Shifting the Security Mindset: From Network to Application Defense

Until recently, when businesses thought about securing their organizations, they had one focus: network security. The spotlight was on protecting network infrastructure against cyberthreat actors and data breaches. This included connected devices such as computers, servers and wireless networks.

Fast forward to today: The growth of web applications has skyrocketed.

With the modernization of application development and microservices-based architectures, the requirement for application programming interfaces (APIs) to access services, data, and other applications has become critical. According to Akamai, 83% of web traffic now goes through APIs. As the reliance on APIs grows, application layer attacks have significantly increased, creating a greater need for API threat detection and security, as well as API performance and availability.

The Risks: Why We Need a Security Mindset Shift

Both network and application security share the common objective of protecting organizations against cybersecurity threats. However, CISOs and security analysts need to shift their mindsets. Businesses are just beginning to understand that the attack trend is shifting from the network to the application level (sometimes called the behavioral level). Attackers know that organizations are increasingly vulnerable at this level since API activity is often the largest challenge to security teams.

API security often falls through the cracks. After all, security teams don’t know applications, and DevOps teams don’t know security. The responsibility of API security traditionally falls to both the IT security and DevOps teams, causing confusion and an inability to keep up with the frequency of change. But now is the time for organizations to break down internal silos to understand how to protect vulnerable APIs and, in turn, the business and its customers.

APIs bring great risks to every organization. According to Kong Inc., the average cost of a security breach is $6.1 million. Web application development and usage are at an all-time high, and businesses aren’t sure which APIs to monitor or how to monitor them. By nature, APIs are open, and many are available over public networks, which makes them easy to access and means they leave a trail. Due to these characteristics, attackers can easily reverse-engineer API requests and take the sensitive data they seek.

Achieving the Mindset Shift

Gartner recently advised that “organizations must put in place security controls to protect against the evolving API threat landscape.” To do so, CISOs and security teams must identify application-level threats, create strategies and adopt practices that move the needle. For example, security teams versed in network operations are comfortable detecting attacks and blocking IP addresses. But businesses must also protect the application side with API threat monitoring and security.

A new Cloudflare report also shows that organizations struggle to identify and manage API cybersecurity risks. While web application firewalls (WAFs) and API gateways help to monitor and control HTTP traffic, businesses should also incorporate threat detection and response for APIs to ensure that attacks don’t simply go around perimeter defenses. Additional proactive strategies are needed: identifying and monitoring all APIs, protecting these APIs, and recording common threats and API security breakdowns based on API request and response data.

The before and after are also critical. Businesses should produce a risk assessment score to gain insight into API vulnerabilities and develop a baseline that identifies areas to be strengthened. According to a recent study by Enterprise Strategy Group, 88% of organizations feel it’s critical or important to have an accurate inventory of APIs and cloud services relating to software supply chain security. If an API security breach occurs, organizations must have all the data on hand, including visuals, to reset and assess how to better protect the company and the customer.

The bottom line is that education on modern security for both network and application defenses plays a critical role. There is a great need to protect the organization on all fronts – not just at the network level or perimeter. Organizations must have unified and comprehensive defenses to protect all aspects of the business’s key assets.