APIsecure 2023 - The world's first and only API security conference March 14 & 15, 2023 The Importance of Real-Time Protection in API Security Jeremy Ventura, Director, Security Strategy & Field CISO at ThreatX ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. THE IMPORTANCE OF REAL-TIME
PROTECTION IN API SECURITY
Jeremy Ventura
Field CISO

2. AGENDA
Copyrights 2
The key challenges and risk
associated with API Security
Case Studies from ThreatX
The importance of real-time
blocking

3. APIS REPRESENT A TARGET RICH ENVIRONMENT
• Thousands of APIs and
endpoints with limited visibility
• API vulnerabilities easily
exposed and discoverable
• Attackers continually leverage
advanced techniques against
APIs
• Multi-mode attacks becoming
the norm
3
Increased Usage = Increased Risk

4. APIS IN THE NEWS
• Entity had access from November to
January to an API
• Data attained via API was done
“without authorization”
• Name, Address, Email, Phone,
DoB, Account #
• 37 million end users affected
• More info to come but:
• Lack of visibility?
• Misconfiguration/Misuse?
• Broken business logic?
• Stolen Credentials?
4
Incidents & Breaches on the Rise

5. COMPLEXITY & AUTOMATION OF ATTACKS IS EVER INCREASING
5
• Hacking is easier than ever
• Industrialized hacking tools
• Rent-a-bot/Solver Services
• Attack-as-a-Service
• Residential proxies, anonymizers
• Advanced attacks are far more
coordinated
• Security tools do not keep up
Multi-mode attacks require a fundamental shift in protection strategies
Traditional
OWASP Top 10
Sophisticated,
multi-mode
attacks

6. THE THREAT OF MULTI-VECTOR ATTACKS
6
• Orchestrated attacks that span
varied phases & techniques
• Distributed IPs
• Massive volumes
• Diversionary tactics
• Embedded, multi-step
automation
Disguise true attack through diversion, distraction & evasion

7. A WORD ABOUT BOTS
7
• Bot management critical, but must
evolve with attacks
• Current approaches best suited for high
volume, binary attacks
• Heavy reliance on static threat intel
feeds
• APIs present new challenges
• No browser injections
• No Captcha or IP challenges
• Attacker profiling & behavioral context
critical for protection against multi-
mode attacks
Bots present a new challenge to protecting APIs

8. TALES FROM THE THREATX SOC
8
• Large online retailer taking fire from
multiple directions
• Periodic mid-grade DDoS attacks
• Increased login failure rates on web
• High rate of rebate fraud
• Goal: trigger BGP routing to bypass
fraud protection for mobile APIs while
the security team is distracted
• Multiple best-of-breed technologies
fail to identify & block attacks
Attackers deploy multiple techniques to distract security & target APIs

9. TALES FROM THE THREATX SOC
9
• Gaming company launching new
product
• Attacker engaged foreign botnet to
discover potentially vulnerable API
endpoints
• Later during product launch, attacker
deployed large ATO attack while
quietly attempting vulnerability
exploits
• Although rotating IPs and user agents,
TLS signatures & IP fingerprints
detected same attacker profile to
block all suspicious behavior
Tracking & correlating attacker behavior – to enable real-time protection

10. PROTECTING APIS STARTS WITH FOCUS ON THE ATTACKER
10
• Understanding attacker risk profile
• Digital fingerprints to each unique
attacker
• Cumulative across multiple attack
vectors
• Continually evaluate risk &
response
• Behavioral fingerprints of an attack
reveal patterns, techniques &
targets
Context of attack over time is key to protecting APIs

11. INSIGHT & CONTEXT THROUGH CROSS PLATFORM VISIBILITY
11
• Identify unique attacker
executing campaigns across
multiple methods and vectors
• Correlate data over time to see
through deception
• Understanding behaviors and
intentions
• Biggest challenge = enabling
effective response
Correlating attack patterns to identify and mitigate API risk

12. BLOCKING API ATTACKS IN REAL TIME
12
• Observing attack data offline will not
enable real-time protection of APIs
• Often too late by the time an attack is
discovered
• Complexity required to identify attacks
typically can’t be replicated in 3rd party
firewall
• Blocking single IP at a time
• Responses must occur as the attack
is underway – and based on insights
gathered over time
Real-time API protection key to defense

13. API PROTECTION: KEY CAPABILITIES
13
Real-time Analysis
& Response
• AI/ML/Context Engine
• IP Interrogation &
Fingerprinting
• Active Deception
• Tarpit/Rate Limiting
• Attacker/User Behavior
Analysis
• Data Flow Analysis &
Enforcement
• Real-time Blocking
13
API Discovery &
Analysis
• API Discovery
• API Specification Mgt
• Endpoint Usage Analysis
• Endpoint Attack Metrics
• Endpoint Risk Scoring
Fully Integrated
Attack Prevention
• API Protection
• Web App Protection
• DDoS Protection
• Bot Mgt & Mitigation
• Fraud Protection
Flexible
Deployment
Options
• Inline / Agentless
• Inline / Agent-based
• Out-of-Band / Agentless
• Hosted, Cloud, On-Premise
Managed Services
• Managed Cloud Platform
• Managed Threat Analysis
• Managed Policy Enforcement
• Managed Attack Response
• APIs are under siege – by mixed-mode, high volume attacks, including bots and DDoS
• API observability does not = real-time protection
• API protection must deliver active, real-time attack blocking
• API protection should have ability to extend to broader application portfolio
Can’t block?
Then you’re not protecting APIs.