September 25, 2024

00:41:54

Episode 278 Deep Dive: William Glazier | Why Is There A Focus on API Security in 2024?

KBKAST

Show Notes

In this episode, we sit down with Will Glazier, Head of the Cequence Prime Threat Research Team from Cequence Security, as he discusses the intricate landscape of API security in 2024. Will delves into the essential intertwining of API security and bot management, emphasizing why these cannot be handled independently. The conversation covers the diverse nature of API security issues, from inventory and compliance to active threat protection, and the industry’s shift towards consolidated security tools. Will also highlights the often-overlooked but critical importance of API security, compared to more tangible threats like business email compromise, and stresses the necessity of integrating security within CI/CD pipelines to mitigate risks.

William Glazier is Head of Cequence Security's new Cequence Prime Threat Research Team, whose mission is to help the security industry better understand how cybercriminals execute automated, malicious bot attacks against web, mobile, and API-based applications. As Head of CQ Research, Will focuses on the rapidly escalating problems of account takeover, fake account creation and content scraping at scale. He has an extensive background in fraud and abuse prevention, as well as building threat intelligence systems and databases. He has also extensively studied the shared attacker infrastructure and network fingerprints of tools used by cybercriminals to carry out these attacks, and has presented research at various security conferences such as BotConf, Hack.lu and GreHack.


Episode Transcript

[00:00:00] Speaker A: API security and bot management. Those two things are inseparable. One or the other is not a solved problem. One or the other can't be handled independently. Those teams who use the tools designed to solve those need to work together. Ideally, they need to be using a tool that's capable of all of the above. Definitely don't ignore bot management and bot mitigation as part of API security.

[00:00:27] Speaker B: This is KBCs as a friendly target. Ransomware campaigns, security and testing and performance.

[00:00:35] Speaker A: And scalability, risk and compliance.

[00:00:36] Speaker C: We can actually automatically take that data and use it. Joining me today is Will Glazier, Head of the CQ Prime Threat Research Team from Cequence Security. And today we're discussing why there is a focus on API security in 2024. So, Will, thanks for joining and welcome.

[00:00:56] Speaker A: Thank you, Karissa.

[00:00:56] Speaker D: It's my pleasure to be on.

[00:00:58] Speaker C: Okay, so let's start. So API security in recent times here, specifically in Australia, has been a massive topic. So maybe let's start there. Let me hear your thoughts, because I think this is a very broad topic, so it doesn't, you know, you have to go sort of super deep right now, but just keen to hear your thoughts straight off the bat.

[00:01:16] Speaker D: That's a great question, and I love that you started with that because, you know, API security can mean a million different things to a million different people. And it really all depends on the problem statement. Is your problem statement an inventory problem statement, where you just need inventory and discovery? You need to know where all your APIs are, where they're hosted and what's exposed on the Internet?
That's that inventory problem statement. Is your problem statement a compliance one, where you don't know what kind of sensitive data lives in which APIs, you don't know which kind of APIs enforce which standards of authentication and authorization, and you need to see that traffic and inspect how those APIs are truly behaving to know what's reality, not theory, which might be an API spec? Or is your problem statement one where your hair's on fire, your APIs are being attacked by bots, being actively abused, whether that's threats like business logic abuse, credential stuffing, account takeover, fraud leading to monetary loss? All of those things would present themselves as your hair being on fire and money being lost.

[00:02:20] Speaker A: Right?

[00:02:21] Speaker D: And so it's really hard to stop that kind of stuff. It relies on the right tooling in the network. Why is it not keeping up with the threats and with those bad actors? And how does it evolve and keep up with retooling over time? So those are three very distinct problem statements.

[00:02:38] Speaker A: Right.

[00:02:38] Speaker D: Discovery and inventory, compliance and hygiene, and then active threat protection and active bot mitigation. But they all fall under this broad umbrella sometimes. And so there can be a lot of noise from different vendors on that.

[00:02:52] Speaker A: Yeah.

[00:02:53] Speaker C: So, Will, you mention there's a lot of noise on the topic from vendors. So what do you mean by that? What does the noise look like?

[00:03:00] Speaker A: Yeah, I think, I mean that a lot of people understood that this was a hot area with very hot problems, problems that needed to be solved. Right. That's what happens in security, is when people identify a problem, there's a lot of people going to try to build.

[00:03:14] Speaker E: Businesses to solve that problem.

[00:03:15] Speaker A: I think that's natural. What I just mentioned around API security.
[00:03:19] Speaker E: Can mean multiple different things.

