Will Glazier [00:00:00]:
API security and bot management, those two things are inseparable. 1 or the other is not a solved problem. 1 or the other can’t be handled independently. Those teams who use the tools designed to solve those need to work together. Ideally, they need to be using a tool that’s capable of all of the above. Definitely don’t ignore bot management and bot mitigation as part of API security.
Karissa Breen [00:00:38]:
Joining me today is Will Glazier, head of CQ Prime Threat Research team from Cequence Security. And today, we’re discussing why there is a focus on API security in 2024. So, Will, thanks for joining, and welcome.
Will Glazier [00:00:56]:
Thank you, Karissa. So it’s my pleasure to be on.
Karissa Breen [00:00:58]:
Okay. So let’s start. So API Security, in recent times here, specifically in Australia, has been a massive topic. So maybe let’s start there. Let me hear your thoughts because I think this is a very broad topic. So it doesn’t you know, you had to go sort of super deep right now, but just keen to hear your thoughts straight off straight off the bat.
Will Glazier [00:01:16]:
That’s a great question, and I love that you started with that because, you know, API security can mean a 1000000 different things to a 1000000 different people. And it it really all depends on the problem statement. You know, is your problem statement an inventory problem statement where
Chris [00:01:30]:
you just inventory and discovery. You need to know where all your APIs are,
Will Glazier [00:01:30]:
where they’re hosted, and what You need to know where all your APIs are, where they’re hosted, and what’s exposed on the Internet. That’s that inventory problem statement. Is your problem statement a compliance one where you don’t know what kind of sensitive data lives in which APIs? You don’t know which kind of APIs enforce which standards of authentication and authorization and you need to see that traffic and inspect how those APIs are truly behaving to know what’s reality not theory which might be an API spec or is your problem statement 1 where your hair’s on fire, your APIs are being attacked by bots, being actively abused, whether that’s threats like business logic abuse, credential stuffing, account takeover, fraud, you know, leading to monetary loss. All of those things would present themselves as your hair being on fire and money being lost. Right? And so it’s it’s really hard to stop that kind of stuff. It relies on the right tooling in the network. Why is it not keeping up with the threats and what those bad actors and how does it evolve and keep up with retooling over time? So, those are 3 very distinct problem statements, right? Discovery and inventory, you know, compliance and hygiene and then active threat protection and active bot mitigation. But they all fall under this broad umbrella sometimes and so there can be a lot of noise from different vendors on on on that.
Karissa Breen [00:02:53]:
Yeah. So, Will, you mentioned there’s a lot of noise on the topic from vendors. So what do you mean by that? What does the noise look like?
Will Glazier [00:03:00]:
Yeah. I I I think I mean that a lot of people understood that this was a hot area with very hot problems, problems that needed to be solved. Right? That’s what happens in security is when people identify a problem, there’s a lot of people going to try to build businesses to solve that problem. I think that’s natural. What I just mentioned around, you know, API security can mean multiple different things. That noise is also it’s just another layer of difficulty from when I put myself in the shoes of our customers. Right? To sift through some of the messaging and and hone in on what my particular problem is. And then when I’m looking at tools and solutions, make sure that that tool and solution can really nail what my particular problem is.
Will Glazier [00:03:41]:
But also at the same time, you’re balancing the fact of, like, okay, can it solve is it a point solution that solves one problem Or can it actually take care of all the other parts of API security too? Like, can it go through the life cycle of I can find and discover my APIs and inventory them? I can understand where my sensitive data is. And I’m not being attacked right now, but if I do get attacked in that moment of truth, will it be good enough to block bots abusing this or vice versa? Right? You’re you’re you’ve been experiencing a lot of attacks. You’ve you’ve you’ve gotten a handle on it. You’ve been able to block them and you identified why it was such a a hot target. Maybe there was a vulnerability in that API. Maybe there was some weakness in how it was structured. And you want to make sure that no developer puts that type of thing out there again. You gotta kinda test that away in your CICD pipelines, in your dev cycles.
