API Security with AI – Interview with Elastic Beam

Elastic Beam - Axway

I’m delighted to welcome this week Bernard Harguindeguy, CEO at Elastic Beam.

Stephane Castellani: Hi Bernard, can you please present Elastic Beam in a few words?

Bernard Harguindeguy: Elastic Beam is focused on protecting API infrastructures, and the digital assets they connect, from hackers and botnets. We deliver automated blocking of cyberattacks in hybrid and multi-cloud environments, as well as deep visibility into all API traffic for forensic and compliance reporting.
Our HQ is located in Redwood City (heart of Silicon Valley) with sales offices in Denver and Australia.
A friend, Uday Subbarayan, and I founded the company in December of 2014 to address a need that we knew would become very painful quickly for DevOps and security teams.
Including consultants, the company has over 30 employees. Elastic Beam surfaced from stealth mode in July of 2017 and has quickly built a business in several market segments including Banking (Open Banking/PSD2), Insurance, Healthcare, Telco, IoT and government. Elastic Beam is working with a number of three-letter agencies and an array of household names.

SC: What is your flagship product?

BH: Elastic Beam’s API Behavioral Security (ABS) software protects the digital assets behind APIs. Hackers use APIs to steal data, take over customers’ or patients’ accounts, or remotely control applications. Our solution brings automated cyberattack blocking and deep API-traffic visibility using real-time and AI-powered API security software engines–on-premises, in hybrid clouds or in public clouds.

Key value:

  1. Detects and automatically blocks cyberattacks on REST and WebSocket APIs in multi-vendor and multi-cloud environments.
  2. Auto-discovers all APIs and all connected IPs to make sure that no API is left unprotected.
  3. Provides, via dashboards and reports, complete visibility into all API traffic–down to every method used at any time by anyone or “thing.”

Understanding what’s going on with APIs and delivering strong protection is a big data problem. So our solution uses advanced Artificial Intelligence algorithms to sort out all API sessions and traffic at very large scale, identifies those that are abnormal or suspicious for automated blocking, and delivers compliance and forensics reporting with rich details on all transactions.
We can even give you every URL name that hackers are trying on the API infrastructure as they probe the environment looking for ways to access and use the APIs.
Our API Deception (patent pending) is a further technology that we combine with AI to deliver a honeypot environment with “fake APIs” to instantly recognize hackers–and block them from using the real APIs.
But the best is that the use of AI enables us to deliver solutions that require absolutely no signatures and no rules to program in order to detect new and changing attacks. Security is self-learned and most of the deployment is automated.

SC: Why is API security so important today?

BH: API deployments are accelerating as businesses are embracing digital transformation initiatives and using APIs to provide connectivity to data and line-of-business apps. As such, they represent a new attack surface that is increasingly targeted by hackers to take over accounts, steal data, steal photos, delete data, commit fraud, shut down services, disable mobile apps, take control of industrial systems, etc.
We are all witnessing an influx of attacks on APIs these days, but most go undetected as organizations are still wrestling with this new set of threats. Yet Instagram, the IRS, Snapchat, Jeep, Apple and others had to apologize for well-publicized attacks that used their APIs to steal consumers’ private information or remotely control a car.
The deployment of an API cybersecurity solution must go hand-in-hand with the roll-out of any digital transformation project. Gartner, 451 Research, The API Evangelist, David Berlind of ProgrammableWeb and many others are calling the industry’s attention to this issue.

SC: How do you complement existing API Gateways and their embedded threat protection mechanisms?

BH: API Gateways offer solid foundational security including encryption, rate limiting and access control.
Elastic Beam integrates with existing API Gateway security to bring:

  1. Incremental security layers that protect against a broad range of API cyberattacks
    • Attacks that attempt to bypass or defeat login systems.
    • Attacks that use stolen cookies or tokens to access data and apps behind the APIs.
    • Hackers probing for API vulnerabilities.
    • DoS and DDoS attacks on APIs to disrupt or cripple services–many can only be detected with AI as they target specific APIs and are not about flooding with volumes of requests. Also, many attack the API memory or the session management service.
    • Post-login attacks on data, apps and systems from hackers that defeated the access control with brute force or are using compromised credentials. These lead to data theft, account takeover, remote control of systems and applications, etc.
  2. Rich API traffic visibility, as well as forensics and compliance reporting
    • Gain unique insight into all API activity with dashboards and in-depth reporting.
    • Accelerate gathering of evidence after an attack to expose all activity.
    • Track compliance with optimized reports.
  3. API deception for instant attack detection and blocking
    • Inserts decoy APIs within the real ones.
    • Instantly traps hackers–attack source identified and pattern analyzed.
  4. Hybrid/multi-cloud security that automates attack blocking across clouds and prevents terminated hackers from reconnecting through another connected cloud.

