Introducing Actions and Alerts in Advanced API Security
Shelly Hershkovitz
Product Manager, Google Cloud
Varun Krovvidi
Product Marketing Manager, Google Cloud
Hear monthly from our Cloud CISO in your inbox
Get the latest on security from Cloud CISO Phil Venables.
SubscribeAPIs provide direct access to application functionality and data, making them a powerful developer tool. Unfortunately, that also makes them a favorite target for threat actors. Proactively identifying API security threats is top of mind for 60% of IT leaders according to Google Cloud’s 2022 API Security Research Report. Most of the current approaches to securing APIs focus on detecting security vulnerabilities, but rapidly reacting and responding to API security issues once they are detected is just as important in maintaining a strong application security posture.
This is where Advanced API Security for Apigee API Management can help. It’s an add-on that automatically detects misconfigurations, malicious bot attacks, and critical abuses, and today, we're excited to announce the public preview of two new Advanced API Security capabilities:
- Alerts are notifications that inform you about security threats or anomalies as soon as they are detected.
- Actions are automated operations, triggered in response to security threats or anomalies, based on predefined conditions.
Actions and Alerts enhance Advanced API Security capabilities by reducing the time between threat detection and resolution through automation, minimizing the potential impact, and making your API security approach more proactive.
Actions in Advanced API Security
Actions automate operations including allowing, denying, flagging, and redirecting API traffic from specific clients. You can choose to specify these clients manually or rely on built-in detection rules in Advanced API Security. These detection rules identify known API threats or patterns detected by our machine learning models pinpointing malicious activities, such as API scraping or anomalies.
To stop API attacks, developers often need to manually exclude specific IP addresses via their Web Application Firewalls (WAF) or through implementing policies — a process requiring a full development cycle for each change. Worse, these processes are often ineffective against adaptive attacks that constantly change IP addresses. But now, with Actions, developers can automatically defend against malicious traffic.
How does it work?
Before your API proxies process traffic, you can choose to apply the following actions:
- Flag requests by adding up to five headers in the request sent to an API proxy, allowing you to precisely define the behavior of the traffic inside the proxy. For example, you may not want to intercept suspicious traffic, but rather track and observe it for further analysis.
- Deny requests that meet certain conditions, such as originating from a scraping activity. You can even customize the response code that is sent back to the client. For example, you can deny traffic from specific clients previously isolated and identified as suspicious.
- Allow requests by overriding any traffic that would otherwise be blocked by a deny action. For example, you can allow traffic from specific clients even if they are captured in a detection rule associated with a deny action.
Creating an Action in Advanced API Security
You also have the option to pause all active security actions, ensuring uninterrupted API requests. You might want this capability as a failover mechanism or allow all traffic in a few controlled scenarios. You can further refine the security measures by analyzing API traffic data associated with specific actions.
Analyzing API traffic data associated with actions
Alerts in Advanced API Security
Alerts inform relevant stakeholders when a potential security incident or anomaly is identified. With our new Alerts capability, you are notified of any unusual API traffic (as identified by the detection rules) or of any changes to your security scores.
Today, users have to constantly monitor their security scores or dashboards to identify new attacks. Now with Advanced API Security, you can configure an Alert to send notifications by text, email, or other channels upon detection of unusual traffic.
How does it work?
You can use Cloud Monitoring to set up the alerts to be notified about potential security incidents or even customize how you receive these alerts, be it through text, email, or other channels.
For instance, if there's a sudden spike in suspicious requests from a particular region, you can set up an alert to be notified immediately. This alert ensures that you're always in the loop and can take swift action.
Next steps
Minimizing the time it takes to detect and mitigate an API security threat is one of the most important ways to minimize negative business impacts. Advanced API Security shifts most of that burden to the platform, allowing developers to minimize overhead while maintaining precise control. Advanced API Security is offered as an add-on to Apigee API Management.
Check out our technical documentation to learn more about these new capabilities or explore them hands-on by getting started with Apigee.
