1
00:00:00,000 --> 00:00:08,800
Welcome to the Talking Security podcast.

2
00:00:08,800 --> 00:00:21,120
We will talk about items related to Microsoft's security.

3
00:00:21,120 --> 00:00:26,120
Hi everyone, welcome to a new recording of the Talking Security podcast.

4
00:00:26,120 --> 00:00:32,160
My name is Frans Oudendorp, and together with my co-host Pouyan, we are back with a new recording.

5
00:00:32,160 --> 00:00:35,240
This time we have a nice, severe, glass time.

6
00:00:35,240 --> 00:00:44,480
We talked about Defender for DevOps or DevOps security within Defender for Cloud.

7
00:00:44,480 --> 00:00:46,080
What topic do we have today?

8
00:00:46,080 --> 00:00:49,080
And who is the guest that we have, Pouyan?

9
00:00:49,080 --> 00:00:51,880
Yeah, it's great to be back again, Frans.

10
00:00:51,880 --> 00:00:57,520
Last week we had a great session on the whole DevOps setup on Defender for Cloud.

11
00:00:57,520 --> 00:01:04,600
And today we are going to have a great host where we talk about Defender for API, which we will

12
00:01:04,600 --> 00:01:06,040
touch later on.

13
00:01:06,040 --> 00:01:13,280
Well, Ajinkya, last time we met Defender for API was announced, even yet.

14
00:01:13,280 --> 00:01:17,320
Can you please briefly introduce yourself and the team?

15
00:01:17,320 --> 00:01:19,320
Yeah, definitely.

16
00:01:19,320 --> 00:01:22,400
So, first of all, guys, thank you so much for inviting me.

17
00:01:22,400 --> 00:01:27,960
I'm super ready to be here and talk about the cool innovations we're doing for API security

18
00:01:27,960 --> 00:01:29,400
in Microsoft.

19
00:01:29,400 --> 00:01:34,200
So, I'm a product manager with the Defender for APIs team.

20
00:01:34,200 --> 00:01:38,320
So, Defender for API is one of the API-focused security solutions

21
00:01:38,320 --> 00:01:43,680
we are adding to our Cloud Native Application Protection Platform, which is Microsoft

22
00:01:43,680 --> 00:01:45,320
Defender for Cloud.

23
00:01:45,320 --> 00:01:50,240
So, it's going to be one of the new Defender plans that customers can enable to start

24
00:01:50,240 --> 00:01:57,240
adding that application or API specific security into their Cloud architecture.

25
00:01:57,240 --> 00:01:58,240
Amazing.

26
00:01:58,240 --> 00:02:03,200
Thanks for taking, making time for us to join us today.

27
00:02:03,200 --> 00:02:07,640
Well, I think today's topic is really interesting and important.

28
00:02:07,640 --> 00:02:10,400
Definitely in the time that we are in with Cloud.

29
00:02:10,400 --> 00:02:14,840
And lots of development happening and lots of microservices going on.

30
00:02:14,840 --> 00:02:17,920
Cloud technologies.

31
00:02:17,920 --> 00:02:23,840
And I think with that it is very important to have a lot of visibility, definitely when

32
00:02:23,840 --> 00:02:27,680
it comes to our APIs.

33
00:02:27,680 --> 00:02:35,080
But before we dive deep into Defender for API and the great features it has, maybe

34
00:02:35,080 --> 00:02:44,520
it's good to start, for all our listeners, by defining what an API is.

35
00:02:44,520 --> 00:02:52,440
And when are APIs typically used? Can you give us a general overview for our listeners?

36
00:02:52,440 --> 00:02:59,320
Yeah, I think that is a great starting point to level set everyone's understanding of the

37
00:02:59,320 --> 00:03:03,200
artifact we aim to protect with Defender for APIs.

38
00:03:03,200 --> 00:03:08,280
An API, which stands for Application Programming Interface, is essentially a set of rules

39
00:03:08,280 --> 00:03:12,760
and protocols that allow one piece of software to interact with another.

40
00:03:12,760 --> 00:03:15,240
You can think of it like a waiter in a restaurant.

41
00:03:15,240 --> 00:03:19,720
You give the waiter your order or request and they take it to the kitchen and bring back

42
00:03:19,720 --> 00:03:23,000
the food or the data that you asked for.

43
00:03:23,000 --> 00:03:26,920
The waiter acts as a middleman, ensuring that smooth communication between you and

44
00:03:26,920 --> 00:03:32,400
the kitchen happens without you needing to know how the food was made.

45
00:03:32,400 --> 00:03:38,120
Similarly, an API acts as a middleman between different software systems or services.

46
00:03:38,120 --> 00:03:43,240
APIs are everywhere in today's digital age and have become the default mode of communication

47
00:03:43,240 --> 00:03:46,080
between application components.

48
00:03:46,080 --> 00:03:50,760
When you use an app on your phone to check the weather, book a flight or send a message,

49
00:03:50,760 --> 00:03:54,960
you're often interacting with multiple APIs behind the scenes.

50
00:03:54,960 --> 00:04:02,040
For example, a travel booking app may use one API to check flight availability, another

51
00:04:02,040 --> 00:04:07,440
one to process payments and yet another one to send you a confirmation email.

52
00:04:07,440 --> 00:04:12,640
Businesses today rely on APIs to interact, to integrate with other systems, expand their

53
00:04:12,640 --> 00:04:15,800
functionality and enhance user experiences.