Will Glazier [00:04:32]:
And that’s just a very different it’s like left brain, right brain thinking. You know what I mean? It’s a that’s a very dev centric part of your brain to exercise where the needing to block big bot attacks is a very, like, defensive network security, SOC analyst part of your left brain. And so, you know, not everyone can do everything as human beings. Right? And so that’s that’s where I think that just contributes to the noise as the scope of the problem, but it doesn’t make it any less important, like I was saying, with those with the amount of breaches that have that had that had happened through this vector.
Karissa Breen [00:05:06]:
Okay. So you mentioned before point solutions. So Mhmm.
Will Glazier [00:05:10]:
And you
Karissa Breen [00:05:10]:
probably observed in the market, there was a time where everyone was going, like, super specific point solution, and now it’s like we’re seeing this trend back to, like, consolidation and reduction of tools and things like that. What are you sort of seeing in that space then?
Will Glazier [00:05:23]:
Yeah. It’s a it’s a great question. And, honestly, it’s a question that I think is probably hard to separate from broader macroeconomic trends. Right? Then there’s those, like, classical pictures of those Gartner hype cycles, the the Gartner life cycle hype hype cycle. It’s really funny. I think if you looked at that type of chart, that macro high level view of the bot management market, bot mitigation market, you would see that that market has gone through the journey of the, what is it, the hype the hype cycle and that trough and then the peak of disillusionment and now it’s back and and consolidation and then, you know, and then you reach a stable state where you’ve got strong players and strong capabilities. This bot mitigation, I’ve mentioned that as part of the API security problem. Right? APIs are meant for automated interaction.
Will Glazier [00:06:13]:
That’s, like, their entire purpose. And so we’ve got circumstances where now you have to separate malicious automated traffic from good automated traffic. That’s harder than separating just humans from bots. And so that market as it’s matured, it’s it’s gone through this journey and you’ve seen you’ve seen that happen. And I think that’s what’s maybe a little bit of that is happening with the term of API security or maybe people are finally realizing that really, like, old problem of the the the quote unquote older solved problem of bot mitigation isn’t actually a solved problem. Right? It’s just that APIs are a threat vector that you need to cover as efficiently as effectively as you did cover with bot mitigation defenses that relied on client side instrumentation that was possible on a web browser or a mobile app, but your API channels, right, just cannot have client side instrumentation in them because of the the tools and the the systems they’re interacting with. So it’s just some some old problems reskinned and then some new problems come out of that ecosystem. And I think that when we talk about, like, consolidation that’s that’s how I see the consolidation at least is a little bit of those the the hype cycle coming down off the high and then really wrangling with what’s what what are the core what’s the essence of the problem? What are the hardest things to solve in this problem?
Chris [00:07:48]:
So I
Karissa Breen [00:07:48]:
just wanna zoom out for a moment. Now this seems like a real basic question, but do you think people get how APIs actually work? Because sometimes I think people sort of just, you know, say terminology. But I think and what I mean by that question is, like, the mechanics and perhaps the risks associated with, you know, APIs and stuff like that. So what do you sort of what do you think in that space?
Will Glazier [00:08:08]:
Yeah. That’s that’s a great question. I think, like, people, when you simplify it, it’s easy to understand like what an API is and how it’s working. But yeah, like what you bring up is like all of the things that can be done over, over APIs, all the different operations and interactions with our digital lives that it, like, powers, it’s kinda mind bending sometimes to to understand all of that. I I think maybe a great example that’s tangible that people can visualize to to speak above that is how a lot of Fintech applications interact with your bank accounts, for example. Right? Banks have open API ecosystems. And depending on which country you’re in, there’s, you know, geographical region. There’s different layers of regulation and things that are mandated.
Will Glazier [00:09:02]:
But basically, banks expose APIs for fintech apps to interact with them. Right? It means, you know, when you have a mobile app if you go to your banking mobile app or if you go to maybe like a an investment account mobile app that you have, you’ll see these widgets where they’ll say like plot out your retirement, you know, plot your net worth, plan out your retirement, all that kind of stuff. Just add in your other accounts so you can see things in one place. You can get a holistic picture of your financial health. How does that information get gathered? Right? Oftentimes is that app. Right? Whatever app you’re using is connecting to an aggregator service which is connecting via API again to your bank account. That that middle man, that middle layer of that aggregator service, or maybe the app is going directly, maybe it’s a big enough app. Right? And maybe that that company has passed all of the requisite compliance checks.
