API Security is more than just protecting B2C APIs from bots


Most security teams now realize that APIs are one of their biggest security blind spots. Many reacted by focusing on their most obvious area of ​​API risk: the business-to-consumer (B2C) APIs that external mobile and web applications rely on.

This is perfectly logical. After all, the fact that B2C APIs serve the outside world makes them particularly exposed to attacks using bots and other automated methods. So, in response, many organizations have deployed specialized bot mitigation tools or are using first-generation API products or web application firewalls (WAFs) to tightly manage how these APIs are accessed.

But while these are best practices, B2C APIs are only the tip of the iceberg when it comes to overall API risk. A much larger set of API risks often remains hidden beneath the surface in an organization’s cross-enterprise APIs.

The building blocks of digital transformation are B2B APIs

While B2C API security is now relatively well understood, many security teams overlook the central role B2B APIs now play in their organization and the potentially devastating risks they expose. Digital transformation is now a must for any organization that wants to stay competitive in today’s market. But as trading partners integrate their key operational functions through APIs, it creates a complex web of interconnectivity.

Many of these API-based connection points provide direct visibility and access to critical business functions. This may be fine when that functionality and data is limited to intended use by trusted partners. But in the hands of a dishonest partner or external threat actor, this level of API access can be exploited in ways that could have devastating business impact.

The often overlooked attack vector is your API-to-API traffic.

B2B API security is often overlooked for several reasons. First, B2B APIs are often written and maintained – and sometimes even managed – by different teams within an organization than those responsible for B2C APIs. For example, B2B APIs for resellers, vendors, and other business partners are owned either by the business unit or by the IT department. And very often the methodologies and processes differ significantly from department to department.

Second, B2B APIs are generally considered more trustworthy because their consumers are authenticated as known partners of established businesses. That familiarity with the partners behind the API calls reinforces the willingness to overlook or ignore API security best practices. But in reality, companies are made of people, and people make mistakes. They misplace API keys, and they can be compromised, socially engineered, or otherwise turn into malicious insiders.

Third, because B2B APIs are authenticated and typically serve a smaller number of API consumers than B2C APIs, it is easy for API and security teams to be lulled into a false sense of security. Many organizations fail to anticipate how B2B APIs can be used in unexpected ways and underestimate the impact on the business.

For example, an authenticated partner using your API may gain an unfair advantage — or compete with your business — by abusing their access to your data and business functions. Or worse, a trusted partner could be hacked, giving a malicious actor leeway over your sensitive resources and time to seek out other vectors of damaging API abuse.

And even when these risks are understood, they cannot be mitigated with bot mitigation tools, WAFs, or first-generation API security products. One of the main reasons for this is that most organizations do not have a complete inventory of the B2B APIs that their organization exposes.

Another major challenge is that B2B APIs generally do not exhibit predictable attack patterns or the spikes in traffic volume that suggest bot activity. More often than not, they are attacked through forms of API abuse that blend in with legitimate use. Even if the security team has a full inventory of B2B APIs that it actively monitors, it is unlikely to detect these forms of abuse using traditional attack signatures: there are no signatures for one-off or zero-day API abuse.

Broad Visibility and Behavioral Analytics Key to Effective B2B API Security

So how can businesses better control the security of their B2B APIs? The two most important steps they can take are:

  1. Implement extensive and ongoing API discovery and visibility capabilities
  2. Apply behavioral analytics technology to differentiate abuse from legitimate activity

Continuous API discovery and visibility

While most organizations strive to implement well-structured processes and governance for their APIs, rogue and shadow APIs are a reality almost everywhere. They are usually not created with malicious intent. The simple reality is that most companies have many teams and moving parts, all of which are changing rapidly. Add the occasional merger or acquisition, and suddenly even the most proactive organization is likely to find itself in the dark about the APIs it is exposing.

The only answer is to continuously monitor all environments for API activity. This can be accomplished by capturing and analyzing API traffic and logs from all available sources, including:

  • Network packet brokers
  • Traffic mirroring
  • API Gateways
  • Content Delivery Networks
  • Cloud provider logs
  • Log management systems
  • Orchestration tools

Once you understand the full scope of your organization’s API activity and have a plan to sustain it as changes occur, then you can move on to protecting B2B APIs.

API behavioral analysis is essential

The key to closing the risk mitigation gaps for B2B APIs is to augment or replace the tools and techniques you use to protect B2C APIs with a behavior-based approach. Why? Just as many security teams have adopted XDR for enterprise security, behavioral analysis establishes a baseline of legitimate or expected behavior and spots anomalies that would be impossible to anticipate in advance. The same concepts can be applied to application security. It starts with profiling the users and business processes represented in your API data. Once you have done this, you can more easily spot anomalies that signal that your B2B APIs are being abused or, at the very least, used in unexpected ways.

See the full picture of your API’s security posture

Embracing API behavioral analytics to gain a better understanding of API usage — and abuse — doesn’t have to be complicated. You don’t need a complex and expensive on-premises security infrastructure. With Neosec, you can get your first insights in minutes and scale seamlessly to understand and protect your entire API footprint with our 100% cloud approach.

Take the first step by requesting a free trial today at neosec.com.

*** This is a syndicated blog from the Security Bloggers Network, written by the Neosec team. Read the original post at: https://www.neosec.com/blog/how-do-you-protect-an-api-from-scraping-0