54
00:04:15,800 --> 00:04:19,600
They are crucial in modern software development, playing a role in everything from cloud

55
00:04:19,600 --> 00:04:25,560
applications to internet of things devices to mobile apps and so much more.

56
00:04:25,560 --> 00:04:27,560
Amazing.

57
00:04:27,560 --> 00:04:33,680
So, APIs are actually used everywhere in all kinds of scenarios.

58
00:04:33,680 --> 00:04:42,320
As you explained, do you also see an increase in the use of APIs in the time that we are

59
00:04:42,320 --> 00:04:44,160
in at the moment?

60
00:04:44,160 --> 00:04:47,960
Yeah, right now, like you mentioned, right?

61
00:04:47,960 --> 00:04:51,720
So earlier we had like monolithic application architecture, right?

62
00:04:51,720 --> 00:04:58,200
So where you had maybe tens of hundreds of requests going to one or a handful of servers.

63
00:04:58,200 --> 00:05:05,000
Now as microservices have become the default architectural paradigm and people are constructing

64
00:05:05,000 --> 00:05:11,680
much smaller nimble applications that are independent for independent quite a bit,

65
00:05:11,680 --> 00:05:16,520
APIs have become like I said, the mode of communication for these individual components, right?

66
00:05:16,520 --> 00:05:22,640
So now you have hundreds and thousands of requests going to hundreds and thousands of different

67
00:05:22,640 --> 00:05:24,240
microservices.

68
00:05:24,240 --> 00:05:30,640
So in effect, the complexity of our applications has increased exponentially and also with

69
00:05:30,640 --> 00:05:38,000
that the sheer amount of APIs that we developed has increased significantly.

70
00:05:38,000 --> 00:05:39,000
Yeah.

71
00:05:39,000 --> 00:05:49,120
And well, with all that micro-segmentation, of course, you can also say a lot of things are isolated.

72
00:05:49,120 --> 00:05:54,120
So why is API security then so important?

73
00:05:54,120 --> 00:06:01,120
Okay, give us some examples of the risks associated with APIs.

74
00:06:01,120 --> 00:06:02,320
Yeah, absolutely.

75
00:06:02,320 --> 00:06:08,040
Like, API security is paramount, right, for any organization.

76
00:06:08,040 --> 00:06:13,920
Because, as I mentioned earlier, APIs act as the gateways for different software systems to communicate.

77
00:06:13,920 --> 00:06:18,640
If an API is not secured correctly, it can become a vulnerable entry point for malicious

78
00:06:18,640 --> 00:06:27,680
actors to exploit, gain unauthorized access and potentially compromise the system.

79
00:06:27,680 --> 00:06:33,920
One of the reports from Akamai mentioned that a staggering 83% of web traffic today is coming

80
00:06:33,920 --> 00:06:35,560
from APIs, right?

81
00:06:35,560 --> 00:06:39,280
So that's a significant percentage.

82
00:06:39,280 --> 00:06:44,480
This isn't surprising though, like I said, given the recent technological shifts, we are

83
00:06:44,480 --> 00:06:49,600
seeing towards migration to cloud, adoption of microservices, right?

84
00:06:49,600 --> 00:06:52,840
So this is expected to happen.

85
00:06:52,840 --> 00:06:58,040
And the beauty of microservices is that they are independent, you're they are independent,

86
00:06:58,040 --> 00:06:59,040
right?

87
00:06:59,040 --> 00:07:06,800
So this approach while incredibly powerful and flexible brings with it a heightened level of complexity.

88
00:07:06,800 --> 00:07:10,840
You should think about the sheer volume of interactions that are happening between microservices.

89
00:07:10,840 --> 00:07:13,120
It's exponential.

90
00:07:13,120 --> 00:07:16,440
And it's not just about internal communications.

91
00:07:16,440 --> 00:07:22,800
The prolif-, the proliferation of apps and demand for interconnectivity means that publicly

92
00:07:22,800 --> 00:07:26,000
exposed APIs are skyrocketing, right?

93
00:07:26,000 --> 00:07:30,520
So now the communication is not just happening internally within your application or within

94
00:07:30,520 --> 00:07:38,240
your VNet, enterprises are exposing APIs for the external public as well, right?

95
00:07:38,240 --> 00:07:43,040
Current projections suggest that we will see over 1 billion APIs.

96
00:07:43,040 --> 00:07:45,640
It's basically exposed APIs by 2030.

97
00:07:45,640 --> 00:07:49,360
Now just imagine the security implications of that number, right?

98
00:07:49,360 --> 00:07:55,840
So and one more thing, why API security is important is APIs by their very nature deal

99
00:07:55,840 --> 00:07:57,760
with sensitive data, right?

100
00:07:57,760 --> 00:08:05,520
A breach in an API doesn't just risk exposing this data, the consequences can be catastrophic.

101
00:08:05,520 --> 00:08:11,360
We have seen instances of full account takeovers, disruptions in services and data breaches.

102
00:08:11,360 --> 00:08:16,840
If you look at the most recent API related attacks, a clear pattern will emerge and it's

103
00:08:16,840 --> 00:08:22,040
very apparent to see that the threat is really real and no organization, irrespective of

104
00:08:22,040 --> 00:08:26,480
their size, big or small, no one is immune from this threat, right?

105
00:08:26,480 --> 00:08:33,080
So the aftermath of a compromised API isn't just technical.

106
00:08:33,080 --> 00:08:34,600
It really has a ripple effect, right?

