How API Discovery Provides a North Star View to Attaining Security Compliance
Traceable’s API Catalog provides detailed API discovery and risk posture management, at scale, enabling data insights provider NextRoll to meet compliance and bug resolution requirements.
Customer: NextRoll, a leading marketing data insights company, uses machine learning to generate insights that improve its customers' marketing strategies by targeting buyers in strategic ways from one platform.
Challenge: NextRoll needed to discover and catalog its current inventory and growing use of APIs to best secure their data flows and to remain compliant.
Solution: Traceable’s API catalog and API attack protection capabilities allow NextRoll to perpetually maintain an up-to-date inventory of all APIs and to immediately secure their sensitive data flows, reducing the potential for data breaches.
8x increased visibility
Mean time to triage has reduced from 1 day to less than one hour
12x cost savings by reducing triage time
Replacing WAF solution
Traceable platform eliminates the need for 3 separate security tools
Close customer relationship helps Traceable to scale with NextRoll
NextRoll confronts API security head on with Traceable
In today’s world of abundant applications, the overwhelming concern of data privacy creates unique challenges for security and compliance teams. Maintaining a delicate balance of data gathering and analysis – while protecting that data from exposure and attacks – requires the right platform.
Companies that collect and process large amounts of data via APIs also have to be cognizant of protecting that data in new ways to remain compliant with ever-changing regulatory mandates. “One of the biggest focuses we have is on end-users’ data rights. We need to be extremely conscious that the data is being used correctly and is protected,” said Nicolas Valcárcel, Head of Product Security at NextRoll.
A company that processes and interprets market data to deliver strategic insights, NextRoll felt the significant impact of an unknown API catalog and attack surface. Such API sprawl and an unknown – and therefore vulnerable – attack surface come as a major concern. Aside from adhering to compliance standards, Valcárcel recognized a problem requiring remediation as part of their drive to better understand their APIs. “In order to have privacy context, I need to look at the APIs to see where the data flows. And in order to secure the data and prevent data leakage, I need to secure those APIs as well,” explained Valcárcel.
Cataloging their APIs without the proper solution was an insurmountable challenge. The frequency of changes to APIs began to create serious difficulties in understanding risk posture, and without an accurate API inventory, it’s even harder to prevent data loss, exfiltration, and attacks. “We have a very big microservice architecture – a lot of microservices, and a lot of moving parts. We’re processing petabytes of data a day on internet traffic related to people’s preferences. And some of those microservices or even pipelines do not have a data store. They just go through an API that collects data, processes it, and outputs it to another API,” said Valcárcel.
The lack of visibility into their APIs made it hard for the Product Security team at NextRoll to manage their large data sets in a way that will scale with the ever-changing industry regulations. Their concern became how to remain compliant in protecting their APIs and the end-users’ data without slowing down their data processing.
“With Traceable, now I understand where the data is going. We knew we had data that was at risk, and with Traceable we are able to find and secure all data flowing through APIs using a single platform.”
– Nicolas Valcárcel, Head of Product Security, NextRoll
Outdated security practices leave security teams blindfolded
Valcárcel leads both the product security and the security engineering teams. They prioritize two aspects of API security: API cataloging and API protection. According to Valcárcel, “we have to decide what information is processed where and with what controls. Once the correct controls are in place, we have to monitor our APIs and alerts.” Valcárcel leads the cataloging aspect, and SecOps protects and monitors APIs.
Processing so much data presents security and visibility challenges. Without an adequate API security platform, the team cannot track what data they are using and processing. Earlier standards of database monitoring and Web Application Firewalls are not enough to secure that data. According to Valcárcel, “The way we did this before is the typical way the industry has done it for years, and it is generally inaccurate. Looking into databases does not provide a picture of where the data is going or what is being processed. Monitoring system designs manually, we cannot see it all and we can make mistakes, so the information we deliver can be misleading. Updates after the fact are not taken into account, so data is quickly inaccurate. This manual data cataloging is never enough; it’s never accurate.”
The practice of maintaining WAFs (Web Application Firewalls) does not solve the security problem presented by the widespread use of APIs. “The typical perimetral WAF defines the security of my network, my realm. This was useful and it was the correct way to look into data until some point, and that was when APIs became more common,” Valcárcel said. “Now I need to be careful with data both inside and outside of my network; data controls are necessary even within my network given regulations and the risk for sensitive data exposure. I need sensors outside the perimeter to protect any data flowing outside of my network through APIs. I cannot use the WAF perimeter and call it a day anymore.”
Solving for API security needs and regulatory requirements at scale
With APIs as the new standard, industry regulations are rapidly changing to keep pace with the technology. “The data privacy space is in its infancy; it’s just starting. There is no privacy engineering yet, it is slowly evolving. We have been evaluating for two or three years the question of how to secure our data to protect privacy,” said Valcárcel.
When they began their search, the API Security market was immature, and Valcárcel says, “the players in the market at the time were either Traceable or ad-hoc point solutions.” As the market evolved, Valcárcel recognized “more players of different pieces, but none that solved the entire problem. These solutions may solve aspects of the industry regulatory direction, but not the entire problem in a scalable way.” Valcárcel and his team at NextRoll wanted to be ahead of the curve, and to find a solution that solved not only current regulatory concerns, but those they anticipated.
Despite NextRoll having their deployment in the AWS cloud, the team did not consider the AWS WAF solution. They knew they needed more than a WAF solution, which remains an incomplete solution to API security. Similarly, they opted out of using Signal Sciences for API security. According to Valcárcel, “I had been working with Signal Sciences for a couple of years already. They were good at replacing WAFs, but they were not monitoring the APIs and the data being moved and painting that picture. And we were looking for a more privacy-focused solution than the typical application security. We wanted an application security team that had some privacy components done. They did not offer that privacy component.”
Other solutions claiming to secure APIs also fell short of the mark. According to Valcárcel, “We had conversations with Salt and NoName at that point, but again, they were trying to replace our Signal Sciences Web Application Firewall rather than providing details about my APIs and data flow, and these API solutions did not offer a data privacy component.”
Traceable provides the key to full API catalog and protection
“Traceable offered the privacy and API Security component that was closest to what we were looking for. In fact, Traceable was able to develop that aspect of the product further by integrating our feedback. It has since been even more developed.”
Traceable also eliminated the need for three separate security tools. According to Valcárcel, “Before Traceable, we would have needed at least three tools: the WAF, runtime application security, and the data scanner.” By partnering with Traceable, the NextRoll team was able to save money on separate tooling and to minimize context switching for the team.
Traceable validated their belief that their data passing through APIs needed to be closely monitored. Said Valcárcel, “Traceable confirmed our suspicions. We knew there were data privacy concerns that we had not uncovered using traditional methods, but without Traceable cataloging our APIs, I was not able to prove it. It was more like a hunch.” Valcárcel confirmed that Traceable was not only able to confirm his suspicions, but also able to provide a full picture of his API attack surface. “Once we got access to the Traceable API, I was able to build up a full data map of where data was flowing and which endpoints were getting what information. So, after some scripting, I was able to get a very clear picture,” he said.
According to Valcárcel, “Visibility of APIs went from 10% at best to now close to 80%,” which he considers a massive improvement based on the limitations of their own high-volume data intake and performance-sensitive systems. The depth of visibility helped both the security and development teams understand what needs to be addressed and to not only provide a fix, but also to secure their APIs going forward.
Traceable maps the path to bug resolution
With Traceable, NextRoll drastically improved their mean time to resolve (MTTR) bugs. Said Valcárcel, “We have a bug bounty program, and it will identify bugs and their URL paths, and it directs us to various applications to take action. This presented the problem of understanding how to follow that URL path and how to direct the engineering team to a fix. The usual process involves looking into the configuration to determine which microservice serves that path and using that to troubleshoot.” Such a complex process of trial and error takes time.
“With Traceable, because I have an agent in that microservice already, now I can see the URL path and what it serves much faster. Traceable helped us identify ownership on different incidents at a much faster rate. With Traceable I have the agents, I can tie URLs to microservices.” With Traceable, their mean time to triage has been reduced from one day to less than one hour, and they are able to find and resolve security issues before bug hunters do.
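The two workflows described on this page, building a data map of which endpoints receive which sensitive data from a catalog export, and tying a reported URL path back to the microservice that serves it, both reduce to queries over an endpoint inventory. The following is an added example, not Traceable's code and not NextRoll's script: the catalog record shape (method, path template, owning service, observed data types, whether authentication was observed) is an assumption, and the catalog entries are constructed sample data, so a real export would need to be adapted to this shape first.

```python
"""Data-flow map and triage lookup over an API catalog export.

Added example, not vendor or customer code. The record format and the
catalog contents below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str                      # template; "{name}" matches one path segment
    service: str                   # owning microservice (from the agent/catalog)
    data_types: frozenset = field(default_factory=frozenset)  # sensitive data seen
    auth_observed: bool = True     # whether the catalog saw authentication on it


# Constructed sample catalog (not real NextRoll endpoints).
CATALOG = [
    Endpoint("GET", "/v1/users/{id}", "profile-svc", frozenset({"email"})),
    Endpoint("GET", "/v1/users/{id}/preferences", "profile-svc",
             frozenset({"email", "ad_preferences"})),
    Endpoint("POST", "/v1/events", "ingest-svc",
             frozenset({"ip_address", "device_id"}), auth_observed=False),
    Endpoint("GET", "/v1/health", "ingest-svc", frozenset(), auth_observed=False),
    Endpoint("POST", "/v1/export", "export-svc",
             frozenset({"email", "ad_preferences"})),
]


def _segments(path):
    return [s for s in path.split("/") if s]


def _template_matches(template, path):
    """True if every template segment equals or (as {name}) wildcards the path segment."""
    tpl, real = _segments(template), _segments(path)
    if len(tpl) != len(real):
        return False
    return all(t == r or (t.startswith("{") and t.endswith("}"))
               for t, r in zip(tpl, real))


def find_owner(catalog, method, url):
    """Map a reported URL (e.g. from a bug bounty report) to the catalog endpoint
    that serves it, preferring the template with the most literal segments."""
    path = urlsplit(url).path
    candidates = [e for e in catalog
                  if e.method == method.upper() and _template_matches(e.path, path)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: sum(not s.startswith("{")
                                             for s in _segments(e.path)))


def build_data_map(catalog):
    """data type -> service -> set of 'METHOD path' endpoints carrying that type."""
    data_map = defaultdict(lambda: defaultdict(set))
    for e in catalog:
        for dt in e.data_types:
            data_map[dt][e.service].add(f"{e.method} {e.path}")
    return {dt: dict(services) for dt, services in data_map.items()}


def unprotected_sensitive(catalog):
    """Endpoints that carry sensitive data but where no authentication was observed:
    the first places to review for data exposure."""
    return [e for e in catalog if e.data_types and not e.auth_observed]


if __name__ == "__main__":
    hit = find_owner(CATALOG, "GET", "https://api.example.test/v1/users/123/preferences")
    print("owner:", hit.service if hit else None)
    for dt, services in sorted(build_data_map(CATALOG).items()):
        print(dt, {svc: sorted(eps) for svc, eps in services.items()})
    for e in unprotected_sensitive(CATALOG):
        print("review:", e.method, e.path, sorted(e.data_types))
```

The owner lookup prefers the most specific template so that `/v1/users/{id}/preferences` wins over `/v1/users/{id}` for a preferences URL, and the data map is keyed by data type first because the compliance question is usually "where does this kind of data go", not "what does this service hold".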
What’s next for NextRoll
Going forward, NextRoll will offboard Signal Sciences and move everything into Traceable. Traceable eliminated the need for point solutions, in turn removing the pain of context switching for his team and saving NextRoll both time and money. “We are using Traceable to replace our need for WAF, runtime application security, and data scanners,” said Valcárcel. “We are replacing Signal Sciences with Traceable at the end of August, 2022.”
The security team at NextRoll plans to implement greater focus on Traceable’s expanding API catalog offering, focusing particularly around data privacy and protecting sensitive data.
Valcárcel values knowing that Traceable’s products will scale with their needs. For Valcárcel, “I think that the thing I love the most about Traceable is the Traceable team. We have very open communication, they are super open to bouncing ideas, hearing feedback, and moving the product in a direction that actually works for us.”