Cequence Security is a venture capital-backed company that has raised more than $100 million from leading and blue chip venture firms in Silicon Valley.
“WE PROCESS OVER 6 BILLION API CALLS PER DAY ACROSS OUR ENTIRE CUSTOMER BASE IN A VARIETY OF INDUSTRIES AND GEOGRAPHIES.”
Currently, it is protecting more than 2 billion user accounts from a variety of fraud and abuse. “In all these clients, the general assets that we are protecting amount to more than US$ 1,300 million,” said the interviewee.
The executive highlighted that more than 100 global brands are using Cequence to protect their APIs, including leaders in a variety of industry verticals such as telecommunications, finance, luxury goods, retail, social platforms and dating sites.
“Every customer login to American Express around the world goes through Cequence. Your chief data officer deals with issues like data leaks involving social security numbers and private customer data, and ensures your government meets the standards required by regulators and Cequence Security. We are protecting your customer base from account takeovers. He is a satisfied customer for more than 5 years”, he pointed out by way of example.
As part of its solution, Cequence Security has curated threat intelligence for the API security issue that is constantly updated, with a database that has over 100 million data points or records. “These 6B API calls per day constantly update that threat intelligence and redistribute it to all customers on a regular basis.
“This threat intelligence database is constantly being fed into the product, benefiting from the outset of data that Cequence has curated, such as fingerprints and signatures of known attack tools, malicious proxy IP addresses (residential, data center , bulletproof, etc.) or known leaked credentials,” Azad explained.
“STARTING THIS YEAR (2022), API ATTACKS WILL BECOME THE MOST FREQUENT ATTACK VECTOR.”
For the specialist, the massive growth of APIs and legacy security solutions can’t keep up. “As Gartner analysts note, ‘Enterprises are producing a large number of APIs at a rate that outpaces the maturity of network and application security practices. Newly built APIs support emerging architectures and are often hosted in cloud environments. This situation resembles the early days of infrastructure-as-a-service (IaaS) deployment, as ungoverned API usage is on the rise. As architecture and operational technologies continue to mature, security controls try to apply old paradigms to new problems,’” he quoted.
He also commented that, according to Gartner research, by 2022, the vast majority of web-enabled applications (90%) will have more surface area exposed to attacks in the form of APIs than through the human user interface.
In that sense, what Cequence has done is create a map for API security that a typical company can take. “We have created five steps – some of which are optional – for this API security lifecycle:
1) Which APIs can attackers target? This first step is to understand the external attack surface. Knowing which APIs can be accessed, what are the hosting environments, if there are any accidental exposures like fully accessible databases, externally accessible files or performance monitoring services, is there any risk of accidental exposure? What APIs are hosted?
2) API cataloging and getting a runtime inventory of all your APIs. So once the environment has been identified. The next step is to understand what these APIs are doing and what their level of behavior is at runtime.
You need to know if these APIs are managed or unmanaged, are they hidden or unauthorized APIs in your infrastructure where your security team is not aware that these APIs are being activated? They may or may not be going through an API gateway. And they may not be following your API management strategy.
“So cataloging these APIs at runtime, making sure they’re using the right security controls, from an authorization and authentication standpoint, making sure they’re not leaking sensitive information that you don’t want your APIs to exchange, and doing make sure your APIs conform to the schemas”, summarized the Chief Revenue Officer of Cequence Security.
3) Are attacks targeting these APIs being analyzed? As much as the environment is known, the APIs are cataloged, and these APIs are known to use proper security authentication and authorization, fully clean and secure APIs can still be targeted by increasingly sophisticated and often more sophisticated attackers. relentless. This can be in the form of the top ten attacks listed by OWASP, business logic abuse, or simple bots, which lead to fraud. These are the attacks that can be targeted at your APIs with or without ensuring your hygiene is up to scratch.
Therefore, attack detection, for attackers targeting these APIs, is the third step in your API security journey.
4) Once you detect these attacks, what you do next is really the fourth step. How do you respond to these attacks targeting your APIs?
Cequence believes that native mitigation is critical and not relying on other sources or solutions, and we recommend looking for an API security solution that can respond to API attacks on its own, rather than relying on third-party solutions like WAFs and firewalls. , or API gateways.
The reason for this native mitigation is to ensure that you have a response module that sees the same traffic as the detection module, which may not be the case if you rely on a WAF or API gateway. You also want to make sure there isn’t a vendor lock-in based on a third-party dependency.
And once you start performing a response action, you want feedback to ensure that the response action was performed within a single unified console instead of looking at two different providers.
5) The fifth step is all about API testing and making sure your APIs are secure before they even go live.
Testing is about getting into the DevOps cycle and testing these APIs for security vulnerabilities, weaknesses, lack of authentication, and making sure they are secure before they go live.
Cequence Security helps organizations complete this API security lifecycle journey through three different products, all powered by a single machine learning and artificial intelligence (ML/AI) engine.
API Spyder it analyzes the external attack surface, looks outside, and also helps you with the fifth step, which is API security testing. “This tool requires absolutely no deployment. And it is a required probe of zero contact and zero knowledge of its external attack surface”, said the interviewee.
API Sentinel It looks at API cataloging, attack detection, and also the mitigation of those attacks. “This is primarily focused on finding shadow APIs, unmanaged APIs, along with managed APIs, APIs with hygiene issues like weak authentication, leaking sensitive information. Then generate an answer for native mitigation options for those weaknesses,” he explained.
Bot Defense It primarily looks for attacks such as business logic abuse, bots, and fraud. “Even if you have taken care of API hygiene, business logic abuse or bot attacks can still happen and this module takes care of these types of attacks,” Azad added.
The interviewee concluded by stating that implementing Cequence solutions is easy because “it basically involves just a few steps. The first order of business we recommend is to discover your external attack surface first, using API Spyder, which does not require any implementation,” he noted. “And we can also deploy them in public or private cloud, on-premises or hybrid.”
Cequence Security API Usage and Threat Report 2022
-14.4 billion or 70% of the 21.1 billion application requests analyzed were based on APIs.
-95% increase in six months in the use of APIs to facilitate logins and account registrations, and this is a big problem and a big target for attackers, and where the fraud and abuse really starts.
-It was found that 80% or 1.8 billion of blocked attacks were directed at APIs.
-Applications are evolving, infrastructure is evolving, but API security is not evolving. Resulting in security breaches and compromises.