Securing APIs With Salt Security Using Agentless Amazon VPC Traffic Mirroring

Elad Koren
Sep 9, 2021

Overview

AWS-based applications and API-based applications are nearly synonymous – APIs form the core of today’s cloud-based applications. APIs enable business-critical services and exchange sensitive data such as customer account details, credit card numbers, and other personally identifiable information (PII). APIs by nature expose the inner workings of applications (API logic) as well as the data those applications use – this combination has made APIs a top target for attackers looking to extract valuable customer data, execute fraudulent transactions, or disrupt services. Protecting API-based applications from these threats has become a top priority for every API-rich organization, enabling them to protect customer information, prevent service disruption, and meet compliance requirements.

Salt protects the APIs at the core of all modern applications. Our platform continuously analyzes API traffic, applying our patented artificial intelligence (AI) and machine learning (ML) to build a rich context of API usage and behavior. In our analysis, we discover all APIs running in your environment, uncover sensitive data exposure, detect and stop attacks, and provide insights to help you eliminate vulnerabilities and continuously harden your APIs. AWS customers can secure API traffic with Salt Security by leveraging Amazon VPC Traffic Mirroring.

Mirroring VPC Traffic to Salt

Our fully automated process makes it quick and easy to set up VPC Traffic Mirroring and enable advanced protection for your APIs. The Salt Security Mirroring Policy for AWS uses the native Amazon VPC Traffic Mirroring capability to capture a copy of network traffic directly from supported AWS EC2 instances and send that copy of traffic to our solution for analysis. VPC Traffic Mirroring supports inbound and outbound traffic rules and packet truncation so that you can define the exact traffic you want sent to Salt for analysis and API protection. Our solution is not inline with network traffic, and using VPC Traffic Mirroring with our mirroring policy will have no impact on your AWS workloads, application performance, functionality, or availability.
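To make the mirroring setup concrete, the following is an added example of what a VPC Traffic Mirroring configuration with inbound and outbound rules and optional packet truncation looks like through the boto3 EC2 API. It is illustration written for this page, not Salt Security's automated mirroring policy or its code; the ENI ID and the Network Load Balancer ARN are constructed placeholders, and the DryRunEC2 class only records the calls so the script runs offline (swap in boto3.client("ec2") to provision for real).

```python
"""Provision Amazon VPC Traffic Mirroring toward an out-of-band analysis target.

Added illustration, not Salt Security's automated mirroring policy. It assumes
the analysis appliance sits behind a Network Load Balancer (placeholder ARN)
and that the source is the ENI of a supported EC2 instance (placeholder ID).
"""

# Constructed placeholder identifiers; replace with values from your account.
SOURCE_ENI = "eni-0123456789abcdef0"
TARGET_NLB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                  "loadbalancer/net/mirror-target-PLACEHOLDER/0123456789abcdef")


def filter_rules(api_ports=(443,)):
    """Build inbound and outbound accept rules for the API ports.

    A mirror filter mirrors only packets that match an accept rule, so traffic
    not listed here (SSH, health checks, backups) never leaves the VPC.
    """
    rules, number = [], 100
    for direction in ("ingress", "egress"):
        for port in api_ports:
            # Inbound: client -> API, so the API port is the destination port.
            # Outbound: API -> client, so the API port is the source port.
            port_key = "DestinationPortRange" if direction == "ingress" else "SourcePortRange"
            rules.append({
                "TrafficDirection": direction,
                "RuleNumber": number,
                "RuleAction": "accept",
                "Protocol": 6,  # TCP
                "SourceCidrBlock": "0.0.0.0/0",
                "DestinationCidrBlock": "0.0.0.0/0",
                port_key: {"FromPort": port, "ToPort": port},
            })
            number += 10
    return rules


def session_params(source_eni, target_id, filter_id, packet_length=None):
    """Parameters for create_traffic_mirror_session.

    PacketLength truncates every mirrored packet to that many bytes. Leaving it
    unset mirrors whole packets, which an API analyser needs in order to see
    HTTP headers and bodies; truncation suits metadata-only use cases.
    """
    params = {
        "NetworkInterfaceId": source_eni,
        "TrafficMirrorTargetId": target_id,
        "TrafficMirrorFilterId": filter_id,
        "SessionNumber": 1,  # lower session numbers take priority on the same ENI
        "Description": "mirror API traffic to analysis target",
    }
    if packet_length is not None:
        params["PacketLength"] = packet_length
    return params


def provision(ec2, source_eni=SOURCE_ENI, target_nlb_arn=TARGET_NLB_ARN,
              api_ports=(443,), packet_length=None):
    """Create filter, rules, target and session with boto3 EC2 client calls."""
    filt = ec2.create_traffic_mirror_filter(Description="API traffic filter")
    filter_id = filt["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    for rule in filter_rules(api_ports):
        ec2.create_traffic_mirror_filter_rule(TrafficMirrorFilterId=filter_id, **rule)
    target = ec2.create_traffic_mirror_target(
        NetworkLoadBalancerArn=target_nlb_arn, Description="analysis appliance NLB")
    target_id = target["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    session = ec2.create_traffic_mirror_session(
        **session_params(source_eni, target_id, filter_id, packet_length))
    return {"filter_id": filter_id, "target_id": target_id,
            "session_id": session["TrafficMirrorSession"]["TrafficMirrorSessionId"]}


class DryRunEC2:
    """Records the calls provision() would make instead of talking to AWS."""

    def __init__(self):
        self.calls = []

    def _record(self, name, kwargs, key, value):
        self.calls.append((name, kwargs))
        return {key: value} if key else {}

    def create_traffic_mirror_filter(self, **kw):
        return self._record("create_traffic_mirror_filter", kw,
                            "TrafficMirrorFilter", {"TrafficMirrorFilterId": "tmf-dryrun"})

    def create_traffic_mirror_filter_rule(self, **kw):
        return self._record("create_traffic_mirror_filter_rule", kw, None, None)

    def create_traffic_mirror_target(self, **kw):
        return self._record("create_traffic_mirror_target", kw,
                            "TrafficMirrorTarget", {"TrafficMirrorTargetId": "tmt-dryrun"})

    def create_traffic_mirror_session(self, **kw):
        return self._record("create_traffic_mirror_session", kw,
                            "TrafficMirrorSession", {"TrafficMirrorSessionId": "tms-dryrun"})


if __name__ == "__main__":
    ec2 = DryRunEC2()
    print(provision(ec2))
    for name, kwargs in ec2.calls:
        print(name, kwargs)
```

The point to check before enabling a session: a filter with no accept rules mirrors nothing, and a PacketLength set for a metadata-only use case silently hides the HTTP payload that API analysis depends on, so leave it unset unless header-only capture is the intent.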

Using Mirrored Traffic To Protect APIs

The Salt architecture is built on patented AI and ML and continuously analyzes the copy of API traffic sent to our platform’s big data engine. By continuously analyzing API traffic, we provide advanced protection for APIs that includes:

Automated, granular API discovery

We automatically identify all the APIs in your AWS environment, uncover where those APIs are exposing sensitive data, and maintain an up-to-date catalog with granular details for each API. With continuous analysis of API traffic, you’ll know when a new API is introduced to your environment, when an existing API is updated, and when sensitive data exposure changes. This insight helps you maintain a complete, up-to-date view of your attack surface, understand risk, and meet the requirements of compliance mandates.

Real-time API attack detection and prevention

A core function of Salt is to analyze API traffic to identify attacker activity and block attacks, something impossible to do without big data, AI, and ML. By continuously analyzing the traffic sent through VPC Traffic Mirroring, we create a baseline of normal behavior for each API, and from that baseline we gain the context needed to identify behavior that falls outside of normal activity. Simply identifying these outliers is not enough, so our platform also correlates activity, associating it back to the attack source. Through correlation of activity, we separate benign anomalies from malicious ones to nearly eliminate false positives and pinpoint attackers early in their reconnaissance process.

Correlated activity sent from Salt provides security teams with the full timeline of attacker activity and the details needed so they can quickly analyze and take action to block potential attacks with confidence. We block attackers by integrating with tools that already exist in your AWS environment, such as the Amazon API Gateway, AWS WAF, or other existing inline enforcement points. We can automate blocking by interfacing directly with enforcement tools or integrating with your existing incident response workflows.
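The baseline, outlier and correlation steps described above can be shown on a small scale. The following is an added example written for this page, not Salt's platform code: it builds a per-endpoint baseline from constructed access-log lines (the log format, the IP addresses and the traffic mix are all made up here), flags sources that deviate from it, and then attributes the anomalies back to their source so that a single heavy but well-behaved client is kept apart from a source that is anomalous across several endpoints.

```python
"""Baseline, outlier and source-correlation logic over API access-log lines.

Added illustration of the approach described above, not Salt's platform code.
The log format and the sample traffic below are constructed for this example.
"""
import re
from collections import defaultdict
from statistics import median

LOG_RE = re.compile(r'(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})')

# Constructed sample traffic: (source IP, path template, status, repetitions).
# 10.0.0.1/2/5 are ordinary clients, 10.0.0.3 is a bulk client that is heavy on
# one endpoint, 10.0.0.4 enumerates IDs across two endpoints and mostly fails.
SAMPLE_SPEC = [
    ("10.0.0.1", "/users/1", 200, 3), ("10.0.0.1", "/orders/7", 200, 2),
    ("10.0.0.2", "/users/2", 200, 2), ("10.0.0.2", "/orders/9", 200, 2),
    ("10.0.0.5", "/users/5", 200, 2), ("10.0.0.5", "/orders/3", 200, 3),
    ("10.0.0.3", "/orders/4", 200, 9),
    ("10.0.0.4", "/users/{}", 404, 9), ("10.0.0.4", "/orders/{}", 403, 9),
]
SAMPLE_LOG = "\n".join(
    f'{ip} "GET {path.format(i)}" {status}'
    for ip, path, status, n in SAMPLE_SPEC for i in range(1, n + 1))


def normalize(path):
    """Collapse numeric path parameters so /users/42 and /users/7 share one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse(log_text):
    """Return (source IP, endpoint, status) tuples for every parseable line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m["ip"], normalize(m["path"]), int(m["status"])))
    return events


def per_endpoint_stats(events):
    """endpoint -> source IP -> [request count, error count]."""
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ip, endpoint, status in events:
        counters = stats[endpoint][ip]
        counters[0] += 1
        if status >= 400:
            counters[1] += 1
    return stats


def find_anomalies(stats, volume_factor=2.5, error_rate_limit=0.5):
    """Per endpoint, the baseline is the median request count per source.

    A source is an outlier on that endpoint if it exceeds the baseline by
    volume_factor, or if most of its requests fail (typical of ID enumeration).
    """
    anomalies = defaultdict(list)  # ip -> [(endpoint, reason)]
    for endpoint, per_ip in stats.items():
        baseline = median([reqs for reqs, _ in per_ip.values()])
        for ip, (reqs, errs) in per_ip.items():
            if reqs > volume_factor * baseline:
                anomalies[ip].append((endpoint, "volume"))
            if errs / reqs > error_rate_limit:
                anomalies[ip].append((endpoint, "errors"))
    return anomalies


def correlate(anomalies, min_endpoints=2):
    """Attribute anomalies to their source.

    A source that is anomalous on a single endpoint is treated as a benign
    outlier (e.g. a bulk export client); anomalies spread across endpoints are
    what reconnaissance looks like, so those sources are reported together
    with the full list of findings as the timeline for the analyst.
    """
    attackers, benign = {}, {}
    for ip, findings in anomalies.items():
        bucket = attackers if len({ep for ep, _ in findings}) >= min_endpoints else benign
        bucket[ip] = sorted(findings)
    return attackers, benign


def analyze(log_text=SAMPLE_LOG):
    return correlate(find_anomalies(per_endpoint_stats(parse(log_text))))


if __name__ == "__main__":
    attackers, benign = analyze()
    print("correlated attack sources:", attackers)
    print("benign outliers:", benign)
```

On the constructed sample, 10.0.0.3 trips the volume check on one endpoint and is reported as a benign outlier, while 10.0.0.4 trips both the volume and the error-rate checks on two endpoints and is the only source correlated as an attacker; the thresholds and the two-endpoint rule are illustrative knobs, not values from the post.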

Continuous API security improvement

Remediation of API gaps is another important Salt capability enabled by the analysis of API traffic. Only Salt is able to turn attackers into penetration testers and gain insights from their activity as they probe your APIs for vulnerabilities. These insights allow you to identify high-priority vulnerabilities missed by development security efforts and those that can be found only at runtime. Insights are sent directly to development teams and include details such as endpoints with potential vulnerabilities, how attackers attempted to exploit those vulnerabilities, normal behavior for those endpoints, and recommendations for remediation.

We also provide valuable API security posture insights that include OpenAPI Specification (OAS) analysis, comparing manually created documentation with the running API to identify incomplete and inaccurate documentation. In addition, by analyzing each API, we identify potential vulnerabilities and provide teams with clear guidelines on improving security early in the development process to avoid releasing APIs with vulnerabilities.

If you want to learn more about the Salt API Protection Solution, reach out for a personalized demo and learn how we can protect your APIs in AWS and across all your environments.
