[By Andy Grolnick, CEO, Graylog]
In the past couple of years, there has been explosive growth in API usage as API-related solutions have enabled seamless connectivity and interoperability between systems. From facilitating data exchange to cross-platform functionality, companies with an API-first approach have more performant financial outcomes. According to Postman’s 2023 State of the API Report, roughly 66% of participants indicated that their APIs contribute to generating revenue. Among this group, 43% specifically mentioned that APIs account for over a quarter of their company’s total revenue. Moreover, the rise of the API economy has spurred organisations to open up their services, fostering collaboration, and enabling the creation of new products and services through third-party integrations.
As the popularity of APIs has grown, so have the security risks they pose to organisations. A recent ESG survey on API security showed that 92% of organisations using APIs have experienced a breach in the past 12 months. APIs hold valuable data such as personal user data, financial details, or business-critical information. In sectors such as financial services, APIs can be exploited to manipulate financial transactions or steal credentials for direct financial gain. What makes API attacks increasingly concerning is their low barrier to entry. APIs have publicly accessible documentation. Exploiting vulnerabilities is not a complicated task for hackers, granting them unauthorised entry to manipulate endpoints, leading to potential data breaches and gaining control over systems.
That is why it’s strange that for many CISOs, APIs remain a critically under-protected attack surface as API security falls into no-man’s land. API Security is usually the remit of security teams, but the APIs themselves are developed by product teams who tend to prioritise speed and time-to-market. Hence security teams have relied on developers to address issues as the products are being built.
Unfortunately, we anticipate that this achilles heel will be exploited by bad actors in 2024. It is important that CISOs and their teams understand their organisation’s API risk posture when developing an API security strategy for the next 12 months. It will be up to CISOs to drive initiatives between security and product teams to ensure visibility into APIs and devise strategies to mitigate potential threats.
All is not lost. Enterprises are now waking up to the dire need for API security, and CISOs have a significant role to play in safeguarding their environment.
We delve into the top challenges we expect CISO to face in 2024 in securing APIs and how they can overcome these growing concerns to bolster their organisations’ security posture.
Authenticated Attacks
Protecting against API threats will be a major challenge CISOs should be ready to face as traditional, perimeter-based solutions are ineffective at identifying such threats.
Hackers are finding innovative ways to gain authenticated user access and with low-cost APIs, hackers can pose as real customers or partners. Additionally, as nation-state-backed cybercriminal groups are on the rise, criminals have more access to resources to pay and become customers. Insiders will deliberately exploit their authorised access to steal sensitive data, manipulate API endpoints, or perform unauthorised actions, leading to data breaches, service disruptions, or system compromise.
As WAFs only monitor HTTP requests, new perimeter-based API security solutions tracking user requests, not responses, do not provide full-fidelity of the API traffic. The actions of malicious customers or partners will appear legitimate because they come from authenticated users. Securing APIs in a modern threat landscape requires a threat detection and incident response (TDIR) approach that prioritises inside-the-perimeter defences to ensure even if malicious actors gain access, the threat is rapidly identified, and privileges are revoked.
CISOs will need to ensure their API security strategy takes a multi-layered approach that supplements perimeter defences with application-level security. Full fidelity of APIs is necessary to isolate unknown attacks as hackers find innovative ways to remain undetected by traditional solutions.
Executive buy-in
The API security market is in its infancy as the threat of API attacks has become more accentuated over the past year, which means there is a significant education gap when it comes to API security. The truth is that most organisations don’t have full visibility into their API environment or their API risk posture. API inventories are changing at an exceptionally rapid rate which makes tracking changes and risks a challenge.
This makes it hard to communicate to budget holders and other C-suite members why they should invest in an API security solution. Getting company buy-in for API security is just as big a challenge for CISOs as defending APIs from attackers.
CISOs play a crucial role in ensuring comprehensive visibility within their API environment to identify the extent of API exposure in real time promptly. This visibility is pivotal in aligning security objectives with business goals.
By having a clear view of their APIs in real time, CISOs can accurately measure the potential business risks associated with insecure APIs. An API attack can significantly impact a company’s financial health, causing reputational damage, and revenue loss due to disrupted services or the necessity to pay for data access restoration. Having real-time API visibility enables CISOs to quantify risks and strategise security measures effectively, understanding the direct implications on the company’s bottom line.
Finding the right security tool for compliance
General Data Protection Regulation (GDPR), The Payment Card Industry Data Security Standard (PCI-DSS), and Health Insurance Portability and Accountability Act (HIPAA) are just some of the regulations organisations must adhere to, to protect personal data from being exposed through APIs. As organisations conduct international business, they must ensure their API security meets multiple regional regulatory frameworks.
When it comes to APIs, third-party risks are more acute due to the sensitive nature of the information APIs handle. SaaS security solutions require a lengthy and complicated process to be compliant, as data has to be filtered, redacted, and anonymised before it can be uploaded into a cloud environment. Organisations in sectors such as financial services, are particularly wary of sharing data with third parties of the potential for this data to be misused.
However, API endpoints are growing at a scale we have never seen before, and traditional on-prem solutions do not have the capacity to process such a massive amount of data. The challenge for CISOs will be to find security tools that don’t make compliance a hindrance to efficiency and operations. An option is to prioritise on-premise tools that eliminate the need to process data before it can be analysed. These tools can also be up and running within days, as there is no need to ensure data processing meets third-party risk requirements.
Shifting to a proactive approach to securing APIs
With threats of AI-powered attacks and the increasing sophistication of hackers, proactive threat hunting has become central to all TDIR strategies. CISOs will have to rethink their TDIR strategies to incorporate real-time API traffic scanning to ensure early detection of API threats. Relying on guides such as the OWASP Top 10 API Security Risks is no longer enough, as attackers can easily evade known threat detection. CISOs should build their API security strategies on full observability of API traffic. A proactive approach to APIs will ensure that even sophisticated, or insider threats are flagged as malicious traffic before they can disrupt application behaviours.
In the evolving landscape of API security in 2024, CISOs face a myriad of challenges. The exponential growth of APIs brings financial benefits but also heightens security risks, especially concerning insider threats and evolving attack methodologies. Addressing these challenges demands a multi-layered security approach, inside-the-perimeter defences, and proactive strategies to detect and respond swiftly to potential breaches. Securing executive buy-in, meeting compliance standards, and balancing security with operational efficiency are critical hurdles. Prioritising real-time API visibility and adopting proactive measures against evolving threats will be pivotal for CISOs in fortifying API security and safeguarding organisational integrity in the years ahead.
