Why API Security Demands an Identity-First Approach

In complex decision-making, a one-size-fits-all approach is rarely effective. And nowhere is this more evident than in the realm of digital security. Applications and users are unique and threat patterns are constantly evolving, requiring a keen understanding of why and how behavior varies across requests in order to determine how to handle each one. 

While it is becoming clear that a dynamic approach to security is needed to detect fraud in this changing landscape, API security solutions often fail to consider the same identity context when assessing risk signals, despite the increasing convergence of API security and fraud detection.

This blog will dive deep into how shifting to an identity-first approach can improve API security, outline some of the main detection capabilities that are used in this approach and discuss how orchestration can help utilize those risk signals to improve decisioning and optimize detection.

API security: from an infrastructure-centric to a user-centric approach

Traditionally, API security has been infrastructure-centric. This method employs firewalls, intrusion detection systems, and encryption with a set of static rules applied uniformly to every access request. Once an access request meets these criteria, trust is extended.

But digital trust is not static. As APIs evolve and users change, the risk associated with each request must be continually assessed due to:

  • API vulnerabilities and injection attacks, whose exploitation techniques change over time as attackers adapt to circumvent protections and evade detection.
  • Changes in entitlement, such as a user upgrading to a higher membership tier, which require permissions to be updated so that access remains correctly scoped.
  • Compromised user identities that allow attackers to pass authentication and authorization checks on API requests with stolen credentials.
  • Account takeover, which gives fraudsters access to APIs across the user journey.
  • Outdated or compromised APIs that enable data breaches, transaction manipulation and malicious code injection.

And as generative AI and organized fraud make it easier for attackers to launch sophisticated attacks, static detections go stale even faster, leaving APIs exposed while teams rush to update security rules.

Identity context enables continuous risk assessment

Identity-first security replaces static security measures with a dynamic approach to threat detection that continuously monitors user behaviors to pinpoint suspicious or unusual patterns. To protect APIs, identity context can be used to understand which APIs are being consumed and who is making the requests based on the individual users’ historical behavior and the overall usage patterns of specific APIs. 

This user-centric approach is also used in fraud detection solutions to detect anomalies in requests that may indicate threats. For example:

  • Phishing attacks, where fraudsters are able to access users’ accounts by tricking them into entering their credentials onto attacker-controlled websites, can be detected through IP reputation, behavioral biometrics, and device fingerprinting. 
  • Device takeover, which gives fraudsters remote control over devices to pose as the device owner, can be detected by analyzing mouse movements and checking if actions were performed using a remote desktop connection.
  • APP fraud (authorized push payment fraud), where fraudsters convince users to authorize fraudulent transactions by impersonating a trusted contact, can be identified by detecting anomalies in the user's behavior during transactions.

However, detection tools that only assess risk in account activity fail to detect the root cause of attacks that leverage broken, vulnerable or outdated APIs to gain fraudulent access to user accounts. To gain a complete picture of the attack MOs that enable fraud and detect threats as soon as they emerge, these solutions must be extended by applying the same identity context to API security.

Detection context for identity-first risk decisioning

An identity-first approach to API protection requires the continual assessment of a wide variety of signals, including:

  • Time series analysis of time-stamped data points to pinpoint changes in API requests over time, such as changes in IPs, devices or client binding, or abnormal usage patterns.
  • Network/IP signals, such as access requests that are inconsistent with the user's typical geographic location, IP and network, as well as global risk signals such as known fraudulent IPs or impossible travel.
  • Bot detection signals, such as high-velocity authentication requests that indicate credential stuffing, the use of automation frameworks such as OpenBullet, and the machine's operating system as inferred through TCP/IP fingerprinting.
  • Request-level data, such as credentials, endpoints, active user sessions and the body and headers of the request.

A single risk signal or detection framework rarely provides enough context to deliver a strong indication of risk, especially as behavior varies from user to user. To gain a complete picture, AI-based detection models aggregate these risk signals into a unified risk score based on anomalies in a specific user's requests, rather than relying on static, infrastructure-centric rules that only check whether the request matches predefined patterns of malicious behavior.

This lets AI-based, user-centric detection produce fewer false positives and stay more current than rules maintained by human analysts alone, and yields a more robust solution that adapts as attack methods change. By detecting anomalies against each user's past behavior in their interactions with both APIs and customer accounts, businesses gain a unified risk score that can be used to block, challenge, allow or trust the request through real-time action triggers.

However, ensuring the efficacy of these real-time detection models may also require batch analysis of datasets too large to assess in real time. This offline analysis makes it possible to detect trends that occur over time, enables IP and device profiling, and can pinpoint anomalies in client binding. In addition, anomalies detected in large datasets can be fed into link analysis tools to visualize suspicious connections between users, such as frequently reused IPs.

Offline analysis tools complement real-time detection by assisting human experts in providing feedback to real-time detection models. These experts also perform a range of critical tasks, such as documenting investigations and updating security controls to stop large-scale campaigns and other threats targeting their applications. To perform these tasks, they must be able to understand how risk is calculated within AI-based systems, a property known as model explainability.

The crucial role of identity orchestration

In order to react in real-time to anomalies or alterations affecting user risk levels, permissions, or authentication during API requests, another crucial component is needed in identity-first security solutions: identity orchestration. 

Orchestration lets teams complement API security with fraud detection, whether they use a consolidated solution or multiple third-party tools. With it, the various sources of identity data that affect risk decisioning can be combined in a single risk engine that provides a 360-degree view of each user's interactions with the application.

Rather than using complex code to combine these data sources, orchestration enables the use of no-code or low-code tools to fine-tune how and when various data sources and solutions impact decisioning. These same tools also simplify the process of building user journeys that trigger automated responses in identity security services, such as stronger authentication or identity proofing in response to specific risk indicators. 

For example, businesses can use orchestration to: 

  • Adjust access permissions instantly when anomalies or major changes are detected in user behavior or authentication techniques.
  • Prompt users for additional authentication steps based on perceived risk before granting access to sensitive APIs.
  • Standardize risk signals from user accounts and API requests to improve the synergy between fraud detection and API security.
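The following is an added example, not Transmit Security's code, that ties together the two preceding sections: the per-request signals listed under "Detection context" (impossible travel, IP reputation, authentication velocity, automation markers, new device, unusual endpoint) are aggregated into a single 0-100 score with the contributing reasons preserved for explainability, and an orchestration policy then maps that score to allow, challenge or block, stepping up earlier for sensitive endpoints. The user profile, global signals, weights, thresholds, endpoint names and sample requests are all constructed assumptions; the additive weighting is a transparent stand-in for the AI-based aggregation the post describes, chosen so the pipeline shape is visible.

```python
"""Identity-first risk decisioning for a single API request.

Added example (not Transmit Security's code). The signals, weights,
thresholds and sample data are constructed assumptions that stand in
for the AI-based aggregation the post describes; the point is the
shape of the pipeline: signals -> unified score -> explained action.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed per-identity baseline: what "normal" looks like for this user.
PROFILE = {
    "known_devices": {"dev-a1", "dev-b7"},
    "home_country": "DE",
    "usual_endpoints": {"GET /v1/account", "GET /v1/orders"},
    "last_seen": {"ts": 1_700_000_000, "lat": 52.52, "lon": 13.40},  # Berlin
}
# Constructed global signals shared across all users.
BAD_IPS = {"203.0.113.9"}                                   # RFC 5737 range
AUTOMATION_MARKERS = ("python-requests", "openbullet", "curl")
SENSITIVE_ENDPOINTS = {"POST /v1/payments", "PUT /v1/profile/email"}


@dataclass(frozen=True)
class Request:
    ts: int
    ip: str
    device_id: str
    country: str
    lat: float
    lon: float
    endpoint: str
    user_agent: str
    auth_attempts_per_min: int   # time-series counter kept per source IP


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, used for the impossible-travel check."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def score_request(req, profile):
    """Aggregate per-signal evidence into one 0-100 score plus the reasons behind it.

    The weighted sum is a transparent stand-in for a trained model; keeping the
    per-signal contributions is what gives analysts explainability.
    """
    reasons = []
    last = profile["last_seen"]
    hours = max(req.ts - last["ts"], 1) / 3600
    speed = haversine_km(last["lat"], last["lon"], req.lat, req.lon) / hours
    if speed > 1000:                      # faster than any airliner
        reasons.append(("impossible_travel", 40))
    if req.ip in BAD_IPS:
        reasons.append(("ip_reputation", 30))
    if req.auth_attempts_per_min > 30:    # credential-stuffing velocity
        reasons.append(("auth_velocity", 35))
    if any(m in req.user_agent.lower() for m in AUTOMATION_MARKERS):
        reasons.append(("automation_framework", 25))
    if req.device_id not in profile["known_devices"]:
        reasons.append(("new_device", 20))
    if req.country != profile["home_country"]:
        reasons.append(("new_country", 10))
    if req.endpoint not in profile["usual_endpoints"]:
        reasons.append(("unusual_endpoint", 10))
    reasons.sort(key=lambda r: r[1], reverse=True)
    return min(100, sum(w for _, w in reasons)), reasons


def decide(score, endpoint):
    """Orchestration policy: map the unified score to allow / challenge / block.

    Sensitive endpoints step up at a lower threshold than ordinary ones.
    """
    if score >= 60:
        return "block"
    if score >= 25 or (endpoint in SENSITIVE_ENDPOINTS and score >= 10):
        return "challenge"   # e.g. trigger MFA before the API call proceeds
    return "allow"


def evaluate(req, profile=PROFILE):
    score, reasons = score_request(req, profile)
    return {"action": decide(score, req.endpoint),
            "score": score,
            "top_reasons": [name for name, _ in reasons[:3]]}


# Constructed sample traffic for the profile above.
T0 = PROFILE["last_seen"]["ts"]
SAMPLES = {
    "benign":              Request(T0 + 7200, "198.51.100.4", "dev-a1", "DE", 52.52, 13.40,
                                   "GET /v1/orders", "Mozilla/5.0", 1),
    "new_device_payment":  Request(T0 + 7200, "198.51.100.4", "dev-z9", "DE", 52.52, 13.40,
                                   "POST /v1/payments", "Mozilla/5.0", 1),
    "account_takeover":    Request(T0 + 1800, "203.0.113.9", "dev-z9", "US", 40.71, -74.01,
                                   "PUT /v1/profile/email", "Mozilla/5.0", 1),
    "credential_stuffing": Request(T0 + 60, "198.51.100.77", "dev-c3", "DE", 52.52, 13.40,
                                   "POST /v1/auth/login", "python-requests/2.31", 200),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22s} -> {evaluate(req)}")
```

Running the block prints one decision per constructed sample: the benign request scores 0 and is allowed, the payment from an unknown device scores 30 and is challenged (the sensitive endpoint plus a new device is enough to step up), and both the account-takeover and credential-stuffing requests are blocked with impossible travel and authentication velocity, respectively, reported as the top reason. In a production system the weights would come from the model and the profile from the batch analysis described above; what should survive from this sketch is that the reasons list travels with the score, so the orchestration layer and the analyst both see why a request was challenged.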

Conclusion

End-to-end protection for online accounts demands security measures that are as dynamic and evolving as the threats they aim to counter. An AI-based, user-centric approach to API security that continuously evaluates trust through identity context can not only deliver enhanced and always-up-to-date API protection, but improve the efficacy of fraud detection systems that leverage the same risk signals to secure the customer lifecycle.

Transmit Security’s AI-based detection capabilities analyze hundreds of detection methods to build unique profiles for each end user, which are used to detect anomalies and deliver out-of-the-box recommendations for responding to risk signals. Model explainability provides insight into the top reasons for each recommendation, while industry-leading orchestration enables teams to standardize risk signals from various data sources to optimize decisioning and customize user journeys using low-code and no-code tools.

By leveraging these same capabilities for API security, enterprises can gain a more comprehensive understanding of their applications’ threats and vulnerabilities and streamline their responses to a range of attacks on both APIs and end user accounts. Contact Sales to find out more about API security and fraud detection with Transmit Security.

Authors

  • Danny Kadyshevitch, Senior Product Manager

    Danny Kadyshevitch is a Senior Product Manager at Transmit Security. He previously built and led product management for the company's Passwordless and MFA Services and now runs product management for Account Protection Services. Prior to Transmit Security, Danny gained extensive experience in cyber security, serving in the IDF's 8200 intelligence unit and spending 7 years in Microsoft's Cloud Security division.

  • Rachel Kempf, Senior Technical Copywriter

    Rachel Kempf is a Senior Technical Copywriter at Transmit Security who works closely with the Product Management team to create highly technical, narratively compelling assets for customers and prospects. Prior to joining the team at Transmit Security, she worked as Senior Technical Copywriter and Editor-in-Chief for Azion Technologies, a global edge computing company, and wrote and edited blog posts and third-party research reports for Bizety, a research and consulting company in the CDN industry.