[00:03:21] Speaker A: That noise is also, it's just another layer of difficulty from when I put myself in the shoes of our customers to sift through some of the messaging and hone in on what my particular problem is. And then when I'm looking at tools.

[00:03:36] Speaker E: And solutions, make sure that that tool.

[00:03:38] Speaker A: And solution can really nail what my particular problem is. But also, at the same time, you're balancing the fact of like, okay, can it solve, is it a point solution that solves one problem, or can it actually take care of all the other parts of API security too? Like, can it go through the lifecycle of I can find and discover my APIs and inventory them, I can understand where my sensitive data is, and I'm not being attacked right now, but if I do get attacked, in that moment of truth, will it be good enough to block bots abusing this? Or vice versa?

[00:04:08] Speaker E: Right.

[00:04:09] Speaker A: You've been experiencing a lot of attacks, you've gotten a handle on it, you've been able to block them, and you identified why it was such a hot target. Maybe there was a vulnerability in that API, maybe there was some weakness in how it was structured. And you want to make sure that.

[00:04:24] Speaker E: No developer puts that type of thing out there again.

[00:04:27] Speaker A: You got to kind of test that away in your CI/CD pipelines, in your dev cycles.

[00:04:32] Speaker E: And that's just a very different, it's.

[00:04:34] Speaker A: Like left brain, right brain thinking, you know what I mean? That's a very dev-centric part of your brain to exercise, where the needing to block big bot attacks is a very defensive network security SOC analyst part of your left brain. And so not everyone can do everything as human beings.
And so that's where I think that just contributes to the noise, is the scope of the problem, but it doesn't make it any less important, like I was saying, with the amount of breaches that have happened through this vector.

[00:05:07] Speaker C: Okay, so you mentioned before, point solutions. So you probably observed in the market there was a time where everyone was going like super specific point solution and now it's like we're seeing this trend back to like consolidation and reduction of tools and things like that. What are you sort of seeing in that space then?

[00:05:23] Speaker A: Yeah, it's a great question and honestly, it's a question that I think is probably hard to separate from broader macroeconomic trends. Right. And there's those classical pictures of those Gartner hype cycles, the Gartner lifecycle hype cycle. Preston, it's really funny. I think if you looked at that type of chart, that macro high level view of the bot management market, bot mitigation market, you would see that that market has gone through the journey of, what is it, the hype cycle in that trough and then the peak of disillusionment and now it's bad and consolidation, and then, and then you reach a stable state where you've got strong players and strong capabilities. This bot mitigation, I've mentioned that as.

[00:06:08] Speaker E: Part of the API security problem.

[00:06:10] Speaker A: APIs are meant for automated interaction. That's their entire purpose. And so we've got circumstances where now you have to separate malicious automated traffic from good automated traffic. That's harder than separating just humans from bots. And so that market, as it's matured, it's gone through this journey and you've seen that happen. And I think that's what's maybe a little bit of that is happening with.

[00:06:39] Speaker E: The term of API security.
[00:06:40] Speaker A: Or maybe people are finally realizing that really old problem, the quote unquote older solved problem of bot mitigation, isn't actually a solved problem. It's just that APIs are a threat vector that you need to cover as efficiently, as effectively as you did cover with bot mitigation defenses that relied on.

[00:07:05] Speaker E: Client side instrumentation that was possible on.

[00:07:07] Speaker A: A web browser or a mobile app. But your API channels just cannot have.

[00:07:14] Speaker E: Client side instrumentation in them because of.

[00:07:16] Speaker A: The tools and the systems they're interacting with. So it's just some old problems reskinned and then some new problems come out of that ecosystem. And I think that when we talk about like consolidation, that's how I see the consolidation, at least, is a little bit of the hype cycle coming down off the high and then really wrangling with what are the core, what's the essence of the problem, what are the hardest things to solve in this problem.

[00:07:48] Speaker C: So I just want to zoom out for a moment. Now, this seems like a real basic question, but do you think people get how APIs actually work? Because sometimes I think people sort of just, you know, say terminology. But I mean, and what I mean by that question is like the mechanics and perhaps the risks associated with, you know, APIs and stuff like that. So what do you sort of, what do you think in that space?

[00:08:08] Speaker A: Yeah, that's, that's a great question. I think, like people, when you simplify it, it's easy to understand what an API is and how it's working. But yeah, what you bring up is.

[00:08:21] Speaker E: All of the things that can be.

