Jan 07, 2022

Data Security Blind Spots Explained

Modern cybersecurity technologies are among the most advanced in the enterprise tech stack. Solutions like database monitoring and intrusion detection systems have proven extraordinarily effective against cybercrime. While state-of-the-art technology used to be exclusive to large enterprises, widespread cloud infrastructure has made it accessible to small and mid-sized businesses in a scalable, cost-efficient way.

Despite these impressive advances, most organizations still suffer from data security blind spots in places their cloud-enabled security solutions should cover. Alarmingly, executives can mistakenly believe these blind spots are covered when in reality they are not. This pitfall has become a recurring pattern in most high-profile data breaches. Time and time again, overlooking small details has led to disastrous results.

API security is one of the many areas where these small details matter. Application programming interfaces provide external developers with programmatic access to internal databases. They allow organizations to share data with trusted partners automatically or expose time-consuming processes directly to customers through an app. While IT professionals are quick to secure user accounts, monitor network traffic, and protect against email phishing, API security often remains one of the most overlooked areas of modern enterprise infrastructure.

Why Executives and IT Teams Overlook API Security

Since APIs provide external developers with programmatic access to internal databases, they straddle the divide between "database security" and "network security." Large enterprise security teams may have personnel directly responsible for API security, but small and mid-sized organizations are more likely to distribute multiple responsibilities across a core team. This can lead to API security falling through the cracks.

In some cases, small and mid-sized IT departments that outsource API development might assume that they must be getting a secure API in return because they're working with third-party contractors. Professional API developers recognize the value of API security principles, but time and budget pressures can easily produce less-than-optimal results.

Many small and mid-market organizations don't have an in-house API development team. As a result, the tendency is to see API security as "the developer's problem." Making sure the project requirements are met on time takes precedence over verifying the technical security approach used.

But the main pitfall that executives and IT leaders fall into is assuming that API security is static. Like every other part of the cybersecurity framework, API security must adapt to new threats in real time. This responsibility does not fall squarely on the shoulders of the original API developer; it's a database monitoring and network security issue.

Apps and APIs are Like Windows into Your Business Infrastructure

It can be helpful for IT leaders to think of their business infrastructure as a house. When burglars break in, they rarely enter through the front door. An unsecured window is a much more compelling entry point, especially if the intruder can see through it before attempting entry.

A payment API works on the same principle. It's a programmatic interface that receives customer credit card data and directs payments to company accounts. It reports completed payments to accounting software and processes returns. It's not something you can easily hide or conceal, not without compromising customer trust.

Since customers can see what your payment API is doing, cybercriminals can too. Like residential burglars, they can peer inside the window and plan an attack.

Many of these attacks are client-side attacks. In a client-side attack, cybercriminals target third-party code to compromise trusted systems. For example, a hacker may tell the payment API to copy all incoming customer credit card data and send it to an unauthorized offsite address. This card-skimming exploit is a textbook example of a Magecart attack.

The more apps and APIs a business has, the more opportunities it presents to potential attackers. But it's not the number of apps and APIs that leads to data security blind spots. It's the complexity of the API environment itself.

How API Complexity Impacts the Security Landscape

Apps and APIs are critical components of the next-generation user experience. Organizations are increasingly investing in API development initiatives (and increasing the complexity of their environment) in multiple ways:
  1. Organizations Expose Multiple Data Sources.
    It's rare for a business of any size to limit itself to just one API. According to Postman's 2020 State of the API report, most enterprises use at least 50 APIs concurrently. It's worth pointing out that very few of Postman's survey respondents actually knew how many APIs their companies use, pointing towards a troubling trend in API visibility.
    According to Imperva, the average enterprise manages 363 APIs. This number reflects a smaller survey of enterprise IT professionals, but the takeaway is clear. API security must accommodate hundreds of moving parts.
    Cybercriminals may not need to fully compromise a single API to gain access to sensitive data. They will increasingly be able to exploit visibility loopholes through multiple access points. This could allow attackers to compile sensitive records by comparing data captured from multiple sources.
  2. DevOps Increases Deployment Frequency.
    APIs are a fundamental tool of DevOps and the Agile development methodology. This development approach prioritizes automation and empowers self-governing teams to deliver software changes and updates on an ongoing basis. This means IT teams can reduce the time it takes to publish software updates from months to minutes.
    Since client-side attacks can take advantage of compromised third-party software integrations, increasing the frequency of integrations can increase vulnerability. For companies using DevOps, establishing security practices that don't create production bottlenecks is a significant challenge.
    Under traditional development models, security comes at the end of app testing. This doesn't work in a DevOps environment. Security testing must occur at every stage of development so that flaws and loopholes can be addressed immediately.
  3. Service-Oriented Architectures Are Expanding.
    APIs are at the core of service-oriented architectures, including microservices. This architectural style structures applications as a collection of independent, easily maintainable services, each owned by a small, dedicated team. It enables the rapid development of large applications in complex environments.
    This can create serious security challenges. Individual services may be distributed over several different cloud providers in multiple data centers across the globe. Independent application components are hard to test in isolation without seeing how they communicate across different infrastructure layers.
    Importantly, service-oriented architectures expose new entry points for internal and external users. This can significantly increase the need for comprehensive access controls. Not only must API security accommodate hundreds of moving parts, but it must also verify the relationships between these parts.


Most Database Monitoring Solutions Don't Identify API Users Individually

Executives and IT teams intent on securing their infrastructure need to distinguish between two basic threat categories:
  • Insider Threats are internal network users with malicious intentions. These might include compromised accounts, corporate espionage, or deliberate sabotage by disgruntled employees. These kinds of threats typically focus on exploiting code loopholes, access privileges, and data exfiltration opportunities.
  • Outsider Threats are external hackers and bots looking for vulnerabilities to exploit. Since they exist outside the network, they must first infiltrate it – often using email phishing scams – before they can start causing damage. This damage might come in the form of DDoS attacks, account takeovers, or SQL injections.
Insufficient visibility into API security makes it difficult for IT teams to distinguish between insider and outsider threats. Many of the exploits that insider threats rely on are far removed from the places security engineers typically look at using database activity monitoring (DAM) solutions.

In a typical database environment, a security engineer might see the following data in a log record:
  • User. This is the user's self-reported name. If an employee directly accesses a database from a recognized device, it's probably the employee's real name.
  • Role. This explains what the user does. It also shows what level of permission the user has been granted.
  • Source IP. This is the network address of the device from which the user is connecting to the database.
  • Destination IP. This is the network address of the destination the user would like to connect to.
  • Object. This record describes the asset this user interacted with during this particular session.
When a user connects directly to a database, the DAM system logs all of this information automatically. As the user goes about their business, they generate log data. If something goes wrong, a security analyst can collect that data and build an audit trail to investigate.

This log data is different when a user connects to the database through an app or an API. It's common practice for APIs to use a single service account for all users. If the API does not validate user credentials or assign permission-based roles, it might not be possible to tell whether a customer, an employee, or an unauthorized user is accessing the database.

For example, any organization that outsources accounting services to a third party should expect its partners to log into its systems to collect financial data. If the accounting partner uses an automated FinTech solution to collect that data, it will be logged as an API user. In a typical DAM scenario, there is no way to tell individual connections from that accounting firm apart.

In this example, the security logs may report something like "FinTech_User_01" and "FinTech_User_02" for anyone who connects through the accounting API. This does not offer any factual information about the user's identity at all. If the security team needs to construct a company-wide audit trail following a cyberattack, valuable information could be irretrievably lost here.

User Identity Tracking Enables Comprehensive API Security

Security professionals rely on logs to generate audit trails and understand the impact of unauthorized access. The greater the level of detail these logs provide, the better equipped IT teams are to handle security events.

When security teams assign unique identities to individual API users, their auditing capabilities increase significantly. Ideally, a DAM solution should generate logs that differentiate between individual API users and keep track of frequent connections on a user-by-user basis.

In this scenario, "FinTech_User_01" may be better represented as "Alex_S_AccountingFirmXYZ." This immediately confirms the real-life identity of the individual accessing the database through an API. If the accounting firm reports a cyberattack that resulted in some of its accounts being compromised, you'll know whose account requires verification first.

This identity-based API security approach also enables more extensive tracking and analysis. Imagine a scenario where the "Alex_S_AccountingFirmXYZ" account starts accessing records it usually never touches. These are sensitive records the accounting firm has access to, but a different user usually processes them. A generic service account cannot reveal unusual or suspicious activity as accurately as one that tracks individual user identities.
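The shared-service-account problem from the previous section and the per-user baselining described here, as an added Python example (not code from the original post or from Gradient): it takes DAM-style records with the five fields listed above, builds a baseline of which objects each logged principal normally touches, and flags access outside that baseline. The account names, object names, IP addresses and the `rec` helper are constructed sample data and assumptions, not values from any real product.

```python
from collections import defaultdict

# Constructed DAM-style records carrying the five fields the post lists
# (user, role, source IP, destination IP, object). All values are sample data.
def rec(user, obj, src_ip="198.51.100.7"):
    return {"user": user, "role": "accounting_api", "src_ip": src_ip,
            "dst_ip": "10.0.0.5", "object": obj}

# Historical window logged through a shared service account: every call made
# via the accounting API collapses onto one principal, including the payroll
# work that a second person at the firm normally does.
SHARED_HISTORY = [
    rec("FinTech_User_01", "ledger.receivables"),
    rec("FinTech_User_01", "ledger.receivables"),
    rec("FinTech_User_01", "ledger.payroll", src_ip="198.51.100.8"),
]
# The same activity with the caller's identity propagated through the API.
IDENTITY_HISTORY = [
    rec("Alex_S_AccountingFirmXYZ", "ledger.receivables"),
    rec("Alex_S_AccountingFirmXYZ", "ledger.receivables"),
    rec("Priya_K_AccountingFirmXYZ", "ledger.payroll", src_ip="198.51.100.8"),
]
# A new day: the person behind "Alex" reads payroll records for the first time.
SHARED_TODAY = [rec("FinTech_User_01", "ledger.payroll")]
IDENTITY_TODAY = [rec("Alex_S_AccountingFirmXYZ", "ledger.payroll")]


def distinct_principals(records):
    """How many separate identities the log can attribute activity to."""
    return len({r["user"] for r in records})


def build_baseline(records):
    """Map each logged principal to the set of objects it touched in the window."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["user"]].add(r["object"])
    return dict(baseline)


def flag_unusual_access(baseline, records):
    """Return (user, object) pairs where a principal touches an object that is
    absent from its own baseline. An empty list means nothing stood out."""
    return [(r["user"], r["object"]) for r in records
            if r["object"] not in baseline.get(r["user"], set())]


if __name__ == "__main__":
    print("principals (shared account):", distinct_principals(SHARED_HISTORY))
    print("principals (identity):      ", distinct_principals(IDENTITY_HISTORY))
    # Shared account: payroll is already in FinTech_User_01's baseline because
    # Priya's work was logged under the same name, so Alex's access is invisible.
    print("flagged (shared account):",
          flag_unusual_access(build_baseline(SHARED_HISTORY), SHARED_TODAY))
    # Per-user identity: payroll is outside Alex's own baseline and gets flagged.
    print("flagged (identity):      ",
          flag_unusual_access(build_baseline(IDENTITY_HISTORY), IDENTITY_TODAY))
```

The two runs use identical underlying activity; only the identity field differs. With the shared account, the union of everyone's normal work becomes one principal's baseline, so a first-time read of payroll by a different person produces no signal at all, which is exactly the blind spot the post describes.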

Cross-correlation Enables Accurate Risk Analysis

API security is just one aspect of the intelligence framework that small businesses and mid-sized organizations need to consider. The ability to distinguish between API users on an individual basis helps security professionals correlate log data from the many different sources that generate it.

Serious security breaches do not occur in isolation. Data breaches, cyberattacks, and account takeovers leave traces throughout multiple layers of compromised company infrastructure. Unwinding the layers of an attack, what infosec professionals call the kill chain, requires security tools that log high-quality records of user behavior on protected assets.

User identity tracking is a small yet important part of a fully-featured cybersecurity solution. Enabling DAM solutions to distinguish between individual API users helps organizations keep their sensitive records protected against unauthorized access attempts, regardless of where they come from.

Gradient's 500-point security analysis correlates NetFlow traffic and historical log data in real time. Our security intelligence platform enables state-of-the-art risk assessment with actionable insights.
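Cross-correlating identity-resolved DAM records with network flow data, as an added Python example that is not Gradient's code and not from the original post: it joins the two sources on the client's source IP and a time window, so that a read of a sensitive object followed shortly by a large transfer from that same host to a non-internal destination is surfaced together with the user identity from the DAM record. All records, the sensitive-object list, the internal network range and the thresholds are constructed sample values and assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed DAM records with the caller's identity propagated through the API.
DAM_LOG = [
    {"ts": "2022-01-07T09:00:00", "user": "Alex_S_AccountingFirmXYZ",
     "src_ip": "198.51.100.7", "object": "ledger.receivables"},
    {"ts": "2022-01-07T09:05:00", "user": "Priya_K_AccountingFirmXYZ",
     "src_ip": "198.51.100.8", "object": "ledger.payroll"},
    {"ts": "2022-01-07T09:10:00", "user": "Alex_S_AccountingFirmXYZ",
     "src_ip": "198.51.100.7", "object": "customer.cards"},
]
# Constructed NetFlow-style records from the same client hosts (bytes sent).
FLOWS = [
    {"ts": "2022-01-07T09:01:00", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "bytes": 20_000},
    {"ts": "2022-01-07T09:12:30", "src_ip": "198.51.100.7", "dst_ip": "203.0.113.44", "bytes": 85_000_000},
    {"ts": "2022-01-07T11:00:00", "src_ip": "198.51.100.8", "dst_ip": "203.0.113.9", "bytes": 50_000_000},
]
# Assumed classification of which objects count as sensitive and which
# destinations are inside the organisation's own network.
SENSITIVE_OBJECTS = {"customer.cards", "ledger.payroll"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(dam_log, flows, window_minutes=10, min_bytes=10_000_000):
    """Join DAM and flow records on source IP: a sensitive-object read followed,
    within the window, by a large transfer from that host to a non-internal
    destination. Each finding keeps the user identity from the DAM record, which
    is only possible because the API propagated it instead of a shared account."""
    findings = []
    for d in dam_log:
        if d["object"] not in SENSITIVE_OBJECTS:
            continue
        t_access = datetime.fromisoformat(d["ts"])
        for f in flows:
            if f["src_ip"] != d["src_ip"] or is_internal(f["dst_ip"]):
                continue
            lag = datetime.fromisoformat(f["ts"]) - t_access
            if timedelta(0) <= lag <= timedelta(minutes=window_minutes) and f["bytes"] >= min_bytes:
                findings.append({"user": d["user"], "object": d["object"],
                                 "dst_ip": f["dst_ip"], "bytes": f["bytes"],
                                 "lag_s": int(lag.total_seconds())})
    return findings


if __name__ == "__main__":
    for finding in correlate(DAM_LOG, FLOWS):
        print(finding)
```

In the sample data only one pairing survives all three conditions (same host, inside the window, non-internal destination above the byte threshold): the `customer.cards` read at 09:10 from 198.51.100.7 and the 85 MB flow to 203.0.113.44 two and a half minutes later. Priya's payroll read is followed by a large external flow too, but almost two hours later, so it falls outside the window and is not reported.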