Unified API Protection for Telecommunications Services

Telecom carriers and service providers are using APIs for their web and mobile applications in ever-increasing numbers to deliver an engaging customer experience. APIs make it easy for application designers to coordinate the different data sources that add value to their applications. For example, they can subscribe to services that enable everything from location-based services built on GPS information, to payment integration, voice, messaging and video capabilities, SMS and WebRTC-based features, and more.

However, the same power and flexibility that developers love in APIs are also leveraged by attackers, who turn their own developer skills to malicious purposes: 80%, or 1.8 billion, of the blocked attacks were API-based. APIs simplify the execution of hard-to-prevent automated attacks and business logic abuse, highlighted by a 62% increase in ATOs against login APIs and a 178% surge in content scraping against APIs.

By the Numbers

69%

Nearly 69% of developers use third-party APIs, with API calls coming from a wide array of customers, partners, and applications.

47%

47% of software modules that are used by multiple applications had a vulnerability discovered in one of their dependencies.

$33B

Telecoms fraud, including the harvesting of high-value resources like card details and gaining access to phone or bank account details, costs the industry and end customers over $33B each year.

The API Protection Challenge for Telecommunications Services

The rapid proliferation of APIs within the telecom industry, coupled with the increasing amount of personal information held on our mobile devices, has made telecom services a high-value target for threat actors. Account takeovers and enumeration attacks that lead to SIM swapping; poor authentication coding practices that allow privilege escalation; and data masking or encryption lapses that lead to data loss and compliance violations are just a few examples of the types of attacks being launched against the thousands of APIs in use by telecom providers. Attacks on your APIs introduce a significant range of risks, and they impact the entire business, not just the security team. Business impact examples include:

Infrastructure

Whether it’s an automated ATO against a perfectly coded API, or an enumeration attack against an API coded with poor authentication (OWASP API#1), the impact on infrastructure teams can be skyrocketing costs. Worse yet, the website and mobile app can become unresponsive, resulting in (real) user dissatisfaction.

Security

Security teams are consumed by efforts to slow or stop API attacks, often struggling to separate real transactions from fake ones, or worse yet, being blindsided by an unprotected shadow API.

Fraud Teams

Fraud teams are often engaged directly when the attacks involve fake accounts or ATOs, investigating individual accounts and issuing account reset or deletion recommendations. All of this consumes time that could (and should) be spent on broader team goals.

Marketing, Sales, eCommerce

Depending on the type of attack, these groups may be presented with inflated marketing statistics, which turn into poor or misleading sales program decisions, missed revenue projections, and damage to vendor relationships.

Customer Satisfaction, PR, Brand

With the understanding that 57% of consumers spend more on brands to which they are loyal, which can generate 12%-18% incremental revenue growth per year, retailers are singularly focused on customer retention. A bad experience, whether a slow or unavailable website or an unavailable desired item, can drive customers elsewhere, resulting in a 5x increase in the cost of acquiring a new customer.

Limitations of Traditional Defenses

Today’s security teams simply lack the visibility and defense capabilities they need to protect against the ever-growing risk from APIs and other application connections. Many believe that compliance with PCI or SOC 2 and a “shift-left, DevOps” approach is sufficient to protect their APIs. The problem with these strategies is that they have no way to “know the unknown”: they cannot look for all APIs and API vulnerabilities without already knowing where to look. Even if all APIs are discovered and “known”, attackers can still leverage seemingly legitimate transactions in an attempt to steal data or commit fraud. Traditional approaches that use WAFs or API gateways depend on easily evaded detection, lack the real-time ability to discern good API activity from bad, and rely on static, least-common-denominator protection spread across multiple technology components.

Fast Facts

2 of 3

Cequence provides API protection for two of the top three U.S. telcos.

1 Billion+

Telecom industry API transactions are protected by Cequence every day.

Cequence Secures the Telecom Industry

Cequence Security believes in taking a holistic approach to defending against API-related data risk with a market-defining Unified API Protection solution that goes beyond API security approaches focused solely on one aspect of the API protection journey. Achieving true peace of mind through comprehensive API attack protection means traveling through six distinct steps associated with the Unified API Protection solution:

Outside-in discovery: Viewing an organization’s API attack surface from a threat actor perspective to know the unknown.
Inside-out inventory: Performing a comprehensive API inventory, including all existing APIs and connections.
Compliance monitoring: Keeping APIs in compliance with specifications, standards and regulations such as the OpenAPI Specification and ensuring ongoing API governance.
Threat detection: Continuously scanning for threats, including subtle business logic abuses and malicious activity that has not yet been observed.
Threat prevention: Employing countermeasures such as alerts, real-time blocking and even deception, without the need for added third-party data security tools.
Ongoing API testing: Integrating API protection into development, which shifts API security left within the organization, so risky code doesn’t go live.

Unified API Protection is different from fragmented or incomplete API protection offerings because it is a methodology designed to account for multiple types of risk across every phase of the API protection lifecycle.

Why Cequence?

With the Cequence Unified API Protection solution, customers can continue to reap the competitive and business advantages of ubiquitous API connectivity. The Cequence solution results in attack futility, failure, and fatigue for even the most relentless attackers. It significantly improves visibility and protection while reducing cost and minimizing fraud, business abuse, data loss, and non-compliance.
