Microsoft Defender for APIs in Defender for Cloud

Microsoft announced the availability of Defender for APIs in Public Preview during the RSA security conference.
What exactly can we accomplish with the Defender for APIs?
- Inventory: get an aggregated view of all managed APIs in a single dashboard.
- Security findings: analyse the findings on API security, including information about unauthenticated, underused, or external APIs.
- Recommendations: review and implement security recommendations to improve API security posture and harden at-risk surfaces.
- Data classification: classify APIs that receive or respond with sensitive data, so that risk can be prioritised.
- Threat detection: ingest API traffic and monitor it with runtime anomaly detection, machine learning and rule-based analytics to detect API security threats, including the OWASP API Top 10 most critical threats.
- Cloud Security Graph integration: integrate with the Cloud Security Graph in Defender's Cloud Security Posture Management (CSPM) to provide organization-wide API visibility and risk assessment.
- Azure API Management integration: once the Defender for APIs plan is enabled, API security recommendations and alerts are surfaced in the Azure API Management interface.
- SIEM integration: integrate with security information and event management (SIEM) systems so that security teams can investigate using their existing threat-response workflows.
Organisations can “gain visibility into business-critical APIs” with the new Microsoft Defender for APIs solution, which is part of the Microsoft Defender for Cloud service. Microsoft's documentation claims “full lifecycle protection, detection, and response coverage” for Defender for APIs.
Inventories of an organization's managed APIs are shown in a dashboard, where users can search for “external, unused, or unauthenticated APIs.” A machine learning procedure evaluates the APIs against the OWASP Top 10 most dangerous software vulnerabilities. Microsoft Defender for APIs also reveals which APIs access confidential data, which lets organisations strengthen the configurations used with those APIs.
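The feature list and the paragraph above describe posture findings (unauthenticated, unused, external and sensitive-data APIs) ranked for review. The script below is an added illustration of how such findings can be derived, written for this article; it is not Microsoft's code and does not reflect how Defender for APIs computes its findings. The inventory format, the access-log format, the `auth=` field, the sensitive-field list and the risk weights are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory, loosely modelled on what an API gateway export could
# describe. Field names and values are assumptions for this illustration.
INVENTORY = [
    {"collection": "orders-api", "method": "GET", "path": "/orders/{id}",
     "external": True, "response_fields": {"id", "total", "email", "address"}},
    {"collection": "orders-api", "method": "POST", "path": "/orders",
     "external": True, "response_fields": {"id", "total"}},
    {"collection": "internal-api", "method": "GET", "path": "/health",
     "external": False, "response_fields": {"status"}},
    {"collection": "legacy-api", "method": "GET", "path": "/export",
     "external": True, "response_fields": {"id", "email", "card_number"}},
]

# Constructed gateway access log: timestamp, method, path, status, auth kind.
# "auth=none" marks a request that carried no subscription key or token.
ACCESS_LOG = """\
2024-05-01T10:00:00Z GET /orders/{id} 200 auth=jwt
2024-05-01T10:00:05Z GET /orders/{id} 200 auth=none
2024-05-01T10:01:00Z POST /orders 201 auth=jwt
2024-05-02T09:00:00Z GET /health 200 auth=none
2024-03-01T08:00:00Z GET /export 200 auth=key
"""

# Response field names treated as sensitive here (an assumption; a real
# classifier would use data-classification labels instead of a name list).
SENSITIVE_FIELDS = {"email", "phone", "address", "ssn", "card_number"}

# Weights are illustrative; they only order the review queue.
WEIGHTS = {"unauthenticated": 5, "sensitive-data": 4, "external": 3, "unused": 2}


def parse_log(text):
    """Yield one dict per log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, method, path, status, auth = parts
        yield {
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "method": method,
            "path": path,
            "status": int(status),
            "auth": auth.partition("=")[2],
        }


def summarise_traffic(text):
    """Per endpoint: last request time, and whether any request succeeded
    without credentials (the 'unauthenticated' signal)."""
    seen = defaultdict(lambda: {"last": None, "unauth_ok": False})
    for rec in parse_log(text):
        entry = seen[(rec["method"], rec["path"])]
        if entry["last"] is None or rec["ts"] > entry["last"]:
            entry["last"] = rec["ts"]
        if rec["auth"] == "none" and 200 <= rec["status"] < 300:
            entry["unauth_ok"] = True
    return seen


def assess(inventory, log_text, now, unused_after=timedelta(days=30)):
    """Return findings per endpoint, highest risk score first."""
    traffic = summarise_traffic(log_text)
    results = []
    for api in inventory:
        stats = traffic.get((api["method"], api["path"]),
                            {"last": None, "unauth_ok": False})
        findings = []
        if stats["unauth_ok"]:
            findings.append("unauthenticated")
        if api["response_fields"] & SENSITIVE_FIELDS:
            findings.append("sensitive-data")
        if api["external"]:
            findings.append("external")
        if stats["last"] is None or now - stats["last"] > unused_after:
            findings.append("unused")
        results.append({
            "endpoint": f'{api["method"]} {api["path"]}',
            "collection": api["collection"],
            "findings": findings,
            "score": sum(WEIGHTS[f] for f in findings),
        })
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for r in assess(INVENTORY, ACCESS_LOG, NOW):
        print(f'{r["score"]:>3}  {r["endpoint"]:<18} {r["collection"]:<13} '
              f'{", ".join(r["findings"])}')
```

The "unauthenticated" signal is taken from observed traffic (a successful response to a request with no credentials) rather than from the declared policy, because a policy that exists but is not enforced is exactly the gap the dashboard is meant to surface. With the constructed data, the externally reachable order-lookup endpoint that returns e-mail and address data without credentials ranks first, and the stale export endpoint that returns card numbers ranks second.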
Information about Microsoft Defender for APIs is displayed in either the Microsoft Defender for Cloud Portal or the Azure Portal. Microsoft Defender for APIs displays alerts in addition to security recommendations, and it is compatible with a wide variety of security information and event management (SIEM) systems.
APIs enable communications between “users, cloud services and data,” but according to the announcement made by Microsoft, they tend to be “loved by developers and threat actors alike.”
According to the release, “threat actors are increasingly using APIs as their primary attack vector to breach data from cloud applications,” meaning API security has become a vital concern for chief information security officers (CISOs). It went on to say that conventional security measures based on perimeters are deficient in “API behavioural knowledge, which leaves a big hole in API security.”
An example given by Microsoft is the hack that occurred at the Aussie telecommunications company Optus. This hack exposed customer information because “an unprotected and publicly exposed API” did not require user identification for connections.
Microsoft has announced that the preview version of Microsoft Defender for APIs is “now available in most Azure commercial regions.”
Enabling API Protection

API security findings
Examine the inventory and the security findings for onboarded APIs in the Defender for Cloud API Security dashboard. The dashboard breaks down the number of onboarded APIs by API collection, endpoint, and Azure API Management service.

You can drill down into the API collection to review security findings for onboarded API endpoints.

FAQ: Microsoft Defender for APIs in Defender for Cloud
Q: What is Microsoft Defender for APIs?
A: Microsoft Defender for APIs is a cloud-based security solution designed to protect APIs published in Azure API Management services and API endpoints. It provides threat intelligence, anomaly detection, and runtime protection against suspicious API calls and data exfiltration attempts.
Q: How does Defender for APIs provide cloud security?
A: Defender for APIs provides cloud security by monitoring API traffic in real-time and applying machine learning algorithms to detect anomalous behavior. It also integrates with other Microsoft cloud security solutions such as Azure Defender and Microsoft Sentinel to provide a comprehensive security posture for cloud platforms.
Q: What are the key features of Defender for APIs in public preview?
A: Defender for APIs in public preview provides threat intelligence feeds, automatic onboarding of APIs published in Azure API Management services, data classification, security findings for onboarded APIs, and a cloud API security dashboard.
Q: What is Azure Defender and how does it relate to Defender for APIs?
A: Azure Defender is a cloud security posture management (CSPM) solution that provides centralized visibility and control of security for cloud platforms. Defender for APIs can be integrated with Azure Defender to provide advanced security analytics and incident response for APIs published in Azure API Management services.
Q: Can Defender for APIs be integrated with SIEM solutions?
A: Yes, Defender for APIs can be integrated with SIEM solutions using its APIs. It provides a RESTful API and a security events stream for integrating with SIEM solutions such as Microsoft Sentinel.
Q: How can I onboard APIs to Defender for APIs?
A: APIs can be onboarded to Defender for APIs using the Azure API Management portal. APIs published in Azure API Management services can be automatically onboarded to Defender for APIs using its automatic onboarding feature.
Q: What is the Cloud Security Graph and how does it relate to Defender for APIs?
A: The Cloud Security Graph is a centralized security analytics dashboard that provides visibility into security incidents across cloud platforms. Defender for APIs integrates with the Cloud Security Graph to provide security incident response and triage for APIs published in Azure API Management services.
Q: How can I view Defender for Cloud alerts and recommendations?
A: Defender for Cloud alerts and recommendations can be viewed in the Azure Security Center portal. It provides a comprehensive view of security alerts and recommendations for cloud platforms and services.
Q: What is the incident response process for suspicious API calls detected by Defender for APIs?
A: The incident response process for suspicious API calls detected by Defender for APIs involves analyzing the security findings and taking appropriate actions such as blocking the API endpoint, disconnecting the API subscription, or escalating the incident to the security team.
Q: What is data exfiltration and how does Defender for APIs prevent it?
A: Data exfiltration is the unauthorized transfer of data from a protected system. Defender for APIs prevents data exfiltration by monitoring API traffic and applying anomaly detection algorithms to detect suspicious API calls that may indicate data exfiltration attempts.
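The FAQ answers on anomaly detection and data exfiltration describe monitoring API traffic and flagging calls that depart from normal behaviour. The script below is an added illustration of that idea, written for this article; it is not Microsoft's code and does not reflect the models Defender for APIs actually uses. It aggregates constructed gateway records per caller and hour, learns a baseline from the first two days, and flags a later window whose response volume or count of distinct object identifiers is a robust-z-score outlier. The record format, the callers, the hourly window and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(day, hour):
    return datetime(2024, 5, day, hour, tzinfo=timezone.utc)


# Constructed traffic: (timestamp, caller, path, bytes_out). Days 1-2 are the
# learning period; on day 3 "app-frontend" walks through 200 order ids in one
# hour, the shape a bulk data pull would leave in gateway logs.
REQUESTS = []
for day in (1, 2):
    for hour in range(8, 18):
        REQUESTS.append((_ts(day, hour), "app-frontend", f"/orders/{1000 + hour}", 2_000))
        REQUESTS.append((_ts(day, hour), "partner-sync", "/orders", 50_000))
REQUESTS.append((_ts(3, 9), "partner-sync", "/orders", 50_000))
for i in range(200):
    REQUESTS.append((_ts(3, 9) + timedelta(seconds=i), "app-frontend",
                     f"/orders/{5000 + i}", 2_000))


def object_id(path):
    """Trailing numeric path segment, e.g. /orders/42 -> '42'; None otherwise."""
    tail = path.rstrip("/").rsplit("/", 1)[-1]
    return tail if tail.isdigit() else None


def hourly_windows(requests):
    """Aggregate per (caller, hour): bytes returned and distinct object ids."""
    windows = defaultdict(lambda: {"bytes": 0, "ids": set()})
    for ts, caller, path, nbytes in requests:
        w = windows[(caller, ts.replace(minute=0, second=0, microsecond=0))]
        w["bytes"] += nbytes
        oid = object_id(path)
        if oid is not None:
            w["ids"].add(oid)
    return windows


def robust_z(value, history):
    """Median/MAD z-score. The floor on the scale stops a perfectly flat
    baseline (MAD = 0) from turning every tiny change into an alert."""
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, 0.1 * med, 1.0)
    return (value - med) / scale


def detect(requests, baseline_end, z_threshold=3.0):
    """Score every window at or after baseline_end against that caller's
    earlier windows; return the anomalous ones, strongest first."""
    windows = hourly_windows(requests)
    baseline = defaultdict(lambda: {"bytes": [], "ids": []})
    for (caller, start), w in windows.items():
        if start < baseline_end:
            baseline[caller]["bytes"].append(w["bytes"])
            baseline[caller]["ids"].append(len(w["ids"]))
    alerts = []
    for (caller, start), w in windows.items():
        if start < baseline_end or caller not in baseline:
            continue  # a caller with no history needs a separate rule, not a z-score
        hist = baseline[caller]
        z_bytes = robust_z(w["bytes"], hist["bytes"])
        z_ids = robust_z(len(w["ids"]), hist["ids"])
        if max(z_bytes, z_ids) > z_threshold:
            alerts.append({
                "caller": caller,
                "window": start.isoformat(),
                "bytes": w["bytes"],
                "distinct_ids": len(w["ids"]),
                "z_bytes": round(z_bytes, 1),
                "z_ids": round(z_ids, 1),
            })
    alerts.sort(key=lambda a: max(a["z_bytes"], a["z_ids"]), reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in detect(REQUESTS, _ts(3, 0)):
        print(alert)
```

Two signals are scored separately because they catch different things: response volume rises when a caller pulls large records, while the count of distinct object identifiers rises when a caller with a normal per-request size enumerates one record after another. In the constructed data the partner's day-3 window matches its baseline and is silent, while the frontend's day-3 window is flagged on both signals.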