Security tools must be provided with the API program

No cloud API is an island

The evolution of cloud services has coincided with the development of advanced application programming interfaces (APIs) that allow developers to link cloud services together, making its data and functionality available to other programs. Increasingly, these APIs are also being leveraged for security orchestration and automation, providing valuable data and granular controls to organizations managing complex cloud applications and cloud-based network infrastructure.

The more a cloud application connects and communicates, the easier it is for security teams to have the visibility, data, and controls they need.

DevOps Connect: DevSecOps @ RSAC 2022

Try it free
LogicHub MDR Jump Start for AWS

A perimeter mentality is too simplistic

However, as APIs become more central to security, it’s disappointing how primitive APIs remain for many legacy security tools. Many conventional security tools, such as firewalls, IPSs, WAFs, and SIEMs that are widely deployed today, were designed with a perimeter mindset – “keep the bad guys out and keep the bad guys out.” good things inside”.

This fortress mentality also meant that communication with other tools was secondary, and even considered a security issue. But in the more than 20 years that many of these tools have been around, the world of security has changed dramatically.

Which legacy security tools are wrong

Many of these legacy tools were designed to analyze a small slice of security, make decisions through hard-wired rules, and provide insights in the form of alerts. This involved several things that, over time, proved to be problematic:

  • The security tool knows best.A good firewall, with the right rules, can certainly make good decisions about what is good or bad. No – not even close.
  • They know the context of what is happening.Like a mall cop, these tools monitor traffic and try to guess what people are doing and why. Sorry, Paul Blart – profiling is not working.
  • They can track the volume of threats.In fact, they can…if you disable detection. But if you really want to detect and answer, you’re out of luck.

It’s probably not fair to ask legacy tools to deal with threats that weren’t envisioned when they were designed. In fact, many of these tools see traffic and collect data that could provide valuable context to more sophisticated modern analytics systems. But that would require them to communicate well and provide deep, granular APIs.

Obviously, APIs weren’t a priority when we had disparate islands of network security. Each tool just had to do its job, deliver alerts, get the occasional rules tweak, save logs, and rely on an army of security analysts to pick the pieces and figure out what was going on.

More (contextualized) data is needed

But in today’s reality, where threats are rampant and security experts hard to find, data sharing is key and context is everything. Tracking billions of events requires AI systems that can manage large amounts of data, continuously learn what’s good, bad or suspicious, understand “normal” behavior by drawing lines of base on millions of data points and ultimately automate routine decision making. .

To do this, more data is needed – not less, and that’s where advanced APIs come in. For example, a modern threat will arrive through multiple network channels and cloud applications. Indications of phishing can appear not only in emails, but also in social platforms, financial applications or even CRM systems. A newly discovered vulnerability may be critical to some unpatched systems, but not of concern to others, and all of this critical information may be contained within your ITSM system – often not even within the security loop.

Osterman Research explores why organizations that early adopters of MDR services report a higher security posture across multiple dimensions in
The MDR Rush: Delivering on the Promise of a High Security Posture.

Identify weak links in the legacy security chain

Modern security tools, using excellent APIs, can scan all channels, find patterns in all areas, consolidate redundant noise, and take action to block threats, file ITSM tickets, and alert parties stakeholders via any communication channel.

Ironically, the weak link in these scenarios are the limited APIs of legacy security pillars like firewalls and SIEMs. While they are in a prime position to see plenty of security data and more advanced cross-channel tools could find valuable clues and context, their APIs are often too primitive to provide relevant data quickly.

The good news is that modern cloud APIs, from AWS, Azure, ServiceNow, Salesforce and many other platforms are fueling this new approach to security and inherently understanding that sharing more data, more context and more granular controls can dramatically improve security outcomes. , and strengthen the security of these cloud applications over their legacy network counterparts.

You don’t necessarily need to get rid of legacy security tools, but when evaluating them, carefully examine their APIs and compare them to modern cloud APIs. If they’re not playing well with others, it’s probably time to pull the plug.

The Definitive MDR Buyer’s Guide: Everything You Need to Know to Choose the Right Managed Detection and Response Service

LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. Of small teams with security challengesat large teams automating SOCsLogicHub makes advanced detection and response simple and effective for everyone.

*** This is a syndicated blog from Security Bloggers Network from Blog | LogicHub® written by Willy Leichter. Read the original post at:

Ryan H. Bowman