APIs: Threat prevention as important as detection

Application developers have made one thing clear in recent years: APIs are now the tool of choice for efficiently creating fully-featured apps across web and mobile platforms. Businesses are now trusting APIs to exchange information, including sensitive data such as payment details and account login credentials.

This preference for APIs, in turn, has brought a new class of cyber threats. Unless your organization is ready to pay close attention to its API environment and defend against the latest advanced threats, you may find your APIs have become a preferred attack target, with new security risks emerging all the time.

The primary way to keep data as safe as possible involves unified API protection, meaning your organization is able to discover its potential attack surface, detect real-time threats and prevent those threats natively, and in real-time. It’s important to not overlook that third step, prevention, especially because some API security products stop short of actually offering countermeasures.

Why is API threat prevention so important?

API threat prevention is such a high priority because of the dire consequences that can result when organizations don’t have adequate defenses in place. Common API-related attacks, such as system compromise due to weak authentication, account takeovers and sensitive data exfiltration can lead to regulatory fines, reputation damage and major monetary losses.

APIs have become popular with both developers and threat actors:

● Of the 21.1 billion application requests measured in the second half of 2021, over two-thirds, 14.4 billion, were API-based.

● Four-fifths of all blocked traffic during the same time period was also API-based.

With APIs powering so many applications and also attracting so much attention from attackers, it’s vitally important for every company to have a threat prevention strategy in place specifically focusing on API attacks.

As common API vulnerability types and risk factors IT security teams can expect to deal with, the Open Web Application Security Project (OWASP) API Security Top 10 list provides a useful primer. The two most popular threats on the list involve threat actors using broken access control features to break into systems. At No. 3 on the list is inadvertent sensitive data exposure due to cryptographic failures. Each of these risks is more often than not the result of coding errors on the back end.

Other issues highlighted by OWASP include misconfigured security features, authentication problems, outdated components and design flaws. With attackers targeting so many aspects of APIs and the applications they power, it’s essential for IT security departments to have comprehensive threat prevention tools in place.

What are the best practices of API threat prevention?

Threat prevention encompasses a few different potential responses to harmful traffic. As soon as an organization detects an attack targeting its APIs, the security solution should counter the incoming traffic with the appropriate action. This could involve:

Blocking the source of the attack.

Rate limiting access to the company’s APIs.

Geo-fencing to block access from certain regions or addresses.

Deception, which makes the attack appear successful.

This response should involve a heavy automation component, to prevent the delays and labor associated with manual processes. Rather than having to formulate a threat prevention response for each instance of malicious activity, an IT security team can trust that customized or default rules and machine learning models will identify the attack and provide the appropriate response.

A well-configured rules and ML engine can not only ensure every attack is met with the correct response, but it can also prevent false positives, in which legitimate API traffic is blocked. This is an important consideration because so much of a given organization’s data interchange will occur via APIs and attackers are adept at making their malicious actions appear legitimate. It’s important to keep the APIs running smoothly while also providing security.

How do you combine API threat detection with prevention?

Seamless integration is the key concept for providing a unified API threat prevention experience.

API threat prevention should also be closely integrated with API discovery and detection tools, ensuring that every risk factor and vulnerability identified by these solution elements receive a timely, appropriate and automated response. The only way to ensure a rapid response is to look for a solution that natively mitigates threats, without the need to rely on 3rd-party security tool integration.

API threat prevention tools that take advantage of this close integration can protect against both known threat types and emerging threats, as cataloged by the API discovery and detection solution components.

With advanced ML-based detection of API threats, it’s possible to tell the system to protect common theft targets such as credit card information and Social Security numbers, but also intellectual property or credentials relevant to their industries.What does Unified API Protection mean?

Unified API Protection goes beyond limited API security tools to address every phase of an organization’s API protection lifecycle.

● First, organizations must discover their entire API attack surface, using both outside-in and inside-out methods to see what attackers will see. This includes finding shadow APIs, deprecated and outdated components and more potential risk factors.

● Then, businesses need to employ real-time API threat detection methods to prevent all kinds of harmful traffic. Systems should be able to guard against both known threats and emerging threats, all according to customized rules.

● Finally, as discussed above, IT security teams require comprehensive API threat prevention tools. These must be capable of providing customized and automated responses based on the type of harmful traffic detected, whether that means blocking, limiting or even deceiving the attack.

Putting these API-focused advanced threat protection components together provides a more comprehensive approach to data defense than would be possible with a web of disconnected API security tools that only deal with parts of today’s varied threat environment.

Considering the overwhelming popularity of API-based development, it’s likely that your organization already maintains numerous APIs, with more to come over time. Protecting that potential attack surface is therefore a fundamental cybersecurity need.

Jason Kent

For over the last 20 years, Jason has been ethically peering into Client Behaviour, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organisations secure their assets and intellectual property from unauthorised access. As a consultant he's taken hundreds of organisations through difficult compliance mine fields, ensuring their safety. As a researcher he has found flaws in consumer IOT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...