Will Glazier [00:09:54]:
But there are a lot of people trying to create startups. Right? And new Fintech apps, new great user experiences like banks of the future. Right? And it’s easier for them to plug into an aggregator, plug into that middleman, all your compliance is taken care of, you’ve passed all those requisite regulations and checks, and and that middle layer is seamless for your users. They have no idea that that data is going through there. They have it it looks to them like a pop up. They enter in their credentials or a token or they they provide maybe they generate an API token in their bank account. They give it the API token so it’s unique and it feels secure. It’s a good user interface a lot of times.
Will Glazier [00:10:32]:
And that whole, like, aggregator access to to bank accounts and it’s not only bank, that same flow of, like, an aggregation middleman that can take place for many different use cases. APIs power that whole thing. And I think that’s a nuance, a level of depth that a lot of people, they see it, they feel it when they use those apps. You see it in that user interface, and the user interface is so slick, and APIs make a lot of that stuff so slick. But how is it working on the back end is pretty it gets quite nuanced, it gets quite detailed, and the problems begin to the challenges nest upon themselves. Right? How do you trace one of those transactions through that middle man all the way, you know, if you’re in your if you’re in the bank’s position, how do you defend that whole ecosystem? Because good guys and bad guys are coming through the same funnel, the same the same tunnel of that middleman basically. So I I find that quite an interesting problem, and I think that’s a good example to just to talk about APIs, their practical uses, and how those practical uses turn into challenges for, you know, defenders in in the security space.
Karissa Breen [00:11:42]:
So how would you defend that whole ecosystem?
Will Glazier [00:11:45]:
Yeah. That’s a great that’s that’s a fabulous, you know, question. And and, ultimately, it involves again, where you stand depends on where you sit. At Sequence, we do actually have we we have customers in the financial space banks, so we’d be protecting them. So we’re sitting where they sit in that case. And we also have some of those aggregator providers who are customers of ours as well. So each of their perspectives differ slightly. I’ll talk about it from the bank’s perspective because I think that’s probably what your listeners and, you know, all of us have bank accounts.
Will Glazier [00:12:15]:
Right? And from their perspective, what’s really hard is joining disparate transactions together. You know, there’s gonna be that that don’t have unifying keys and unifying identifiers. Right? Someone used an app to connect to an aggregator, then that aggregator forwarded along the transaction to you, the bank. That final leg of the connection came from the same IP address, the same yeah, the same IP address that a lot of other good user traffic is coming through. So, you can’t use IP addresses and IP reputation and and organizations and and geographical detections and mitigations to block things. You can’t look at something like, oh, hey, this IP address or this session used a lot of different usernames. Right? Because again, you’ve got that you’ve got that funnel. You need a way to take identifiers that are passed along from that first transaction of which app sent in the request to the aggregator of which user and their, you know, user ID, the email address, the domain, and the reputation of it that came in from the first request to the middleman.
Will Glazier [00:13:28]:
You need a way to join those with stuff that actually came to your servers if you’re the bank. Right? That second request. And so that’s a really hard problem for them. How how do you join those things together in real time and get those defenses into your into your network? And that one tactic right there that it’s that sounds very very tactical, but it’s really really interesting and that is one thing. There’s a capability in the sequence tool suite that that allows users to do that based on, you know, whatever kinda pivot they want. Right? I talked about app IDs and username domains. Right? You can just configure whatever you want so you can join those things together. But that’s how a lot of our partners in the banking ecosystem have to try to defend against these, you know, what we’ve worked with them to develop.
Will Glazier [00:14:19]:
From another perspective though, they’ve got challenges of just separating out, like, all the behaviors automated. Right? Everything that reaches those API servers of theirs from these aggregators is a bot. Right? It’s good bots and then it’s not so good bots. And, you gotta come up with some behavioral profiles, some patterns, ratios, speed, and regularity of how things happen. Those are examples of features that you need to generate and you need to know and you need to have tool in a system to do that math for you fast. So you can split those good normal regular bots that show up every day at the same time from the aggregator because it’s their time to pull your your ecosystem and get the transactions for their users versus the bot that was just subtly different and was coming in a little bit too fast or maybe too slow actually, like there was a minute between every request, exactly a minute on the minute. Right? That that kind of stuff. The behavioral profiling is the second really like like how would you do it? How do you defend that kind of stuff from a from the banking perspective? So those are 2 tactical components of of how folks do it.