[00:08:22] Speaker A: Done over APIs, all the different operations and interactions with our digital lives that it powers. It's kind of mind bending sometimes to understand all of that.
I think maybe a great example that's tangible, that people can visualize, to speak about that is how a lot of fintech applications interact with your bank accounts. For example, banks have open API ecosystems, and depending on which country you're in, there's different geographical regions, there's different layers of regulation and things that are mandated. But basically banks expose APIs for fintech apps to interact with them. It means when you have a mobile app, if you go to your banking mobile app, or if you go to maybe an investment account mobile app that you have, you'll see these widgets where they'll say, plot out your retirement, plot your net worth, plan out your retirement, all that kind of stuff. Just add in your other accounts so you can see things in one place. You can get a holistic picture of your financial health. How does that information get gathered? Oftentimes it's that app. Whatever app you're using is connecting to an aggregator service, which is connecting via API again to your bank account. That middleman, that middle layer of that aggregator service.

[00:09:46] Speaker E: Or maybe the app is going directly.

[00:09:47] Speaker A: Maybe it's a big enough app and maybe that company has passed all of the requisite compliance checks. But there are a lot of people trying to create startups and new fintech apps, new great user experiences like banks of the future. And it's easier for them to plug into an aggregator, plug into that middleman, all your compliance is taken care of. You've passed all those requisite regulations and checks, and that middle layer is seamless for your users. They have no idea that that data is going through there. It looks to them like a pop up. They enter in their credentials or a token, or they provide, maybe they generate an API token in their bank account. They give it the API token. So it's unique and it feels secure. It's a good user interface a lot of times. And that whole like aggregator access to bank accounts.
[00:10:38] Speaker E: And it's not only bank, that same.

[00:10:40] Speaker A: Flow of like an aggregation middleman, that can take place for many different use cases. APIs power that whole thing. And I think that's a nuance, a level of depth that a lot of people, they see it, they feel it.

[00:10:54] Speaker E: When they use those apps.

[00:10:55] Speaker A: You see it in that user interface, and the user interface is so slick, and APIs make a lot of that stuff so slick. But how is it working on the backend? It gets quite nuanced, it gets quite detailed, and the problems begin to, the challenges nest upon themselves. How do you trace one of those.

[00:11:12] Speaker E: Transactions through that middleman all the way?

[00:11:15] Speaker A: If you're in the bank's position, how do you defend that whole ecosystem? Because good guys and bad guys are coming through the same funnel, the same, the same tunnel of that middleman, basically. So I find that quite an interesting problem, and I think that's a good example to just to talk about APIs, their practical uses and how those practical uses turn into challenges for, you know.

[00:11:39] Speaker E: Defenders in the security space.

[00:11:42] Speaker C: So how would you defend that whole ecosystem?

[00:11:45] Speaker A: Yeah, that's a great, that's a fabulous, you know, question. And ultimately it involves, again, where you stand depends on where you sit. At Cequence, we do actually have, we have customers in the financial space, banks, so we'd be protecting them. So we're sitting where they sit in that case. And we also have some of those aggregator providers who are customers of ours as well. So each of their perspectives differ slightly. I'll talk about it from the bank's perspective because I think that's probably what your listeners and all of us have, bank accounts, right? And from their perspective, what's really hard is joining disparate transactions together that don't have unifying keys and unifying identifiers.
[00:12:29] Speaker E: Someone used an app to connect to an aggregator.

[00:12:32] Speaker A: Then that aggregator forwarded along the transaction to you, the bank. That final leg of the connection came from the same IP address, the same IP address that a lot of other good user traffic is coming through. So you can't use IP addresses and IP reputation and organizations and geographical detections.

[00:12:57] Speaker E: And mitigations to block things.

[00:12:58] Speaker A: You can't look at something like, oh hey, this IP address or this session.

[00:13:04] Speaker E: Used a lot of different usernames because.

[00:13:07] Speaker A: Again you've got that funnel. You need a way to take identifiers that are passed along from that first transaction, of which app sent in the request to the aggregator, of which user and their user ID, the email address, the domain, the reputation of it that.

[00:13:25] Speaker E: Came in from the first request to the middleman.

[00:13:28] Speaker A: You need a way to join those with stuff that actually came to your servers. If you're the bank, that second request, that's a really hard problem for them. How do you join those things together in real time and get those defenses into your network? And that one tactic right there, that sounds very tactical, but it's really interesting. And that is one thing. There's a capability in the Cequence tool suite that allows users to do that based on whatever pivot they want. I talked about app IDs and username domains. You can just configure whatever you want.

[00:14:08] Speaker E: So you can join those things together.

