Genealogy of Cybersecurity - Startup Podcast
Interviews with founders, startup-advising CISOs, venture capitalists, and analysts discussing the issues of cybersecurity, new threats, and emerging technology. The Genealogy of Cyber Security brings listeners into forward-thinking conversations with industry visionaries, to explore big ideas, and discuss out-innovating the competition.
Ep 12. Astrix Security on Threat of 3rd Party API Connections and Non-Human Identities
Innovation Sandbox finalist and Astrix Security founder Idan Gour discusses the rising attack surface created by API-to-API connections and non-human identities, and how no-code orchestration tools, low-code tools, and generative AI, like ChatGPT, are leading non-technical business users to build integration apps that access and sometimes share sensitive data.
Idan discusses mapping this web of API-to-API connections, which carries sensitive data between SaaS apps like Google Workspace, 365, Calendly, and Salesforce. The CircleCI breach is explored. Idan and Paul also discuss the rising problem of non-human identities that access APIs and data, with Astrix citing its study which found 45x more non-human identities than human employees.
You can find Astrix online at Astrix.security, on LinkedIn.com/company/astrix-security, or Twitter at @AstrixSecurity
Send feedback to host Paul Shomo on Twitter @ShomoBits or connect on LinkedIn.com/in/paulshomo.
In terms of generating a new API to access your data with generative AI, how easy is that today?
Yeah. So I think that, you know, every week it's becoming easier. But I think that the last thing that, you know, I thought, okay, this is crazy. So let's take two months ago. Two months ago, in order to create a new app in your organization, you had to know, I don't know exactly how, one of the low code / no code platforms in order to actually create it, which is already very easy because you don't have to be a developer, you can be a regular person with a logical mindset, but now you can actually do it in two sentences. You can write to something: okay, I would like to take data from that place, doing this and that for that product. And then, all right, all of a sudden, you have an app. And now it is that easy. And you can see that the very first integration is happening already. And this is the new world that we are going to have, which is amazing. But also creates new risks.
The Genealogy of Cybersecurity is a new kind of podcast. Here we'll interview notable entrepreneurs, startup-advising CISOs, venture capitalists, and more.
Our topic: the problems of cybersecurity, new attack surfaces, and innovation across the startup world. Welcome. I'm your cybersecurity analyst, Paul Shomo.
So my name is Idan, and I'm the CTO and co-founder at Astrix, and prior to Astrix I was about ten years in the Israeli army, mainly on the offensive side. I started from the world of technological analysis of magic strategic weapons, and then moved to the cybersecurity field, both in hands-on and leading positions, and this is where I met my cofounder as well.
So we know each other from 2007. We did all sorts of things together. And following these ten years, I left as a major and I joined a company called Deep Instinct. It's a next-gen antivirus company based on deep learning, before generative AI became a thing. And there was a lot of development there, as product manager as well. And nowadays, as the CTO, in charge mostly of the product, customer success, and some of the sales as well, yeah.
Well, congratulations on making Innovation Sandbox. It's a great promotional platform for a startup and a nice validation of what you've done so far.
Thank you. Thank you. We are very excited to be nominated. And I'm very happy to be able to demonstrate what we do and how we help customers.
New malware families or vulnerabilities don't typically cause new startups or product categories to arise. In my experience, startups are typically arising to cover a brand new attack surface. And APIs have been around for a while, and we've had products that secure an API by itself, but you're protecting really, it's really a new attack surface. Can you explain this API-to-API connection problem?
Yeah. So I think that's what happened along the last couple of years, maybe a decade as well: technological trends that also are reflected in organizations, because organizations want to take advantage of technology constraints, obviously, to drive productivity, and the first one is centralization.
The fact that organizations have different departments, held accountable for different solutions that they have. Then we have a SaaS explosion coming with certain bundling, allowing not having just, let's say, a web SaaS, but also an API-only-based SaaS to solve just sometimes a niche, but important, problem that organizations are willing to pay for.
And on top of that, new platforms and an entire platform move for, let's say, the Salesforces of the world, the Google Workspaces of the world, the 365s of the world, adding to that low code and no code. And I think that I wasn't used to say it, but the thing that now with generative AI, the ability of things to be created so fast, being based on API-based access to where the data exists, is actually also another driving force.
And all of this together is actually allowing the organization to take advantage of the data that mostly stays in one specific place, maybe you call it the platform, and that is relevant for their organization. But also to allow connectivity and to allow to better utilize and connect more and more utilities, products, solutions, in order to take advantage of it. And with the level of democratization that exists, it makes it super hard for organizations to actually know what is connected to what, was it connected correctly, what is the level of the exposure that is being created? It happens both on the external side and the internal side. So a lot of new issues are felt about the risk that the current GRC solution, the people, the processes themselves, cannot manage the amount of new opportunities that are coming to the organization, but also from an internal standpoint. So I think that creates the problem space.
It sounds like a big issue that I don't think we're thinking about.
Also, you mentioned generative AI. For those that haven't really explored it, in terms of generating a new API to access your data with generative AI, how easy is that today?