Will Glazier [00:15:38]:
And you can see one of the underlying threads between the two of those is it’s very math centric. Right? There’s a lot of big math at scale, statistics, machine learning models that need to be run fast and have interpretable outputs and outcomes for the people charged with stopping abuse and and fraud. And so, on the team I run, that that CQ Prime threat research team includes our machine learning engineering team, and that’s one of their primary charters is basically we need to come up with, you know, the math and the models that can run, that can run relatively lightweight, and then users can understand them. They can turn into rules, they can turn into features that someone that can either just be used right there in the line of the transaction to block or that someone who’s analyzing data offline can automate against and, and scale their lives to, help again protect. Just protect people’s accounts from, in this case, fraud, abuse, theft, and and takeover.
Karissa Breen [00:16:41]:
So what bothers you about ABR Security? Like because, obviously, you’re really at the coalface of this space in the research arena. But what what’s sort of annoying you at the moment?
Will Glazier [00:16:52]:
You’ve asked questions that have had me touch on it multiple times throughout the interview earlier, but I think what bothered me and maybe still bothers a little bit is the noise that’s distracting about this problem, problem statement and and this space. What bothered me in the past was that we didn’t appreciate how much this and bot management, bot mitigation are are are related, are are intertwined and inseparable because APIs are simply a vehicle by which bots attack just like a tortilla chip is a vehicle for your guac. Right? That’s like like that to me was so so clear and obvious that too much talk about the other stuff just seemed distracting from the problem. Right? Now, again, where you stand depends on where you sit. A lot of the time our team spends is in the data with our customers against active attacks, like, billions. I’m talking billions of bots every month that our system’s blocking at some of the biggest environments of the world and and, like, critical, you know, infrastructure and ecosystems like like like the telco space. So that commands the lion’s share of mental mental attention. To be fair, I don’t wanna understate, if you only focus on that stuff, the low hanging fruit can slip right by which is just the amount of times APIs are exposed to the public internet when they weren’t meant to be.
Will Glazier [00:18:18]:
They were meant to be testing and they don’t have authentication and they return real beta from about users, we call it this we have this cheeky term internally that we use. We call it this unholy trinity, a shadow API, with no authentication exposed to the Internet. That’s a simple concept. It’s a low hanging fruit. We do have to solve those things as an industry, and we work at sequence with our our partners to solve that. And some of our partners even in in Australia as well to, like, solve that solve that problem, make sure we take care of the low hanging fruit before we get mentally consumed by the really advanced sophisticated attackers. So, yeah, that was a great question about what what bothers me. And I’d say, yeah, it kinda, I think as an industry, we’re coming to the realisation.
Will Glazier [00:19:06]:
Bot management and API security are are are inseparable, two sides of the same coin. So I think we’re moving in the right direction.
Karissa Breen [00:19:14]:
So just going back to APIs exposed to the Internet, people probably don’t even know that they’ve got that right. And I get you to do discovery and all visibility and all of that, but do you think this is always just gonna be a thing? Like, regardless because sometimes it’s hard to, you know I don’t know. Someone might do something and then they leave the company and then who knows. Right? So and I know you’ve gotta continuously be able to do this, but is there always gonna be this problem that exists out there?
Will Glazier [00:19:39]:
Yeah. It it absolutely will. This this problem is not going away. And especially as you think about the growth, you know, in 2023, 2024 of of of generative AI companies and and and LLMs, being consumed via API which a lot of new companies and new startups and new business growth are you know, those are the platforms and ecosystems they’re building their business, their application on top of. That’s just like you’re linking up. It’s like it’s like putting a pacemaker in your heart, I guess. Right? It’s like you’re linking so close that your APIs are at the foundation of of of your business in that case. So development of those APIs that are, you know, of of your in this case, I’m speaking from the perspective of the the the startup, let’s say, the newer company, creating an API to interact with, like, an LLM from OpenAI for a man for profit, you need to go fast, create a product, you know, gain market share.