[00:14:10] Speaker A: But that's how a lot of our partners in the banking ecosystem have to try to defend against these, what we've worked with them to develop. From another perspective though, they've got challenges of just separating out all the behaviors, automated, everything that reaches those API servers of theirs from these aggregators is a bot.
It's good bots and then it's not so good bots. And you got to come up with some behavioral profiles, some patterns, ratios, speed and regularity of how things happen. Those are examples of features that you need to generate, and you need to know, and you need to have a tool and a system to do that math for you fast. So you can split those good, normal, regular bots that show up every day.

[00:15:00] Speaker E: At the same time from the aggregator.

[00:15:02] Speaker A: Because it's their time to poll your ecosystem and get the transactions for their users, versus the bot that was just subtly different and was coming in a little bit too fast, or maybe too slow actually. Like there was a minute between every request, exactly a minute on the minute, right. That kind of stuff. The behavioral profiling is the second really. Like how would you do it, how.

[00:15:30] Speaker E: Do you defend that kind of stuff.

[00:15:32] Speaker A: From a, from the banking perspective? So those are two tactical components of how folks do it. And you can see one of the underlying threads between the two of those is it's very math-centric, right. There's a lot of big math at scale, statistics, machine learning models that need to be run fast and have interpretable outputs and outcomes for the people charged with stopping abuse and fraud and so on. The team I run, that CQ Prime.

[00:16:03] Speaker E: Threat Research Team includes our machine learning.

[00:16:05] Speaker A: Engineering team, and that's one of their.

[00:16:09] Speaker E: Primary charters, is basically we need to.

[00:16:11] Speaker A: Come up with the math and the.

[00:16:13] Speaker E: Models that can run, that can run.

[00:16:15] Speaker A: Relatively lightweight, and then users can understand them.

[00:16:18] Speaker E: They can turn into rules, they can.

[00:16:19] Speaker A: Turn into features that someone, that can either just be used right there in.

[00:16:24] Speaker E: The line of the transaction to block.
[00:16:26] Speaker A: Or that someone who's analyzing data offline.

[00:16:29] Speaker E: Can automate against and scale their lives.

[00:16:32] Speaker A: To help, again, protect, just protect people's accounts from, in this case, fraud, abuse, theft and takeover.

[00:16:41] Speaker C: So what bothers you about API security? Because obviously you're really at the coal face of this space in the research arena. But what's sort of annoying you at.

[00:16:51] Speaker A: The moment, you've asked questions that have had me touch on it multiple times throughout the interview earlier. I think what bothered me, and maybe still bothers a little bit, is the noise that's distracting about this problem statement and this space. What bothered me in the past was that we didn't appreciate how much this and bot management, bot mitigation are related, are intertwined and inseparable, because APIs are simply a vehicle by which bots attack. Just like a tortilla chip is a vehicle for your guac, right? That's like, like that to me was so, so clear and obvious that too much talk about the other stuff just seemed distracting from the problem. Right now. Again, where you stand depends on where you sit. A lot of the time our team spends is in the data with our customers against active attacks. Like billions, I'm talking billions of bots every month that our system's blocking at.

[00:17:54] Speaker E: Some of the biggest environments of the.

[00:17:55] Speaker A: World and like critical, you know, infrastructure and ecosystems, like, like, like, like the telco space. So that commands the lion's share of mental, mental attention. To be fair, I don't wanna understate. If you only focus on that stuff.

[00:18:10] Speaker E: The low hanging fruit can slip right.

[00:18:12] Speaker A: By, which is just the amount of times APIs are exposed to the public.

[00:18:17] Speaker E: Internet when they weren't meant to be.
[00:18:18] Speaker A: They were meant to be testing, and they don't have authentication, and they return real data about users. We have this cheeky term internally that we use. We call it this unholy trinity: shadow API with no authentication exposed to the Internet. That's a simple concept. It's a low hanging fruit. We do have to solve those things as an industry, and we work at Cequence with our partners to solve that, with some of our partners, even in Australia as well, to like solve that, solve that problem, make sure we take care of the low hanging fruit before.

[00:18:54] Speaker E: We get mentally consumed by the really advanced, sophisticated attackers.

[00:18:58] Speaker A: So yeah, that was a great question about what bothers me and I'd say, yeah, it kind of, I think as.

[00:19:04] Speaker E: An industry we're coming to the realization.

[00:19:06] Speaker A: Bot management and API security are inseparable, two sides of the same coin. So I think we're moving in the right direction.

[00:19:14] Speaker C: So just going back to APIs exposed to the Internet, people probably don't even know that they've got that, right. And I get you got to do discovery and all visibility and all of that, but do you think this is always just going to be a thing like regardless? Because sometimes it's hard to, you know, I don't know, someone might do something and then they leave the company and then who knows? Right. So, and I know you've got to continuously be able to do this, but is there always going to be this problem that exists out there?