107
00:08:34,600 --> 00:08:43,240
It can lead to loss of customer trust, it can damage a company's PR, there are significant

108
00:08:43,240 --> 00:08:50,280
financial repercussions, in the form of regulatory fines or revenue losses, right?

109
00:08:50,280 --> 00:08:53,720
And in some cases, we're talking about millions of dollars.

110
00:08:53,720 --> 00:09:00,200
So the cost of an API breach is pretty high.

111
00:09:00,200 --> 00:09:05,320
Some organizations can sustain it, not every organization can take that on their balance

112
00:09:05,320 --> 00:09:09,120
sheets and still operate as if nothing's happened, right?

113
00:09:09,120 --> 00:09:10,120
So yeah.

114
00:09:10,120 --> 00:09:14,280
So yeah, if you want to even talk about specific risks, right?

115
00:09:14,280 --> 00:09:20,440
Yeah, so indeed, so the research you mentioned, I think it's really also common in the

116
00:09:20,440 --> 00:09:26,760
time that we are in with organizations going towards the cloud and facing that everything

117
00:09:26,760 --> 00:09:31,440
now has a public endpoint, I think that's similar to what you

118
00:09:31,440 --> 00:09:35,040
are describing with the APIs.

119
00:09:35,040 --> 00:09:41,080
And also that there is no total visibility, everything is micro segmented and you don't

120
00:09:41,080 --> 00:09:48,800
have a fully charged, what we had in the data center time, everything was behind the

121
00:09:48,800 --> 00:09:51,640
firewall.

122
00:09:51,640 --> 00:09:59,880
So if this is such a big topic for organizations, if the numbers are so high and rising constantly

123
00:09:59,880 --> 00:10:06,840
and the risks it'll bring with it, like you mentioned, like one API can lead towards data

124
00:10:06,840 --> 00:10:13,440
leak and getting the whole platform compromised and all kinds of scenarios.

125
00:10:13,440 --> 00:10:20,120
Then the question arises, like, what are the challenges for organizations?

126
00:10:20,120 --> 00:10:29,640
Because to face and protect their APIs, is it that hard for them to do it or what

127
00:10:29,640 --> 00:10:31,640
are the common challenges in that?

128
00:10:31,640 --> 00:10:37,000
Yeah, I think that's a great question and you tell me how much time do we have to cover

129
00:10:37,000 --> 00:10:38,000
this.

130
00:10:38,000 --> 00:10:40,400
So there are so many, so many, right?

131
00:10:40,400 --> 00:10:45,800
So APIs have become integral to modern business processes, right?

132
00:10:45,800 --> 00:10:49,960
And while they bring many benefits, they also introduce unique challenges when it comes

133
00:10:49,960 --> 00:10:51,960
to protection.

134
00:10:51,960 --> 00:10:54,080
Think about the complexity of more modern architecture.

135
00:10:54,080 --> 00:10:55,560
We talked about a bit, right?

136
00:10:55,560 --> 00:11:03,000
So the shift to microservices and decentralized architecture means there are often many more

137
00:11:03,000 --> 00:11:05,240
APIs to manage.

138
00:11:05,240 --> 00:11:12,600
Imagine, you know, organization, how many developers are writing code versus how many security

139
00:11:12,600 --> 00:11:16,640
personnel you have, protecting that threat surface, right?

140
00:11:16,640 --> 00:11:22,640
So each one represents, each API represents a potential attack vector, making the task

141
00:11:22,640 --> 00:11:24,720
of protection more complex.

142
00:11:24,720 --> 00:11:27,480
Then there is lack of visibility, which is a big one, right?

143
00:11:27,480 --> 00:11:32,960
Many organizations don't have a comprehensive understanding of all the APIs that they have,

144
00:11:32,960 --> 00:11:33,960
right?

145
00:11:33,960 --> 00:11:35,400
It's like a Wild West for them.

146
00:11:35,400 --> 00:11:36,800
There are certain APIs.

147
00:11:36,800 --> 00:11:42,640
It really comes down to, like, the organization culture and how diligent application

148
00:11:42,640 --> 00:11:46,800
development teams are in reporting and documenting the APIs, right?

149
00:11:46,800 --> 00:11:52,480
So at any given point, if you're a security operator, you need to have a very comprehensive

150
00:11:52,480 --> 00:11:56,760
understanding of which APIs are being developed, why are they being developed, what kind

151
00:11:56,760 --> 00:12:01,360
of data do they access, who has access to that data, right?

152
00:12:01,360 --> 00:12:02,840
So it becomes a very complex problem.

153
00:12:02,840 --> 00:12:05,200
So there is lack of visibility.

154
00:12:05,200 --> 00:12:08,000
Then you think about rapid development cycles, right?

155
00:12:08,000 --> 00:12:15,000
So when speed to market is of critical essence, right, for business to have a very thriving

156
00:12:15,000 --> 00:12:23,200
presence in the market, when almost for everything that you have has several other alternatives,

157
00:12:23,200 --> 00:12:26,880
rapid application development is of critical essence for innovation.

158
00:12:26,880 --> 00:12:32,000
And then how do you keep your security practices at pace with that rate of development

159
00:12:32,000 --> 00:12:35,400
is another challenge, right?

160
00:12:35,400 --> 00:12:41,000
The question we can talk about is inconsistencies in security policies, right, adopted by

161
00:12:41,000 --> 00:12:44,400
different teams, that can lead to vulnerability.