Will Glazier [00:20:43]:
You’re gonna be making those types of APIs left and right part of your business. It’s how you’re gonna grow. So that, like, we’re just at the cusp, I think, of of that. I saw some I I saw some stats today, actually. I don’t even know how this came into my mind, but someone talking about a a release that talked about, like, the ratio of, you know, OpenAI’s revenue stream right now and how still the vast majority of it was just from consumer folks like you and I with the $20 subscription per month for the, you know, latest models, chat g p t four. And only 20 to 30% of their revenue was the b to b API stuff right now. That to me says we’re at early stages of of the growth of that stream as an ecosystem for revenue for those LOM providers, but also growth of sprawl on the Internet of APIs using these things. And in that like, that being said, the whole tenor of that sec like, you know, paragraph of my thought was kind of startup centric.
Will Glazier [00:21:45]:
Right? New people building companies on top of those APIs. But all enterprises are looking for big enterprises especially looking for cost reduction. Right? And, a lot of the promise of some of these LLM applications is that, you know, tasks that used to take longer won’t, and cutting man hours and, you know, cutting soft costs associated with some of these these tasks that LLMs are particularly good at. Big enterprises are really really looking for that right now, and they’re gonna invest in it. And then that’s big enterprises, right, developing these new APIs to connect to these ecosystems that are net new. But they have to fit that into an ecosystem that supports a lot of legacy, you know, whether it’s legacy protocols, whether it’s legacy applications, or just works in more of a not big tech centric ecosystem or or industry. Right? I think telecoms are actually a perfect example of an industry where, like, all this API security stuff we’ve been talking about, you layer in with telecoms the next layer of they have to support a lot of protocols. They have to do a lot of stuff.
Will Glazier [00:22:58]:
They have to have a retail website basically where you can buy phones, buy things from them, upgrade your plan, all of that. And then they also have to have a APIs that basically support sending out SMS notifications to subscribers or, some of the some of the white labeled services, let’s say, that use their network, their backbone. That’s how they interact with the ecosystem to send out these SMS messages. And so you just get a lot of you have an extra layer there of having to support a lot of legacy systems, having to develop fast, but also deal with that sprawl. So I think the telecom industry’s particularly got it’s it’s even harder for for them to try to wrap their head around these problems. But, again, they have you know, we work with with with some of them, and there’s really good people that are working really hard on solving that problem.
Karissa Breen [00:23:54]:
But this is the part that gets me. Right? So going back to your point around, you know, companies going fast, new releases, you know, new product, etcetera, it’s getting faster and faster and faster. Right? So if we split it down the middle between, okay, the business is like, in order for us to stay relevant, generate revenue, not fire everybody, we need to do these things. Right? But then I get it, but then it starts to creep into the other side of it, which is the security side of it, which is like, hey. Happy to do that and support that, but then we’re going so fast that’s like, well, we have all these exposed APIs in the Internet. You know, we don’t know what’s going on at this point because we gotta, you know, release things faster and faster. So we’ve sort of, you know, try to solve one problem from a business perspective, but then we’re sort of opening up then another one. So in this conundrum now.
Karissa Breen [00:24:36]:
So how does that then work moving forward?
Will Glazier [00:24:38]:
You’re absolutely right. And that’s like it touches on, you know, the great debate between growth and security. It’s always it’s always a tug of war. Right? And those politics, that’s the one thing. Well, AI certainly won’t be able to solve human nature and and the political push and pull, right, between in circumstances like this that that that’ll stay. But I will offer one modest technical solution to that that problem which is the security folks can help reach a compromise with the business folks in this sense by providing better testing in the development pipeline to avoid some of these common problems. The API sprawl, the sensitive data exposure that doesn’t need to be there, the lack of authentication and authorization, you know, maybe in injection API’s vulnerable to injection attacks, especially when we talk about the LLM stuff, like prompt injection types of attacks. But there are common themes of the types of vulnerabilities and risks you can introduce during API development.
