The evolution of cloud services has coincided with the development of advanced Application Programming Interfaces (APIs) that allow developers to link cloud computing services together, making their data and functionality available for other programs to use. Increasingly, these APIs are also being leveraged for security orchestration and automation, providing valuable data and granular controls to organizations managing complex cloud apps and cloud-based network infrastructure.
The better a cloud app connects and communicates, the easier it is for security teams to have the visibility, data, and controls they need.
However, as APIs become more central to security, it’s disappointing to see how primitive the APIs remain for many legacy security tools. Many conventional security tools that are widely deployed today, such as firewalls, IPS, WAFs, and SIEMs, were built with a perimeter mindset – “keep the bad guys out, and keep the good stuff in.”
This fortress mentality also meant that communication with other tools was secondary, and even considered a security liability. But in the 20+ years that many of these tools have existed, the security world has dramatically changed.
What legacy security tools get wrong
Many of these legacy tools were designed to analyze a small slice of security, make decisions via hard-wired rules, and deliver information in the form of alerts. This assumed several things that over time have proved to be problematic:
The security tool knows best. Surely a good firewall with the right rules can make good-enough decisions about what’s good or bad. Nope – not even close.
They know the context of what’s going on. Like a mall cop, these tools watch the traffic and try to guess what people are doing and why. Sorry, Paul Blart – profiling doesn’t work.
They can keep up with the volume of threats. Actually, they can… if you turn off detection. But if you want to really detect and respond, you’re out of luck.
It’s probably not fair to ask legacy tools to keep up with threats that weren’t imagined when they were designed. In fact, many of these tools see traffic and collect data that could provide valuable context to more sophisticated, modern analysis systems. But this would require that they communicate well and provide deep and granular APIs.
Clearly, APIs were not a priority when we had disparate islands of network security. Each tool just had to do its job, deliver alerts, get the occasional rule tune-up, save logs, and rely on an army of security analysts to pick up the pieces and figure out what’s going on.
More (contextualized) data is required
But in today’s reality, where threats are rampant and security experts are hard to find, sharing data is critical and context is everything. To keep up with billions of events requires AI systems that can handle vast amounts of data, continuously learn what is good, bad, or suspicious, understand “normal” behavior by establishing baselines across millions of data points, and ultimately automate routine decision-making.
To do this requires more data – not less, and that’s where advanced APIs come in. For example, a modern threat will come in through multiple network channels, and cloud applications. Indications of phishing might show up not just in email, but in social platforms, financial apps, or even CRM systems. A newly discovered vulnerability might be critical for some unpatched systems, but not a concern for others, and all this critical information might be contained in your ITSM system – often not even in the security loop.
Identifying weak links in the legacy security chain
Modern security tools, with the help of great APIs, can analyze all channels, find patterns across domains, consolidate the redundant noise, and take actions to block threats, file ITSM tickets, and alert stakeholders through any communication channel.
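To make the two preceding points concrete (a vulnerability that is critical on one host and noise on another once ITSM context is applied, and the same phishing indicator surfacing in several channels being consolidated into one incident), here is an added example that is not from the original post or any vendor’s product. It is a minimal correlation step: events from an email gateway, a CRM app, a chat platform and a vulnerability scanner are grouped by indicator, then enriched with asset records as an ITSM/CMDB API might return them. All field names, host names, the `VULN-EXAMPLE-1` identifier and the sample records are constructed for the example; a real integration would replace the two dictionaries with API calls.

```python
"""Cross-channel consolidation plus ITSM-context enrichment (added example).

All data below is constructed; field names are assumptions, not any
real product's schema.
"""
from collections import defaultdict

# Constructed stand-in for what an ITSM/CMDB API would return per host.
CMDB = {
    "web-01":   {"patched": set(),               "internet_facing": True,  "owner": "web-team"},
    "web-02":   {"patched": {"VULN-EXAMPLE-1"},  "internet_facing": True,  "owner": "web-team"},
    "build-07": {"patched": set(),               "internet_facing": False, "owner": "ci-team"},
}

# Constructed events from four different channels. The same phishing URL
# shows up in email, the CRM and chat; the same finding hits three hosts.
EVENTS = [
    {"channel": "email",   "type": "phishing_url",  "indicator": "https://login-example.invalid/reset", "target": "alice"},
    {"channel": "crm",     "type": "phishing_url",  "indicator": "https://login-example.invalid/reset", "target": "bob"},
    {"channel": "chat",    "type": "phishing_url",  "indicator": "https://login-example.invalid/reset", "target": "alice"},
    {"channel": "scanner", "type": "vulnerability", "indicator": "VULN-EXAMPLE-1", "target": "web-01"},
    {"channel": "scanner", "type": "vulnerability", "indicator": "VULN-EXAMPLE-1", "target": "web-02"},
    {"channel": "scanner", "type": "vulnerability", "indicator": "VULN-EXAMPLE-1", "target": "build-07"},
]


def consolidate(events):
    """Group raw events by (type, indicator) so one indicator seen in
    several channels becomes a single incident with several sightings."""
    incidents = defaultdict(lambda: {"channels": set(), "targets": set(), "sightings": 0})
    for e in events:
        inc = incidents[(e["type"], e["indicator"])]
        inc["channels"].add(e["channel"])
        inc["targets"].add(e["target"])
        inc["sightings"] += 1
    return incidents


def vuln_severity(vuln_id, host, cmdb):
    """Rate a scanner finding using what the asset inventory knows.

    The same finding is critical on an exposed, unpatched host, medium on
    an internal one, and informational where ITSM already records a patch.
    """
    asset = cmdb.get(host)
    if asset is None:
        return "unknown-asset"      # not in inventory: itself worth a ticket
    if vuln_id in asset["patched"]:
        return "informational"      # remediation already recorded in ITSM
    return "critical" if asset["internet_facing"] else "medium"


def triage(events, cmdb):
    """Turn consolidated incidents into actions: one block per phishing
    indicator, one ITSM ticket per host that actually needs it."""
    actions = []
    for (etype, indicator), inc in consolidate(events).items():
        if etype == "phishing_url":
            actions.append({
                "action": "block_url",
                "indicator": indicator,
                "channels": sorted(inc["channels"]),   # where it was seen
                "notify": sorted(inc["targets"]),      # each user once
            })
        elif etype == "vulnerability":
            for host in sorted(inc["targets"]):
                sev = vuln_severity(indicator, host, cmdb)
                if sev == "informational":
                    continue    # patched per ITSM: suppress rather than page
                actions.append({
                    "action": "itsm_ticket",
                    "indicator": indicator,
                    "host": host,
                    "severity": sev,
                    "assignee": cmdb.get(host, {}).get("owner", "secops"),
                })
    return actions


if __name__ == "__main__":
    for a in triage(EVENTS, CMDB):
        print(a)
```

Run as a script it prints three actions: one URL block covering all three channels and both users, and two tickets (critical for `web-01`, medium for `build-07`). `web-02` produces nothing, because the CMDB says the finding is already patched there. That suppression is exactly the context a scanner or SIEM cannot supply on its own, and it only works when the ITSM side exposes the asset fields over an API the security tooling can actually query.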
Ironically, the weak link in these scenarios is the limited APIs of legacy security stalwarts like firewalls and SIEMs. They are in a prime position to see lots of security data, and more advanced cross-channel tools could extract valuable clues and context from it, but their APIs are often too primitive to deliver relevant data quickly.
The good news is that modern cloud APIs, from AWS, Azure, ServiceNow, Salesforce, and many other platforms, are fueling this new approach to security. They are built on the premise that sharing more data, more context, and more granular controls can dramatically improve security outcomes, and that makes these cloud applications more secure than their legacy network counterparts.
You don’t necessarily need to get rid of legacy security tools, but when you evaluate them, look closely at their APIs and compare them to modern cloud APIs. If they don’t play well with others, it’s probably time to pull the plug.