Under the Microsoft Defender for Cloud umbrella, Microsoft Defender for APIs, offers protection for APIs at every stage of their lifecycle. This service enhances the protections from Web Application Firewalls and API Gateways, resulting in a comprehensive security framework for API endpoints. In this article, we'll dive deeper into how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management (APIM).
Defender for APIs
Defender for APIs provides visibility into crucial APIs. It facilitates a deep dive into your API security, allowing prioritization of vulnerabilities and quick detection of active threats. Key features include a consolidated view of managed APIs with security insights on external, inactive, or unauthenticated APIs, data classifications of sensitive data in API interactions, and machine learning-driven detection of API threats in alignment with the OWASP API Top 10.
Azure API Management
Azure API Management caters to the entire API lifecycle. APIM includes an API gateway, management platform, and developer portal. The gateway manages requests, ensures authentication, transforms requests and responses, caches responses, enforces usage caps, emits logs, and more. Diagram 1 showcases how Defender for APIs augments APIM's functionalities.
Diagram 1: Defender for APIs Enhancements to APIM
Azure Web Application Firewall
Azure WAF provides a centralized defense against web and API vulnerabilities like SQL injections and cross-site scripting attacks. With its rapid virtual patching, Azure WAF offers quick threat mitigation without needing to individually secure every web application.
Each solution is crafted to address particular types of threats and vulnerabilities. For instance, Azure WAF provides in-line prevention against web-based attacks, APIM oversees traffic and data management, and Defender for APIs identifies posture misconfigurations and API-specific threats. Collectively, these solutions protect against diverse threats and offer comprehensive security.
Diagram 2 displays how you can use a single APIM instance for consumption by internal and external customers with protection from Azure WAF and Defender for APIs. The workflow is as follows:
- The WAF on Application Gateway checks the request against WAF rules. If the request is valid, then it will proceed.
- Application Gateway directs the request to APIM.
- APIM accepts and properly maps the requests.
- Defender for APIs inspects API endpoints and gives insight on whether the API is properly authenticated, inactive, and externally facing.
- Defender for APIs monitors the traffic going to and from APIM to classify sensitive data and alert on exploits and anomalies.
Diagram 2: Defense-in-Depth Architecture
Azure WAF Protections
Azure WAF rulesets are designed to provide protection against OWASP Top 10 Web Application security risks, proprietary attack signatures that are unique to Azure, and against bots. With integration of Azure API Management with Application Gateway, the Web Application Firewall (WAF) on Application Gateway checks all incoming requests against the built-in WAF rules and blocks all potentially malicious traffic at the edge, preventing it from reaching Azure API Management. Azure WAF also offers rate-limiting, allowing customers to detect and block abnormally high levels of traffic. If the request is valid, the request proceeds. The redirect URL is then validated for proper URL formatting of the call, for example api.
Defender for APIs Contextual Detections
For any requests that reach Azure API Management, Defender for APIs steps in to offer an elevated layer of security through deep traffic analysis, machine learning detections, OWASP API Top 10 alignment, and contextual alerting with posture insights.
- Deep Traffic Analysis: Defender for APIs analyzes the patterns and details of the incoming API traffic, examining every request and response to detect suspicious activities or anomalies. Besides just looking at traffic patterns, Defender for APIs inspects the API endpoint URI parameters, response latency, HTTP headers, and payload sizes to provide detections.
- Machine Learning Detections: By leveraging machine-learning algorithms, Defender for APIs continuously learns from the API traffic patterns and user behavior to understand and model what constitutes as “normal” for each API endpoint, which helps detect subtle anomalies that may not have been identified using traditional rule-based systems.
- OWASP API Top 10 Alignment: Defender for APIs is aligned with the OWASP API Top 10 threats, ensuring that the most common and critical API vulnerabilities are always monitored and detected.
- Contextual Alerting: In the event of a potential threat, Defender for APIs provides detailed contextual alerts. This means security teams not only know that there's a problem but also can get insights about the source of the threat, the targeted endpoint, the nature of the attack, threat intelligence details regarding the IP address in question, and potential mitigation steps. The targeted endpoint includes security posture information regarding whether sensitive data was discovered and whether the API is authenticated, externally facing, and inactive.