[00:19:39] Speaker A: Yeah, it absolutely will. This problem is not going away. And especially as you think about the growth in 2023, 2024 of generative AI companies and LLMs being consumed via API, which a lot of new companies and new startups and new business growth are, those are the platforms and ecosystems they're.

[00:20:04] Speaker E: Building their business, their application on top.
[00:20:07] Speaker A: Of. That's just like you're linking up. It's like putting a pacemaker in your heart, I guess. It's like you're linking so close that your APIs are at the foundation of your business.

[00:20:20] Speaker E: In that case.

[00:20:21] Speaker A: So development of those APIs that are of your, in this case, I'm speaking from the perspective of the startup, let's say the newer company creating an API to interact with an LLM from OpenAI or from Anthropic, you need to go fast, create a product, gain market share. You're going to be making those types of APIs left and right, part of your business. It's how you're going to grow. So we're just at the cusp, I think, of that. I saw some stats that I actually don't even know how this came into my mind, but someone talking about a, a release that talked about the ratio of OpenAI's revenue stream right now and how still the vast majority of it was just from consumer folks like you and I with the $20 subscription per month for the latest models, ChatGPT 4, and only 20% to 30% of their revenue was the B2B API stuff. Right now that to me says we're at early stages of the growth of that stream as an ecosystem for revenue for those LLM providers, but also growth of sprawl on the Internet of APIs using these things. And that being said, the whole tenor of that paragraph of my thought was startup-centric, new people building companies on top of those APIs. But all enterprises are looking for, big enterprises especially, looking for cost reduction. And a lot of the promise of some of these LLM applications is that tasks that used to take longer won't, and cutting man hours and cutting soft costs associated with some of these tasks that LLMs are particularly good at. Big enterprises are really, really looking for that right now and they're going to invest in it, and then that's big enterprises, right? Developing these new APIs to connect to these ecosystems that are net new, but they have to fit that into an.
[00:22:26] Speaker E: Ecosystem that supports a lot of legacy.

[00:22:29] Speaker A: Whether it's legacy protocols, whether it's legacy applications, or just works in more of a not big-tech-centric ecosystem or industry. I think telecoms are actually a perfect example of an industry where all this API security stuff we've been talking about.

[00:22:50] Speaker E: You layer in with telecoms.

[00:22:52] Speaker A: The next layer of, they have to support a lot of protocols, they have to do a lot of stuff. They have to have a retail website, basically, where you can buy phones, buy things from them, upgrade your plan, all of that. And then they also have to have APIs that basically support sending out SMS notifications to subscribers, or some of the white-labeled services, let's say, that use their network, their backbone. That's how they interact with the ecosystem to send out these SMS messages. And so you just get a lot of, you have an extra layer there of having to support a lot of legacy systems, having to develop fast, but also deal with that sprawl. So I think the telecom industry's particularly got, it's even harder for them to try to wrap their head around these problems. But again, we work with some of them and there's really good people that are working really hard on solving that problem.

[00:23:54] Speaker C: But this is the part that gets me, right. So going back to your point around companies going fast, new releases, new product, et cetera, it's getting faster and faster and faster, right? So if we split it down the middle between, okay, the business is like, in order for us to stay relevant, generate revenue, not fire everybody, we need to do these things, right? But then I get it. But then it starts to creep into the other side of it, which is the security side of it, which is like, hey, happy to do that and support that.
But then we're going so fast that it's like, well, we have all these exposed APIs on the Internet, you know, we don't know what's going on at this point, because we got to release things faster and faster. So we've sort of, you know, trying to solve one problem from a business perspective, but then we're sort of opening up then another one. So in this conundrum now. So how does that then work moving forward?

[00:24:38] Speaker A: You're absolutely right. And that's like it touches on, you know, the great debate between growth and security. It's always, it's always a tug of war, right? And those politics, that's the one thing, well, AI certainly won't be able to solve human nature and the political push and pull, right, between in circumstances like this. That'll stay. I will offer one modest technical solution to that problem, which is the security folks can help reach a compromise with.

[00:25:05] Speaker E: The business folks in this sense by.

[00:25:07] Speaker A: Providing better testing in the development pipeline to avoid some of these common problems. The API sprawl, the sensitive data exposure that doesn't need to be there, the lack of authentication and authorization, maybe injection, APIs vulnerable to injection attacks, especially when we talk about the LLM stuff like.

[00:25:31] Speaker E: Prompt injection types of attacks.

