API security becoming a C-level cybersecurity concern

July 30, 2019 Santa Clara / CA / USA – Akamai sign displayed at their headquarters in Silicon Valley; Akamai Technologies, Inc. is an American content delivery network (CDN) and cloud service provider

Akamai Technologies announced this week that it will acquire privately funded application programming interface threat detection and response company Neosec, a finalist in the 2022 RSA Conference Innovation Sandbox Contest. The deal is expected to close in June. Neosec's employees, including co-founder and chief executive officer Giora Engel and co-founder and CEO Ziv Sivan, are also expected to join Akamai's security technology business.

The acquisition speaks to a wake-up call moment: the growing importance of API threat detection and attack remediation as part of always-on detection and response, and the ascendance of more holistic security platforms.

In the latter case, IT firms like Cisco, Check Point and others are offering a holistic single-platform alternative to a multiple-vendor approach, one centered on myriad security software-as-a-service solutions to specific vulnerabilities, rather like dozens of proverbial Hollanders plugging known leaks with their thumbs but not addressing the big picture.

Rupesh Chokshi, general manager of application security at Akamai, explained that the acquisition brings much-needed API expertise to Akamai.

SEE: Coordinated cybersecurity is security aligned with business goals (TechRepublic)

“There are a number of things we have become really good at, but we haven’t focused on API interactions. With this new capability we are able to see anomalies: Why are these calls being made? What is the data shared or traversed, what known vulnerabilities are we seeing? We will now have the ability to quickly alert the customer that this is what’s going on,” Chokshi said.

Mani Sundaram, executive vice president and general manager of the security technology group at Akamai, said, “Enterprises expose full business logic and process data via APIs, which, in a cloud-based economy, are vulnerable to cyberattacks. Neosec’s platform and Akamai’s application security portfolio will allow customers to gain visibility into all APIs, analyze their behavior and protect against API attacks.”

API attacks on the rise

Security companies are seeing a brisk increase in API threat activity. Salt Security, in its March State of API Security report, noted a 400% increase in attackers over the prior six months. The report also found:

  • 80% of attacks occurred over authenticated APIs.
  • Nearly half of respondents now say that API security has become a C-level concern.
  • 94% of survey respondents experienced security problems in production APIs in the past 12 months.
  • 70% said their organizations suffered a data breach because of security gaps in APIs.

One example illustrates how effective a relatively simple API attack can be: the NCC Group, in its 2022 annual Threat Monitor, noted that Australian telecom Optus had the personal information of 10 million customers exposed in a data breach accessed through an exposed API.

Roey Eliyahu, co-founder and CEO of Salt Security, noted that while APIs are powering digital transformation, delivering new business opportunities and competitive advantages, “The cost of API breaches, such as those experienced recently at T-Mobile, Toyota and Optus, put both new services and brand reputation, in addition to business operations, at risk.”

Akamai's State of the Internet report noted that the inclusion of API vulnerabilities in the upcoming Open Web Application Security Project API Security Top 10 release is emblematic of growing industry awareness of API security risks.

Risk grows with increased velocity of software development

The Akamai report cites two factors driving the rise in API attack volume. One is acceleration in the application development lifecycle, which “requires a faster turnaround in creating and deploying these applications in production, which could result in a lack of secure code,” the report said.

Akamai cited Veracode's Enterprise Strategy Group survey, in which 48% of organizations acknowledged that they release vulnerable applications into production because of time constraints (Figure A).

Figure A: The top verticals impacted by web application and API attacks, 2021 vs. 2022. Image: Akamai.

Akamai also reported that the number of vulnerabilities is on the rise, with one-tenth of all vulnerabilities in the high or critical category found in internet-facing applications. The report also said open source vulnerabilities like Log4Shell doubled between 2018 and 2020.

Attackers see APIs… but do you?

Akamai said that, among other things, Neosec's solution provides visibility of APIs, which is of critical importance because organizations often don't know where, or how many, APIs they have below the digital decks.

“That is priority number one,” said Chokshi. “In security language, it’s discovery and visibility. And it’s going to be interesting because customers want the baseline: they want to understand (their API exposure).”

Because large organizations can have hundreds of apps, they often have to address high-risk APIs first, because they can't address everything at once, he added.

“They are using lots of different exit points, API gateways like (Google Cloud’s) Apigee, or Kong, or load balancers like F5, so there’s this whole complexity that each enterprise environment has that we have to work with customers to tackle as we go forward. The end objective would be visibility and discovery figured out, and intelligence, and then work on protection: How much of this can we do with blocking, how much with response and can we automate?” Chokshi said.

Former FBI Special Agent Dean Phillips, executive director of public sector programs at API security firm Noname, said the risks are multiplied by visibility issues, a perennial problem for enterprises with large and growing numbers of integrated applications and interfaces.

“We have found that in private security upwards of 30% of APIs that are active in an environment are unknown by users,” he said. “So there is quite a lot that goes on that users just aren’t aware of, including movement of sensitive data, not just names and addresses but social security numbers, birthdays, that the application doesn’t necessarily need or use. It’s a major problem. If you don’t know what you have, or what it’s doing, how do you protect it?”
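As an added illustration of the discovery-and-visibility step Chokshi and Phillips describe (example code written for this page, not code from the article, Akamai, Neosec or Noname): a small Python routine builds an observed API inventory from access-log lines, compares it with the inventory the organization believes it has, and flags routes that are unknown or reached without authentication. The log format, the declared inventory and every endpoint below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): method, path,
# whether the request carried credentials, and the response status.
SAMPLE_LOG = """\
GET /api/v1/customers/1042 auth=yes status=200
GET /api/v1/customers/1043 auth=yes status=200
POST /api/v1/orders auth=yes status=201
GET /api/v1/customers/1044/documents auth=no status=200
GET /api/v1/customers/1045/documents auth=no status=200
GET /internal/debug/export auth=no status=200
GET /api/v1/customers/1046 auth=yes status=200
"""

# Hypothetical declared inventory, e.g. what the API gateway or OpenAPI spec
# knows about. Anything observed outside this set is a "shadow" API.
KNOWN_ENDPOINTS = {
    ("GET", "/api/v1/customers/{id}"),
    ("POST", "/api/v1/orders"),
}

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<path>\S+) auth=(?P<auth>yes|no) status=(?P<status>\d{3})$"
)


def normalize_path(path):
    """Collapse numeric path segments into {id} so that /customers/1042 and
    /customers/1043 are counted as one route rather than two."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def discover(log_text):
    """Build the observed inventory: (method, route) -> call and unauth counts."""
    observed = defaultdict(lambda: {"calls": 0, "unauth": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        route = (m["method"], normalize_path(m["path"]))
        observed[route]["calls"] += 1
        if m["auth"] == "no":
            observed[route]["unauth"] += 1
    return dict(observed)


def shadow_endpoints(observed, known):
    """Routes seen in traffic but absent from the declared inventory."""
    return {route: stats for route, stats in observed.items() if route not in known}


def unauthenticated_routes(observed):
    """Routes that served at least one request without credentials."""
    return {route for route, stats in observed.items() if stats["unauth"] > 0}
```

The output of `shadow_endpoints` is the baseline Chokshi refers to: the gap between what the gateway or spec declares and what is actually answering requests, with the unauthenticated routes being the first ones to review.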

Rising API attack incidents in 2022

According to Google Cloud Cybersecurity Action Team's April 2023 Threat Horizons Report, the rise in API compromise was a factor in one-fifth of incidents last year. According to the report, customers delayed security upgrades because “they worried that such upgrades might also bring unanticipated API changes, which might undermine their applications’ functionality.”

The report said, however, that APIs don't actually change with minor upgrades addressing a Kubernetes cluster's overall operating environment, and the scope of the updates can be managed. “Customers were not always aware of this configuration option, however,” the report said.

Growing focus on API security

Because of the ubiquity of APIs as intermediaries in a growing number of cloud-native transactions, Chokshi said he sees the API security market potentially becoming a security superset.

“The interactions will be that much greater because of areas like the automotive industry, healthcare, and smart cities, versus classic end user or mobile applications,” he said.

“You also have a lot of businesses where APIs are critical to the back end: A customer is trying to open an app or account, and in the back end there is a credit check, or other actions. More and more business-to-business transactions taking place in this cloud economy, including supply chains, are API-driven. The API market, in general, is rapidly growing and the tooling that is required to keep up is lacking. Security becomes even more important because of that,” Chokshi added.

Phillips agrees APIs are an active area. “It’s becoming white hot, and lots of folks are trying to get involved in API security because there’s a growing recognition that they are the number one attack vector,” he said, noting that in 2022, Gartner had estimated that by last year, APIs would be the No. 1 attack vector. “And we have seen tremendous growth,” Phillips said.

API surveillance joins the platform

Akamai's acquisition follows a shift away from single-point solutions to comprehensive services, from products to platforms, the virtues of which industry consultants have been extolling for years.

“It’s a constant conversation between best-of-breed technology and platform solutions,” said Wendi Whitmore, SVP of Palo Alto Networks' Unit 42 group. “The discussion previously had been one or the other. I will say that our ability to provide a much broader range of solutions across technology is really compelling, and I will say the majority of our products are best of breed. It will be tougher for organizations to compete in a world solving one small problem,” she said. “There is never one single silver bullet. It’s too complex today.”

Chokshi said Akamai's acquisition, and a security-platform approach to cyberdefense, allows the firm to benefit from adjacency so that an attacker doesn't get lost in transit between one point of visibility (or security product, if the organization is using multiple vendors) and another. “We are already providing a high level of protection, they are comfortable with our portals and platforms and so this becomes an additional capability in that same continuum.”

Phillips, who said Noname employs a “left of boom” approach, essentially shifting left to address API vulnerabilities before an incident makes them apparent, predicts there will be more consolidation that brings API security capabilities under the aegis of major players. “There’s enough recognition in the industry that API security is growing. APIs have been around for a long time but recognition of vulnerabilities hasn’t. Attacks are increasing but the question becomes what’s the impact? Is the pain of the attack enough to drive action?”
