Examples of targeted API attacks:
• DoS attack on API memory to disable service
• Multiple client distributed attack to disrupt login services
• DDoS attack on session management services
• Impact: disable service such as hotel reservations, etc.
• Intelligent algorithms needed to identify targeted API DDoS attacks
BOTBOTBOTBOT
API/LAYER 7 DOS/DDOS ATTACKS
Copyright © 2019, Ping Identity Corporation. All rights reserved.

13. Copyright ©2019 Ping Identity Corporation. All rights reserved.
AI CAN HELP PROTECT VULNERABLE API’S
• Intelligent AI/ML analytics at the API level!
• World Economic Forum report: “The New
Physics of Financial Services”
• “AI presents new tools to fight fraud,
respond to the shifting form of payments
and draw valuable insights from data”
• “The risks of real-time payments are
overcome as new AI-led pattern-
detection methods make significant
inroads against financial crime”

14. INTRODUCING PINGINTELLIGENCE FOR APIS
AI/ML Solution to secure API infrastructures
Users, Hackers,
and bots
PingIntelligence
for APIs
APIs
Automated AI-powered Cyber Security
• API auto-discovery identifies all active APIs
• API activity audit trails for deep insight –
compliance and forensic reports
• Identifies cyberattacks on APIs and data/systems
• Automatically blocks API threats
Copyright ©2019 Ping Identity Corporation. All rights reserved.

15. Automated Threat Detection and Blocking
§ Uses AI/ML to detect abnormal behaviors on APIs
§ Self-learned with no rules or policies
§ Runs asynchronously – no impact on performance
§ Analyze behavior by token, cookie, user, API key
§ Warn or Block attacks that use APIs to breach /steal
data
§ Protects against new and changing attacks
§ Leverage API honeypots to instantly detect hackers and
block access to production APIs
Smart
Cluster
Meta-Data
Capture
Terminate
Access
API
Security
Enforcer
API
Security
Enforcer
Artificial
Intelligence
Engine/Cluster
Users and
Devices
API Traffic
APIs
Meta-Data
Capture
Terminate
Access
Artificial
Intelligence
Engine/Cluster
APIs
API Gateway
API Traffic
Introducing PingIntelligence for APIs
Copyright ©2019 Ping Identity Corporation. All rights reserved.

16. API DECEPTIONS
Leverage Hacking Behaviours Against Attackers
Users and
Devices
APIs
Decoy
API
1. Decoy APIs attract probing hackers
2. Source identified instantly
3. Blocks access to production APIs
/finance
/query/date
/account
/query/name
Instant Hacking Detection
APIs
Decoy
API
Copyright ©2019 Ping Identity Corporation. All rights reserved.

17. APIs
• Analyzes API activity against normal use
• API Behavior Modelling for each API
• User-based Behavior Modelling
• Cross-API Behavior Modelling
• Evaluates API control plane data
• Requests/Responses, Methods used
• IP Address, Header contents, etc.
• Detect attacks based on all behaviors
• Continuously learns and adapts
• Can migrate trained models between
environments
Time
Clients
Client
Client A
Client B
Client C
Client C
…/API1
…/API1
…/API2
…/API1
…/API2
API TRAFFIC BEHAVIOR ANALYSIS WITH AI
Sorting out “good” and “bad” traffic
Copyright © 2019, Ping Identity Corporation. All rights reserved.

18. IDENTIFYING GOOD AND BAD TRAFFIC
Authentication
System
API Disruption
• System “misfiring” and flooding API fabric or
Data leak due to system misconfiguration or bug
Bad System
• Partner use of API for unintended purposes
e.g. Cambridge Analytica on Facebook
API Misuse
• Extraction of customer data against company policy
• Disgruntled employee abuses
Insider Abuse
• Compromise accounts via APIs
• Extraction, injection and other attacks
Hacker Attack
Copyright ©2019 Ping Identity Corporation. All rights reserved.

19. Deep API Traffic Visibility
PingIntelligence
for APIs
§ Dynamically discover active APIs
§ Monitor all API activity including every command and
method used throughout a session
§ Sorts out good and bad traffic
§ Unification of security views across API gateways
§ Dashboard and JSON reports
§ Info and reports for Forensics, Compliance, DevOps
§ Integration with SIEMs
§ APIs for integration with 3rd party dashboards
PINGINTELLIGENCE FOR APIS
Copyright © 2019, Ping Identity Corporation. All rights reserved.

20. “SINGLE PANE OF GLASS” FOR UNIFIED VIEWS
• Unification of API traffic visibility
across gateways and clouds
• Centralized AI processing
• Consistent API activity reporting
• Centralized threat monitoring
SIEM
Syslog
APIs on cloud B APIs on-prem
PingIntelligence
for APIs
APIs on cloud A APIs on-prem
Copyright ©2019 Ping Identity Corporation. All rights reserved.

21. Sideband
With API Gateways
or PingAccess
Inline
With API Gateways,
PingAccess or App Servers
Users and
Applications
PingIntelligence
For APIs
API Gateway
Or
PingAccess
Users and
Applications
PingIntelligence
For APIs
API Gateway
Or
PingAccess
APIs
APIs
DEPLOYMENT OPTIONS
Copyright ©2019 Ping Identity Corporation. All rights reserved.

22. INTEGRATIONS AND DEPLOYMENT
Copyright ©2019 Ping Identity Corporation. All rights reserved.
Sideband
Policies
API
Gateways
SUPPORTS ALL
- In Line -
App
Servers

23. SIMPLE POC WITH AI IN THE CLOUD
Quicker deployment
• Artificial intelligence runs in the cloud
• Single tenant per customer
• Just need policy on API Gateway and ASE on
the side or in front of APIs to connect to Cloud
• Dashboard and reports
PingIntelligence
For APIs
API
Security
Enforcer
Agent
Copyright ©2019 Ping Identity Corporation. All rights reserved.
API
Gateway

24. Copyright ©2019 Ping Identity Corporation. All rights reserved.
IN CONCLUSION
• Vet the behavior of your API callers, not just
customers
• Add additional lines of defense against
downstream vulnerabilities and
programming errors
• Prevent attackers from probing your API’s
• Add an additional layer of protection with
API Intelligence
PingIntelligence
for APIs
APIs

25. Thank You
Copyright ©2019 Ping Identity Corporation. All rights reserved.