A few years ago, Gartner predicted that by 2022, API attacks would become the most frequent attack vector, causing data breaches for enterprise business applications. As we approach that timeframe, it turns out that this is one prediction that ended up being true. Enterprises are more dependent on APIs than ever before, and even though many enterprises are now focusing on API security, there are still significant API security gaps. The Log4j vulnerability is the most recent incident to spotlight these gaps — API endpoints that contain the vulnerability offer an attractive attack vector because many organizations have limited visibility over their API inventory and their APIs' behavior.
As we bring in 2022 and finish grappling with Log4j, we must also look ahead to what fortunes 2022 may bring us. We know that APIs will continue to see massive proliferation. What will it mean for 2022? We don’t know for certain — who saw Log4j coming? While we must absolutely expect the unexpected, here are three predictions for 2022. One good, one bad, and one downright scary.
The Good: Dedicated API Security Becomes a Common Control
2022 is the year that dedicated API security becomes a common control for security teams. What is a common control? Common controls are security controls used throughout an organization's information systems. They can typically be inherited as part of the organization's technology stack and are applied to multiple systems within the organization (NIST's SP 800-53 provides a good overview).
We see common controls utilized today with mainstream security solutions such as laptop encryption, network firewalls, and WAFs. New employees expect that their laptops will have some built-in encryption as part of the standard security. App developers expect that their applications will be protected behind a network firewall and a WAF. These are common controls.
Many systems will need additional security that may be unique to the system or the information it is handling. These are “tailored” controls that are specifically designed to address the requirements left unaddressed by the common controls. Today, API-specific security falls into this category. While some aspects of API security can be addressed with existing common controls (network and web app controls), these common controls still leave large security gaps that leave the API, and the business, potentially vulnerable to attack and abuse.
APIs are already business-critical for modern digital business and they will undoubtedly become, if they are not already, the most frequent attack vector. The surge in API growth, both in numbers and volume of traffic, has left security teams struggling to efficiently observe and adequately address the gaps left by existing common controls. The business demands for APIs will drive widespread adoption of dedicated API security solutions and they will become a common control for every organization that has modern business applications.
The Bad: Organizations Will Be Detecting Breaches and Exposures That Have Existed for a Long Time
One of the most memorable comments I heard from a CISO was when she said, “there are two types of companies: those that know they have been compromised, and those that don’t.” While I don’t believe every company has been compromised, it's a quote that will unfortunately resonate with many, as it's not far off the mark.
As we saw in the last two years, many of the largest breaches actually occurred well before they were detected. The SolarWinds breach took nearly a year before any indicators of compromise (IoCs) were discovered. If this seems like a long time, that's because it is. It is also important to know that the entities breached included FireEye, Microsoft, and government agencies like Homeland Security and the Treasury Department. All of these have some of the most skilled cybersecurity professionals in the world. Yet the breach still went unnoticed. Most organizations have neither the staff skill set nor the technology that these organizations have, so there is a high probability that an attack, even one not as sophisticated as the SolarWinds attack, could go unnoticed for extremely long periods of time, even years.
The SolarWinds breach was not unique in its ability to go undetected. IBM’s 2021 report details that the average time to detect and contain breaches has continued to increase for the past four years. The most recent data reports 287 days to detect and contain a breach (212 to detect, 75 to contain). With the mass proliferation of APIs (the new top attack vector), many of which are outside the purview of security teams, there is absolutely no reason to think this will get any better in 2022. The result is that, assuming hackers didn’t take any time off in 2021, the majority of API-related breaches found in 2022 will have actually been there since the previous year.
The Scary: The Biggest API Security Breach in 2022 Has Already Happened
In an early 2021 interview, Microsoft’s president Brad Smith said the SolarWinds breach was the “largest and most sophisticated attack the world has ever seen.” He went on to estimate that this sophistication probably required 1000 engineers to develop. SolarWinds reported that about 18,000 of its customers were impacted by the compromise. The scary part is that this attack, and we must assume others as well, was likely used to install additional malware that has yet to be detected. A long fuse that has already been lit. We will be waiting for the explosion in 2022.