APIs enable digitalization and make communication easier, but opening APIs requires security. What does API security mean? Security is everywhere and applies to almost every topic: availability, audit, identity management. In this article, we will focus on one aspect: threat protection.
Protecting against threats requires identifying them. Let's rely on the well-known Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks.
Some risks are of the "attack" kind, others of the "good practice" kind. The common point is that each risk can be prevented by applying the right rule. And that is what traditional API security is: applying rules.
Let's take OWASP's number one risk as an example: injection. Injections have typical "patterns" that can be detected in the request. Detecting the attack means "search for the following patterns and notify if found." Other examples of rules are checking virus signatures, limiting rate and validating schemas. These rules are processed by dedicated software, typically a Web Application Firewall (WAF) or an API Gateway.
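To make the rule approach concrete, here is an added example (not code from the original article) of three such rules applied to constructed requests: an injection-pattern rule, a per-consumer rate limit and a schema check. The pattern list, the limit values and the `USER_SCHEMA` dictionary are assumptions chosen for the illustration, not a real WAF's rule set.

```python
import re
from collections import defaultdict, deque

# Rule 1: injection patterns. Constructed, deliberately small list of classic
# fragments a WAF signature set would contain; real rule sets are much larger.
INJECTION_PATTERNS = [
    re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+"),          # ' OR 1=1 style tautology
    re.compile(r"(?i)\bunion\s+select\b"),               # UNION SELECT probe
    re.compile(r"(?i);\s*(drop|delete|insert|update)\b"),  # stacked statement
    re.compile(r"(?i)<script\b"),                        # script tag in a parameter
]

def injection_hits(value):
    """Return the patterns that match a single parameter value."""
    return [p.pattern for p in INJECTION_PATTERNS if p.search(value)]

class RateLimiter:
    """Rule 2: sliding window, at most `limit` calls per `window` seconds per consumer."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)   # consumer -> timestamps of recent calls

    def allow(self, consumer, now):
        q = self.calls[consumer]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Rule 3: schema validation, hand-rolled so the example has no dependency.
# Constructed schema for a user-update payload (assumption).
USER_SCHEMA = {"id": int, "email": str}

def schema_errors(payload, schema=USER_SCHEMA):
    """List every way the payload departs from the schema; empty list means valid."""
    errors = []
    for field, ftype in schema.items():
        if field not in payload:
            errors.append(f"missing {field}")
        elif isinstance(payload[field], bool) or not isinstance(payload[field], ftype):
            # bool is an int subclass in Python, so reject it explicitly
            errors.append(f"{field} must be {ftype.__name__}")
    for field in payload:
        if field not in schema:
            errors.append(f"unexpected field {field}")
    return errors

def evaluate(request, limiter, now):
    """Apply all rules to one request; an empty list means the request passes."""
    violations = []
    for name, value in request.get("params", {}).items():
        if injection_hits(value):
            violations.append(f"injection:{name}")
    if not limiter.allow(request["consumer"], now):
        violations.append("rate_limit")
    if "body" in request:
        violations += [f"schema:{e}" for e in schema_errors(request["body"])]
    return violations

if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window=60)
    requests = [  # constructed sample traffic from one consumer within one window
        {"consumer": "app1", "params": {"q": "alice"}, "body": {"id": 7, "email": "a@example.com"}},
        {"consumer": "app1", "params": {"q": "' OR 1=1 --"}},
        {"consumer": "app1", "body": {"id": "7", "email": "a@example.com", "role": "admin"}},
        {"consumer": "app1", "params": {"q": "bob"}},  # fourth call within the window
    ]
    for i, r in enumerate(requests):
        print(i, evaluate(r, limiter, now=float(i)))
```

Each rule answers one precise question and nothing else: the injection rule only sees the parameter values, the limiter only counts calls per consumer, and the schema check only looks at field names and types. Anything that satisfies all three passes, which is exactly the space the rest of the article is about.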
Rules are great because they work as expected. Correctly configured, they give high security that is not easy to breach.
And that's the trick. What the rules allow through is normal traffic, and that's where the attacker will hide.
Let’s take some examples of how to work around the rules.
Rate limiting is enforced. But the limit was set to allow a few consumers with exceptional traffic, not many attackers each staying below the limit.
API access can be granted using a JSON Web Token (JWT). A JWT requires a signature, so it's hard to counterfeit. But if an attacker gets hold of a JWT one way or another, all user data can be accessed. This is a way to exfiltrate a lot of personal data, although it takes time.
A human can detect such issues and refine the rule. But then the attacker can evaluate the new rule and refine the attack. The defender is in a hard position: how to find a few abnormal API calls among billions of normal API calls? You have probably guessed it from the title of this article. That's where AI takes a role.
AI-based security is the detection of what is not anticipated by the rules.
So how does it work?
Each time an API request or its response is sent, the call context is forwarded to the AI engine. At the same time, the engine is evaluating and learning. Potential attacks are reported and made visible in a dashboard, while detected attacks are blocked.
To work well, the AI engine needs to learn what is "normal." This is done by processing API traffic, without further configuration. It also provides a nice trick to detect attackers: a "honeypot." Fake, attractive APIs are added, like "/login." Blind attackers, trying to automatically discover these APIs, will find and call them, proving they are not regular consumers.
The primary value of AI-based security can be seen as blocking attacks, but this is not the only one. The hardest attacks to detect are the slow ones, taking place over months. A great value is to drastically shorten the detection time.
If you want a concrete implementation, you can take a look at what PingIntelligence provides.
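The three points made above (a rate limit that only sees one consumer at a time, a stolen JWT used under the radar, and honeypot endpoints) can be shown together with a small behaviour-based detector. This is an added example, not code from the article or from PingIntelligence: it learns the mean and standard deviation of a few traffic features from constructed "normal" windows, then scores new windows with a z-score. The feature set, the decoy paths, the threshold and the `PER_CONSUMER_LIMIT` value are all assumptions made for the illustration.

```python
import math
from collections import defaultdict

# Decoy endpoints added to the API surface; legitimate clients are never given these paths.
HONEYPOT_PATHS = {"/login", "/admin"}
# The per-consumer rule the gateway already enforces (constructed value).
PER_CONSUMER_LIMIT = 100

def window_features(events):
    """events: list of (token, path, user_id) observed in one time window.
    Returns per-token features and window-wide aggregate features."""
    calls = defaultdict(int)
    users = defaultdict(set)
    for token, _path, user in events:
        calls[token] += 1
        users[token].add(user)
    per_token = {t: {"calls": calls[t], "distinct_users": len(users[t])} for t in calls}
    aggregate = {"total_calls": len(events), "active_tokens": len(calls)}
    return per_token, aggregate

def rate_limit_violations(events, limit=PER_CONSUMER_LIMIT):
    """What the rule sees: only tokens that individually exceed the limit."""
    per_token, _ = window_features(events)
    return {t for t, f in per_token.items() if f["calls"] > limit}

class Baseline:
    """Mean and standard deviation of every feature, learned from normal traffic only."""
    def __init__(self):
        self.stats = {}

    def learn(self, normal_windows):
        samples = defaultdict(list)
        for events in normal_windows:
            per_token, aggregate = window_features(events)
            for feats in per_token.values():
                for k, v in feats.items():
                    samples[k].append(v)
            for k, v in aggregate.items():
                samples[k].append(v)
        for k, xs in samples.items():
            mean = sum(xs) / len(xs)
            sd = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
            self.stats[k] = (mean, max(sd, 1.0))   # floor sd so constant features still score

    def zscore(self, k, x):
        mean, sd = self.stats[k]
        return (x - mean) / sd

def detect(events, baseline, threshold=3.0):
    """Return {token: set(reasons)}; the key '*' holds window-wide anomalies
    that no single token triggers on its own."""
    findings = defaultdict(set)
    per_token, aggregate = window_features(events)
    for token, path, _ in events:
        if path in HONEYPOT_PATHS:
            findings[token].add("honeypot")
    for token, feats in per_token.items():
        for k, v in feats.items():
            if baseline.zscore(k, v) > threshold:
                findings[token].add(f"{k}_anomaly")
    for k, v in aggregate.items():
        if baseline.zscore(k, v) > threshold:
            findings["*"].add(f"{k}_anomaly")
    return dict(findings)

# Constructed traffic: five consumers, each reading its own record 3 to 5 times per window.
def normal_window(seed):
    events = []
    for i in range(5):
        events += [(f"tok{i}", "/users/me", f"u{i}")] * (3 + (seed + i) % 3)
    return events

def build_baseline(windows=20):
    baseline = Baseline()
    baseline.learn([normal_window(s) for s in range(windows)])
    return baseline

# Scenario 1: a stolen JWT reads 40 different users' records, well under the rate limit.
def stolen_token_window():
    return normal_window(0) + [("tok9", f"/users/u{n}", f"u{n}") for n in range(40)]

# Scenario 2: 60 tokens each make 4 calls, individually indistinguishable from normal use.
def distributed_window():
    events = normal_window(1)
    for n in range(60):
        events += [(f"bot{n}", "/users/me", f"b{n}")] * 4
    return events

# Scenario 3: a scanner probing for endpoints hits the decoys.
def scanner_window():
    return normal_window(2) + [("scan1", "/login", "-"), ("scan1", "/admin", "-")]

if __name__ == "__main__":
    baseline = build_baseline()
    for name, window in [("stolen token", stolen_token_window()),
                         ("distributed", distributed_window()),
                         ("scanner", scanner_window())]:
        print(name, "rule:", rate_limit_violations(window), "ai:", detect(window, baseline))
```

Run stand-alone, it prints for each scenario what the per-consumer rule sees (nothing) next to what the baseline flags: the stolen token by its distinct_users count, the distributed scenario only at the window-wide level, and the scanner by the decoy paths alone. The floor of 1.0 on the standard deviation keeps constant features scoreable but also makes this toy sensitive to small shifts; an engine of the kind described above models far more features per endpoint and per consumer, which is what lets it stay quiet on normal variation while still catching slow attacks.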
A better protection
As threat protection improves, so do attackers. The world is more and more connected, giving them the opportunity for more complex attack schemes.
Traditional API security, like API Gateways or WAFs, applies protection rules and does its protection job well. Rules protect from many attacks, and they are simply mandatory. But they have their limits. It takes time to design them. Once a rule is defined, there can be a workaround. Managing rules takes time. And it is very hard to design a very strict rule that does not impact the consumer experience.
AI-based security, on the contrary, learns directly from the traffic. It detects abnormal behavior, the "unexpected" traffic that a human cannot find in such a big amount of data. It could even detect an on-going attack in a newly protected system.
AI-based security is there to complement traditional security by detecting the abnormal traffic that rule-based protection cannot.