all Technical posts

Exploring Azure Defender for APIs

Microsoft Defender for Cloud has announced a new component and it's worth looking into. The new solution is called Azure Defender for APIs and brings security insights, ML-based detections, and unauthenticated assessment in the APIs that are exposed via Azure API Management.

Codit and Microsoft worked together to shape the solution in something helpful for users who want to get insights and secure their APIs. We'll explore what the solution has to offer in the following blog post.

Written by
11 May 2023
Arnaud Meersschaut
Massimo Crippa

How to onboard your APIs

Onboarding APIs to the Defender is fairly simple. Before you can onboard an actual API however, a few steps are necessary. Firstly, you need to register the `Microsoft.APISecurity` Resource Provider for your subscription(s). This might take a few minutes, but once the provider shows up as registered, you will need to enable Defender for APIs on your Azure subscription (Microsoft Defender for Cloud > Environment settings > your subscription > Defender plans).

You can now go to the Defender for Cloud, where you will have the recommendation to onboard Azure API management APIs. In that pane, you will have the option to onboard APIs from within different Azure API Management services. And that’s it!

As part of the onboarding procedure, the Defender will go over the APIs to detect all the endpoints (operations) hosted by the selected APIs. Next to that, the API Management traffic is transparently mirrored to Defender in order to build an understanding of how the APIs are used and what kind of information is passing through.

Note: Onboarding APIs to Defender for APIs may increase the compute, memory and network utilization of your Azure API Management service. Carefully evaluate which APIs to onboard, monitor the service capacity and scale it out if needed.

What the solution has to offer

Inventorization

After onboarding is finalized, the information that is gathered will be used to create an inventory. This is a centralized place where you will be able to get more insights on what is exposed across the Azure API Management services.
All APIs and endpoints within the APIs will be added to the inventory, even if there is no traffic.

Detection and alerting

The solution is backed by Machine Learning and this comes with some great benefits. The Defender will analyze the traffic going to the API and the request content. By doing so, the solution can provide ML-based detections and address security breaches or incoming attacks next to the OWASP API risks. For example, if the load on a certain endpoint for a particular IP is drastically higher than what is usually expected, an alert would be raised. The alerts are visible within the Microsoft Defender for cloud and give a proper overview of which resource is affected, as well as details about the endpoint and caller.

Other use cases covered by the solution are:
  • Uncommon payload size coming from a single IP to an API endpoint
  • Suspicious spike in API latency between single IP and an API endpoint
  • Uncommon parameter used towards your API endpoint
  • Parameter enumeration

Insights

APIs allow different software applications to interact and exchange information, enabling the creation of complex and integrated systems. However, as APIs become more prevalent and widely used, they also become a prime target for cyber attacks.

In order to secure APIs and protect against potential security threats, it is important to have a deep understanding of API security. Insights in API security can help developers and in this case, non-technical people, to identify and address vulnerabilities. Without proper security measures, APIs can be vulnerable to things such as injection attacks, broken authentication and authorization, and cross-site scripting. Therefore, gaining insights into API security is crucial for any organization that wants to ensure the confidentiality, integrity, and availability of its data and systems.

When going to the API Security feature, you will see the general overview with all the collections. A collection is basically an API within Azure API Management that contains all the endpoints available.
In the general overview of the collection level, you will see:
  • if there are any sensitive data or unauthenticated endpoints;
  • the number of API endpoints within the collection;
  • in which API Management service the collection was discovered;
  • the number of inactive endpoints (these are endpoints that are not used within 30 days);
  • if there is any external traffic observed.
By observing the APIs and their traffic, the Defender executes data classification, to show what kind of data is exposed through a certain endpoint. Having this kind of information can be useful in situations where you are the owner of the API Management service but not the APIs that are created within your service.
In the following image, the API Defender is telling us we are having an unauthenticated API that exposes sensitive data. Publishing this API to an external audience can have serious consequences such as identity theft, reputation damage, and more. The API has to be fixed ASAP!

 

When you go deeper into a collection, you can see the different endpoints and their name. Next to that, you can also view which endpoint can be accessed without authentication and if it was used in the last 30 days.

Why use this solution?

There are a couple of reasons to begin using this solution. First of all, with only a few clicks you can increase the security posture of the company assets exposed in Azure API Management and get alerted when something suspicious is detected. Since this solution is running within Azure there is no integration cost, nor impact on the current development or the release procedure. Last but not least, the user-friendly onboarding experience and the ability to quickly access security insights make the solution shine.
We love to see the progress that has already been achieved with this solution, but are excited about what extra features the future could bring!

Subscribe to our RSS feed

Related articles

Demystifying Role-Based Access with System Assigned Managed Identities in Azure

Traditionally, security between Azure components is assured through the use of SAS tokens. For some time, you have been able to use managed identities between Azure components. In this blog post, we'll go over how to leverage this.

Customer Care: A Deep Dive into CloudBrew 2023

CloudBrew 2023 ran from December 7th to 8th this year, and a team from Customer Care immersed ourselves in a variety of insightful sessions presented by engaging speakers covering diverse topics. In this blog post, we’ll take a deep dive into three talks that left a lasting impression on us.

Navigating the Future of IT Infrastructure and Security: Insights from CloudBrew 2023

As the main system administrator in our company, staying ahead in the ever-evolving landscape of IT infrastructure and security is not just a responsibility but a necessity. Recently, I had the opportunity to attend a series of enlightening sessions at CloudBrew, which focused on the latest advancements in IT infrastructure,…

Send blog to my inbox

Invalid email address

Submit

Thanks, we've sent the link to your inbox

Invalid email address

Submit

Your download should start shortly!

Stay in Touch - Subscribe to Our Newsletter

Keep up to date with industry trends, events and the latest customer stories

Invalid email address

Submit

Great you’re on the list!