162
00:12:44,400 --> 00:12:50,400
So you could have as the scale of organization increases, it's obviously a lot more difficult

163
00:12:50,400 --> 00:12:55,000
to have really consistent security standards implemented, right?

164
00:12:55,000 --> 00:13:00,960
So then you start getting a very patchy or you get to develop blind spots in your security

165
00:13:00,960 --> 00:13:03,960
strategy.

166
00:13:03,960 --> 00:13:05,800
So there's a system, that's a big one.

167
00:13:05,800 --> 00:13:11,800
So right now, I think we've been in the shift from legacy systems to cloud architecture

168
00:13:11,800 --> 00:13:16,840
for over a decade now and it's still not, it's still an ongoing trend, right?

169
00:13:16,840 --> 00:13:23,440
So many businesses still rely on older systems that are not designed with modern security

170
00:13:23,440 --> 00:13:25,120
mindset, right?

171
00:13:25,120 --> 00:13:30,320
So integrating those old legacy systems with the new APIs or introducing APIs to do that

172
00:13:30,320 --> 00:13:35,200
into integration also introduces vulnerabilities.

173
00:13:35,200 --> 00:13:36,920
And there are more of these things, right?

174
00:13:36,920 --> 00:13:44,400
There are third-party integrations where you bring in maybe some functionality from an external

175
00:13:44,400 --> 00:13:45,400
party.

176
00:13:45,400 --> 00:13:52,200
So with that comes vulnerabilities that you don't even know about that may exist in your architecture.

177
00:13:52,200 --> 00:13:54,400
So there are so many more challenges, right?

178
00:13:54,400 --> 00:14:00,280
So like I said, we can do a full podcast, just talk about challenges in our, or maybe

179
00:14:00,280 --> 00:14:01,280
a few more initial updates.

180
00:14:01,280 --> 00:14:10,760
So the first point that you mentioned, which was really interesting, is giving the security

181
00:14:10,760 --> 00:14:15,080
teams the access to see what's going on.

182
00:14:15,080 --> 00:14:22,160
And I think that aspect is also applicable for the whole developers, but also here.

183
00:14:22,160 --> 00:14:37,160
I mean giving the security team, letting them assess and react on certain incidents is really important that working together is really key.

184
00:14:37,160 --> 00:14:53,160
So what are some real-world examples of the case, can you share some of those incidents or attacks on APIs that highlighted the need for improvement in security?

185
00:14:53,160 --> 00:14:57,160
Are there any known cases that you can share with us?

186
00:14:57,160 --> 00:15:12,160
Yeah, like see, these are happening day in, day out, right? And like there are plenty of examples I can share. But let's focus on some of the high-profile attacks that have happened in recent years, right?

187
00:15:12,160 --> 00:15:27,160
So like right before we started our podcast recording, we were talking about Optus in Australia, right? So in September 2022 Optus is Australia's third largest telecommunications company.

188
00:15:27,160 --> 00:15:42,160
So for the data breach of victims, of current customers and former customers through an unprotected and publicly exposed API. What it meant is this API did not require any user authentication before facilitating a connection.

189
00:15:42,160 --> 00:16:02,160
So anyone that could have discovered the API on the internet could connect to it without submitting a username or password, right? So that's one example that comes to mind. Overall the amount of customers that got impacted, they are proportional to like 40% of Australia's population, right? So that's huge.

190
00:16:02,160 --> 00:16:14,160
Yeah, then you talk about Facebook and Cambridge Analytica, right? So this is probably the most infamous example because it got a lot of media attention.

191
00:16:14,160 --> 00:16:24,160
But Cambridge Analytica harvested personal data of millions of Facebook users without consent, all made possible through Facebook's API.

192
00:16:24,160 --> 00:16:37,160
So now technically this is not a breach since the API worked as intended. It's a cautionary tale about the need for strong access controls and understanding the downstream consequences of data access.

193
00:16:37,160 --> 00:16:56,160
And then there was the Venmo data leak that happened. Venmo, which is a popular payments app, left its transaction API open to the public. As a result, a researcher was able to scrape details of nearly 7 million transactions, including user names and transaction descriptions, right?

194
00:16:56,160 --> 00:17:08,160
And then go on and on with the list of like high-profile attacks that have happened. And that's why I said earlier that the threat is very real and really no one is immune from it.

195
00:17:08,160 --> 00:17:31,160
Yeah, that because software development and development of infrastructure as code and so on is much more and more. So the need for a security system that is controlling and monitoring APIs must be there. And we're talking about

196
00:17:31,160 --> 00:17:54,160
Defender for API within Defender for Cloud. It's in public preview at the moment that we have this recording. What can you say about Defender for API? How is that helping protect organizations with the APIs that they are facing or that they are using?

197
00:17:54,160 --> 00:18:10,160
Yeah, definitely. So I would love to talk about Defender for APIs, but maybe we should also talk about types of security risks, right? So I know we are an asked about this question and I skipped over it, but what kind of security risks exist, right, with APIs.

198
00:18:10,160 --> 00:18:25,160
So before diving into what the solution is, what are the risks? Let's talk about the problem. Yeah, let's talk about the problem, right? So we talked a bit about information exposure, right? That has happened in the recent attacks. That's very real.

199
00:18:25,160 --> 00:18:40,160
Then there is a second problem of broken authentication or authorization, right? So if APIs don't implement robust authentication mechanisms, attackers can impersonate legitimate users, leading to unauthorized access to data, right?

