
An AI Engine for API Security at Scale

7 Aug 2017 3:00am, by

An increasing number of companies, such as GuardiCore, Darktrace, JASK and Edgewise Networks, are applying artificial intelligence and machine learning to learn the normal behavior of infrastructure and alert on aberrations.

Redwood City, Calif.-based Elastic Beam focuses solely on API security.

“APIs are a tough problem by themselves,” said CEO Bernard Harguindeguy, explaining that he and co-founder Uday Subbarayan wanted to focus on one problem and do it well. They founded the company in 2014, but only released their API Behavioral Security product last month.

Not to be confused with Elastic, the company behind Elasticsearch, the name comes from the concept of scaling elasticity and beams of insight coming back to its users, Harguindeguy said.

Harguindeguy was formerly CEO of web security startup GreenBorder, and Subbarayan was one of the founders of API management company Apigee; both companies were acquired by Google.

They set out to base their new venture on security, API behavior and data science to create a solution for API security at scale.

They aimed it at multi-cloud environments receiving a high volume of data. Elastic Beam looks at the end-to-end flow of information across the API, across multiple clients and across time to detect attacks.

“To do this well, you have to have very large scale,” Harguindeguy said. It could be two, three, four data centers. Some could be public, some private.

“You’ve got to have efficient reporting on all attacks, on all those connections to block the attacks. If you find an attack in one cloud, you’ve got to be able to tell the other clouds of the same attack.”

It’s been attracting clients in finance, health care and IoT, though it’s not naming them publicly, and has one installation involving 180,000 connections per second, Harguindeguy said.

Lagging Security

Kin Lane, on his API Evangelist blog, calls API security “one of the most deficient, and underinvested areas of API operations.”

“Companies are just learning to design, deploy, and manage their APIs, and monitoring, testing, and security are still on the future road map for many API providers I know,” he wrote.

Two other players in this space, Distil Networks and Shield Square, focus on protection from bots.

Lane wrote that he’s working with Elastic Beam. The company also has partnered with AWS, Microsoft, Red Hat, HiveMQ to scale IoT traffic, and Caucho Technology, which produces web server and application server software.

Elastic Beam’s software includes the API Security Enforcer (ASE) for traffic processing and enforcement, and the API Behavioral Security artificial intelligence engine. Its AI engine learns the normal API activity on existing API gateways, API management platforms, or APIs implemented directly on app servers, such as Node.js, Tomcat, or WebSphere — in hybrid clouds, public clouds, or on premises. Totally self-learning, it requires no signatures, security rules or policies to be written.

Using Linux, it’s most commonly deployed in containers on bare metal, Azure, AWS or across hybrid environments. It’s fully compatible with tools like Ansible, Chef and Puppet.

“Once the engine determines that there is an attack, we can fit this into an enforcement node or it can be an API so we can just drop the connection at that moment and prevent the hacker from reconnecting. Then we give the customer a ton of information on the attack so they can look into it later,” Harguindeguy said.

But the engine is not relying on any existing rule or policy or knowledge of a previous attack.

“Attacks are constantly changing. If you rely on rules, the rules are quickly outdated,” he said. “With AI, you can get to a level of sophistication so you don’t need to rely on rules and policies to recognize an attack.”

And while artificial intelligence is great for detecting anomalies, by itself, it’s not enough, Harguindeguy said. It requires deep knowledge of security and API behavior to be truly effective.

It detects attacks in three categories:

  • API-specific DoS/DDoS attacks such as cookie management.
  • Log-in attacks, including pre-log-in activity.
  • Attacks on applications, systems, and data such as data theft, deletion, or poisoning.

In the in-band configuration, it acts as a proxy, with negligible latency, through which API traffic must pass. In an out-of-band deployment, Security Enforcer connects with a switch SPAN port to gather and process unencrypted API traffic data between clients and servers. It then forwards the data to the AI engine for detection and reporting.

Security Enforcer shares API information across all ASE nodes to simplify setup, but nodes are not deployed inline and cannot automatically block malicious clients in this configuration.

Today, you need an API definition, which is a JSON file. However, the company is working with several soon-to-be announced partners to eliminate the need for any configuration at all, Harguindeguy said.

In hybrid environments, it supports:

  • Automatic propagation of security information for immediate attack blocking across clouds.
  • Natural resiliency — any node can take over another node’s function.
  • Zero downtime — new APIs, API gateways, application servers, and enforcement points can be added or removed from live environments.

In reporting, many companies using AI to detect anomalies in infrastructure report a score — often on a scale of 1 to 10 — reflecting the probability of an attack. That’s not really helpful, since security teams then have to prioritize and investigate, Harguindeguy said.

Elastic Beam reports incidents in three ways: This is definitely an attack, this is definitely NOT an attack, and this is something to investigate further.

When attacks are detected, the machine learning engine updates Security Enforcer on the attackers to block, if the customer chooses to automate that. ASE then terminates the attackers’ sessions and prevents them from reconnecting. Customers receive reports with fine-grain details such as every command or method used.

It also provides the ability to set traps for hackers through the creation of fake APIs.

Feature Image: “Parkview” by Chris Bartnik, licensed under CC BY-SA 2.0.

