In just a few years, APIs have claimed a top spot in the digital transformation of enterprises, turning the wheels of innovation and customer satisfaction. But while APIs get their reputation for ease of use, in reality, they are very complex to build, maintain – and secure.

As an experienced security professional, you already have in place many layers of protection around your data, network, cloud, and applications. And while it’s tempting to think these are enough to cover your APIs as well, it probably doesn’t.

Why? Because every API has a unique functionality, making it vulnerable to attacks on the business logic. There’s no signature to such attacks that exploit unique design and implementation flaws.

Here’s a short overview of the main gaps from existing general-purpose security solutions:

 

Gartner quote 2021

Access Control

Yes, your API Gateway protects you
from access violations.

However, it can’t effectively detect anomalous usage by authenticated users, or alert on usage of irregular fields.

Runtime Protection

Yes, your WAF protects you against known vulnerabilities.

However, it can’t protect you from unique vulnerabilities since it can’t learn the application context to detect anomalies. 

Security Testing

Yes, your xAST enables you to find
known vulnerabilities.

However, it can’t learn the API business logic in order to generate attacks that attempt to manipulate the functionality.

probably not protected image

Existing security solutions provide you with some level of API security. Together, they can detect and block known vulnerabilities such as injections and bots, they can alert on anomalous user behavior, and make sure only authenticated users are granted access. It’s a lot, but still far from enough.

Detecting API abuses first requires understanding of the API business logic. This is why analyzing the metadata isn’t enough. But by learning the application behavior patterns through full API data analysis, it becomes possible to detect and block breaches through anomaly detection.

For more on this topic, read our white paper: Why Your WAF is Not Enough

Achieving context-aware API protection

Statistical Modeling

Statistical modeling is the most common approach for detecting deviations from a baseline of activity. It works best when the number of features is relatively small, as in the case of analyzing traffic metadata (e.g., network-based analytics).

However, given the complexity and variability of API data and the need to contextualize relationships and sequences, using statistical modeling that isn’t adequate for API data results in low detection accuracy.

False positives and misdetection

Deep Learning

The deep learning approach is a proven way to analyze complex data, such as images. It works best when provided with massive amounts of data, used to train the model to identify anomalies in complex data sets.

However, deep learning models come short in providing deterministic explainability into the reasoning of why something is an anomaly, which is necessary for security analysts to understand the implication of the anomaly.

No explainability

Achieving context-aware API protection

computers

NLP allows us to achieve high detection accuracy at scale while providing detailed explainability. 

Consider this: NLP models relationships between data objects. In text analysis, this includes, for example, the modeling of relationships between words in the context of other words in a sentence. When applied to API data, using NLP can uncover the structures, hierarchies, sequences, and relationships between data objects. This uncovers the API’s functionality at different levels of granularity, generating deep context into the business logic.

Building on the normal functional behavior of the API as context, it becomes possible to detect breaks in one or more of these relationships as a ‘Meaningful Anomaly’, i.e., an anomaly that manipulates the business logic of the API. Focusing on anomalies that demonstrate intent to break the logic, allows us to achieve a very high level of accuracy – a 0.0001% ratio of false positives, according to various field deployments conducted by Imvision.

Furthermore, it allows us to explain to the security analyst the implication of a specific anomaly, given the objects on which it occurred, their type, the relationship being manipulated, user characteristics, and more.

See Imvision's full lifecycle API security platform in action