200
00:18:40,160 --> 00:18:55,160
And this can be your customers' sensitive data like PII information. It could be your organization's intellectual property, right? So anything that is very critical to the success of the business can get compromised.

201
00:18:55,160 --> 00:19:14,160
There are injection attacks. So just like databases or web apps, APIs are susceptible to injection attacks where attackers send malicious data as input to the API to trick it to behave a certain way and get unintended outcomes.

202
00:19:14,160 --> 00:19:29,160
And also, APIs can be exploited, like if there is no proper rate limiting on how many requests a specific user should get or how you handle a certain spike in requests, right?

203
00:19:29,160 --> 00:19:44,160
So without proper rate limiting, an attacker can send a large number of requests to APIs in a short amount of time, potentially leading to a denial of service attack, right? So those are like some of the risks that exist.

204
00:19:44,160 --> 00:20:01,160
And there is no, like, there are security solutions that do bits and pieces of coverage for this, but really you cannot use like a one-size-fits-all solution when it comes to APIs, right?

205
00:20:01,160 --> 00:20:17,160
And you need to understand how an API behaves and what its usage patterns are and then have a very purposeful solution for it. So with that I'll take a pause and then we can talk about Defender for APIs.

206
00:20:17,160 --> 00:20:40,160
I mean to sum it up, I think, can we say that Defender for API does partially security, I mean when it comes to API security, it's partially configuration, partially anomaly detection, like what behavior, so something can be felt but misused in certain ways.

207
00:20:40,160 --> 00:20:52,160
And you also mentioned things like injecting like adding data to proper sorts of some kind of SQL injection behavior but baselines API wise.

208
00:20:52,160 --> 00:21:03,160
Right, yeah, so also so these problems for exist like the APIs and the way we are approaching this, right, so for let's talk about Defender for APIs still here.

209
00:21:03,160 --> 00:21:09,160
So now it's time: how is Defender for APIs exactly going to fix this or help us?

210
00:21:09,160 --> 00:21:23,160
So we talked about the security risks that exist with the APIs. Now let's dive into how Defender for APIs is crafted to comprehensively protect your API infrastructure, right, especially in environments like Azure.

211
00:21:23,160 --> 00:21:48,160
So I'll talk first about the security posture piece, right, so this is where you want to understand your API landscape first, so we help with building a unified inventory of APIs. So like we talked about the disparity in the number of developers building APIs versus security operators trying to protect the landscape.

212
00:21:48,160 --> 00:21:57,160
So with Defender for APIs, organizations can achieve central visibility into all the APIs managed in Azure API Management.

213
00:21:57,160 --> 00:22:09,160
Now once we have detected these APIs and brought them into a single pane of glass, we look at security insights and API hardening, right, so we tell you what can we learn about these APIs.

214
00:22:09,160 --> 00:22:35,160
So we are able to pinpoint APIs directly exposed that are no longer in use, so this could be APIs that you assume were deprecated, maybe they are legacy API versions that shouldn't be lingering around, which typically do not receive the latest security patches, for example. Then we can easily point them out and, as a security persona, you can work with the development team to deprecate those.

215
00:22:35,160 --> 00:22:50,160
Defender for APIs is capable of identifying high-risk misconfigurations, especially scenarios where there is no authentication or inadequate authentication is set up, right, so.

216
00:22:50,160 --> 00:23:04,160
And the last piece in API hardening is to very alertly assess the security controls of the Azure API Management gateway against recognized best practices, right, so that's the secure posture piece.

217
00:23:04,160 --> 00:23:17,160
Another aspect here is also around sensitive data classification, so you know how.

218
00:23:17,160 --> 00:23:36,160
So we use the same classification that customers define to classify APIs based on data they're handling that way you have the visibility into data in motion.

219
00:23:36,160 --> 00:23:50,160
So that's the secure posture piece. Next there is like proactive threat hunting, right, so with the Defender CSPM, Cloud Security Posture Management, plan.

220
00:23:50,160 --> 00:24:13,160
And then we have integration into cloud security explorer and attack path analysis, so security personnel can swiftly prioritize and mitigate risks by querying different particular aspects of APIs to look at what vulnerabilities may exist in the organization.

221
00:24:13,160 --> 00:24:23,160
And the last piece is around threat detection, and with continuous monitoring, Defender for APIs is equipped to detect top OWASP API threats.

222
00:24:23,160 --> 00:24:35,160
We have a set of machine learning-based models and rule-based models to detect active threats against your APIs and generate an alert based on it.

223
00:24:35,160 --> 00:24:50,160
So based on that again, since we are part of the MDC platform, Microsoft Defender for Cloud, all of these insights that we generate or alerts that we generate can be streamed into your popular SIEM solution.

224
00:24:50,160 --> 00:25:06,160
And then incident response teams can respond or trigger a predefined automation to remediate that vulnerability.

225
00:25:06,160 --> 00:25:27,160
Protection technologies that you describe. And before we dive more into details later on on the technologies, I think one of the most important options when it comes to security these days is integration.

226
00:25:27,160 --> 00:25:48,160
You mentioned at the end, for example, the integration with Sentinel. What other Microsoft security products does Defender for API integrate with? Give us also some ideas on what we can achieve after those integrations.

227
00:25:48,160 --> 00:25:58,160
Yeah, like three things come to mind, right, so the current offering that we have comes with initial set of integrations and we will be adding more.

228
00:25:58,160 --> 00:26:02,160
The first one is like I talked about Microsoft Sentinel integration.

