Cequence UAP - API Gateway Integration

Overview

Cequence Unified API Protection (UAP)  reduces API risk at every phase of the API protection lifecycle by improving API visibility, discovery, detection and defense,  and providing tools for API governance.   The result is reduced costs associated with fraud, business logic abuse and data loss. 

Cequence UAP is comprised of

• API Spyder:  SaaS-based API attack surface discovery tool
• API Sentinel:   API discovery, visibility, and governance
• Bot Defense: Bot and business logic attack detection, analysis, and mitigation

CQAI, serves as control plane and includes the core analytics engine  and management modules for API Sentinel and Bot Defense.

Network activity is gathered and sent to CQAI by data plane components Cequence Defender and Cequence Sensor.  Bot Defense defined Policies (both pre-defined and custom) specify bot mitigation, reporting, and event logging to external SIEM, SOAR, and logging services. 

Site Deployment and Integration

Cequence UAP is available in a Cequence hosted SaaS environment, fully on-premises, or integrated within a hybrid model.  Cequence Defender and Sensor modules are usually deployed in the application service environment or close to the application data flow in order to minimize latency.  Deployment can be configured to monitor application traffic in either passive (Defender and Sensor) monitoring or active (Defender only) monitoring and mitigation deployment modes.

• Passive deployment:  Receives transaction traffic via an API Gateway, traffic-ingestion APIs (API Sentinel), network tap, span, or traffic mirror.  Attributes:
  • No impact to application performance
    
    
• Active deployment: Application traffic is routed through Cequence Defender
  • Ability to directly mitigate
  • Efficient - minimal impact to application traffic performance

Passive Deployment

API and website transactions are monitored without disruption to the existing traffic flow. Cequence Defender/Sensor receives a copy of network flow.   Cequence Defender and Sensor modules collect,  filter, and normalize network traffic, forwarding a continuous stream of captured transactions to CQAI for analysis.

Traffic capture options

(a) Traffic Ingestion using Cequence Defender / Cequence Sensor

Defender or Sensor are configured to receive traffic from an API Gateway, network tap, span port or traffic mirroring configuration. 

(b) Traffic Ingestion via API (API Sentinel)

API transactions are  provided to Cequence via POSTS to API Edge Traffic Ingestion REST API.  Endpoints: 

/<Site_API_Edge>/api-request (POST a single transaction)
/<Site_API_Edge>/api_requests (POST multiple transactions)

API Sentinel Passive Deployment Services

• • API Inventory
    • non-conformant APIs identification
    • shadow API detection
    • unknown APIs in use
    • OAS/Swagger definition generation from observed traffic
  • Sensitive Data Exposure Detection
    • weak authentication
    • sensitive information exchange
  • API Request Meta-data analysis
    • source and client identification

Bot Defense Passive Deployment Services

• • Bot use detection, attack,  and risk analysis
  • Sophisticated counters, fingerprinting, and detection
  • Policy based threat detection, notification, and logging actions (See Event Notification via REST API).

Active Mode Deployment

Active deployment  routes traffic through Cequence Defender enabling threat policy-based mitigation guided by sophisticated Bot Defense detection and risk analysis. 

Integration

In active deployment, network flow is configured through Defender between the client and the application servers. The primary configuration styles are termed  inline-upstream and inline-hairpin.   Inline hairpin configuration, as shown above works well for API Gateway based environments. The API Gateway is configured to route requests first to Cequence Defender allowing it to log and mitigate as needed before returning the request, allowing the API Gateway to forward it  to the applications server(s).  Each message reflected back to the API Gateway contains an injected Cequence request header using pre-shared key,  letting the API Gateway know the message has been scanned so it can safely forward the message to the application servers.

Responses from the application server(s) are handled similarly, and are first routed through the Defender for logging and mitigation, and then returned to the API Gateway as a response to the client. 

Cequence Defender mitigation actions are based on Defense detection and mitigation policies.  Policy information is continuously asynchronously updated by CQAI and Bot Defense.  Decoupling and asynchronous updates ensures high-performance processing of network traffic, while keeping each Defender current based on changes to policy or changes based on analysis.

API Gateways should be configured to 'fail-open' to forward traffic directly to the application servers, in the rare case that the API Defender should be unavailable. 

Services

All of the analysis services provided by API Sentinel and Bot Defense,  listed above for passive mode integration are also available in active mode integration.

Bot Defense capabilities are expanded to include active mitigation. 

Mitigation

Bot Defense employs a set of  sophisticated threat and risk analysis methods supporting threat analysis using expression-based policies leveraging a rich set of direct and derived criteria generated by CQAI. This enables both defensive mitigation actions and cooperative interaction with an application.    Expression criteria available:

• • Extracted message body and header content and message meta-data
  • Derived client IP, organization, host ISP, country of origin, etc. 
  • Counter and aggregator gathered from the prior messages
  • Connection authentication and session status
  • Message fingerprints
  • Rule-based confidence scores
  • User assigned application tags
  • User and system defined reference data sets

Policies specify mitigation actions to be executed when policy criteria is met.  Policies can be defined to recognize illegitimate sources of requests, or those with known bad fingerprints, etc. Mitigation actions: 

• Block  - A response is generated with a specified code and reason. The message is not forwarded to the application server.
• Rate limit - Message responses are held and delayed before forwarding with configurable delay periods. 
• Deception - Messages are diverted to an alternate (phony) server supporting sophisticated misdirection back to wanna-be attackers.
• Header injection - A configurable header  is injected into the message before forwarding.
• Allow - The message matches criteria and initiates a 'mitigation' event but is allowed to proceed.

Bot detection and mitigation events can also initiate a data export action such as logging to a HTTP enabled logger, Syslog server, or S3 object store, enabling additional notification or other mitigation actions. 

Cooperative policies can scope or limit services from an application such as limiting API access to a particular set of clients.  Often, scope limiting can be more easily accomplished using Bot Defense Policies than in the application itself.  For example, an API service intended for administrative or authentication control could be limited to HTTP / API requests from a particular geographic area, IP source range, and/or time of day.

Support Services

Cequence Support and Cequence Prime service groups have deep knowledge and experience deploying Cequence into a variety of API Gateway based environments.  They will bootstrap a deployment with a set of site relevant policies.