[00:25:33] Speaker A: But there are common themes of the.

[00:25:36] Speaker E: Types of vulnerabilities and risks you can.

[00:25:39] Speaker A: Introduce during API development. So the idea is build some tests inside your CI/CD pipeline so that you can code those away and the developers don't have to worry too much about it. They make what they need to make. They move fast. They push the code into the pipeline, the pipeline spits it out and says, you failed this test, here's what you need to do to fix it. And then they go ahead and they're.

[00:26:05] Speaker E: Able to move that much faster.
[00:26:06] Speaker A: Security in that case is an enabler, not a roadblocker. And that's a big, when organizations work like that and the two teams are actually collaborating pretty well, things are good. That really helps, where it's instead of just like, no, you don't see it my way, you don't understand.

[00:26:23] Speaker E: No, you don't see it my way, you don't understand.

[00:26:26] Speaker A: That compromise of helping in the testing and development pipeline is one thing we've seen work.

[00:26:32] Speaker C: I want to switch gears now. I want to talk about, you mentioned a lot about API creep. What is that?

[00:26:38] Speaker A: Yeah, API creep. I think that's maybe just one way to talk about one particular part of that unholy trinity I mentioned, of the common types of API breaches take place on shadow APIs that expose sensitive data and lack authentication. Well, what is that first element? That first thing I said, shadow API. What is a shadow API? Effectively those are, shadow APIs are what come from API creep. They are APIs that are undocumented. There is no spec, no rules of the road for how it's supposed to function. People don't know it exists, don't know what's out there. They don't know what kind of traffic even hits it. A good example of those can be APIs that a lot of businesses, whether they're consumer or B2B, they have to, a lot of people, they all have CRMs to manage a lot of their customer relationships, their prospect relationships, and track inventory, order history, order management, all that stuff.

[00:27:44] Speaker E: Your CRM will interact with those APIs. Oftentimes only your CRM will interact with those APIs.

[00:27:51] Speaker A: But are you sure that only your CRM interacts with those APIs? Is that API actually being hit by other stuff? Is it being exposed to the Internet? Does it have the proper authentication and.

[00:28:03] Speaker E: Authorization that enforces that only your CRM.
[00:28:07] Speaker A: Can interact with those APIs? That's a perfect example of API creep, because somebody had to develop that API to make your CRM interact with, because otherwise your CRM would not be delivering the value that it needed to deliver to the team who needs that data. I think that's a good example of API creep is shadow APIs. Those terms I would use somewhat interchangeably.

[00:28:34] Speaker C: So I'm assuming that shadow APIs are pretty common across most companies from what you're saying.

[00:28:41] Speaker A: Yeah, that's right, that's right.

[00:28:43] Speaker E: Typically that's one of the first things.

[00:28:44] Speaker A: When we go into an environment and we run crawls from the outside. But also when we're like, when our software is installed and people are sending their traffic to us, one of the first things we do is look at how many of the API, of the transactions that are coming through the system.

[00:29:01] Speaker E: Match any of the documented specs that.

[00:29:04] Speaker A: Exist and how many don't. And then of those that don't, a lot of times what we do next is actually take a representative basket of that traffic and create the definition.

[00:29:16] Speaker E: If the definition doesn't exist that was.

