IT Security Guru recently sat down with Michelle McLean, VP of product marketing at Salt Security, to learn more about API security as its own discipline and how it supports cyber resiliency in large enterprises on their digital transformation journeys.
Michelle started her career working as a technology journalist for almost a decade and has since held marketing leadership roles in a variety of enterprise security and software companies, as well as an advisory role at META Group. She has observed that the majority of businesses today, even more so since the pandemic, are fuelled by applications, and that those applications are built on Application Programming Interfaces (APIs) to transmit and retrieve data. This, she says, has led attackers to bypass the traditional defences that protect applications, such as web application firewalls, and to attack the APIs themselves.
“Those kinds of security devices see a single snapshot at a time and they look for known patterns of bad, so they can stop that known pattern of bad. But with APIs, bad actors attack differently,” she said. “They’re trying to figure out your API and they’re trying to look for a business logic gap. Maybe you ask for authentication at the beginning, but then in a later request you don’t ask for authentication, or you don’t ask for authorisation, and so the threat actor manipulates what they’re doing in the API call and they get data they shouldn’t have access to. Many well-known API attacks in the US, such as those on Experian and Peloton, were done via the API.”
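The business-logic gap Michelle describes, as an added illustration that is not code from Salt Security or from this article: the API authenticates the caller at login, but a later request that takes an object ID never checks that the caller is allowed to see that object. The endpoints (`login`, `get_order_*`), the users and the order records are constructed for the demonstration; a real handler would sit behind a web framework, but the authorisation logic is the same.

```python
"""Vulnerable and hardened versions of a 'fetch my order' endpoint.

Added example, not Salt Security's or IT Security Guru's code. Users,
orders and endpoint names are constructed for the demonstration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: two users, each owning one order.
USERS = {"alice": "alice-pw", "bob": "bob-pw"}
ORDERS = {
    1001: {"owner": "alice", "item": "laptop", "card_last4": "4242"},
    1002: {"owner": "bob", "item": "phone", "card_last4": "9876"},
}
SESSIONS: Dict[str, str] = {}  # bearer token -> username


@dataclass
class Response:
    status: int
    body: dict


def login(username: str, password: str) -> Response:
    """Step 1: the API does ask for authentication here."""
    if USERS.get(username) != password:
        return Response(401, {"error": "bad credentials"})
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return Response(200, {"token": token})


def _caller(token: Optional[str]) -> Optional[str]:
    """Resolve a bearer token to the authenticated username, if any."""
    return SESSIONS.get(token) if token else None


def get_order_vulnerable(token: Optional[str], order_id: int) -> Response:
    """Step 2 as attacked: the handler checks that *some* valid session
    exists, then trusts the client-supplied order_id without asking whether
    this caller owns it. Any logged-in user can read any order."""
    if _caller(token) is None:
        return Response(401, {"error": "login required"})
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def get_order_fixed(token: Optional[str], order_id: int) -> Response:
    """Hardened handler: authorisation is decided on every request by
    comparing the authenticated identity with the record's owner. A foreign
    ID gets the same 404 as a non-existent one, so the endpoint cannot be
    used to enumerate which order IDs exist."""
    user = _caller(token)
    if user is None:
        return Response(401, {"error": "login required"})
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def demo() -> tuple:
    """Bob logs in legitimately, then changes the ID in his order request
    to Alice's. Returns the status each handler gives that request."""
    bob_token = login("bob", "bob-pw").body["token"]
    return (
        get_order_vulnerable(bob_token, 1001).status,
        get_order_fixed(bob_token, 1001).status,
    )


if __name__ == "__main__":
    print(demo())  # (200, 404)
```

Note that a signature-matching WAF sees nothing wrong with Bob's request: it is a well-formed, authenticated call to a legitimate endpoint. Only the relationship between the caller and the object ID reveals the abuse.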
Detecting attacks on APIs is therefore far more nuanced: it requires deep context and richer information both to spot the attack and to remediate it. This is an area where Salt Security stands out, because its architecture collects and correlates API traffic at cloud scale, giving the whole picture needed to link an attacker’s reconnaissance efforts together and say, “we have a problem”.
“Salt is focused on applying really rich information and context across the API life cycle to protect APIs. We do full discovery: what are the APIs that are running? What sensitive data do they expose? We baseline what constitutes ‘normal’ and so bad traffic always stands out even if it’s a tiny, tiny percentage. But you need to find the manipulations, as well as the reconnaissance activity of the bad actors, to be able to find it. That’s where Salt really shines: at finding those run-time attacks,” Michelle explained.
“We store data over days and weeks. API attacks unfold over a really long period of time, so if you only see a finite amount of data, you’re going to miss 95% of the attacks that happen in a given time period,” she continued. “You need to see way more data and have a very rich understanding of the whole picture. By knowing what a bad actor did an hour ago, a day ago, a week ago, along with being able to correlate it in real time is how you find these kinds of attacks.”
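The point about window length, as an added example rather than Salt Security’s own detection logic: profile each client’s API use per time window, baseline what is normal across clients, and flag a client that walks far more object IDs (or collects far more ‘not found’ answers) than that baseline. Over one-hour windows the low-and-slow enumeration below stays under every threshold; over a one-week window it stands out. The log format, the sample traffic, the client addresses and the thresholds are all constructed for the demonstration.

```python
"""Per-client API profiling over short versus long windows.

Added example, not Salt Security's code. Log format, traffic and
thresholds are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample log, one request per line:
#   "<ISO time> <client> <method> <path> <status>"
LOG = []
for day in range(1, 6):
    d = f"2024-03-0{day}"
    # Three legitimate clients, each reading only their own order.
    LOG += [
        f"{d}T09:10:00Z 203.0.113.7 GET /api/orders/1001 200",
        f"{d}T17:40:00Z 203.0.113.7 GET /api/orders/1001 200",
        f"{d}T12:05:00Z 203.0.113.8 GET /api/orders/1002 200",
        f"{d}T12:06:00Z 203.0.113.8 GET /api/orders/1002 200",
        f"{d}T20:30:00Z 203.0.113.9 GET /api/orders/1003 200",
    ]
    # One client walks three new order IDs each night; most do not exist.
    base = 1000 + 3 * (day - 1)
    for i, oid in enumerate(range(base, base + 3)):
        status = 200 if oid in (1001, 1002, 1003) else 404
        LOG.append(f"{d}T03:0{i}:00Z 198.51.100.9 GET /api/orders/{oid} {status}")

LINE = re.compile(r"^(\S+) (\S+) (\S+) (/api/orders/(\d+)) (\d{3})$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the constructed format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "client": m.group(2),
        "object_id": int(m.group(5)),
        "status": int(m.group(6)),
    }


def profile(lines, window_hours):
    """Per (client, window) stats: distinct object IDs touched, 404 count,
    and total requests. Windows are fixed buckets of window_hours since
    the Unix epoch."""
    stats = defaultdict(lambda: {"ids": set(), "not_found": 0, "total": 0})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        bucket = int(ev["ts"].timestamp()) // (window_hours * 3600)
        s = stats[(ev["client"], bucket)]
        s["ids"].add(ev["object_id"])
        s["total"] += 1
        if ev["status"] == 404:
            s["not_found"] += 1
    return stats


def flag_enumerators(lines, window_hours, min_not_found=5):
    """Baseline 'normal' as the median number of distinct IDs a client
    touches per window, then flag clients that exceed four times that (and
    at least four IDs) or that collect min_not_found 'not found' answers
    in one window. Returns the sorted list of flagged client addresses."""
    stats = profile(lines, window_hours)
    baseline = median(len(s["ids"]) for s in stats.values())
    threshold = max(4, 4 * baseline)
    return sorted({
        client
        for (client, _), s in stats.items()
        if len(s["ids"]) > threshold or s["not_found"] >= min_not_found
    })


if __name__ == "__main__":
    print("1h windows:", flag_enumerators(LOG, 1))        # []
    print("7d windows:", flag_enumerators(LOG, 24 * 7))   # ['198.51.100.9']
```

The same traffic produces three IDs and at most three 404s per hourly bucket for the enumerating client, indistinguishable from noise, but fifteen IDs and twelve 404s when the week is viewed as a whole. The thresholds here are illustrative; the structural point is that the window must be at least as long as the attacker’s patience.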
Another focus area in security is “shift-left”, which describes building security in from the start of development so that flaws are found and fixed before an attacker can use them. For Salt, this means helping customers write better APIs and make them more secure over time, something which is vital to large organisations in the financial, retail, pharmaceutical and medical industries that process huge amounts of valuable data through APIs.
As organisations continue to digitise at scale, Michelle encourages young people to join the cybersecurity industry, noting the well-documented shortage of trained people.
“I think it’s one of the most exciting and honestly one of the most inclusive and diverse communities in tech, which I find very promising. However, let’s have reasonable expectations around how we bring more people into the industry; rather than having a very high bar of university degree, and X number of experiences, bring people in and train them. We can absolutely do that.
“There’s constant innovation. If you think about how bad actors keep evolving with their own creativity and how the industry in turn keeps evolving to keep up and stay ahead – I think the cycle of innovation is very exciting,” Michelle concluded.