229
00:26:02,160 --> 00:26:09,160
So as Microsoft's cloud-native SIEM, which is a security information and event management solution,

230
00:26:09,160 --> 00:26:24,160
Sentinel offers fast threat detection and response capabilities. Defender for APIs feeds its recommendations and alerts into Sentinel, allowing for a holistic view of the threat landscape and coordinated response across various platforms.

231
00:26:24,160 --> 00:26:26,160
So that's the first one.

232
00:26:26,160 --> 00:26:38,160
Second is integration with Azure API Management. So Defender for APIs is not just another bolt-on solution. It's natively integrated into the Azure API Management portal.

233
00:26:38,160 --> 00:26:46,160
This integration means that users do not have to hop between multiple platforms to get a comprehensive view of API security.

234
00:26:46,160 --> 00:27:02,160
By providing this native experience in the APIM portal, Defender for APIs ensures that developers, operations teams and security professionals have a centralized, familiar and efficient environment to manage and secure the APIs.

235
00:27:02,160 --> 00:27:24,160
And then one of the third integrations, which is under works right now or may be live by the time you publish this podcast, is Defender for APIs leverages Microsoft Purview, again, for data discovery and classification capabilities to better understand the types of data that APIs handle.

236
00:27:24,160 --> 00:27:35,160
And this would provide added protection for sensitive or regulated data types, ensuring that API endpoints handling such data are easily identified for risk prioritization.

237
00:27:35,160 --> 00:27:45,160
And last time we talked about DevOps security; that was really easy to put on, it was one checkmark, for example.

238
00:27:45,160 --> 00:27:56,160
How easy is it for the API security within Defender for Cloud to enable that for customers? So how easy is it to start with Defender for API?

239
00:27:56,160 --> 00:28:09,160
Yeah, it's a great question, right, so getting started with Defender for APIs is designed to be straightforward and seamless, especially for those who are already familiar with Microsoft Defender for Cloud.

240
00:28:09,160 --> 00:28:23,160
Defender for APIs shows up as one of the new Defender plans in Defender for Cloud. Customers can navigate to the Defender plans page to review plan details and enable API security at a subscription level.

241
00:28:23,160 --> 00:28:40,160
Today you can select which APIs you would like to protect from a given subscription. Soon we will also add an option for customers to protect all APIs under a given subscription at scale. Likewise there is also a native experience in Azure API management.

242
00:28:40,160 --> 00:28:54,160
Where on the side navigation under security there's a new label for Defender for Cloud and customers can follow that link within the Azure API Management portal.

243
00:28:54,160 --> 00:29:00,160
To enable Defender for APIs, right, so there is a native experience there in itself.

244
00:29:00,160 --> 00:29:09,160
So it's really straightforward for customers to enable that at the moment in public preview.

245
00:29:09,160 --> 00:29:11,160
Yes, that is correct.

246
00:29:11,160 --> 00:29:29,160
Yeah, it's amazing to see how easily some complex issue can be fixed by just going to Defender for Cloud and enabling some settings.

247
00:29:29,160 --> 00:29:48,160
So I think you mentioned a lot of the security risks and I was curious, like, what is in your opinion the significance of API security in today's digital world and why should organizations pay special attention to it, as you mentioned a lot of the risks.

248
00:29:48,160 --> 00:29:53,160
But what would be the key for you to focus on?

249
00:29:53,160 --> 00:30:10,160
Yeah, like in today's hyper-connected digital world the role of APIs has never been more prominent, right? So making API security the most paramount problem to solve, right? So,

250
00:30:10,160 --> 00:30:22,160
I think it was a Gartner study that pointed out that APIs are the top attack vector that bad actors use for exploiting an enterprise, right? So we talked about flow reflux.

251
00:30:22,160 --> 00:30:41,160
So we talked about digital transformation so as companies adopt more and more cloud infrastructure or microservices and they are dealing with legacy systems.

252
00:30:41,160 --> 00:30:54,160
So these APIs are fueling a lot of that transformation so again that is important there is sensitive data handling through APIs.

253
00:30:54,160 --> 00:31:08,160
And I think one thing that we haven't touched upon is the regulatory scrutiny, right? So again, with data protection laws like GDPR, CCPA or HIPAA and others coming into play,

254
00:31:08,160 --> 00:31:16,160
so they are under stringent regulations to protect users' data, right? Insecure APIs can lead to non-compliance,

255
00:31:16,160 --> 00:31:30,160
result in heavy fines and legal ramifications. So again, like, that underscores the motivations for the organization to invest in API security.

256
00:31:30,160 --> 00:31:42,160
And if you would look at the organization type, which type of business or organization will benefit the most, in your opinion, from Microsoft Defender for APIs at the moment?

257
00:31:42,160 --> 00:31:48,160
Yeah I think that's a great question and I have a lot of relays to go through right so.

258
00:31:48,160 --> 00:32:04,160
The great thing is that Defender for APIs is designed with versatility in mind, right? So aiming to address a broad spectrum of API security concerns that organizations face today.

259
00:32:04,160 --> 00:32:18,160
So that said, let's look at specific sectors or businesses, right, that can really benefit. So first is large enterprises, right? Especially those with complex IT infrastructure.

260
00:32:18,160 --> 00:32:33,160
So the APIs spanning across different departments or branches will find significant value. The centralized visibility aspect that we bring is like a boon for security operators.

261
00:32:33,160 --> 00:32:44,160
Financial institutions is another one. Think about banks, payment gateways or fintech startups that rely heavily on APIs for transactions, data transfer or third-party integrations.