Yeah. So I think that, you know, every week it's becoming easier, but I think that the last thing that I thought that, okay, this is like, this is crazy. So let's take two months ago. Two months ago, in order to create a new app in your organization, you had to know Zapier or Workato, one of the low code / no code platforms, in order to actually create it, which is already very easy because you don't have to be a developer. You can be a regular person with a logical mindset. But now you can actually do it in two sentences. You can write to something: okay, I would like to take data from that place, doing this and that for that. And then, all right, all of a sudden, we have an app, and now it is that easy. And you can see that the very first integration is happening already. And this is the new world that we are going to have, which is amazing. But also creates new risks.
It's good to have people like you on that are keeping an eye on it, because people are having trouble keeping up with it for sure. But can you help us understand the magnitude of the problem, the API-to-API connection problem? So, you know, a Fortune 1000 company, roughly speaking, how many APIs do they typically have and how many connections are there between them?
Yeah. So I can tell you from platforms that we monitor for Fortune 1000, also Fortune 500 companies, that we help with this problem space. And they would have thousands, if not tens of thousands, of API-based connections to their environments, and what I'm saying API-based connections includes all sorts of things. So these are applications. And these are workflows of all sorts that are just one integration on one side, but all sorts of other integrations on the other side, moving the data, taking advantage of it. This is another thing. And everything that relates to API keys, service accounts, secrets, all sorts that exist and are moving and migrating inside of the organization. Outside, by the way, mostly outside of the production environment, or where application security teams are highly focused on.
And this is allowing ops teams to take advantage of the different possibilities that they have. But it's not yet where organizations are actually seeing this as, I don't know, as an existing threat, but there are already other, personally impressive, companies that we work with, obviously, that see it. And I think that it's very easy to explain where it is important also. But this is how things look like. So thousands of integrations, thousands of API-based connections.
You bring up a good point there in that if you're inside of DevOps here, inside of the purview of application security, there are people that do this that know security or have certain standards or qualities for quality assurance. But anybody on the business side can just create an integration between two apps. So it's got to be the wild wild west compared to just straight APIs.
And I think that, you know, sometimes we ask who is responsible or who is accountable for that, and to what extent of responsibility do you hold people in their organization? And I think that we see that, so I'm not going to talk about the product, but I want just to mention that when we see how, with our organization, to bridge the gap and bring the security language, the language of the admins of the other platforms that we monitor for them. Okay, so it makes sense for them. And by the way, in some cases, you know, we have heads of teams, team leaders of, let's say, automation platforms of all sorts. And they're saying, okay, we have a team. And we also don't have the level of governance to understand, the ability to make sure that everything that is going on down here, which is amazingly good for the organization in terms of automation, is actually following policies, rules, and accepted behavior and is actually moving just the positive value of it. So it's very hard outside of the DevOps world.
So can you give me some examples of sensitive data that's being passed recklessly between APIs?
Yeah. So first of all, everything that you could imagine and a bit more than that. But I can share with you cases that we saw: connectivity or connections to Salesforce platforms with admin-level permissions to a random third party, with an individual developer that has access to the entire sales information of the company without anybody actually knowing that.
Sometimes it's not even in use. It's not that people are actually taking advantage of this specific integration or application, but the data still moves over that. So this is like one example. Another example is documents of all sorts that are, let's say, the ones that most companies really want to keep just to themselves and just, like, a very few people that are, let's say, VIPs inside of the organization, but all of a sudden, they have an awesome application that integrates on top of it, and has access to all of these documents, and they are actually taking these documents. Maybe they're not doing anything with it, right? But the fact that something that is, so we are talking a lot when we're thinking about third party risk in this perspective, we're talking a lot about the trusted platforms and the much less trusted platforms, and how do you close this gap that exists over here and how do you reduce the effects that you might have? This is another, in our case, for instance, but I can also share it, you know, from the engineering side.
So in late December, the CircleCI incident erupted, and, you know, everybody wanted to change their keys. I can show you that, you know, with companies that are not necessarily customers, but in the pipeline, colleagues as well. And, you know, they're coming from a security, in the security ecosystem, and we need to be helpful for people whenever there's a, so for many customers that we have, they were not even using CircleCI. Somebody feels it still had access to production environment, to code repositories and even to their Snowflake or to their Slack, right? Because this is how things work in this interconnectivity world. If I would show you a map of how interconnected suppliers are actually accessing digital suppliers, actually accessing different types of platforms. So it's not just one solar system with everything just around a bit, but it's a very complex map, and understanding of what is actually connected to what and who is holding what integration.
And then, have there been any high profile breaches we may have heard about in the news that were related specifically to these API-to-API connections?
Yeah, so definitely. So I mentioned CircleCI as one example. In this particular December, CircleCI was breached. I think that they have 1000 customers of the toolkits that these customers provided to serve PCI in order to help with their CI/CD pipeline. So access to their production environment, access to their GitHub, virtually GitLab, access to all sorts of other places in the organizations. All of these tokens, this is what seems to be based on the use and the requests from CircleCI that everybody really brought it, the case that they can rotate to deploy it, is every single day. This was a major problem for many organizations, not only organizations that are not necessarily utilizing CircleCI, but it was integrated to them. But everybody that this is their production environment, their continuous development, continuous integration, to actually work in less than that. This is one example. Nobody is monitoring what we call non-human identities, right? Or this kind of keys, apps, et cetera, et cetera, allowing this thing to happen. So people can go back and look at CircleCI or the Slack breaches if they wanted to get an example.
