It’s cool to win banks as customers – it’s even more cool when they go public with the news!
We’re proud to share this news, given how essential security is to financial institutions. The combination of working under extensive regulations and the criticality of protecting customers’ sensitive financial data sets the bar for security pretty high.
I especially enjoyed my conversation with Ryan Melle, SVP and CISO at Berkshire Bank. He’s a pragmatist, and he gets things done quickly. As with so many banks, Berkshire Bank is leveraging APIs to build a broader ecosystem with FinTechs and innovate fast. This skyrocketing use of APIs comes with a price.
“We’re seeing an increase in the number of API transactions, but we’re also seeing an increase in API attacks. We have to keep our data secure and our regulators happy, and we can’t get in the way of digital transformation – Salt fits right into that,” said Melle.
Because traditional solutions, such as web application firewalls (WAFs) and API gateways, lack the ability to correlate API activity over time, they can’t adequately protect this expanding attack surface. Bad actors have to probe APIs to understand the business logic and look for vulnerabilities. This reconnaissance means API attacks are low and slow, and API security solutions must be able to spot this behavior as it occurs and before the bad actors achieve their targets.
Just as WAFs can’t correlate traffic over time, VM- or server-based API security solutions also fall short, lacking the scope of data and real-time analysis needed to build context to spot API attacks. Only cloud-scale big data, with sophisticated ML and AI doing real-time analysis yields the context needed to identify API attacks, which often unfold over days, weeks, and even months.
Berkshire Bank is tapping the Salt Security patented API Context Engine (ACE) architecture to get a full inventory of its APIs, perform API design analysis, ensure data protection by evaluating all traffic leaving the bank, and deliver runtime protection to stop API attacks.
According to Ryan,
“We considered other solutions, but they didn’t provide the range of capabilities we needed – we found the Salt architecture to be unique. The Salt system got stood up in a day, so it’s been simple operationally too.”
With Salt Security, Berkshire Bank can protect its APIs from account takeover (ATO) and ensure the safety of their services. Read more about how Berkshire Bank uses the Salt API security platform in this case study.
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.