[00:29:18] Speaker A: Created by a developer, we will create it and say, all right, here are the new rules of the road based on the math. Once that baseline is created, things still deviate from them. Oftentimes what deviates is those types of shadow APIs. That means where I've got an API spec and I've got traffic that says this API only takes in data, it only accepts POST requests. People send the data to this API. That's all well documented. It's all well and dandy. The gates are locked and the guards are standing at the ready, but then all of a sudden that API also accepts GET requests. So people are fetching data from that API, and that wasn't really expected, it wasn't documented. That's an example of a shadow API.
That's a common theme of that method. Divergence in expected and normal methods, which APIs are used for, are used with, excuse me. We see that a lot, and it's one of the earliest things we tackle with customers. And oftentimes the percentages of APIs that are shadow APIs, it's not uncommon to see 10, 20, 30% of the API estate is a shadow API. The variance depends mostly on how many definitions they had before they started with us or not. It's not uncommon. People shouldn't feel bad or embarrassed if they have a bunch when they start, but it's all about making that line.
[00:30:48] Speaker E: Of how many exist trend in the.
[00:30:50] Speaker A: Right direction and just keep chipping away.
[00:30:52] Speaker C: Okay, so this is interesting. I want to get into this deviation stuff. How often is that happening?
[00:30:58] Speaker A: Yeah, that, that happens, not just at the beginning, like you said. I mentioned how that was the first thing we do, right, is looking for, you know, you want to get the lay of the land, figure out how many APIs exist and what hosts they're on, what sensitive data exists, and what the authentication profile is. But I'm, after you get the baseline.
[00:31:18] Speaker E: The most important thing you can do.
[00:31:20] Speaker A: Like, that's a lot of focus at the beginning, right? And then you think you're good, but what you really need to, after that.
[00:31:27] Speaker E: Moment in time, what matters the most next is anomaly detection.
[00:31:31] Speaker A: That's a, that, that's the key of it, right? If you can't detect anomalies, again, based on math, really, and math and models, like, if you can't do that, you're going to struggle to scale and support over the long term, because a year from today, some business priority is going to change. Something's going to happen, somebody's going to need to develop something, and something new is going to happen that hasn't happened.
[00:31:54] Speaker E: Before, and you need to know when.
[00:31:55] Speaker A: Something new has happened. And so that's a key part of where API security and bot mitigation are the same thing, because they rely like, effective manifestations of both rely on quality anomaly detection, whether it's anomalies based on what you see right now in day zero of a deployment or anomalies on day 365. You just need to be able to know that something's happened to relate it back to something. I mentioned earlier, I talked about those aggregators and you have good bots and you have bad bots and they're all coming through the same channel. Well, the anomaly detection in this case is the bad bot detection.
[00:32:38] Speaker E: Usually everything is coming in at the same time. Usually everything is always succeeding because the.
[00:32:43] Speaker A: App already has people's credentials or the.
[00:32:45] Speaker E: Tokens associated with them.
[00:32:47] Speaker A: But then when one day that success rate drops from 90 to 70, that's weird. That's an anomaly, right? That's what we have to identify. Very similar on API, the API sprawl stuff and the catching those shadow APIs, shall we say. It's really that anomaly detection, that one GET request I talked about where now.
[00:33:08] Speaker E: Data is being fetched and not pushed.
[00:33:10] Speaker A: Usually there's a lot of transactions flowing through these APIs. So one request may not stand out, certainly won't to the human eye, but that's where tooling and automation comes into play to help defenders.
[00:33:23] Speaker C: So when you're presenting this back to a client, are any of them blindsided by this? Like, oh well, I thought that was all taken care of in terms of the documentation, etcetera. You know, what's being fetched, for example?
[00:33:35] Speaker A: Yeah, yeah. There's always cases where people are surprised and find it interesting, certainly. I tell you though, I do think oftentimes people are not surprised that there's no documentation.
That's again, trying to fight, trying to fight human nature is trying to make.
[00:33:52] Speaker E: Engineers do better documentation.
[00:33:53] Speaker A: So that's kind of why that feature exists of generating the specification and documentation from the traffic, because that's a little way to bypass human nature, shall we say, instead of trying to fight it. I might also not be the best person to speak representatively on that question. 'Cause a lot of times when I'm working with our clients, we're talking for a reason, they're focused on this problem. They kind of know what things they're hoping to find in the tool. So it's not that it's earth shattering. They always, always appreciate that stuff. I'd say where a lot of times maybe people do get surprised is once we move into the attack area, once we move into like okay, we've identified all the APIs and got all the inventory stuff handled, and now we're talking about one API is getting attacked and getting abused. The scale and scope and sophistication of some of these actors hitting those APIs is crazy. And the arsenal of the ecosystem that those attackers have to support Benjen to scale themselves, to obfuscate themselves, is quite immense. When you're talking about how to anonymize yourself from an attacker's perspective, the holy grail of an attack is you can send a million requests from a million different IP addresses, all of whom belong to the exact same residential IP providers that your target's customers come from. Right. Being here in the States, that's like, I want Comcast, Verizon, Spectrum, T-Mobile IP addresses. Because when I'm attacking an American target, American people are their primary customers. Right? And you could draw the same parallel to Australia with, like, with, you know, Telstra IP addresses, Optus IP addresses, those are, that's the ideal ecosystem that an attacker wants access to. There are these things that we've had.