262
00:32:44,160 --> 00:32:54,160
Other organizations with APIs facilitating data exchange between medical devices, patient record systems and other health platforms.

263
00:32:54,160 --> 00:32:59,160
Data privacy and meeting regulatory standards like HIPAA become crucial.

264
00:32:59,160 --> 00:33:04,840
E-commerce platforms. These are businesses relying on APIs for payment processing, inventory management,

265
00:33:04,840 --> 00:33:14,120
customer data handling. Telecommunications, like we talked about Optus in Australia. So, that's one

266
00:33:14,120 --> 00:33:21,640
area. Startups and innovators, like we talked about large organizations on the top end, smaller

267
00:33:21,640 --> 00:33:28,200
organizations as well, especially those in the tech domain, right? So, often building their

268
00:33:28,200 --> 00:33:34,040
entire business models around digital platforms. These young companies can establish strong

269
00:33:34,040 --> 00:33:42,520
security foundations early on by leveraging solutions like Defender for APIs. So, really, the answer

270
00:33:42,520 --> 00:33:52,760
is almost everyone can benefit. That was almost my real-time. Yeah. Exactly. So, it's awesome to see

271
00:33:52,760 --> 00:33:59,800
that to hear also that the product is developed not only for the enterprise, but also accessible

272
00:33:59,800 --> 00:34:09,160
for a younger and a smaller organization. That means that you guys have simplified the stepping

273
00:34:09,640 --> 00:34:17,880
for those organizations as well. And the product is able to do advanced configuration for enterprises,

274
00:34:17,880 --> 00:34:24,040
for example, maybe. So, now we talked about the organization types. Maybe it's also awesome

275
00:34:24,040 --> 00:34:31,240
to dive a little bit deeper into the product and how Defender for APIs operates as well.

276
00:34:32,040 --> 00:34:37,160
For instance, what technologies or methodologies are used for threat detection and response?

277
00:34:39,000 --> 00:34:44,920
Right. Let's see, what can I share? I can't talk a ton about the product's

278
00:34:44,920 --> 00:34:50,200
inner workings right now because we are in the preview phase. But at the heart of Defender

279
00:34:50,200 --> 00:34:56,120
for APIs' threat detection mechanism is a combination of advanced machine learning models.

280
00:34:57,240 --> 00:35:02,520
These models analyze API patterns and identify anomalies that deviate from the baseline.

281
00:35:03,080 --> 00:35:08,520
For example, if there is a certain spike in the request volume or unexpected data transfer,

282
00:35:08,520 --> 00:35:15,400
the system recognizes it as anomalous and triggers an alert. Once a threat is detected,

283
00:35:15,400 --> 00:35:20,680
customers can orchestrate threat response via custom Logic Apps or workflow automation.

284
00:35:21,240 --> 00:35:28,280
So, this could include isolating the affected API, blocking malicious IP addresses

285
00:35:29,160 --> 00:35:37,560
or initiating a predefined recovery protocol. Similarly, one of the cool things is around

286
00:35:37,560 --> 00:35:43,480
sensitive data classification. So, the data from an organization perspective are like crown

287
00:35:43,480 --> 00:35:49,800
jewels and they invest a lot in protecting data in different storages. So, that's data at rest.

288
00:35:50,760 --> 00:35:56,520
What we bring to the table is same type of data classification or identification

289
00:35:56,520 --> 00:36:00,920
when the data is in motion through APIs. Now, you get that complete picture of

290
00:36:02,120 --> 00:36:06,040
how the data resides in different storages. At the same time, while it's transiting through

291
00:36:06,040 --> 00:36:12,840
APIs, we are able to use the same classification that you may have defined to call that out.

292
00:36:15,640 --> 00:36:21,080
Amazing. So, all this technology that is used on there is also technologies for example,

293
00:36:21,080 --> 00:36:28,120
used by products that you mentioned like Purview. I mean, this is because there is a lot of integration

294
00:36:28,120 --> 00:36:37,560
going on. And looking towards the future, looking at the products and the integration that are

295
00:36:37,560 --> 00:36:44,360
now in place, like you mentioned integration with SIEM, building your own response there, or

296
00:36:44,360 --> 00:36:54,680
integration with Purview or other topics, what are the future developments and what can we expect

297
00:36:54,680 --> 00:37:02,040
to see even more, based on what you can share, of course, in Defender for APIs?

298
00:37:03,880 --> 00:37:10,680
Yeah. Like, without giving too many specifics, right? So, I think in general, like

299
00:37:10,680 --> 00:37:15,800
API security space spans across, or should span across, the full API lifecycle, right?

300
00:37:17,160 --> 00:37:22,600
Which includes discovery of APIs, understanding what you can learn about those APIs,

301
00:37:22,600 --> 00:37:27,080
then there is protection, what can you do to protect your existing threat landscape,

302
00:37:28,360 --> 00:37:33,960
detection, which is runtime. How do you monitor APIs, what's flowing through the APIs,

303
00:37:33,960 --> 00:37:38,680
who's accessing those, and then response, right? So, if you detect an anomaly

304
00:37:38,680 --> 00:37:44,040
or a threat, how do you respond to it? So, we will continue investing along all of those

305
00:37:44,040 --> 00:37:50,680
areas, right? So, from a discovery side, for example, today we support APIs managed in

306
00:37:50,680 --> 00:37:57,960
Azure API Management. So, we'll look to add even more sources of APIs, depending on

307
00:37:59,720 --> 00:38:05,320
where we feel is the biggest customer ask. So, there we will expand our discovery capabilities,

308
00:38:06,200 --> 00:38:11,080
in terms of understanding, we'll look at understanding the context of access or

309
00:38:13,080 --> 00:38:17,080
understanding the intent behind an API creation, for example.

