This article is the fifth in a series of five covering key API security topics and provides some answers to common questions we often get when talking to potential customers. The series will cover the following topics:
- API Discovery
- API Posture Management
- Attack Protection
- API Security Testing
- Attack Detection and Threat Hunting (this article)
API security needs are specific to individual organizations and their particular market or industry, and the Cequence Unified API Protection platform was developed with that in mind – it’s highly flexible, customizable, and built to grow with your business.
This article focuses on attack detection and threat hunting, a foundational component of the Cequence Unified API Protection platform. Attack detection and threat hunting are greatly simplified with Cequence compared to competitors that rely on data lakes to perform offline, delayed threat hunting. Cequence’s inline or passive deployment options not only let the platform identify and mitigate threats in real time but also support near real-time threat hunting for truly novel attacks. Cequence can either mitigate natively (in an inline deployment) or pass the attacker identifiers to a third party, such as a WAF, for mitigation (in a passive deployment). Mitigation options include logging, rate limiting, deception, and blocking.
The following are some common requirements that we’ve heard voiced by potential customers:
Explorable Transaction Data Lake
Cequence stores anonymized customer data short-term for real-time analysis and supports long-term retention (e.g., a data lake) as an add-on SKU. Cequence’s ability to detect and mitigate threats in real time removes most of the need for a data lake. Other vendors require a data lake to perform their analysis and detection, delayed though it may be; once threats are detected in the vendor’s data lake, they must then rely on a third party (such as a WAF) for mitigation or blocking. Because Cequence’s real-time capabilities are far more efficient, long-term data storage is rarely needed for threat hunting and analysis.
Correlate and End-To-End Connect All Application API Transactions
Cequence includes a graphical view of end-to-end API flows with an attractive, easy-to-understand interface. This view improves security team visibility by distinguishing normal from malicious traffic, so personnel can quickly identify malicious activity and act on it with a single click, fully integrated and without relying on third-party products such as a WAF.
Deep API Transaction Context for API Incident Response and Threat Hunting
Cequence offers native real-time threat detection and protection without relying on a third-party tool such as a WAF. Cequence has taken a very different approach to API attack mitigation, using multi-dimensional machine learning (ML) techniques to analyze user behavior without requiring any client-side or application integration or instrumentation. Cequence analyzes behavioral intent across web, mobile, and API traffic, identifying legitimate behavior without relying solely on IP addresses, which can change or be spoofed. Conversely, attack traffic is identified by its behavior as well, which is continuously determined and learned by the ML models. This approach actively “fingerprints” incoming requests based on the similarity of their behavioral traits, as analyzed by the ML models. Additionally, the open platform allows customers to import security intelligence and export it to third-party systems such as SIEMs, anti-fraud tools, firewalls, and IDS/IPS systems.
Capture And Store Good, Suspicious, And Bad API Traffic for Analysis
Cequence not only captures and stores good, bad, and suspicious API traffic, but also fingerprints it using behavioral fingerprinting, providing the ability to track attacks as attackers retool. Traffic is stored for a short period by default, and optionally indefinitely in a data lake.
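To make the behavioral-fingerprinting idea from the two sections above concrete, here is an added illustration (not Cequence’s code, and not its ML models) of the core point: group requests by client traits the attacker does not rotate for free, rather than by IP, so that a credential-stuffing run spread over many IPs with rotating User-Agent strings still collapses into one cluster whose identifiers can be handed to a WAF. The traffic and the log field names (`header_order`, `accept_language`, and so on) are constructed assumptions about what a gateway log exposes.

```python
"""Behaviour-based fingerprinting of API clients (added illustration).

Not Cequence's code: a constructed example that clusters requests by
traits a client does not cheaply control (header ordering, Accept-Language)
instead of by IP address.  Record fields are assumptions about a gateway log.
"""
import hashlib
from collections import defaultdict

# --- constructed sample traffic -------------------------------------------
BROWSER_ORDER = ("host,user-agent,accept,accept-language,"
                 "accept-encoding,referer,content-type")
TOOLKIT_ORDER = "host,user-agent,accept-encoding,accept,connection,content-type"
ROTATED_UAS = ["Mozilla/5.0 (Windows NT 10.0) Chrome/120",
               "Mozilla/5.0 (Macintosh) Safari/17.1",
               "Mozilla/5.0 (X11; Linux) Firefox/121"]


def _req(ip, path, status, header_order, lang, ua):
    return {"ip": ip, "path": path, "status": status,
            "header_order": header_order, "accept_language": lang,
            "user_agent": ua}


# Three real users, one IP each, with a normal session shape.
LEGIT = [_req(ip, path, 200, BROWSER_ORDER, lang, ROTATED_UAS[0])
         for ip, lang in [("198.51.100.10", "en-US,en;q=0.9"),
                          ("198.51.100.11", "de-DE,de;q=0.8"),
                          ("198.51.100.12", "fr-FR,fr;q=0.8")]
         for path in ("/api/login", "/api/account", "/api/orders")]

# One credential-stuffing tool: a fresh IP and User-Agent on every request,
# but the same header order and an empty Accept-Language throughout.
ATTACK = [_req(f"10.0.0.{i}", "/api/login", 200 if i % 5 == 0 else 401,
               TOOLKIT_ORDER, "", ROTATED_UAS[i % len(ROTATED_UAS)])
          for i in range(1, 13)]

SAMPLE_REQUESTS = LEGIT + ATTACK


def fingerprint(req):
    """Hash the behavioural traits.  IP and User-Agent are deliberately left
    out: an attacker rotates both at no cost, so they would split the cluster."""
    traits = "|".join([req["header_order"], req["accept_language"]])
    return hashlib.sha256(traits.encode()).hexdigest()[:16]


def detect_by_ip(requests, threshold=5):
    """Classic per-IP volume rule: IPs with more than `threshold` requests."""
    counts = defaultdict(int)
    for r in requests:
        counts[r["ip"]] += 1
    return {ip for ip, n in counts.items() if n > threshold}


def cluster_by_fingerprint(requests):
    """Aggregate per fingerprint: distinct IPs, volume, and login outcomes."""
    clusters = {}
    for r in requests:
        c = clusters.setdefault(fingerprint(r), {"ips": set(), "total": 0,
                                                  "login_attempts": 0,
                                                  "login_failures": 0})
        c["ips"].add(r["ip"])
        c["total"] += 1
        if r["path"] == "/api/login":
            c["login_attempts"] += 1
            if r["status"] == 401:
                c["login_failures"] += 1
    return clusters


def detect_by_fingerprint(requests, min_ips=3, min_failure_rate=0.5):
    """Flag a behavioural cluster that spans many IPs and mostly fails login.
    The returned IP list is the identifier set a passive deployment would
    hand to a WAF or rate limiter."""
    flagged = {}
    for fp, c in cluster_by_fingerprint(requests).items():
        rate = (c["login_failures"] / c["login_attempts"]
                if c["login_attempts"] else 0.0)
        if len(c["ips"]) >= min_ips and rate >= min_failure_rate:
            flagged[fp] = {"distinct_ips": len(c["ips"]), "total": c["total"],
                           "login_failure_rate": rate,
                           "block_ips": sorted(c["ips"])}
    return flagged


if __name__ == "__main__":
    print("per-IP rule flags:", detect_by_ip(SAMPLE_REQUESTS) or "nothing")
    for fp, s in detect_by_fingerprint(SAMPLE_REQUESTS).items():
        print(f"fingerprint {fp}: {s['distinct_ips']} IPs, "
              f"login failure rate {s['login_failure_rate']:.2f}, "
              f"block {len(s['block_ips'])} IPs")
```

On the constructed sample the per-IP rule flags nothing, because no single IP sends more than one attack request, while the fingerprint rule yields one cluster spanning all twelve attacker IPs with a login failure rate above 80%. Rotating the User-Agent string, the attacker’s cheapest retooling step, does not split that cluster because the fingerprint never looked at it.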
Some of the other areas of attack detection and threat hunting where Cequence excels:
- Analyze the body/payloads of requests and responses
- Detect suspicious client requests based on IP reputation
- Identify the geo-location of API calls to help with API risk assessments
- Use IP intelligence to assess API endpoint risk and set policy
- API performance metrics, call and error patterns
- Share data with SIEM, SOAR, and ITSM systems
There are certainly other facets of attack detection and threat hunting, but these are the topics we hear about most frequently. Check out the other articles in this series, or our eBook, “Ten Things Your API Security Solution Must Do.”