Will Glazier [00:25:42]:
So the idea is build some c I some tests inside your CICD pipeline so that you can code those away and the developers don’t have to worry too much about it. They make what they need to make, they move fast, they push the code into the pipeline, the pipeline spits it out and says you failed this test, here’s what you need to do to fix it, And then they go ahead and they move they’re able to move that much faster. Security in that case is an enabler, not a roadblocker. And that’s a big when when organizations work like that and the 2 teams are actually collaborating pretty well, things are good. That that really helps where it’s instead of just like, no. You don’t see it my way. You don’t understand. No.
Will Glazier [00:26:23]:
You don’t under see it see it my way. You don’t understand. That compromise of helping in the testing and development pipeline is one thing we’ve seen work.
Karissa Breen [00:26:32]:
Wanna switch gears now. I wanna talk about you mentioned a lot about API creep. What is that?
Will Glazier [00:26:38]:
Yeah. API creep, I think that’s maybe just, one way to talk about one particular part of that unholy trinity I mentioned of the common types of API breaches take place on, you know, shadow APIs that expose sensitive data and lack authentication. Well, what is that that first element that first thing I said shadow API. What is a shadow API? Effectively, those are shadow APIs are what come from API creep. Right? They are APIs that are undocumented. There is no spec, no no rules of the road for how it’s supposed to function. People don’t know it exists, don’t know what’s out there. They don’t know what kind of traffic even hits it.
Will Glazier [00:27:24]:
You know, good example of those can be APIs that, you know, a lot of businesses whether they’re consumer or b to b, they have to you know, a lot of people, they they all have CRMs to manage a lot of their, you know, their customer relationships, their prospect relationships and track, you know, inventory, order history, order management, all that kind of stuff. And so your CRM will interact with those APIs. Right? And oftentimes only your CRM will interact with those APIs. But are you sure that only your CRM interacts with those APIs? Is that API actually being hit by other stuff? Is it being exposed to the Internet? Is it does it have the proper authentication and authorization that enforces that only your CRM can interact with those APIs? That’s a perfect example of API creep because somebody had to develop that API to make your CRM interact with because otherwise your CRM would not be delivering the value that it needed to deliver to the team who needs that data. So I think that’s a good kind of example of of API creep is shadow APIs, and that those terms I would use somewhat interchangeably.
Karissa Breen [00:28:34]:
So I’m assuming that shadow APIs are pretty common across most companies from what you’re saying.
Will Glazier [00:28:41]:
Yeah. That’s right. That’s right. Typically, that’s one of the first things when we go into an environment and we run we we run crawls from the outside, but also when we’re like, when our software is, installed and people are sending their traffic to us, One of the first things we do is look at how many of the API of the transactions that are coming through the system match any of the documented specs that exist, and how many don’t. And then of those that don’t, a lot of times what we do next is actually take a a representative basket of that traffic and create the definition. If the definition doesn’t exist that was created by a developer, we will create it and say, alright. Here are the new rules of the road based on the math. Once that baseline’s created, things still deviate from them.
Will Glazier [00:29:27]:
Oftentimes what deviates is those types of shadow APIs. Right? And that means we’re, like, I’ve got an API spec and I’ve got traffic that says this API only takes in data. It only accepts post requests. I can, you know, people send the data to this API. And that’s all well documented. It’s all well and dandy where the gates are the gates are locked and the, you know, the guards are standing at the ready. But then all of a sudden that API also accepts get requests. So people are fetching data from that API and that wasn’t really expected.
Will Glazier [00:30:01]:
It wasn’t documented. That’s an example of a of a shadow API. That’s a common theme of sort of that method, the, you know, divergence and expected and normal methods, which interact which APIs are used for are used with. Excuse me. Yeah. We see that a lot and it’s one of the earliest things we we we tackle with customers and and oftentimes the percentages of APIs that are shadow APIs. Like, it’s not uncommon to see, you know, 10, 20, 30% of the API state is a shadow API. The variance depends mostly on how how many definitions they had before they started with us or not.
Will Glazier [00:30:40]:
It’s not uncommon. People shouldn’t feel, like, bad or embarrassed if they have a bunch, when they start, but it’s all about making that line of how many exist trend in the right direction and just keep chipping away.
Karissa Breen [00:30:52]:
Okay. So this is interesting. I wanna get into this deviation stuff. So how often is that happening?