Diagram 3 displays the “better together” feature sets of Azure WAF and Defender for APIs. This Diagram assumes that the API endpoints are published in Azure APIM for central management purposes.
Diagram 3: Azure WAF and Defender for APIs Better Together
Continuous Monitoring and Mitigation
The combination of Microsoft Defender for APIs, Azure WAF, and Azure API Management ensures complete monitoring and end-to-end security for APIs through immediate threat detections, incident response, and adaptive security.
- Immediate Threat Detection: Azure WAF identifies and blocks web-based attacks based on OWASP Top 10 Web Application security risks. For those threats that require a deep understanding of the API behavior, Defender for APIs is there to monitor the traffic continuously, looking for anomalies or API-specific attacks.
- Streamlined Incident Response: Integration ensures that once a threat is detected, the response is immediate and efficient. Whether it's blocking a suspicious IP address, raising an alert, or auto-scaling resources to counteract a DDoS attack, the joint efforts of these solutions result in a rapid and decisive response. Note that Azure DDoS protection in combination with Application Gateway can also help to protect against DDoS attacks.
- Adaptive Security: The continuous feedback loop between these tools means that they learn from each other. For instance, an anomaly detected by Defender for APIs can lead to a customer deciding to update a rule within WAF, which ensures that security protections evolve and adapt to new threats.
Real World Example
To illustrate the benefits of combining these three solutions, let's consider an example of a global financial corporation, Contoso, that began a journey to enhance API security through four key phases.
Phase 1: Manage Business Critical APIs with APIM
Contoso started their journey by centralizing the management of its mission critical APIs using APIM. In this example, these API endpoints are responsible for facilitating financial transactions between customers, which makes them incredibly sensitive by nature and prime targets for attackers. By hosting these APIs in APIM, Contoso was able to streamline how they published, maintained, and monitored their API ecosystem with central policy enforcements, a centralized developer portal, and analytics that display the usage patterns of each API endpoint.
Phase 2: Deploy WAF for Web Application Threat Protections
Recognizing the vulnerabilities associated with web-based services, Contoso decided to set up Azure WAF. This layer of protection was especially valuable in identifying and blocking threats. Within days of its implementation, Azure WAF successfully blocked multiple SQL injection attempts, thereby strengthening the API infrastructure.
Phase 3: Enable Defender for APIs for Advanced Detections
While Contoso was confident in the measures they had taken, they were ready to enhance their defenses even more. This led to them deploying Defender for APIs. With Defender for APIs, Contoso was alerted to an unusual activity that may have previously gone unnoticed. In this example, Defender for APIs noticed a suspicious spike in the API response payload size coming from a single IP address targeting one of the API endpoints. With its machine learning capabilities, Defender for APIs analyzed the historical traffic patterns over the last 30 days and created a specific baseline representing the typical API response payload size between each individual IP address and each individual API endpoint. The alert was raised because the API response payload size had a stark deviation from this learned historical baseline, hinting towards a potential data exfiltration attempt. Additionally, using posture management capabilities from Defender for APIs, Contoso was able to see that the API endpoint under attack is unauthenticated, externally facing, and transfers sensitive financial data.
Phase 4: Automatically Remediate Threats
Understanding the gravity of this alert, the company deployed a workflow automation in Defender for Cloud using Azure Logic Apps. Within minutes of the alert being raised, an automated Logic App was triggered that swiftly created a new rule in Azure WAF to block all incoming requests from the suspicious IP address and enabled authentication on the APIM instance hosting the API endpoint. The entire process, from detection to action, was seamless, rapid, and required minimal human intervention.
The synergy of Microsoft Defender for APIs, Azure WAF, and Azure API Management forms a strong defense against API threats. As cyber threats advance, a collaborative and comprehensive security strategy is indispensable.
- Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud
- Mohit Kumar, Senior PM Manager, CxE Azure Network Security
- Sunil Pai, Principal PM Manager, Defender for APIs
- Gunjan Jain, Principal PDM Manager, Azure WAF
- Luke Nowak, PM 2, Azure WAF
- Ajinkya Gore, Principal PM, Defender for APIs
- Preetham Anand Naik, Senior PM, Defender for APIs
- Haris Sohail, PM 2, Defender for APIs
- Liana Tomescu, PM 2, CxE Defender for Cloud
- Moshe Israel, Principal Data Science Manager, Security Research