Organizations are expanding the use of automation and orchestration in their security operations. One indication of this is the sharp rise in the adoption of Security Orchestration Automation and Response (SOAR) platforms. The security of these platforms is a key concern, and in particular the security of the Application Programming Interface (API) keys used by both the SOAR platform and Security Operations Center personnel. Exposing APIs from security tools is crucial to permitting automation and orchestration; however, it is also important to secure the usage of these capabilities. This presentation highlights methods for securing API usage and ways to remediate compromised API keys.
Security Orchestration Automation and Response (SOAR) adoption is predicted to rise from 1% to 15% from 2018-2020. This rapid growth is currently being realized through the explosion of options available within the SOAR marketplace. Organizations are adopting SOAR in order to adapt to the speed and scale of threats in the current cyber landscape. SOAR platforms are becoming a hub within the stack of security tools employed by an organization. This adoption is also driving the increased exposure of features from security tools via Application Programming Interfaces (APIs). These APIs are crucial to permitting the automation and orchestration of security operations; however, the exposure of these capabilities provides a new attack surface that attackers can exploit. To help address this concern, the Integrated Adaptive Cyber Defense (IACD) program has conducted research to help identify best practices for API security. As automation takes on an increasingly large role in cyber defense, it is important for organizations to secure these new capabilities to ensure they are not abused.
Through our initiatives and pilots in various critical infrastructure sectors, IACD has found that most SOAR platforms provide basic mechanisms to protect API keys. However, IACD believes that the usage and security of these APIs is often overlooked, and more should be done to secure them. Recent findings show that many of these keys are issued and utilized with more access than needed for specific tasks and are occasionally distributed widely throughout an enterprise's infrastructure. There have also been instances where API keys have been compromised by attacks and used by cyber attackers to access sensitive data.
This talk will provide a summary of recent research and current industry best practices to protect API usage through gaining visibility into all API requests, rapid banning and re-issue of compromised API keys, controlling which requests an API key may issue based on the asset making the request, and controlling which assets are allowed to use which API key for specific requests. A Q&A session with the audience will be held at the end to discuss current concerns with API security.
This talk will be provided by the IACD integration team, which has hands-on experience with a large variety of SOAR solutions and has been developing capabilities for security orchestration and cyber information sharing since 2014. IACD has continuously provided impartial technical guidance for all enterprises and has been instrumental in the creation of a large community throughout academia, industry, and critical infrastructure to further the use and development of the IACD framework.
Attendees will learn techniques to address the risks associated with the rising convenience of automation, proactive versus reactive automation practices, and how to mitigate current security gaps faced by organizations with and without security automation.
Key take-aways:
Attendees will learn best practices for managing API usage through the use of an API gateway. Additionally, remediation methods will be explored to address compromised access to security tools via stolen API keys.
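The gateway controls described above (visibility into every request, immediate banning and re-issue of a compromised key, binding each key to the assets allowed to present it, and scoping each key to the requests it needs) are sketched below as a hypothetical Python policy check; this is an added example, not material from the talk or from the IACD program, and the asset ids, paths and policy structure are assumptions.

```python
import hashlib
import secrets

def fingerprint(key):
    # The gateway stores only a hash of each key, never the plaintext.
    return hashlib.sha256(key.encode()).hexdigest()

class KeyPolicy:
    def __init__(self, allowed_assets, allowed_requests):
        self.allowed_assets = set(allowed_assets)      # asset ids permitted to present the key
        self.allowed_requests = set(allowed_requests)  # (method, path prefix) pairs the key may issue
        self.revoked = False

def in_scope(policy, method, path):
    # Prefix match on a segment boundary so "/alerts" does not also cover "/alerts_admin".
    return any(m == method and (path == p or path.startswith(p.rstrip("/") + "/"))
               for m, p in policy.allowed_requests)

class ApiGateway:
    def __init__(self):
        self.policies = {}   # fingerprint -> KeyPolicy
        self.audit_log = []  # one entry per request, allowed or denied (visibility)

    def issue_key(self, allowed_assets, allowed_requests):
        key = secrets.token_urlsafe(32)
        self.policies[fingerprint(key)] = KeyPolicy(allowed_assets, allowed_requests)
        return key

    def revoke_and_reissue(self, compromised_key):
        # Ban the stolen key immediately and hand back a fresh one with the same scope.
        old = self.policies[fingerprint(compromised_key)]
        old.revoked = True
        return self.issue_key(old.allowed_assets, old.allowed_requests)

    def authorize(self, key, asset, method, path):
        fp = fingerprint(key)
        policy = self.policies.get(fp)
        if policy is None:
            verdict = "deny: unknown key"
        elif policy.revoked:
            verdict = "deny: revoked key"
        elif asset not in policy.allowed_assets:
            verdict = "deny: asset not bound to this key"
        elif not in_scope(policy, method, path):
            verdict = "deny: request outside key scope"
        else:
            verdict = "allow"
        self.audit_log.append((asset, method, path, fp[:8], verdict))
        return verdict == "allow"
```

Every decision, including denials, lands in `audit_log` with a key fingerprint rather than the key itself, which is what makes anomalous use of a leaked key visible without the log becoming a second copy of the secret.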