My co-founder Ziv Sivan and I are delighted to bring Neosec out of stealth today! It is amazing to see how much progress our team has made in the past year revolutionizing application security by inventing API Detection & Response (ADR), bringing the product to market and even receiving Gartner recognition (not to mention raising money, hiring and other fun things).
Why API Protection?
Before Neosec, I built LightCyber in 2011, which invented Extended Detection and Response (XDR), performing behavioral analytics on network and endpoint data to eliminate attacks. LightCyber was acquired by Palo Alto Networks in 2017.
The need for EDR and XDR was a result of the changing threat landscape, from generic malware to targeted attacks aimed at the data center and corporate network. The traditional antivirus and network firewall solutions that relied on signatures could not capture the behavior of attackers and became ineffective.
In the past few years, customer environments have shifted significantly. Today, instead of datacenters and isolated business systems, organizations build cloud-based application environments that are exposed, by design, to the outside via APIs. The threat landscape changed accordingly because attackers have the same aim: money or data. When PII and money are transferred via APIs, and these APIs are exposed externally, attackers naturally target the API surface directly, skipping the corporate network altogether.
‘Traditional application security’, like a Web Application Firewall, was not built to protect APIs and doesn’t see these new environments, so they typically remain unprotected. The reality is that security organizations don’t even have an inventory of exposed APIs, let alone a plan to protect them.
The existing application security solutions had the same weaknesses I saw in the antivirus space at the time: a reliance on writing signatures, which is both time-consuming and misses real attacker behavior, combined with a focus on exploits instead of the complete attack lifecycle.
Most APIs are only accessible to authenticated users and enable them to create transactions, move money and access PII. That authenticated traffic is therefore the riskiest, but it typically goes through without any inspection. The reality is that ignoring what is happening once a client authenticates (which can also be an attacker or other form of misuse) is a major security gap and the root cause of many cyberattacks in recent years. Attackers enter through the front door with valid credentials and nobody inspects their behavior.
What is API Detection and Response (ADR)?
This is where behavior analytics comes in and why ADR is the obvious next evolution in application security. Can you trust what your partners and suppliers are doing inside your APIs? What if they are compromised through account takeover? You can no longer assume that behavior in your authenticated APIs is safe. Today, they are unprotected and attackers are increasingly attacking these APIs because they contain both data and money. The harsh reality is that every API is different and is a window into an organization's business systems. Ignoring them is not an option.
Which brings me to Neosec. We help an organization see and understand the normal and abnormal behavior in its APIs. Neosec is a new intelligent application security platform based on data and behavioral analytics. Neosec is the EDR/XDR equivalent for application security. Neosec is the first API Detection and Response (ADR) platform.
We have examined the API security market and noticed a vendor landscape built on legacy thinking that relies on cumbersome deployment of per-app sensors and thin examination of data. In addition to covering one application at a time, most approaches look at one request, or at most a short sequence of requests, missing the behavior over time and its business meaning. When you don’t look at the entire set of microservices over time, you miss the forest for the trees.
True behavioral analytics is not implemented in-line or on-prem; in fact, it can only be done with an out-of-band SaaS platform, and it must have all the data. You need to profile what is normal to detect abnormal behavior (and that profiling needs to be performed on every entity and business process and on every API). Once detected, the data is needed to investigate and respond. The data is also crucial when extending the platform for a specific business process beyond what we at Neosec had in mind.
One simple question to ask any API security vendor to see if they actually perform true behavioral analytics is “Do you store the API data, and how long for?” If they don’t store it in the cloud for 30 days, they probably just provide some basic black-box detection capabilities, without the ability to profile behavior, investigate, and extend the detection to business-specific use cases. Don’t be fooled. They can’t possibly be a behavioral analytics platform.
The majority of the breaches today involve the API attack surface while security teams lack the most basic visibility. After spending a decade in the XDR space combating targeted attackers with behavioral analytics, it is now time to apply the same methodology to the current threat landscape. Just as XDR eradicated the endpoint antivirus industry, ADR reinvents application security.
Personally, I’d like to close by thanking our investors including True Ventures, New Era Capital Partners, TLV and SixThirty in addition to security visionaries Mark Anderson, Gary Fish, Mickey Boodaei, Rakesh Loonkar and Shailesh Rao. They see our vision and are helping us every day.
I’m excited. The journey has only just begun!