walnerdort
Introduction
This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for specific Microsoft Defender plans. For a more holistic approach where you need to validate Microsoft Defender for Cloud and the Microsoft Defender plans together, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.
Defender for APIs provides full lifecycle protection, detection, and response coverage of your APIs published within Azure API Management Platform. Defender for APIs includes unified visibility across your Azure API Management services within your Azure subscriptions, security insights with hardening recommendations, sensitive data classification integrated with Microsoft Purview supporting sensitive information types and labels, and continuous monitoring of APIs with machine learning and threat intelligence-based detections to alert against top OWASP API risks.
Preparation
Every customer is entitled to a 30-day free trial of Defender for APIs when enabling for the first time. This provides a great opportunity to evaluate the functionality of Defender for APIs and its benefits.
To enable Defender for APIs you must have the proper level of privilege within Microsoft Defender for Cloud (Pre-requisites are listed below).
1 - Azure account
You need an Azure account to sign in to the Azure portal.
2 – Azure API Management Service instance
At least one API Management service instance in an Azure subscription, with one or more supported APIs. Defender for APIs currently supports REST APIs only (SOAP, GraphQL and WebSocket APIs are not covered). Defender for APIs is enabled at the subscription level; the APIs themselves are then onboarded individually.
3 - Onboarding permissions
To enable and onboard Defender for APIs, you will need API Management Service Contributor role access, along with the permissions outlined in the User roles and permissions for enabling Microsoft Defender plans.
4 - Onboarding location
You can enable Defender for APIs in the Microsoft Defender for Cloud portal, or in the Azure API Management portal. Onboarding can also be completed via API and via onboarding scripts for enablement at scale.
Planning
As a part of your Defender for APIs PoC you will need to identify use case scenarios that you want to validate. Some of these scenarios include demonstrating secure posture available in Defender for APIs via the API inventory dashboard, recommendation remediation, integrations with cloud security explorer, and attack path analysis for risk prioritization. You will also want to demonstrate the value of alerts sent by Defender for APIs.
Implementation and Validation
Now that Defender for APIs is enabled in your environment, onboard your API resources to Defender for APIs; only onboarded APIs are inventoried and monitored. Once that is done, you can validate the specific scenarios below to demonstrate the value of Defender for APIs.
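Preparation step 4 mentions that enablement and onboarding can be done through the REST API and scripted for scale, and this step is where that scripting actually happens. The following is an added example written for this PoC guide, not Microsoft's onboarding script: it builds the two kinds of ARM requests involved (one PUT on Microsoft.Security/pricings to enable the plan for the subscription, then one PUT per API on the Microsoft.Security/apiCollections child resource to onboard it) and skips APIs that are not REST, since Defender for APIs only supports those. The resource-provider paths, api-versions and request bodies are from my notes and are assumptions to be checked against the current REST reference before use; the API list is constructed inline to stand in for the APIM list-APIs response.

```python
"""Enable Defender for APIs and onboard every REST API of one API Management
instance by building the ARM requests for it. Added example; paths, api-versions
and bodies are assumptions, and SAMPLE_APIS is constructed test data."""
import json
import os
import urllib.request

ARM = "https://management.azure.com"
PRICING_API_VERSION = "2023-01-01"          # assumption: Microsoft.Security/pricings
API_COLLECTIONS_API_VERSION = "2023-11-15"  # assumption: Microsoft.Security/apiCollections
SUPPORTED_API_TYPES = {"http"}              # Defender for APIs covers REST APIs only


def enable_plan_request(subscription_id, sub_plan="P1"):
    """PUT that turns on the Defender for APIs plan (sub-plans P1..P5) for a subscription."""
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
           f"/pricings/Api?api-version={PRICING_API_VERSION}")
    body = {"properties": {"pricingTier": "Standard", "subPlan": sub_plan}}
    return {"method": "PUT", "url": url, "body": body}


def onboard_api_request(subscription_id, resource_group, service_name, api_name):
    """PUT that creates the apiCollections child resource which onboards one APIM API.
    An empty JSON body is assumed to be sufficient for this PUT."""
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.ApiManagement/service/{service_name}/apis/{api_name}"
           f"/providers/Microsoft.Security/apiCollections/{api_name}"
           f"?api-version={API_COLLECTIONS_API_VERSION}")
    return {"method": "PUT", "url": url, "body": {}}


def plan_onboarding(subscription_id, resource_group, service_name, apis):
    """apis: the 'value' array of APIM's list-APIs call. Returns (requests, skipped).
    Non-REST APIs (soap, graphql, websocket) are reported rather than silently dropped."""
    requests = [enable_plan_request(subscription_id)]
    skipped = []
    for api in apis:
        api_type = api.get("properties", {}).get("type", "http")  # treat a missing type as REST
        if api_type not in SUPPORTED_API_TYPES:
            skipped.append((api["name"], api_type))
            continue
        requests.append(onboard_api_request(subscription_id, resource_group,
                                            service_name, api["name"]))
    return requests, skipped


def send(request, token):
    """Issue one planned request with a bearer token (e.g. from `az account get-access-token`).
    Needs the API Management Service Contributor role plus the plan-enablement permissions."""
    data = json.dumps(request["body"]).encode()
    req = urllib.request.Request(request["url"], data=data, method=request["method"],
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


# Constructed sample (not real APIM output): trimmed shape of GET .../service/{name}/apis.
SAMPLE_APIS = [
    {"name": "orders-api", "properties": {"displayName": "Orders", "path": "orders"}},
    {"name": "legacy-soap", "properties": {"displayName": "Legacy", "path": "legacy", "type": "soap"}},
    {"name": "chat-ws", "properties": {"displayName": "Chat", "path": "chat", "type": "websocket"}},
]

if __name__ == "__main__":
    reqs, skipped = plan_onboarding("00000000-0000-0000-0000-000000000000",
                                    "rg-apim", "contoso-apim", SAMPLE_APIS)
    for r in reqs:
        print(r["method"], r["url"])
    print("skipped (not REST):", skipped)
    token = os.environ.get("ARM_TOKEN")  # dry run unless a token is supplied
    if token:
        for r in reqs:
            print(send(r, token))
```

Run it without ARM_TOKEN first to review the planned requests; the skipped list tells you which APIs will not appear in the inventory so that the gap is a known decision rather than a surprise during validation.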
A. Validate inventory of APIs across onboarded subscriptions and APIM services
After onboarding the API resources, you can track their status in the Defender for Cloud portal > Workload protections > API security:
You can also navigate to other collections to learn about what types of insights or risks might exist in the inventory:
B. Assess security posture of the APIs to drive risk-based prioritization
Once your APIs are onboarded, Defender for APIs starts monitoring them for sensitive data exposure. APIs are classified with both built-in and custom sensitive information types and labels as defined by your organization's Microsoft Information Protection (MIP) Purview governance rules. If you do not have MIP Purview configured, APIs are classified with the Microsoft Defender for Cloud default classification rule set.
Within Defender for APIs inventory experience, you can search for sensitivity labels or sensitive information types by adding a filter to identify APIs with custom classifications and information types.
C. Review API hardening recommendations for best practice policies and protections against OWASP Top 10 API risks
1. In the Defender for Cloud portal, select Workload protections.
2. Select API security.
3. In the API Security dashboard, select an API collection.
4. In the API collection page, to drill down into an API endpoint, select the ellipses (...) > View resource.
5. In the Resource health page, review the endpoint settings.
6. In the Recommendations tab, review recommendation details and status.
D. Runtime monitoring and threat detections via alerts
Within the API’s Resource Health page, select the Alerts tab to review security alerts for the endpoint. Defender for APIs monitors API traffic to and from endpoints, to provide runtime protection against suspicious behavior and malicious attacks.
With Defender for APIs and data sensitivity integration into API security alerts, you can prioritize API security incidents involving sensitive data exposure.
In the alert's extended properties, you can find sensitivity scanning findings for the sensitivity context:
- Sensitivity scanning time UTC: when the last scan was performed.
- Top sensitivity label: the most sensitive label found in the API endpoint.
- Sensitive information types: information types that were found, and whether they are based on custom rules.
- Sensitive file types: the file types of the sensitive data.
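When alerts are pulled out of the portal (for example through continuous export to Log Analytics or a SIEM), the sensitivity context above is what lets you rank API incidents by what is actually at stake rather than by severity alone. The block below is an added example for this PoC, not Microsoft's code: it reads the four extended properties listed above from alert records, parses the information-type list into built-in versus custom entries, and computes a triage score in which the top sensitivity label and custom information types outweigh the alert's own severity. It also flags a stale "Sensitivity scanning time UTC", because a classification that is weeks old may no longer reflect what the endpoint returns. The alert records, alert names, label taxonomy and the exact spelling of the property keys are constructed assumptions; check them against your exported data.

```python
"""Triage Defender for APIs alerts by the sensitivity context in their extended properties.
Added example; SAMPLE_ALERTS is constructed and the property-key spelling, label order
and scoring weights are assumptions to adapt to your environment."""
from datetime import datetime, timedelta, timezone

# Assumed label taxonomy (highest first); replace with your Purview labels.
LABEL_RANK = {"Highly Confidential": 3, "Confidential": 2, "General": 1, "Public": 0}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
STALE_AFTER = timedelta(days=7)  # assumption: acceptable age of the last sensitivity scan
REFERENCE_NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)  # fixed clock for the sample run

# Constructed sample alerts (not real Defender output); keys mirror the blog's property names.
SAMPLE_ALERTS = [
    {"AlertName": "Suspicious request pattern against API (constructed)", "Severity": "Medium",
     "CompromisedEntity": "orders-api",
     "ExtendedProperties": {
         "Sensitivity scanning time UTC": "2024-05-01T09:30:00Z",
         "Top sensitivity label": "Highly Confidential",
         "Sensitive information types": "Credit Card Number (built-in); Customer ID (custom)",
         "Sensitive file types": "JSON"}},
    {"AlertName": "Unusual data volume returned by API (constructed)", "Severity": "High",
     "CompromisedEntity": "public-catalog-api",
     "ExtendedProperties": {
         "Sensitivity scanning time UTC": "2024-05-10T11:00:00Z",
         "Top sensitivity label": "General",
         "Sensitive information types": "",
         "Sensitive file types": ""}},
    {"AlertName": "Anomalous API call volume (constructed)", "Severity": "Low",
     "CompromisedEntity": "hr-api",
     "ExtendedProperties": {
         "Sensitivity scanning time UTC": "2024-03-01T08:00:00Z",
         "Top sensitivity label": "Confidential",
         "Sensitive information types": "Employee ID (custom)",
         "Sensitive file types": "JSON; XML"}},
]


def parse_info_types(raw):
    """'Credit Card Number (built-in); Customer ID (custom)' -> [(name, is_custom), ...]."""
    items = []
    for part in filter(None, (p.strip() for p in raw.split(";"))):
        is_custom = part.lower().endswith("(custom)")
        name = part.rsplit("(", 1)[0].strip() if "(" in part else part
        items.append((name, is_custom))
    return items


def sensitivity_context(alert, now):
    """Extract the sensitivity findings and decide whether the last scan is too old to trust."""
    ext = alert.get("ExtendedProperties", {})
    scanned = ext.get("Sensitivity scanning time UTC")
    scan_age = None
    if scanned:
        scan_age = now - datetime.fromisoformat(scanned.replace("Z", "+00:00"))
    return {
        "label": ext.get("Top sensitivity label", ""),
        "info_types": parse_info_types(ext.get("Sensitive information types", "")),
        "file_types": [f.strip() for f in ext.get("Sensitive file types", "").split(";") if f.strip()],
        "scan_stale": scan_age is None or scan_age > STALE_AFTER,
    }


def triage_score(alert, now):
    """Label and custom information types weigh as much as or more than raw severity."""
    ctx = sensitivity_context(alert, now)
    score = 10 * SEVERITY_RANK.get(alert.get("Severity"), 0)
    score += 10 * LABEL_RANK.get(ctx["label"], 0)
    score += 2 * len(ctx["info_types"])
    if any(is_custom for _, is_custom in ctx["info_types"]):
        score += 5  # custom types are organisation-defined and usually business-critical
    return score, ctx


def prioritize(alerts, now=None):
    """Return alerts ordered for triage, highest score first, with the stale-scan flag."""
    now = now or datetime.now(timezone.utc)
    ranked = []
    for alert in alerts:
        score, ctx = triage_score(alert, now)
        ranked.append({"entity": alert["CompromisedEntity"], "alert": alert["AlertName"],
                       "score": score, "top_label": ctx["label"], "stale_scan": ctx["scan_stale"]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SAMPLE_ALERTS, REFERENCE_NOW):
        flag = " (re-scan: classification is stale)" if row["stale_scan"] else ""
        print(f'{row["score"]:>3} {row["entity"]:<20} {row["top_label"]:<20}{flag}')
```

In the sample run the Medium-severity alert on the Highly Confidential orders-api outranks the High-severity alert on the General-labelled catalog API, which is the ordering the sensitivity integration is meant to produce; the stale-scan flag tells the analyst to confirm the classification before acting on it.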
Defender for API sample alerts
In Defender for Cloud you can use sample alerts to evaluate your Defender for Cloud plans, and validate your security configuration. Follow these instructions to set up sample alerts and select the relevant APIs within your subscriptions. To see the alert process in action, you can simulate an action that triggers a Defender for APIs alert. Follow the instructions in our Tech Community blog to do that. To simulate alerts in your own environment, you can follow exercise 6 here.
E. Perform proactive threat hunting in Cloud Security Explorer and Attack paths
Integration with Cloud Security Explorer
In Defender CSPM, the Cloud Security Graph collects data to provide a map of assets and connections across the organization, to expose security risks, vulnerabilities, and possible lateral movement paths.
When the Defender CSPM plan is enabled together with Defender for APIs, you can use Cloud Security Explorer to identify, review and analyze API security risks across your organization.
- In the Defender for Cloud portal, select Cloud Security Explorer.
- In What would you like to search? select the APIs category.
- Review the search results so that you can review, prioritize, and fix any API issues.
- Alternatively, you can select one of the templated API queries to see high-risk issues such as internet-exposed API endpoints with sensitive data, or APIs communicating over unencrypted protocols with unauthenticated API endpoints.
Attack Paths
When the Defender Cloud Security Posture Management (CSPM) plan is enabled, API attack paths let you discover and remediate the risk of API data exposure.
1. Select the API attack path Internet exposed APIs that are unauthenticated carry sensitive data and review the data path:
2. View the attack path details by selecting the attack path published.
3. Select the Insights resource.
4. Expand the insight to analyze further details about this attack path:
5. For risk mitigation steps, open Active Recommendations and resolve unhealthy recommendations for the API endpoint in scope.
Explore API data exposure through Cloud Security Graph
When the Defender Cloud Security Posture Management (CSPM) plan is enabled, you can view sensitive API data exposure and identify the APIs' labels according to your sensitivity settings by adding the following filter:
Conclusion
By the end of this PoC you should be able to determine the value proposition of Microsoft Defender for APIs and the importance of proactively mitigating API risks in your environment.
P.S. Subscribe to our Microsoft Defender for Cloud and Microsoft Defender plans Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.
Additional Resources
Pricing - Customers may be interested in understanding the potential cost of enabling Defender for APIs in their environment. For this, refer to our cost estimation workbook - Microsoft Defender for API Security - Estimate Your Plan Cost Easily - Microsoft Community Hub.
Prerequisites - For more information about roles and privileges, visit
Alerts - For more information, see Defender for APIs alerts.
Attack paths - For more information, see Data security posture management in Defender CSPM.
Reviewers
Ajinkya Gore, Senior Product Manager - Defender for APIs
Haris Sohail, Product Manager 2 - Defender for APIs
Preetham Anand Naik, Senior Product Manager - Defender for APIs
Yuri Diogenes, Principal PM Manager - CxE Defender for Cloud