A growing number of organizations understand the critical role that some form of API security plays in their overall security and compliance posture. But for many, understanding where API security technology investments fit in with their broader security stack can be challenging.
I think that is partly because many security silos have, over time, converged into more unified extended detection and response (XDR) approaches. Neosec is a big believer in XDR. A number of our company leaders and team members pioneered many of the concepts and technologies behind XDR at LightCyber and later in leadership roles on the Palo Alto Networks Cortex XDR team.
Neosec sees an opportunity to bring the power of XDR to API security. But doing this raises a key question that both vendors and security teams must consider.
Can XDR as we know it today be extended to include API security? Or, should API security be addressed by a separate set of security tools and practices that apply the best innovations of XDR to the unique security challenges posed by APIs?
Reviewing detection and response silos
Technologies for detecting and responding to security threats have existed for decades. Most started with narrow goals in mind:
- Endpoint detection and response (EDR) to protect endpoints and in some cases servers
- On-premises network detection and response (NDR) to detect and mitigate threats on enterprise and data center networks
- Cloud NDR to extend similar concepts to cloud or hybrid-cloud infrastructure
- Secure email gateways (SEGs) to detect and mitigate email-based attacks
- External threat intelligence feeds to provide early warning signals about possible threats
Each of these played an important role in reducing risk. But their effectiveness was limited by the fact that they operated in silos. Each lacked information from the others that could have provided a more complete and accurate picture of threats and risks. Instead, they put the burden on security teams to connect the dots.
Collapsing silos to create XDR
XDR innovations advanced security in three important ways:
- It converged detection and response signals across all of the silos noted above into a unified model.
- It harnessed cloud scale and techniques such as machine learning and behavioral analytics to monitor large amounts of data over longer time horizons, delivering more complete and more meaningful security insights and, perhaps more importantly, establishing baselines of normal behavior against which deviations can be identified.
- It presented security teams with human-understandable, timeline-based views of security incidents that avoid alert fatigue and make it faster and easier to respond decisively.
When implemented and adopted correctly, XDR has a transformational effect on security team productivity and effectiveness.
Can the principles of XDR better protect APIs?
Even with XDR providing significant security value, APIs are largely missing from the XDR picture today. As XDR is offered in the market now, most organizations use it to cover enterprise security infrastructure, where the risks center on users connecting to applications and cloud services running on hosts.
Quick clarification: there are APIs that involve users, referred to as business-to-consumer, or B2C, APIs. For the purposes of this discussion, we focus on the rapidly growing space of externally-facing APIs exposed to partner applications, plus the vast space of machine-to-machine (M2M) API-based communication.
In contrast, the traffic of APIs that serve M2M communication looks nothing like user-to-host traffic. Consequently, the characteristics of API security threats can also be quite different from enterprise security threats. For example, subtle attacks like business logic abuse, in which every individual request is well-formed, authenticated and permitted, but the sequence or volume of requests achieves something the API was never meant to allow, have no counterpart in the traditional enterprise security space and require specialized detection and mitigation approaches.
As a result, API security might not gain very much from organizational use of XDR that’s focused on enterprise security activity and threat information.
But that does not disqualify applying XDR principles to API security. In fact, the very nature of B2B or M2M API traffic suggests that XDR principles must be used, because with a vast quantity of traffic, only "extended detection" can find needle-in-a-haystack API abuses.
Can existing XDR be extended to include APIs?
Probably not. Trying to force API security, with its unique attributes such as a DevSecOps focus and machine-to-machine communication, into a standard XDR model may not be possible, let alone valued by the current consumers of existing XDR solutions.
But, in fact, many of the core concepts of XDR are exactly the same concepts that need to be used to protect APIs at scale. They just need to be applied in unique and focused ways.
That is the Neosec innovation: We’re applying many of the same XDR concepts that transformed enterprise security to application security. Much in the same way that enterprise security evolved from attack signatures and point-in-time detection to behavioral analytics, we’re leading the API security industry through the same evolution:
- Extended detection via broad collection of API traffic data into a cloud-based service with long-term retention and enrichment of that data
- True machine learning and behavioral analytics
- Contextual investigations and threat hunting
- Automated, flexible response mechanisms including software development lifecycle and API gateway integrations
Many core innovations of XDR can be applied to APIs
We believe that the benefits of this transformation will be even greater for APIs and application security than they were for enterprise security. Security teams will not be able to keep pace with the vast amounts of machine-to-machine communications without an assist from behavioral analytics.
Applying behavioral analytics to large data sets is also a better way to address the nuances of application security threats. For example, API abuse cannot be detected effectively through inline or point-in-time analysis, because each abusive request on its own is usually indistinguishable from a legitimate one. Creating baselines of normal behavior per entity and detecting deviations from them is the only way to differentiate abuse from nearly identical legitimate activity.
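To make the baseline-and-deviation idea concrete, here is an added example in Python. It is not Neosec's code and does not describe how the Neosec product implements detection; it only illustrates the principle stated above over constructed API access records. Per-client features (request count, number of distinct object IDs touched, client-error ratio) are aggregated into one-hour windows, a per-client baseline of mean and standard deviation is learned from 24 hours of history, and a later window is scored against that baseline. The record layout, client names, the `/accounts/{id}/` path pattern, the feature set, the z-score threshold and the standard-deviation floors are all assumptions made for illustration.

```python
"""Per-entity behavioral baselines over API access records.

Added example (not Neosec's code): it shows why enumeration-style API abuse
is invisible to per-request inspection but stands out against a baseline.
Record layout, client names, object-ID pattern and thresholds are
constructed assumptions for illustration.
"""
import re
import statistics
from collections import defaultdict

WINDOW = 3600                                  # one-hour aggregation windows
OBJECT_ID = re.compile(r"/accounts/(\d+)/")    # assumed path shape
# Floors stop a perfectly regular history (stdev 0) from producing infinite z.
FLOORS = {"requests": 1.0, "distinct_objects": 1.0, "error_ratio": 0.05}


def record(ts, client, account, status=200):
    """One constructed access-log record for GET /v1/accounts/{id}/balance."""
    return {"ts": ts, "client_id": client, "method": "GET",
            "path": f"/v1/accounts/{account}/balance", "status": status}


def window_features(records):
    """Aggregate requests into per-(client, window) feature vectors."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["client_id"], r["ts"] // WINDOW)].append(r)
    feats = {}
    for key, reqs in buckets.items():
        ids = {m.group(1) for r in reqs if (m := OBJECT_ID.search(r["path"]))}
        client_errors = sum(1 for r in reqs if 400 <= r["status"] < 500)
        feats[key] = {"requests": len(reqs),
                      "distinct_objects": len(ids),
                      "error_ratio": client_errors / len(reqs)}
    return feats


def build_baselines(history):
    """Mean and population stdev of every feature, per client, over history."""
    series = defaultdict(lambda: defaultdict(list))
    for (client, _w), f in window_features(history).items():
        for name, value in f.items():
            series[client][name].append(value)
    return {client: {name: (statistics.mean(v), statistics.pstdev(v))
                     for name, v in per_feature.items()}
            for client, per_feature in series.items()}


def score(current, baselines, z_threshold=3.0):
    """Return (client, window, feature, observed, z) for z >= threshold.

    Clients with no history are reported as such rather than being silently
    scored against nothing: a brand-new caller is itself worth a look.
    """
    findings = []
    for (client, w), f in window_features(current).items():
        base = baselines.get(client)
        if base is None:
            findings.append((client, w, "no_baseline", f["requests"], None))
            continue
        for name, observed in f.items():
            mean, sd = base[name]
            z = (observed - mean) / max(sd, FLOORS[name])
            if z >= z_threshold:
                findings.append((client, w, name, observed, round(z, 2)))
    return sorted(findings, key=lambda x: (x[0], x[2]))


def run_example():
    # 24 hours of constructed normal traffic: each partner reads a few of
    # its own accounts, with mild hour-to-hour jitter for partner-a.
    history = []
    for hour in range(24):
        t = hour * WINDOW
        history += [record(t + n, "partner-a", 1000 + n % 3)
                    for n in range(5 + hour % 3)]
        history += [record(t + n, "partner-b", 2000 + n % 4) for n in range(40)]
    baselines = build_baselines(history)

    # Hour 24: partner-b keeps its usual volume and every request returns 200,
    # but each request targets a different account (object-ID enumeration).
    t = 24 * WINDOW
    current = [record(t + n, "partner-a", 1000 + n % 3) for n in range(6)]
    current += [record(t + n, "partner-b", 2000 + n) for n in range(40)]
    current += [record(t + n, "unknown-client", 3000 + n) for n in range(12)]
    return score(current, baselines)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

In the constructed hour 24, partner-b's request count and status codes are exactly what its history predicts, so an inline rule keyed on rate limits or error codes sees nothing; only the distinct-object feature, compared with that client's own baseline, exposes the enumeration. The unknown client is surfaced separately because there is no baseline to score it against. In real deployments the window size, feature set, history length and floors need tuning per API, and a plain z-score is a crude stand-in for the models a production system would use; the point is the structure of the check, not the statistic.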
What about threat hunting?
Several XDR solutions on the market today enable threat hunting in their user interfaces, and a subset of those offer managed threat hunting. Neosec's use of XDR principles extends this far as well. The Neosec user interface includes a powerful API threat hunting tool set. Starting from any alert, teams can search for malicious behavior using entity timelines, logical expressions that narrow down traffic, and more. Recognizing that API security is still a new discipline, and that API threat hunting skills in your organization may still be developing, Neosec offers ShadowHunt, the industry's only expert-staffed managed API threat hunting service.
Apply the principles of XDR to your APIs today
Are you ready to apply XDR concepts to your growing set of API security challenges? Register for a free trial of Neosec to bring greater clarity to your API security and see the results fast!