You mentioned non-human identities. There is a lot more of those than humans in organizations these days, right?
Yeah. Yeah.
So I think that there was a research in the last couple of months talking about 45 times more non-human identities than human identities. And actually, I was at the Gartner IAM Summit in London a few weeks ago. And one of the leaders, one of the leading analysts over there, said that actually everybody are calling all of the rental companies that are doing identity, are calling their central identity companies. But it's actually not fair because there are so many non-human identities. So if the other companies that are sometimes doing non-human identities, like Astrix and others, should be like the regular ones. And the others should be the non-human identities companies. We're talking about majority in terms of the title, yeah, yeah.
And then just another question here. These identities, these APIs, they're connected together in kind of a web. Are you using the term, there's a cyber mesh that is a SaaS mesh? Are you calling this like the API mesh? Is the mesh the right term that you use?
So we sometimes use the word mesh, yeah. It's a good wording. I just think that sometimes people think about it only from a SaaS perspective, which is a bit misleading, because it happens to SaaS and to PaaS like in the other viruses. It happens in IaaS environments, the cloud environments themselves. It's happening in integration platforms. It happens in your service mesh, it happens in your ETLs. It's all around the place. So it's not uniquely for SaaS, even though SaaS really helps it to grow exponentially, I think.
Beyond identifying these connections, this mesh of connections, what can you tell us is being done between two APIs on a single connection?
Yeah. So, you know, it was time, it depends. And it depends on the platform itself, and the ability of us to digest the data.
But for the metadata to be specific over there, but in many cases, we can talk about the level of usage and specific permissions, and the regular behavior of a specific one, whether it's an internal one or an external one. We are able to cross-correlate it with a project intelligence, which is something that is pretty rare to find in this domain as well. So it's also part of the things that we are doing in order to create a better database or better understanding, a knowledge base to be exact. And, you know, how things are actually changing, what is the life cycle of these non-human identities. People put much of the system on the human identity life cycle, but a lot is happening just behind the scenes with these identities, and normally you don't see it. And it's not closely related to a person, right? So there is no source of truth for this world. There isn't, like, the HR system that has all the people of the organization and, based on that, their human digital identities. Over here, it's a different sphere, right?
I'm just understanding how your product works a little more. So are you asking these APIs what they shared through their APIs, or you have to analyze their code, or use some kind of proxy? What does it look like?
Yeah. So our current solution is actually, we don't need methods that are already there. So we integrate to a platform that the organization wishes to monitor.
So as I said, you know, these are the major platforms for each organization normally, Salesforce, Office 365; these are the center of gravity, if you would like, both in terms of data and in terms of ops for the organization, and based on that we are doing this kind of analysis, which is like internal, external, right? So to understand what is accessing this specific one, we're going to map them. And once we have information from all sorts of different platforms, we can also cross-correlate them and talk more about a supplier perspective, perhaps, right? So it's not like just the perspective of one platform that we monitor, but the entire understanding of the organization and how things are actually connected.
But are you actually looking at the traffic or are you asking each app? Okay, you are. Okay.
So again, it depends on the method that exists. We are currently not a proxy. But it is something that we are looking into down the road. As I said, maybe at the beginning, we really want to help organizations to bridge the gap between trusted platforms and less trusted platforms. And in some of the cases, there is kind of an artificial problem that was created because of the insufficient level of monitoring, auditing, granularity of permissions, et cetera, which creates an opportunity as well in this space to better help organizations.
You mentioned a few of the central data repositories; you said 365. Let's go back over that a bit. So what were those again and how do you deploy there?
Yeah. So it's actually by two clicks. So in many cases, we're either getting a key, part of the ability to interconnect, I think. So we either get a key, which is a read-only method, or an app that is just two clicks. And it will be like an app in the Salesforce marketplace. It would be an app in 365, all sorts of these kinds of platform marketplaces, or just a very simple key. And that's it. We are connected.
Okay. So you'll be an app in the marketplace of really their central data hubs that their business revolves around. Okay. Well, tell us where we can reach Astrix Security online.
Yeah, so it's very easy. Astrix.security. This is our website, and we have a very good LinkedIn profile as well. There are very interesting blogs as well on the website, where we try to highlight things that should be important for organizations, a bit less, I don't know, trying to solve and a bit more trying to explain. And it's super important for us. We understand that we are in a new domain, or that the risk and the problems is not sufficient enough in order to put prioritization, and we are very eager to help.
Yeah, it's a brand new attack surface, and that's one of the reasons to go to startups, innovative startups, and read the resources, because you probably have this attack surface in your organization. And that's also why I have this show, because learning about these new attack surfaces, it's a big deal. I would imagine when you show one of your customers the visualization in your product and they see all the connections, they're probably pretty surprised at them.
Yeah, there is a small.