[00:35:45] Speaker E: We coined the term bulletproof proxy networks.
[00:35:47] Speaker A: But it's these residential proxy networks that exist that provide that fuel for the fire, that they're kind of the oil that makes the engine go. For a lot of these bot attacks, people definitely get surprised at the scale.
[00:35:59] Speaker E: And the scope of those.
[00:36:00] Speaker A: I'm talking like that. 1 million requests from 1 million IPs, that's not that big. And a million IPs, that's a decent chunk, and that's not that big. When we talk relative to the types of attack volumes we see, there are.
[00:36:14] Speaker E: Pools of proxies that are in the.
[00:36:15] Speaker A: Tens of millions, which is pretty crazy when you think about it. So that ends up being one of the areas where people, their eyes get.
[00:36:25] Speaker E: A little bit bigger when they see.
[00:36:27] Speaker A: The scale and scope of those things.
[00:36:29] Speaker C: Trey, just on that note, just as you're speaking, what was coming to my mind was, do you think API security is one of those things that sort of flies beneath the radar a little bit? I wouldn't say people forget about it, but there's other things out there, like business email compromise. People like, you can see it, maybe a little bit more tangible, or data breaches, et cetera, but API security just feels like it's a bit of a background character.
[00:36:52] Speaker A: Yeah, maybe. Again, hard for me to speak authoritatively when I spend too much of my time living it here at Cequence, but I think maybe a nice way to think about the difference you just called out is that some of those. But business email compromise, great example, like social engineering types of security risks, consumers.
[00:37:16] Speaker E: Are the ones that feel the pain from some of those. From a lot of those.
[00:37:20] Speaker A: Right?
If you are the victim of the, shall we say, it's not a prank, but the theft where someone has impersonated your CEO and convinced you to buy $250 of gift cards and send them to them, you are the one who feels that heat, right? Like you lost money. Generally, things, I think, that make people directly financially harmed make the news a little bit more. The API breaches that hit the news, right, those tend to be data leakage issues, right? This massive soup of data, million records, 2 million records, whatever million records it is of customer information gets leaked. Now, when that happened, you or I, right then, did not lose anything, right then, any money, right then, right. The pain was less acute at that very moment, but it's all about what happens after, right.
[00:38:10] Speaker E: Next comes the fraud, the edge of.
[00:38:11] Speaker A: Any theft, all of those terrible follow-on second order effects that take place with that data that's been leaked. So I think maybe that speaks to some of the newsworthiness, or lack thereof.
[00:38:27] Speaker E: At least the difference between the two.
[00:38:29] Speaker A: Categories you called out there, I've certainly seen. I feel like API security has definitely had its day in the sun as far as buzz and notoriety. We're witnessing some of that consolidation, some of that realization that, man, bot management, bot mitigation wasn't a solved problem. API security is quite closely related to it. We gotta be able to solve these. And so it's just, it'll be interesting to see where it goes, I think, for sure. And I'm definitely not trying to, by.
[00:38:58] Speaker E: That example or explanation, like, try to.
[00:39:00] Speaker A: Downplay the damage of, associated with millions of records of PII being leaked, right. That's like really damaging and really bad. And that's why a lot of countries are upping their regulatory regimes to try to make sure there are consequences to things like that.
[00:39:16] Speaker C: So, Will, do you have any sort of closing comments or any final thoughts you'd like to leave our audience with today?
[00:39:21] Speaker A: The common journey and the common themes between API security and bot management. I think if I could leave people.
[00:39:28] Speaker E: With one thing, it's that those two.
[00:39:30] Speaker A: Things are inseparable and that one or the other is not a solved problem.
[00:39:35] Speaker E: One or the other can't be handled independently.
[00:39:38] Speaker A: Those teams who use the tools designed to solve those need to work together. Ideally, they need to be using a tool that's capable of all of the above. And that would be my first, biggest takeaway. My second, maybe biggest takeaway is that I think we're still in the early days of growth of API-first companies, API-centric ecosystems. As this new wave of companies is going to be built on top of LLMs exposed as a service, LLMs and models exposed via API. We are going to see entire companies, entire organizations built on top of these APIs. So it's so core and fundamental to those businesses that you get on top.
[00:40:22] Speaker E: Of this problem early.
[00:40:23] Speaker A: When you get on top of this problem early and you have a good understanding from the beginning, it does make it a lot easier in the end. That I find is quite a difference in perspective. When we talk with companies where there's tons of sprawl and legacy issues versus companies that are in their national stages where they can at least conceive, you.
[00:40:48] Speaker E: Can get your head around the problem.
[00:40:50] Speaker A: I think those are maybe the two thoughts I could say is we're early days, the API in growth of API-first companies, and definitely don't ignore bot management and bot mitigation as part of API security.
[00:41:11] Speaker B: This is KBcast, the voice of cyber.
[00:41:15] Speaker C: Thanks for tuning in.
For more industry leading news and thought provoking articles, visit KBI Mediaev to get access today.
[00:41:24] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent. Mercset's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and mid-sized businesses scale faster and more efficiently. Find out [email protected] today.
