ITSPmagazine Podcast Network

Securing the Digital Economy: A Deep Dive into Application and API Security | A Brand Story Conversation From Black Hat USA 2024 | An Akamai Story with Rupesh Chokshi | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this Brand Story episode as part of the On Location Podcast series, Sean Martin chats with Rupesh Chokshi from Akamai about the escalating importance of API security and the innovative methods Akamai employs to safeguard against threats. Tune in to discover real-world examples of API breaches and learn how proactive measures can empower organizations to protect their digital assets.

Episode Notes

In this Brand Story episode as part of the On Location Podcast series, Sean Martin speaks with Rupesh Chokshi, who leads the application security business at Akamai. Connecting directly from Black Hat in Las Vegas, the discussion provides an in-depth look into the world of application security, APIs, and the challenges organizations face in today's technology-driven environment.

Rupesh Chokshi starts by highlighting Akamai's evolution from an innovative startup focused on improving internet experiences to a global leader in powering and protecting online activities. He emphasizes that Akamai handles trillions of transactions daily, underlining the massive scale and importance of their operations.

The conversation shifts to the pivotal role of APIs in the digital economy. With every company now being an 'app company,' APIs have become the lifeline of digital interactions, from financial services to entertainment. Chokshi points out that many organizations struggle with cataloging and discovering their APIs, a critical step for ensuring security. Akamai assists in this by employing scanning capabilities and data flow analysis to help organizations understand and protect their API landscape.

A significant part of the discussion focuses on the security challenges associated with APIs. Chokshi details how attackers exploit APIs for data breaches, financial fraud, and other malicious activities. He cites real-world examples to illustrate the impact and scale of these attacks. Chokshi also explains how attackers use APIs for carding attacks, turning businesses into unwitting accomplices in validating stolen credit cards.

Chokshi emphasizes the importance of proactive measures like API testing, which Akamai offers to identify vulnerabilities before code deployment. This approach not only bolsters the security of APIs but also instills greater confidence in the enterprise ecosystem.

The discussion also touches on the broader implications of API security for CISOs and their teams. Chokshi advises that the first step is often discovery and cataloging, followed by ongoing threat intelligence and posture management. Using insights from Akamai's extensive data, organizations can identify and mitigate threats more effectively.
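Discovery and cataloging, the first step recommended above, can be started from data the organization already has: edge or gateway access logs compared against the API catalog the team believes is complete. The script below is an added example for this page, not Akamai's discovery tooling; it assumes a Combined-Log-Format access log and an OpenAPI-style catalog of `METHOD /path/{id}` templates, and the catalog entries and log lines are constructed.

```python
"""Find shadow and dormant API endpoints by diffing observed traffic against
the documented catalog. Added example for this page, not Akamai code; the
log format, catalog and sample lines are assumptions/constructed."""
import re
from collections import Counter

# Constructed catalog: what the team believes its API surface is.
CATALOG = {
    "GET /v1/users/{id}",
    "GET /v1/orders",
    "POST /v1/orders",
    "GET /v1/orders/{id}",
    "POST /v1/reports/export",
}

# Constructed access log (Combined Log Format, trailing fields trimmed).
ACCESS_LOG = """\
203.0.113.5 - - [07/Aug/2024:10:00:01 +0000] "GET /v1/users/1042 HTTP/1.1" 200 512
203.0.113.5 - - [07/Aug/2024:10:00:02 +0000] "GET /v1/users/77?expand=profile HTTP/1.1" 200 640
198.51.100.8 - - [07/Aug/2024:10:00:03 +0000] "POST /v1/orders HTTP/1.1" 201 88
198.51.100.8 - - [07/Aug/2024:10:00:04 +0000] "GET /v1/orders/5c3e2b10-9f4a-4c7e-8d1f-2a6b8c9d0e11 HTTP/1.1" 200 410
198.51.100.8 - - [07/Aug/2024:10:00:05 +0000] "GET /v1/orders HTTP/1.1" 200 2048
192.0.2.44 - - [07/Aug/2024:10:00:06 +0000] "GET /internal/debug/dump HTTP/1.1" 200 90210
203.0.113.5 - - [07/Aug/2024:10:00:07 +0000] "GET /v1/users/1042/export HTTP/1.1" 200 7731
203.0.113.5 - - [07/Aug/2024:10:00:08 +0000] "DELETE /v1/users/77 HTTP/1.1" 403 0
192.0.2.44 - - [07/Aug/2024:10:00:09 +0000] "GET /v2/users/9 HTTP/1.1" 200 600
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)
# Path segments that are identifiers, collapsed to {id} so that
# /v1/users/1042 and /v1/users/77 map to one endpoint.
ID_RES = [
    re.compile(r"^\d+$"),
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"),
    re.compile(r"^[0-9a-f]{16,}$"),
]


def normalize(target):
    """Drop the query string and replace identifier segments with {id}."""
    path = target.split("?", 1)[0].rstrip("/") or "/"
    parts = ["{id}" if any(r.match(p) for r in ID_RES) else p
             for p in path.split("/")]
    return "/".join(parts)


def parse_access_log(text):
    """Count requests per 'METHOD /template' key."""
    observed = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        observed[f"{m['method']} {normalize(m['target'])}"] += 1
    return observed


def inventory(text, catalog):
    """Split observed endpoints into documented, shadow (seen but not in the
    catalog) and dormant (in the catalog but never seen)."""
    observed = parse_access_log(text)
    return {
        "documented": Counter({k: v for k, v in observed.items() if k in catalog}),
        "shadow": Counter({k: v for k, v in observed.items() if k not in catalog}),
        "dormant": set(catalog) - set(observed),
    }


if __name__ == "__main__":
    result = inventory(ACCESS_LOG, CATALOG)
    for bucket in ("documented", "shadow", "dormant"):
        print(bucket, sorted(result[bucket]))
```

The diff surfaces three kinds of gaps in one pass: an endpoint nobody registered (`/internal/debug/dump`), an undocumented sub-resource and an undocumented method on a documented path (the user export and `DELETE`, the second visible even though the gateway answered 403), and a version nobody remembers shipping (`/v2`). Dormant entries are worth decommissioning rather than leaving as unmonitored attack surface. Traffic logs only show what was called, so this should be paired with scanning and with data-flow inspection of the kind mentioned above.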

The episode concludes with Chokshi reinforcing the importance of data-driven insights and AI-driven threat detection in safeguarding the API ecosystem. He notes that Akamai's vast experience and visibility into internet traffic allow them to provide unparalleled support to their clients across various sectors.

For anyone looking to understand the complexities of API security and how to address them effectively, this episode offers valuable insights from two leaders in the field. Akamai's comprehensive approach to application security, bolstered by real-world examples and expert analysis, provides a robust framework for organizations aiming to protect their digital assets.

Learn more about Akamai: https://itspm.ag/akamaievki

Note: This story contains promotional content. Learn more.

Guest: Rupesh Chokshi, SVP & General Manager, Application Security, Akamai [@Akamai]

On LinkedIn | https://www.linkedin.com/in/rupeshchokshi/

Resources

Learn more and catch more stories from Akamai: https://www.itspmagazine.com/directory/akamai

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Securing the Digital Economy: A Deep Dive into Application and API Security | A Brand Story Conversation From Black Hat USA 2024 | An Akamai Story with Rupesh Chokshi | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] All right, here we are. We are coming to you from Las Vegas. Hacker Summer Camp. Black Hat. Here we are, Rupesh. Yeah. Good, good few days so far?  
 

Rupesh Chokshi: Yeah, great, great. You know, Vegas, I'm here after, you know, a few years.  
 

Sean Martin: I know. That's right. Yeah, there was a little bit of a break. 
 

But, uh, good, good to be back in Vegas. Good to be, uh We'll be at Black Hat, where there's a lot of research. Yes. A lot of, uh, a lot of information from, uh, from organizations like your own. To help us better understand what the threats are and how we can address them. And this is our second story with Akamai. 
 

All right, very good. Very good to have you back. Thank you. And, uh, I'm here, obviously, with, uh, Rupesh Chokshi. And, uh, Rupesh, maybe just a, an elevator pitch of what Akamai does. Just kind of set the stage, and then we'll get into some of the Sure. Specifics we want to touch on today.  
 

Rupesh Chokshi: Okay. Sounds good. Yep. So Rupesh Chokshi, you know, I run the application security business at [00:01:00] Akamai, uh, and if I raise it up, you know, Akamai has multiple sort of, you know, businesses and it sort of was born as this, uh, innovative startup at the early days of the internet, right?
 

And it was all about making the experiences of internet better. And now it's all about. Powering and protecting life, you know, trillions of times a day in terms of just the volume and the data that we see. And the security space is where we are very focused on driving, you know, growth for the business, but protecting the customers globally. 
 

And it is all about securing the applications, you know, everywhere, every time. So that is where we are focused.  
 

Sean Martin: And no lack of applications. Being built, I think. Right? What is it? Every company's an app company now, I'm not mistaken. That's one of those things. Um, so you, you have your hands full there? I don't any, any, pretty much [00:02:00] every sector You mentioned globally. 
 

Yeah. Do you have customers that sit in multiple continents and everything? Yes. Yes. Um, can you tell us a little bit about some of the, uh, yeah. Some of the sectors and organizations that you work with?  
 

Rupesh Chokshi: Sure, sure. So we definitely have, you know, global. Multinational companies that we serve in. It's very interesting to see, you know, how they all have their own sort of, you know, local needs, but they are also very global in nature. 
 

So, for example, we serve the financial services sector, right? Majority of the banks in the U. S. majority of the financial services, you know, insurance companies, you name it. And then you take that sort of globally, and you have, you know, European companies who are big banks are our customers. You go to Asia, APJ, um, the same. 
 

The commerce sector is very big for us, and then you start to kind of get into a lot of like, you know, gaming entertainment, right? So we are sort of the backbone that provides a [00:03:00] lot of when you see the FIFA World Cup or you see, you know, in Asia Pac, you know, cricket and other sports, you know, NBA or NFL, etc.
 

So we play a role. Um, in all of those and enabling and protecting, enabling and protecting, right? Yeah, that's the, that's the key. And, uh, with some of the newer things that we're focusing on with API security, we're expanding the, the vertical and the industry focus, right? Because when you start to think about APIs being sort of, you know, the lifeline of the digital economy, you know, you, you have.
 

Healthcare companies or even manufacturing companies or industrials. You know, everybody is starting to think about it in terms of what they need to do. Yeah, things like open banking, right? Yes.  
 

Sean Martin: Part of anything you can do now.  
 

Rupesh Chokshi: Yes, yes. 
 

Sean Martin: So, and, so that's, that's like a, well the API is basically our services embedded into other services. 
 

Which may or may not be embedded in other things as well. Right. And certainly we have a supply [00:04:00] chain and all that stuff connects. Yeah. So, Talk to me about what you're seeing in terms of, uh, the growth of APIs. I was kind of joking, every company's an app company now. App company, yeah, yeah. Um, so they're building apps, they're using apps, they're connecting apps. 
 

Yeah. Right? They're working with their partners and exchanging the supply chain. If you look at automotive supply chain, it's got a total API driven. Yeah. So what are you seeing in terms of activity, traffic, and anything else related to that space?  
 

Rupesh Chokshi: Explosive growth, right? Just the sheer, in all dimensions, right? 
 

So as you mentioned, every company is a technology company, every company is an app company, every company is focusing on innovations of experiences, right? If I'm, you know, an automotive company, what's the experience that I want to do? If I'm an airline, what's the experience? If I'm a digital, you know, commerce company, whatever, you name it, right? 
 

And underneath that, we are connecting With this whole supply chain, digital economy, hyper connected with [00:05:00] APIs are sort of the, the lifeline, the arteries, the connected tissue. So when you go to the enterprise and say, Hey, how many do you have? And many times they don't even know. Is it 1000? Is it 10, 000? 
 

Is it 100,000? You have shadow APIs. So we see a lot of customers come to us and say, Hey, just even help me. Catalog what I have. And then when we go and talk to them and say, Hey, you know, we, we publish, uh, uh, the, the SOTI report, which is the State of the Internet report. And one of the ones that we did earlier, we, through our own data found that 109%, so 109 percent increase in attacks on APIs year over year, right?
 

So just the volume is there in terms of the data and the transactions, APIs, and then you start to see. The abuse and the attack surface also expand and the number of attacks increase, right? So it becomes a very sort of, you know, ripe space for the bad guys and the hackers to go [00:06:00] at. And we've seen some marquee brand names and customers in, you know, recent months have a big impact. 
 

Sean Martin: And can you share either or both, um, what the attacks are after? Are they looking for accounts? Are they looking for data? Are they looking for Access to other stuff. Are they looking to manipulate and I don't know, misinformation on social, social apps or changing records for banking app or whatever. What are some of the things you've seen? 
 

So 
 

Rupesh Chokshi: I think, you know, it's a, it's a number of things, but let's, let's do the most common things that we see is there's definitely a, a data breach, right? So what the attackers are doing is that they'll find, In an abuse, an API authenticate, unauthenticated type of information once they are penetrated into the enterprise system, right? 
 

So the, the API transactions are a method to sort of get in and once they're in what they're doing is just kind of [00:07:00] bringing all of that data out, right? So they're going after, you know, again, public information. You hear, you know, T-Mobile, uh, telephone mobile carrier had a breach, some 37 million records that they were able to trace back to API abuse.
 

Uh, you know, recently Dell was in the news, you know, 49 million records, data breach, API abuse. So you start to see, you know, again, you know, big companies having to deal with that. So that's one. Then you start to get into, some of the hackers are more interested in, you know, sort of, you know, monetization, right? 
 

So you have a loyalty program or something like that. So they could go in and start to manipulate that and, you know, shift information or get points into a new account or buy something or utilize it. So we see a lot of, you know, financial fraud take place too. And, uh, some of it is like, you know, tens of thousands of dollars. 
 

But it's not just the dollar amount. If you think about you and I as consumers, right? [00:08:00] We all flew in over here to Las Vegas. We're at Black Hat. You know, we probably got some loyalty points on our airline. And a week from now you wake up and you don't have your 100, 000 miles, right? And how would you trust, right? 
 

The fact that you are trusting the enterprise or the company or the brand that you're working with is sort of like compromised. Um, you know, you also see a lot of, you know, financial. Related abuse where money is, is moved and, and all of that, you know, one example I'll give you was very interesting. What the hackers did is that they went to this sort of, you know, um, television service company and they did 
 

Sean Martin: a streaming service. 
 

Rupesh Chokshi: Yeah, like, uh, you know, uh, satellite provider, right? Yeah. And they, they, they did a carding attack. So what they were doing was this going in, utilizing the APIs, the transactions to validate the tens of thousands of stolen credit cards that they had. So they're not taking anything away from that business, but now they know [00:09:00] which cards are active, that they can misuse somewhere else. 
 

Now, this business is now part of this process, right? Which is unfortunate that nothing was stolen from them, but they are now an accessory. to what happened. So there are so many different angles, right? That the bad guys have figured out how to monetize, how to utilize. And they keep, you know, folks like myself and my team and others, you know, on the toe, right? 
 

Because we're trying to figure out, you know, what's the next area of attack? What's the detection? How do we go about it? What does that armor look like? You know, do you focus on discovery, posture, runtime? And, and so many, you know, more things to do. Uh, one of the examples that we are working on is API testing, which is saying that let us go upstream, right? 
 

To the developer and say, before you deploy the code or before [00:10:00] you deploy the API, let me test it and I can tell you what are the known vulnerabilities and exposures and authentication issues or attacks. And utilize all of that to make what you have much more foolproof, right? And then we'll still protect you in runtime. 
 

But at least what you're pushing out is a lot more secure by design, right? And, uh, and that is, you know, again, a lot to do, a lot happening in this space. And we are just, every day, working with our customers.  
 

Sean Martin: So on that point, so many, many moons ago, I, I did some of that testing for a vendor, actually, back in the NLM days. 
 

But it was about testing the limits, testing the inputs and the outputs, testing what it should and shouldn't do. Right. And not just itself, but in the bigger picture as well. And so how, how can, let's speak to the CISOs for a moment, [00:11:00] because you mentioned they don't know how many APIs are being used.  
 

Rupesh Chokshi: They,  
 

Sean Martin: It's difficult for them to even begin tackling this problem. 
 

So do you find that they're, that they're working with the app dev teams and the SecOps teams to secure what they have at least, and then they're just hoping the other stuff doesn't surface. So talk to me about what, how they approach this problem and how they then work with you and the team at Akamai to reinforce and make it more robust. 
 

Rupesh Chokshi: So, you know, as you mentioned, like the number one challenge that we see for the CISOs is just the. The ability to even have a catalog, right? Like, I want to know what type of APIs for what type of apps. Is there something that is user web facing? Is there something B2B? Is there something internal? Do I have shadow?
 

What all do I have? Which ones are dormant? Which ones are active? You know, a lot of questions. And it's, it's unfortunate, but in the field of IT, you also have a lot of [00:12:00] like, developer churn and people churn, right? And the best of the developers are not the best keepers of their notes, right? They don't document everything, etc. 
 

So the CISO doesn't even know where to start. So when we work with them, it's first about discovery. So let us help you catalog. Let's help you discover, right? Some of it we can do from the data flow. Some of it we have scanning capabilities. Some of it we can. See, okay, you know, these things are happening in the production environment. 
 

You know, did you know about it? Etcetera. So we're able to kind of bring all of that, you know, internal, external and catalog it and discover it. And then, you know, we can take the intelligence that we have from a threat perspective, vulnerability perspective and provide posture. That said, how many of these things? 
 

Yeah. And what do you need to do about it? Like, is this something you need to, like, you know, immediately focus on? Or you have a little bit of time, [00:13:00] uh, to, to figure that out. Uh, so that is where, you know, bulk of it. And I think what is going to start to happen is that there will be more and more, you know, governance type of need, right? 
 

Which is even internal to the organization. How are we going to manage all of these things? You know, what is the cataloging? What is even the, the record? Like, what is a single truth to all of it, right? And, uh Does it sit under the CISO at the moment? I mean, I think so, because I think now it is, you know, the CSO would say, Hey, I can only protect what I know. 
 

Right? So if I don't even know, right? If my teams don't even fully understand, you know, I shared this thing with somebody the other day is that if you went to a CSO of a large enterprise and say, Hey, here's a laptop, that's part of your network, and you don't know about it, would they allow that? No, right? 
 

They're so focused on, you know, Endpoint security, like every laptop, every person, every cell phone, anything [00:14:00] that connects to their network, they want to know. For people and systems. Right, right. Now, what if that laptop was an API, right? Would you allow that? Right now, you don't know. And APIs are, in fact, designed to communicate externally. 
 

Sean Martin: Never cross inside, yeah.  
 

Rupesh Chokshi: Right. So the risk factors that are involved are very, you know, explicit, very massive. The threat landscapes are very different. You know, the classic perimeter thinking cannot like the firewalls, all of that cannot protect, right? Because you might say, Hey, you know, I'm going to put a firewall and anything that goes in and out is through the firewall. 
 

But you have so many apps, so many interactions that are designed to go in and out. And we live in a, you know, hyper connected supply chain economy, right?  
 

Sean Martin: So what are some of the signs? Let's assume for a moment there's a false sense of security. We think we have, I know [00:15:00] you said they tell you explicitly they don't have a complete view. 
 

Right. But we think we have a view of the stuff that matters most. Let's make that assumption for a moment. Um, what can they do? They're not quite ready to engage with the full. discovery process. Are there any signals or signs that could trigger them to say, I have something I need to dig deeper into here and I need to call Rupesh into? 
 

Rupesh Chokshi: Yeah, yeah. So I think a lot of times, you know, when you start to think about business logic abuse, you start to see some of that, that they can internally start to see, right? I mean, the example of the, the rewards program or loyalty program, you know, that customer. Was sort of like sensing this is something not right here, but they were not able to figure out What was there and the moment we deployed the API security solution and we showed how? 
 

Certain APIs were being abused for certain type of [00:16:00] information flow. What was going out it all started to come together Right and and that is where I think it's important, right? So they might be Be sensing that there's something not 100 percent right. Now, the fear with APIs is that, you know, a lot of the customers don't feel comfortable blocking their transactions, right? 
 

Because think of the intensity of the transactions. It's happening so fast, right? Well, that's usually the business, right? It's a customer being onboarded or a transfer of money going or something. Something happening, right? Let's take an example of, you know, hey, You're, you're booking a ride share on the app, right? 
 

There's like so many transactions that are happening in the back. And many of them are API centric. And you, you, you don't want to block it. You're concerned. But you want to know if there is something wrong happening. And how do you figure that out? Um, so a lot of, you know, the threat research and what we focus on is, is that. 
 

Is the data [00:17:00] telling me something? Have I, am I seeing certain patterns? We also have a lot of, you know, um, client reputation or IP reputation. So we know which IPs are good, which IPs are bad because we see a bulk of the traffic on the internet. So you take some of those intelligence and you can say, okay, if something is, is being abused from a bad IP. 
 

Then there's a very high probability that, you know, the hackers and the adversaries are, are breaking in.  
 

Sean Martin: So a lot of this stuff you can see outside the organization. Some of you have to be inside. Right. Um, the last moment we have here, the, the value of the, the data you see across all your customers. Yeah. 
 

Both publicly and working with them. How does that help you then have a more informed conversation to Help the CSO and their teams understand because we're talking about multiple teams here, right? Yeah. Get a sense of [00:18:00] here's how we should move forward.  
 

Rupesh Chokshi: Yeah. Yeah. No, that's a great, great point and question, Sean, which is, you know, at Akamai, we see tremendous amount of data, right? 
 

We see majority of the, you know, transactions taking place on the Internet. We see the enterprise inside data. And what we're doing is two things. So one is. Some of this data is utilized by our threat research and the AI ML models that we have to learn, right, in terms of what is happening. You know, we have bot mitigation models where we can identify which ones are human being related transactions or bots are coming in and buying sneakers or, you know, trade. 
 

I mean, they go buy tickets to a big event or something like that, right? So we're able to do that, have the AI models, you know, do that. And then when we have the conversations with the customers, we're able to show them time series, right? Look, this is what [00:19:00] happened. Some of the hackers came, the bots came, the attackers came. 
 

They tried to penetrate over here. These places they were able to get through. These places they were not able to get through. What's the next layer of defense? How do you do defense in depth? All of that, right? And, and, and. The data helps, you know, tell that story, gives the confidence. It's all about, all about the story. 
 

Yeah. And the story, story's in the data. Story's in the data. Story's in the data. And the other advantage we have is that we're also able to see, sort of, you know, within the, let's say the vertical, right? So let's say the financial services, right? So if I'm seeing a Layer 7 attack or a DDoS attack on Bank A, right? 
 

I can go make sure Bank B, C, D, E, F, G, are more protected? Are they kind of in the right posture? Because sometimes we see the adversaries hit up the entire sector. And we're seeing more and more of that with infrastructure too, right? We're seeing more and more with, uh, you know, operational technology companies, right?
 

You [00:20:00] know, oil company, manufacturing company, you know, infrastructure. Well, they're just coming up to speed on all this stuff as well. Right, right. 
 

Sean Martin: They need that insight. Yes, yes, yeah. Well, amazing, Rupesh. I appreciate chatting with you and, and, uh, getting to meet you in person here in Las Vegas.  
 

Rupesh Chokshi: Great, thank you. 
 

Sean Martin: And, uh, always happy to have a chat with the Akamai team. And hopefully If you're here in Vegas still, if this is, uh, if you're listening to this and it's still Vegas week at Black Hat, be sure to stop by the booth and, uh, say hi to Rupesh and, and, uh, if not, connect with him online. Visit the directory page and there will be resources as well as part of the show notes, so. 
 

Great. You can, uh, you can learn more about Akamai and all the API goodness that they provide. And everything else that enable and protect businesses that we all probably use at some point.  
 

Rupesh Chokshi: Great. Yes. Thank you.  
 

Sean Martin: Thanks everybody.  
 

Rupesh Chokshi: Thanks for Pet. Thank you.