Neosec on Tuesday announced that it had completed $20.7 million in Series A funding aimed at combining established techniques from extended detection and response (XDR) and behavioral analytics to focus on uncovering threats and business abuse hiding inside APIs.

According to Neosec, while some security products claim to protect APIs, most rely on traditional signatures that let API calls pass without any usage checks. These systems have no way to recognize bad behavior within APIs, and they let authenticated clients freely interact with them, assuming the clients are safe and authorized.

Without the ability to assess the behavior of APIs, organizations cannot know whether business partners are abusing APIs, whether bad actors are producing fake orders, or whether attackers are scraping data from inventory APIs or conducting espionage. Neosec also pointed out that attackers can divert money to criminals via an API accessed by a compromised partner.

"Today, APIs contain both money and data as well as govern key interactions within a business and to customers, partners and suppliers," said Puneet Agarwal, partner at True Ventures, one of the main investors. "Every API is a window into an organization's business systems and potentially exposes key business logic and processes. Ignoring this blind spot is no longer an option, so the need for a new approach to API security is critical."

With the rise of SaaS services, APIs cross the cloud, integrating services with desktop, IoT, and mobile devices, said Skip Hovsmith, principal engineer and VP Americas at Approov. APIs exposed in the cloud, even when well-tested and properly configured, are open to API abuse through bot and credential stuffing attacks, fake app PII manipulation, and unauthorized aggregation with other services, Hovsmith said.

“In an API-connected cloud, you can lose your reputation, your profits, and even control of your business in seconds,” Hovsmith said. “New authorization techniques are required to extend API trust from service to your users anywhere in the cloud.”

Cloud environments cannot operate safely without zero-trust strategies implemented, and API security has become an important part of that, said Marc Woolward, CTO and CISO at vArmour. Woolward said the security industry will likely see more businesses addressing this need.

“The size of the threat to cloud security shows there’s benefit in exploring whether restricting access can fully secure APIs, for example, with a defense-in-depth model that minimizes an organization's attack surface and restricts access,” Woolward said.

Michael Isbitski, technical evangelist at Salt Security, added that APIs are the heart of applications, powering business functionality and serving up data.

“API security is rightly getting a lot of attention these days,” Isbitski said. “The headlines about API vulnerabilities and ‘leaky APIs’ just keep coming — the recent disclosure of an Azure vulnerability involved APIs, and we’re all familiar with the data exfiltration that Peloton, Experian, and LinkedIn all suffered at the hands of bad actors manipulating APIs.”