Will Glazier [00:30:58]:
Yeah. That that happens not just at the beginning. Like you I I I mentioned how that was the first thing we do, right, is looking for, you know, you wanna get the lay of the land, figure out how many APIs they exist and what hosts they’re on, what sensitive data exists, and what the authentication profile is. But, after you get the baseline, the most important thing you can do, like, that’s a lot of focus at the beginning. Right? And then you think you’re good, but what you really need to after that moment in time, what matters the most next is anomaly detection. That’s a that that that’s the key of it. Right? If you can’t detect anomalies, again based on math really and and math and models, like, if you can’t do that, you’re going to struggle to scale and support over the long term because a year from today, some business priority is gonna change. Something’s gonna happen.
Will Glazier [00:31:49]:
Somebody’s gonna need to develop something, and something new is gonna happen that hasn’t happened before, and you need to know when something new has happened. And so that’s a key part of where API security and bot mitigation are the same thing because they rely, like, effective effective manifestations of both rely on quality anomaly detection. And so whether it’s anomalies based on what you see right now in in day 0 of a deployment or anomalies on day 365, you just need to be able to know that, you know, something’s happened. And to relate it back to something I mentioned earlier, right, I talked about those aggregators, and you have good bots and you have bad bots and they’re all coming through the same channel. Well, the anomaly detection in this case is kind of the bad bot detection. Right? Like, usually everything is coming in at the same time. Usually everything is always succeeding because the app already has people’s credentials or the tokens associated with them. But then when one day that success rate drops from 90 to 70, That’s weird.
Will Glazier [00:32:53]:
That’s an anomaly. Right? That’s what we have to identify. Very similar on API, the the API sprawl stuff and the catching those those those shadow API, shall we say. It’s really that anomaly detection, that one get request I talked about where now data’s being fetched and not pushed. Usually, there’s a lot of transactions flowing through these APIs so one request may not stand out. Certainly won’t to the human eye, but that’s where tooling and automation comes in comes in play to help defenders.
Karissa Breen [00:33:23]:
So when you’re sort of presenting this back to a client, are any of them sort of blindsided by this? Like, oh, well, I thought that was all taken care of in terms of, like, the documentation, etcetera, you know, what’s being fetched, for example.
Will Glazier [00:33:35]:
Yeah. Yeah. There’s always cases where people are are surprised and and find it interesting, certainly. I tell you, though, I do think oftentimes people are not surprised that there’s no documentation. That’s again trying to fight you trying to fight human nature is trying to make engineers do better documentation. So that’s kinda why that feature exists of generating the specification and documentation from the traffic because that’s a little way to bypass human nature, shall I say, instead of trying to fight it. I might also not be the best person to speak representatively on that question because a lot of times when I’m working with our clients, they’re we’re talking for a reason. They’re focused on this problem.
Will Glazier [00:34:15]:
They kinda know what things they’re hoping to find in the tool, so it’s not that it’s earth shattering. They always always appreciate that stuff. I’d say where a lot of times maybe people do get surprised is once we move into the attack area, once we move into, like, okay, we’ve identified all the APIs and got all the inventory stuff handled and now we’re talking about one API is getting attacked and getting abused, the scale and scope and sophistication of some of these actors hitting those APIs is crazy. And the arsenal of the the ecosystem that those attackers have to support them, to scale themselves, to obfuscate themselves is quite immense. Like, there are when you’re talking about how to anonymize yourself from an attacker’s perspective, the holy grail of an attack is you’re gonna send a 1,000,000 requests from a 1,000,000 different IP addresses, all of whom belong to the exact same residential IP providers that your target’s customers come from. Right? So being here in the states, that’s like I want Comcast, Verizon, Spectrum, T Mobile IP addresses because when I’m attacking an American target, American people are their primary customers. Right? And you could draw a same parallel to to Australia with, like, with, you know, Telstra IP addresses, Office IP addresses. Those are that’s the ideal ecosystem that an attacker wants access to.
