This article is the third in a series of five covering key API security topics and provides some answers to common questions we often get when talking to potential customers. The series will cover the following topics:
- API Discovery
- API Posture Management
- Attack Protection
- API Security Testing
- Attack Detection and Threat Hunting
API security needs are specific to individual organizations and their particular market or industry, and the Cequence Unified API Protection platform was developed with that in mind – it’s highly flexible, customizable, and built to grow with your business.
This article focuses on application and API attack protection, which is a foundational component of the Cequence Unified API Protection platform. Cequence’s inline or passive deployment options offer the ability to detect attacks and either mitigate natively (in the case of inline deployment) or pass the attacker identifiers off to a third party, such as a WAF, for mitigation (in the case of passive deployment). Mitigation options include logging, rate limiting, deception, and blocking. The following are some common requirements that we’ve heard voiced by potential customers:
Detect And Block Newly-Identified CVEs
Cequence can detect and mitigate newly-identified CVEs, natively, and in real time. Mitigation options are user-configurable and include logging, rate limiting, deception, and blocking. Other vendors that rely on a data lake for attack identification and analysis are necessarily delayed in these objectives. Once their out-of-band analysis is complete, they require a third-party solution (such as a WAF) to perform the blocking. Inherent WAF limitations such as their inability to block high-volume attacks and their dependence on easily-changed and easily-spoofed IP addresses make them a suboptimal choice for API security.
Detection Of Low & Slow (Long-Lived, Hidden) Attacks
Cequence was designed from inception to identify and block “low and slow” attacks in real time. These attacks are carried out over a longer period of time and at lower volume than standard attacks in hopes of avoiding detection. Cequence’s behavioral fingerprinting analyzes unique combinations of characteristics such as tools, infrastructure, and credentials to identify and track attacks, no matter their speed. Cequence’s inline detection and native blocking capabilities enable instant, real-time response, unlike vendors that rely on a data lake and delayed analysis.
Automatically Track the Threat Level Of Each User
Cequence can automatically identify threat actors by various attributes – usernames, sessions, fingerprints, IP addresses, and customer fields.
Pre-Attack Threat Actor Identification
Cequence can identify threat actors before an attack occurs through various attributes – usernames, sessions, fingerprints, IP addresses, and customer fields.
Identify Active Data Exfiltration Per API, Services, Users
Cequence can identify active data exfiltration per API, per service, and per user by keying on various attributes such as usernames, sessions, fingerprints, IP addresses, and even custom fields. Custom fields designated by the customer such as credit card numbers, IMEI, or SSN can be used to identify sensitive data transacted by APIs. Other vendors that rely on a data lake for attack identification and analysis are necessarily delayed in these objectives. Once their out-of-band analysis is complete, they require a third-party solution (such as a WAF) to perform the blocking. Inherent WAF limitations such as their inability to block high-volume attacks and their dependence on easily-changed and easily-spoofed IP addresses make them a suboptimal choice for API security.
Enforce Blocking By Direct Call To 3rd-Party Control Points
Cequence is the only API security vendor with native blocking capabilities that does not require a third-party product, such as a WAF, to enact blocking. Cequence offers several mitigation options including logging, rate limiting, deception, and blocking. Cequence also can take advantage of existing third-party products, such as WAFs or API gateways, for additional mitigation options if desired. Other vendors that do not perform native mitigation and blocking and instead rely on third-party products face inherent limitations such as the inability to block high-volume attacks and dependence on easily-changed and easily-spoofed IP addresses, making them a suboptimal choice for API security.
Session Integrity Validation
Cequence includes Session Stitching, which tracks a user’s session throughout their journey within the customer’s API and application infrastructure. Example sessions include a user interacting with their bank account or a user in a purchase sequence. Other vendors require each application to be instrumented in order to track user journeys. Since all applications cannot be instrumented, such as those that do not support JavaScript or mobile SDKs, user journey tracking from these vendors will be incomplete.
ML-Based Multi-Dimensional and Temporal Fraud Detection
Cequence uses machine learning algorithms to identify, correlate, and track threat actors and their activity despite their use of evasive tactics and retooling. Hundreds of out-of-the-box rules and ML models, additional customer-specific rules, and the ability to incorporate customer models through its open system ensure comprehensive detection. Cequence’s network-based deployment enables it to see all API traffic, and its behavioral fingerprinting capability enables it to detect malicious behavior – even if it appears legitimate – by analyzing multiple criteria. Other vendors that only use a data lake for attack identification and analysis are necessarily delayed in these objectives.
Agent-Based (Language-Specific, In-Line)
It is a well-known fact that security teams and developers alike hate agents on their pristine revenue-generating applications. Cequence has no need to deploy or integrate agents. Cequence deploys at the network level, ensuring the greatest possible coverage of API and application traffic, unlike other solutions which require each application to be instrumented. Instrumenting each application is a significant hurdle – not only from the initial integration effort, but also from an ongoing maintenance standpoint. Every time the agent or the application is updated there’s more potential for conflict, so additional testing/QA must be done. Additionally, many applications cannot be instrumented due to language or proxy dependencies. Cequence can be deployed inline or passively, making it easy to get started and prove its effectiveness, and is language and proxy independent.
Some of the other areas of attack protection where Cequence excels:
- Detect and block OWASP (Web) Top 10 security events
- Detect and block OWASP API Top 10 security events
- Detect and block API business logic attacks
- Correlate threat actor (user) activity despite evasive tactics
- Identify and block abnormal API behavior (user behavior)
- Identify and block abnormal API usage rates
- Detect and block credential stuffing & brute forcing (ATO attempts)
- Detect and mitigate bad bots
- Detect and block application-layer denial of service (DoS) attacks
- Fully customizable protection policies based on transaction details
- Set and enforce sensitive data protection policies
- Enforce blocking in-line
- Customizable fraud detection rules and criteria
- Real-time fraud assessment
There are certainly other facets of application and API attack protection, but these are some of the topics we hear about most frequently. Check out the other articles in this series, or our eBook, “Ten Things Your API Security Solution Must Do.”