310
00:38:17,080 --> 00:38:28,120
In terms of protection or I think shift left is another thing that is interesting for us,

311
00:38:28,520 --> 00:38:34,520
right? So, how can you find vulnerabilities before they end up in production?

312
00:38:35,880 --> 00:38:43,160
That's an area of interest. And lastly, the detection piece, right? So, we already have a robust

313
00:38:43,160 --> 00:38:49,320
set of machine learning detections. So, we'll continue fine-tuning those in terms of accuracy

314
00:38:49,320 --> 00:38:56,760
and adding more actionability to those detections. And then what more can we do in terms of

315
00:38:56,760 --> 00:39:05,800
finding new threats that keep evolving? Amazing. I think a lot of good to look forward for.

316
00:39:05,800 --> 00:39:14,520
I think definitely listening to you and then hearing that so many APIs are around the world,

317
00:39:15,560 --> 00:39:23,320
definitely taking it to a broader scene or giving more coverage over the APIs would be really awesome.

318
00:39:25,160 --> 00:39:28,840
Yeah, I think we covered a lot. You covered a lot today.

319
00:39:28,840 --> 00:39:35,720
If you look into the future, I want to take the opportunity to make another appointment,

320
00:39:35,720 --> 00:39:39,080
maybe in a few months or in a half year or so.

321
00:39:40,360 --> 00:39:47,960
Can we come back and do another recording later on if the product is GA for example in the next

322
00:39:47,960 --> 00:39:53,720
future, because we're now still in public preview. Somewhere, it will be GA.

323
00:39:53,720 --> 00:40:01,560
If it's GA, can we do another one as well to talk about what's new and how we can

324
00:40:01,560 --> 00:40:06,280
organize that? Yeah, definitely. I would love to come back and speak with you and your

325
00:40:06,280 --> 00:40:13,080
audiences about the cool innovations we continue to do on the platform. It's exciting space.

326
00:40:13,080 --> 00:40:18,760
We are innovating every single day. So, there will always be more to talk about. So,

327
00:40:18,760 --> 00:40:21,240
I would love to come back sometime in the future.

328
00:40:21,240 --> 00:40:28,360
Shall we? Let's do that. One last question. Is there some remark for our listeners that you

329
00:40:28,360 --> 00:40:35,560
want to make, or is there a highlight that you want to point out regarding Defender for APIs, or is

330
00:40:35,560 --> 00:40:42,840
a call or a call to action or something else? Is there something you want to say to our listeners?

331
00:40:44,040 --> 00:40:48,200
Yeah, I would keep it simple. Great. I go right out.

332
00:40:48,200 --> 00:40:55,240
We are, like I like to say typically when I go talk to customers, we are on the ground floor right now.

333
00:40:55,240 --> 00:41:01,000
Right? So, this is the time when you get to touch and feel the product and shape it.

334
00:41:01,000 --> 00:41:06,440
So, try it out. Give us feedback and we'll act on it.

335
00:41:07,080 --> 00:41:09,000
I mean, it's really easy to turn it on.

336
00:41:11,000 --> 00:41:13,000
Yeah, actually.

337
00:41:13,000 --> 00:41:21,080
Yeah, thank you, Ajinkya, for joining us today. I think it's a really great topic.

338
00:41:21,880 --> 00:41:27,400
Also for our listeners, at least to be aware of the fact that this is going on.

339
00:41:27,400 --> 00:41:34,760
I think a lot of organizations aren't aware of this topic or that it's good to point it out.

340
00:41:35,400 --> 00:41:41,800
Thanks for joining us. Thanks for sharing your feedback to our listeners.

341
00:41:41,800 --> 00:41:54,520
How to get started? What to watch for? The importance of this topic for us for all of us.

342
00:41:55,560 --> 00:41:56,200
Yeah, thank you.

343
00:41:57,640 --> 00:41:58,760
And thanks, Ajinkya.

344
00:41:58,760 --> 00:42:02,760
Thank you, as a listener. Thanks for listening to this episode.

345
00:42:02,760 --> 00:42:09,880
I'm listening because we don't have a video of this at the moment, but later on we will do that as well.

346
00:42:09,880 --> 00:42:17,880
But hopefully we see each other next time. But before next time, when we record,

347
00:42:17,880 --> 00:42:24,760
you can hit the subscribe button on YouTube or on our podcast platforms to subscribe.

348
00:42:24,760 --> 00:42:31,160
Because if you do that, you know when the latest recording will be online. So please do that.

349
00:42:31,160 --> 00:42:37,240
If you have feedback on our recordings, please let us know. That can be on our socials

350
00:42:37,240 --> 00:42:42,360
or on our website talkingsure.nl. You can see everything about it.

351
00:42:42,360 --> 00:42:48,600
And yeah, we continue this Defender for Cloud series. Next time, probably with a Defender for

352
00:42:48,600 --> 00:42:53,640
Containers or Defender for OT. Let's see a lot of great sessions in the planning.

353
00:42:53,640 --> 00:43:13,320
So yeah, we have a lot to do. So thank you for now. And let's see each other next time. Thank you.