Will Glazier [00:35:43]:
There are these things that we’ve we go into term bulletproof proxy networks, but it’s these residential proxy networks that exist that provide that fuel for the fire that they’re kind of the the oil that makes the engine go of for a lot of these bot attacks. People definitely get surprised at the scale and the scope of those. I’m talking, like, that 1,000,000 request from 1,000,000 IPs, that’s not that big. And a 1,000,000 IPs, that’s like that’s a decent chunk. And that’s not that big in when we talk relative to the types of attack volumes we see, there are pools of proxies that are in the tens of millions, which is pretty crazy when when you think about it. So that ends up being one of the areas where people kinda their eyes get a little bit bigger when when they see the scale and scope of those things.
Karissa Breen [00:36:29]:
Just on that note, just as you’re speaking, what was kinda from my mind was, getting API security is one of those things that sort of flies beneath the radar a little bit. Like, I wouldn’t say people forget about it, but there are, you know, there’s other things out there, you know, like business email compromise. You you know, people like you know, you can see it maybe a little bit more tangible or, like, data breaches, etcetera. But API security just feels like it’s a bit of a a background character.
Will Glazier [00:36:52]:
Yeah. Maybe. I mean, again, hard for me to speak authoritatively when I spend too much of my time living it right, here here here at Sequence. But I think maybe the 2 a a nice way to think about the difference you just called out is that some of those but business email compromise, great example, like social engineering types of of of of security risks. Consumers are the ones that feel the pain from from some of those from from a lot of those. Right? Like if you are the victim of the, shall we say, it’s not a prank, but the the the theft where someone has impersonated your CEO and convinced you to buy $250 of gift cards and send them to them, you are the one who feels that heat. Right? Like you lost money. Generally things I think that make people directly financially harmed makes the news a little bit more.
Will Glazier [00:37:45]:
The API breaches that hit the news, right, those tend to be data leakage issues. Right? This massive soup of data, million records, 2,000,000 records, whatever million records it is, of customer information gets leaked. Now when that happened, you or I right then did not lose anything right then, any money right then. Right? The pain was less acute at that very moment, but it’s all about what happens after. Right? Next comes the fraud, the identity theft, all of those terrible follow on second order effects that take place with that data that’s been leaked. So I think maybe that speaks to some of the newsworthiness or lack thereof, at least the difference between the two categories you called out there. I’ve certainly seen I feel like API security has definitely had its day in the sun as far as, buzz and notoriety. We’re kinda witnessing some of that consolidation, some of that realization that, man, bot management, bot mitigation wasn’t a solved problem.
Will Glazier [00:38:46]:
API security’s quite closely related to it. We gotta be able to solve these. And so it’s just, you know, it’ll be interesting to see where it goes, I think, for sure. And I’m definitely not trying to, by that example or explanation, like, try to downplay the damage of associated with millions of records of purse of PII being leaked. Right? That’s that’s, like, really damaging and really bad, and that’s why a lot of countries are upping their regulatory regimes to try to make sure there are consequences to things like that.
Karissa Breen [00:39:16]:
So, Will, do you have any sort of closing comments or any final thoughts you’d like to leave our audience with today?
Will Glazier [00:39:21]:
The common journey and the common themes between, you know, API security and bot management, I think if I could leave people with one thing, it’s that those two things are inseparable and that one or the other is not a solved problem. 1 or the other can’t be handled independently. Those teams who use the tools designed to solve those need to work together. Ideally, they need to be using a tool that’s capable of all of the above. And that would be my first biggest takeaway. My second maybe biggest takeaway is that I think we’re still in the early days of growth of API first companies, API centric ecosystems. Right? As the new this new wave of companies is gonna be built on top of LLMs exposed as a service, LLMs and models exposed via API, we are going to see entire companies, entire organizations built on top of these APIs. So it’s so core and fundamental to those businesses that you get on top of this problem early.
Will Glazier [00:40:23]:
When you get on top of this problem early and you have a good understanding from the beginning, it does make it a lot easier. In the end, it’s that that I find is quite a difference in perspective when we talk with companies where, you know, they’re already there’s there’s tons of sprawl and legacy issues versus companies that are, you know, in their national stages where they they can at least can see, you know, you can you can get your head head around the the problem. So I think those are those are maybe the two thoughts I could say is we’re early days in, you know, the API in growth of a p I first companies and definitely don’t ignore bot management and bot mitigation as part of API security.