Elastic Beam uses Gateway policies to implement this incremental security with a sideband deployment within existing or new implementations.

SC: You are leveraging Artificial Intelligence in your algorithm. How is it useful compared to standard pattern detection?

BH: The key advantage is that with AI you no longer need to know about the specific attack pattern used by a hacker in order to recognize malicious activities. It even recognizes constantly changing attacks and is immune to the various updates and changes that hackers may implement.
This is really important as older generation tools need to be programmed with attack details via rules or code that must be constantly updated by the Ops team as hackers keep changing their methods.
Our AI algorithms (patent-pending) detect API sessions that deviate from normal. The secret sauce is not only in the algorithms but also in the implementation to do this at massive scale. This is the needle in the haystack problem. You have 120,000 transactions per second … and one of them is a hacker stealing credit card and private information or taking your customer data out!
David Berlind, editor in chief of ProgrammableWeb and one of the most notable voices in the API space, articulates our unique approach eloquently in this write-up:

“…unlike other security solutions in the way they are based on patterns. If you think of traditional security solutions like antivirus that look for patterns of intrusion, what Harguindeguy says is true. Elastic Beam’s solutions are not quietly running in the background waiting to pounce on some recognized pattern of intrusion. Rather, the artificial intelligence inside is actually doing the opposite. It is constantly watching for a non-pattern, only pouncing when the unexpected happens.”

SC: Which level of granularity do you offer in terms of API security?

BH: Our software is capable of tracking detailed information about every access. We deliver reports that identify every method used on any API at any time. We associate the IP address, the API key or token or cookie used with every session.

SC: Which dashboard do you provide and how do you alert IT security teams?

BH: When procuring our solution you receive a dashboard, with Elasticsearch Kibana as the underlying platform, that graphically displays a vast array of API cybersecurity-related information including time-series reports on attack activities.
All of the information made available by our solution can be accessed via one of our APIs. This is the API that we use ourselves to drive our dashboard and reports. That same API can be used by any enterprise dashboard to ingest valuable information on the security posture of the API infrastructure. Any JSON-based reporting engine can also be used to deliver custom reports that match the DevOps or security team’s needs.

SC: What about false positives?

BH: Our AI algorithms classify sessions into three buckets: normal sessions, anomalies and attacks. When we classify a session as an attack it is because the probability of a false positive at that time is extremely low. Our AI engine keeps learning changes in the environment and adapts automatically to those changing conditions. Consequently, as new updates and new APIs are deployed, our AI engine tunes itself automatically. This adaptive, API behavior-based approach ensures that friendly traffic is rarely flagged as malicious. For those environments that are extremely risk averse, such as those of government organizations, we offer the ability to additionally tune the environment manually.

SC: Can you give an example of a recent malicious attack your solution could detect that any other solution would have missed?

BH: Although Instagram has not provided details of its API breach (announced in August 2017) which exposed customer account information, information published about the attack gives us a strong indication that the nefarious behavior deviated significantly from normal behavior or from the way developers intended their APIs to be used. Our AI-powered behavioral security engine would likely have detected the attack.
We also believe that we would have detected the T-Mobile “attacks” (announced in October 2017) that exploited an API vulnerability to gather user account information.
We have been involved recently with API DoS/DDoS attacks that destroyed a mobile app user experience or disconnected consumers from a service. No solution on the market could stop those attacks as they were targeted and not about volumes of requests.

SC: Who are your competitors and how do you position against them?

BH: A few companies are focused on detecting botnet attacks on the login services of web applications. However, APIs used by mobile and enterprise applications require a very different set of countermeasures to automatically block targeted attacks and provide rich details on every session.
To date we are first to market and have no direct competition–as was concluded by ProgrammableWeb, 451 Research, and Gartner.

SC: Which channels do you sell your product through? Online, via sales teams, via partners?

BH: A core part of our GTM strategy is to work with industry partners, system integrators and resellers. We are quite selective and are keen to cultivate relationships with partners that are hyper-focused on digital transformation projects. Currently we have about a dozen partners spanning the globe from North America and Europe to India and Australia.

SC: Thank you Bernard, this was a great interview. I wish you a lot of success for 2018.

BH: Thank you Stephane. This has been a pleasure.