What is API Runtime Protection?

Organizations are achieving new levels of connectivity, productivity and agility through the use of APIs. They use APIs to connect internal applications, accelerate processes with their business partners and even deliver data services to the public. But a small fraction of organizations are able to keep tabs on the thousands, if not tens of thousands of APIs making data calls within their digital ecosystem. Even fewer are fully prepared to protect against runtime API threats. And the fact is, misconfigured and hacked APIs are behind some major data breaches.

With that in mind, API runtime protection refers to the process of securing APIs during their normal functioning as they operate and manage requests. The idea is to identify and prevent malicious API requests. Runtime security guards APIs against a range of threats that emerge after deployment, including:

• An attacker pulling large volumes of sensitive data from an API
• Privilege escalation attacks that exploit security bugs
• Deployment of unauthorized APIs outside of the normal deployment processes

This is the reason API runtime protection is so critical. Of the three API security pillars, it’s the final layer of defense against threats.

How do you block API threats?

Blocking runtime API threats requires an ability to protect data by leveraging more context. Enterprises need to understand API access, usage, and behavior. Because APIs have been specifically designed to enable easy connections and data flow across applications, it’s expected that they should be actively moving data. That means it can be difficult for traditional security tools to discern between a legitimate and malicious request by an API.

Authentication and authorization is more complex when it comes to APIs than in traditional web applications. While a web application may rely on a CAPTCHA system to filter out non-humans, those sorts of controls don’t work well for machine-to-machine authentication. In this scenario, organizations need information about how each API is intended to be used. To accomplish this, there needs to be a whole new layer in the application security stack – an API security platform.

An important first step is to assess the API security posture. This is a fancy way of saying use an API discovery tool that finds and inventories all your APIs. Most notably your legacy and shadow APIs. As the old saying goes, you can’t protect what you can’t see. Upon running these tools, many organizations are shocked to find the sheer number of APIs and interdependencies at play.

The right discovery tools can identify each API, its owner, the types of sensitive data it interacts with, how it is routed, its associated physical resources, and to which business unit or application it belongs. Once an organization’s unique API footprint is inventoried, API security tools can continually monitor for vulnerabilities and misconfigurations.

Once you have an idea of your API estate, you want to employ AI and machine learning capabilities to monitor traffic. The aim here is to build a baseline understanding of typical behavior in order to detect what’s anomalous. Real time traffic analysis will provide contextual insights into data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks.

The best API security platforms also integrate with existing security systems. The API security platform reports any suspicious behavior, misconfigurations and data policy violations to the API gateway, SIEM system, and other application security engines in order to inform the larger security team. Your organization can then choose to remediate any issues manually or automatically depending on the severity of the threat.

Monitoring API traffic for attacks

API security risks and issues are not all discovered in source code alone. Observing API traffic behavior within the context of the network provides the full context to derive risk findings. Deploying a monitoring solution prior to having an accurate picture of how vast your API estate is will only provide limited visibility. After the API footprint is inventoried, an API runtime protection module can continually monitor traffic and API consumption and look for vulnerabilities and misconfigurations.

Detecting anomalous behavior

Beyond monitoring traffic to detect outright attacks, you also need to monitor traffic in order to develop a baseline understanding of typical network behavior. This will help your team identify anything out of the ordinary. You can use historical knowledge to determine anomalous behavior which may reveal attacker intent. Anomalies can be examined further in the context of other actions taking place within the application or network. For instance, if data requests are generally a certain size, and you receive an API call requesting data larger than usual requests, it should be flagged. It may or may not be malicious but the anomaly definitely calls for further inspection.

Detecting data exposure

APIs are also responsible for sending and receiving sensitive data. Which means sensitive data can be, and often is, exposed in the traffic. Sensitive information that is accessible due to a security vulnerability allows an attacker to escalate privilege or other improper access control configurations. Runtime protection solutions can also utilize anomaly detection to monitor and provide insights into data leakage, data tampering, and data policy violations.

Best practices for API Runtime Protection

To address runtime security threats, it’s wise to deploy API security auditing tools. These tools should be able to monitor traffic in real-time and alert you of attacks and other malicious at a minimum:

• Perform continuous monitoring to identify attackers and malicious requests.
• Passively scan APIs, internal and external, for misconfigurations and oversights that could enable or worsen a breach or weaken defenses.
• Enforce policies on what data should (and shouldn’t) be sent or received by APIs.