Security startup Elastic Beam launched its flagship product, an artificial-intelligence powered software platform that blocks attacks on application programming interfaces (APIs).
Eighty-eight percent of enterprises use APIs in their business. They drive revenue and improve speed-to-market, according to a CA Technologies report. For these and other reasons, more companies are deploying APIs in mobile, Internet of Things (IoT), and hybrid cloud environments.
APIs also represent a security risk because they make it easier for hackers to reach into business applications, systems, and databases.
To address this security risk and give companies visibility into their API infrastructures, Bernard Harguindeguy and Uday Subbarayan founded Elastic Beam. The startup recently emerged from stealth mode and announced its new software, API Behavioral Security (ABS).
Harguindeguy is a former CEO of web security company GreenBorder, the first security company Google acquired in 2007. Subbarayan was a founder of API management startup Apigee, which Google acquired for $625 million in 2016.
API Behavioral Security
The product protects APIs from hackers without credentials probing for vulnerabilities to attack an enterprise’s data and systems, Harguindeguy said. This includes data theft or destruction, API-specific Distributed Denial of Service (DDoS) attacks, complete host takeovers, and attacks on authentication systems.
“We can detect and block these attacks,” Harguindeguy said. “No tools today can detect an attack past that API log-in. We are the only ones who can do that. The main value we bring is that when someone is looking into your API, we use AI and we can tell you what is happening in great detail.”
The software also prevents hackers from reconnecting after termination. When attackers are identified, enforcement nodes automatically block access across all sites, including hybrid clouds.
In addition to securing APIs, the product produces detailed reports on API activity for forensic or compliance reporting. This includes all actions on all APIs such as every method and command used.
And it uses decoy APIs to trap hackers. These fake APIs capture attack information for analysis and reporting.
The software integrates with other API management products such as IBM API Connect and Google’s Apigee.
Customers include government agencies, banks and financial firms, and health care organizations, Harguindeguy said.
API Security Threats
Last year security analysts showed how unsecured Nissan Leaf APIs unwittingly allowed hackers to access car features such as climate control and battery charge management.
In 2015 hackers stole tax information from more than 100,000 taxpayers using the IRS’ Get Transcript API.
“Elastic Beam’s technology would have blocked those attacks,” said Gartner analyst Mark O’Neill. “Until recently people had to adapt either website security products or general purpose API management products for API security. None of those really were providing built-for-purpose solutions for API security.”
Startups like Elastic Beam, Distil Networks, and Shield Square meet this need, he said.
“The other thing that is smart with Elastic Beam is their machine-learning approach,” O’Neill added.
Predicting API traffic is tricky. You don’t want to inadvertently block a legitimate traffic spike — such as Black Friday shoppers using Target’s mobile API.
“Using machine learning is a way to ensure you don’t have unsophisticated rules that wouldn’t be able to adapt and learn the difference between good traffic and bad traffic,” O’Neill said. “It also saves clients time as well because they don’t have to spend time configuring the rule for each API.”
Likely Acquisition Target
451 Research analyst Carl Lehmann praised the company’s specific focus on API security. “Elastic Beam is on to something good,” he said.
API security management typically means authentication and rights and privileges.
“Elastic Beam goes into another level of detail: memory attacks and stolen cookies and various forms of attacks on data,” Lehmann said. “And all the possible use cases where APIs can be exposed to risk — they address each type of risk with this platform. Those security capabilities are a very much needed detail in security strategy for API use.”
Elastic Beam and vendors like it are going to be in high demand — and are likely acquisition targets, Lehmann said.
“I don’t see these companies lasting a very long time by themselves. They’re likely to be made an offer they can’t refuse.”
Its API security software makes an attractive addition to a platform-as-a-service offering or hybrid integration platform, he said. “You can go down the list: IBM would want something like this. Amazon, Google, Oracle, SAP would want it. Any and all players in application development, DevOps, integration, and PaaS would like to acquire a company like Elastic Beam.”