
High-stakes API Security – Protecting Armis’ Security Platform

Michelle McLean
Apr 14, 2021

Remember the adage “the cobbler’s kids have no shoes”? Well, the opposite happens at security companies – security is everyone’s obsession, so imagine how fun it is to run security for a security company. Such is the position Salt customer Curtis Simpson holds. As CISO for the IoT security company Armis, he must manage all the challenges of the typical CISO role – with the added pressure of doing it surrounded by security experts and for such a high-stakes environment. After all, breaches are tough on any company, but they can be irrecoverable for security companies.

Like every company, Armis faced enormous upheaval and change with the onset of the COVID pandemic. Enabling its own folks to work from home was the easy part – now suddenly all of Armis’ customers needed the company’s monitoring, threat hunting, and risk assessment capabilities extended to myriad new devices their customers’ employees were using at home.

To support all those new devices, Armis dev teams suddenly had to create dozens and dozens of new product integrations – and really fast.

“For us, every integration means we build a set of APIs. When we had a relatively short list of integrations to support, we had the time to document all our APIs and do code analysis and pen testing on each new API we wrote, before releasing them. With COVID, we went from 10s of APIs to 100s of APIs in just a few months, and we were tweaking them every week.”

What happens when multiple teams are developing a bunch of new stuff, all in parallel and really fast? Well, for one thing, risk goes up – way up. Suddenly the manual approach Armis had been using to document, scan, and pen test its APIs just couldn’t keep up. And the problem wasn’t temporary – the past year has shown that this faster pace of development is here to stay. Armis’ customers will continue to need support for lots of new device types even as the world returns “to normal” because their customers’ employees will retain a hybrid mode of work, spending some days at the office and others working from home.

Curtis and the security team at Armis were no novices to application security, of course. They had all the controls in place you’d expect – firewalls, WAFs, policies on API gateways.

“But protecting APIs is totally different from protecting your web apps. Our gateway couldn’t show us where we were exposing too much info in an API response, and it couldn’t show what data was being consumed. If one of our APIs were being exploited, I would never know – a gateway doesn’t know what ‘normal’ is for API behavior – knowing that takes context, and a gateway has no context. It processes one transaction at a time and has no notion of state beyond that single transaction. Same with a WAF – it can help when you’re getting pummeled in a high-volume attack, by doing rate limiting, but that’s it. It also has no notion of context – it doesn’t know the logic of an API. And in the API world, attacks are all about exploiting the logic of an API, and all your APIs are different, so defending them requires context.”

Beyond understanding where APIs are exposing sensitive data and blocking API attacks, Curtis was also focused on tapping an API security solution to help with compliance. “Compliance is all about ‘relevant protections.’ If you have a breach, and you don’t have API security, now you’ll get fined because you didn’t have relevant protections in place.”

Curtis wanted an approach to API security that would cover the full lifecycle of APIs – both build and runtime. After researching a few options, the Armis team picked Salt.

“Our immediate priority was to make sure no one was exploiting any of our APIs. We built so many so fast, and we needed to ensure they were protected.” Leveraging Salt for runtime security provides instant and ongoing assurance that, if a hacker did find a way to start to penetrate an Armis API, the Salt platform would immediately flag that anomalous behavior and trigger an alert, or stop the attacker automatically if the Armis team configured Salt to do so.

Curtis was also drawn to the “shift left” capabilities of the Salt platform. “DevOps teams don’t want reactive protection – they’re all about proactive detection. Salt provides actionable info our dev teams can use to make the security of our APIs inherently better.”

For Curtis, the sequencing of these protections matters. “First I want to get protections in place. Using Salt’s API runtime security means we get value right now.” Getting API remediation details to the dev teams comes second. “You can’t shift everything left at once – you need to get protected, and then you can focus on getting your developers the remediation insights.” Salt surfaces these remediation recommendations immediately upon deployment – Armis is working to integrate Salt with its CI/CD pipeline and send those actionable remediation insights to the right dev teams automatically.

Armis has also appreciated other big wins in deploying Salt – the team uses Salt to track how their APIs are used, tooling the dev team would have had to build otherwise. Salt has also helped Armis automate the documentation process and achieve compliance – Salt’s data was key to Armis’ FedRAMP activities.

“What I really love is that Salt’s been a partner every step of the way. Every environment is different, and we’ve needed new capabilities to run Salt effectively in our systems, and the Salt team has worked hand in hand with our team to get us the functionality we need.

“As our business grows, we’ll need more of Salt just to keep up, because we’ll keep creating new APIs by the dozens. We couldn’t ask for a better partner on this journey.”

We here at Salt are super proud of customer success stories like this one. You can share the full case study as well. But don’t just take Curtis’ word for it – request a demo so you can see for yourself how Salt provides runtime security and remediation insights for APIs.