It was barely two years ago that the founders of Elastic Beam emerged with a blend of artificial intelligence, machine learning, and APIs to produce a unique security offering just around the same time that APIs were becoming the juiciest of all targets for hackers. The timing could not have been better. In the name of legacy modernization, enterprises everywhere were hitting lightspeed in terms of embracing APIs as the interfunctional glue between the parts of software that once formed their slow moving and inflexibile IT monoliths.
At the time, the various API management solutions were at different stages of maturity when it came to automating API security and none were a Fort Knox, so to say. In aggregate, that glue was vulnerable and in some cases, too easy a target for hackers to resist. As the headlines chronicled multiple API transgressions across various Internet giants (the ones with the most to spend on API defenses), Elastic Beam's API Security Enforcer came to market. Whereas other API security solutions which are largely based on the developer's right to entry (into the API) or using Web security solutions to secure an HTTP API (aka "Web API") endpoint, Elastic Beam saw API security as a problem that was nearly purpose built for machine learning. The logic went like this: if the machine can learn what good API traffic looks like by studying that traffic as it happens, it should be able to weed out the bad traffic through the process of elimination.
It was a good bet.
Barely one year after launch, Ping Identity, a company that was already in the business of identity-based API security, saw how Elastic Beam could complement its existing portfolio and scooped-up the security startup for an undisclosed sum. Now, tracing back to the solution's roots in artificial intelligence, what was once Elastic Beam and Security Enforcer are now respectively referred to as the Ping Intelligence Business Unit and Ping Intelligence for APIs.
Now that the dust has settled from marriage of the two companies, that business unit's general manager Jason Bonds sat down with ProgrammableWeb editor-in-chief David Berlind to give readers an update. For example, according to Bonds, Ping will be looking to leverage its newly acquired expertise in the areas of artificial intelligence and machine learning to enhance its identitybased security solutions. The video and full transcript of that interview appears below.
Editor's Note: This and other original video content (interviews, demos, etc.) from ProgrammableWeb can also be found on ProgrammableWeb's YouTube Channel
Full Transcript of David Berlind's Interview with Jason Bonds
David Berlind: Hi, I'm David Berlind, Editor-In-Chief of ProgrammableWeb. and welcome to another Developers Rock Podcast which will be featured on both ProgrammableWeb.com as well as YouTube. Today my guest is Jason Bonds from Ping Identity. Jason, what is it you do at Ping?
Jason Bonds: Hey David. Pleasure. So I'm the general manager of the Ping Intelligence Business Unit.
David: Okay, what does that mean? What does that business unit do?
Jason: Yeah, a great question. So as most people know, Ping Intelligence grew up traditionally [as an] identity and access management company. Over the years we've gotten into truly into security and cybersecurity. The play we're making these days is around leveraging intelligence. So things like AI and ML, aggregation of scores and different things to provide both intelligence to APIs which I think we will specifically talk about today. But as you'll see in the near future, things like identities, data, and devices as well, to really bring a full broad spectrum set of security and identity access controls to the enterprise.
David: The digital security issue is making all the major headlines today because so many companies are having these infiltrations and exfiltrations of data. A lot of sensitive information getting out there. Just go into a little brief description of how challenging it is? What are the problems that are truly facing organizations today that they didn't have to deal with before?
Jason: Yeah, well I think there's a few things that really provide some challenges for organizations. First and foremost, you've got to keep the lights on. So a lot of the investment and the resources go to just dealing with keeping existing applications and systems running and up-to-date, and then on top [of that] you've got the growth of things like the API economy. You very well know and the audience here knows, APIs are essentially out of control and Gartner will tell you that by 2020 they'll be the largest attack vector that the bad actors go after.
So I think it's a little bit of a reactive posture by most enterprises. We go and talk to them, that they're just trying to keep their heads above water, and then react to the specific problems that they face. A lot of it, you know security unfortunately whether it's with APIs or other systems is not getting the funding and the resources that they truly need to really help protect and defend an enterprise.
David: What are the threats? How are they different today than they were before? I mean because we've been dealing with digital security problems forever. How does the use of the APIs I guess for example change the nature of the threat?
Jason: Yeah, so the nature of the threat is interesting. So we're actually seeing that there's actually more misuses and abuses. In other words, actors with valid credentials getting access to systems and just doing the wrong things in a lot of cases. Not necessarily not meant to do something negative or in a bad way. But just misusing systems. So a developer develops an API that gives people access to some collection of data or some proprietary algorithm or something, and their leveraging that thing kind of above and beyond the [intended] use.
So because APIs are so obfuscating and so decoupled of an implementation that we're finding that both the bad actors are doing everything they can to get access to that data. One because APIs of old were "hey tell me the location of XYZ company's different stores and a little bit about their product catalog.' Today it's customer information, credit card information, all kinds of proprietary details about different individuals or pieces of data that are just sensitive. So the bad actors are going after them, and at the same time we're having to expose more of this stuff to partners and internal [developers] and they're either misusing it or abusing it in many cases. So you're not just protecting if you will your four walls, you've having to protect from within.
David: So there's an internal threat. What percentage, I don't know if you know this or not, like what percentage of the problems that have surfaced over the years in the headlines and stuff came as a result of some internal threat versus some sort of external threat?
Jason: Yeah, don't quote on an exact percentage but I would say it's well over half of the ones that I would say the audience here would have heard of. You know, recently those big names that you hear like a Facebook or a T-Mobile or Panera Bread or others that have publicized some bad activities. But if you kind of aggregate over the last year, year and a half, we would say well over half of the experiences we have, and in fact I was on a call this morning with a Ping customer and they were saying that they're seeing it closer to 70 percent of the bad actions taken against their APIs are actually by good actors.
David: Wow. So and are those just mistakes?
Jason: Yeah, they're mistakes or the developer didn't properly scope the API and in a lot of the cases. So they thought they'd kind of brought it down to what was the needed functionality. But maybe they opened it up a little bit just because and so they didn't apply the right OAuth toke scopes to it or something, and a good actor goes in there and says, 'Hey I need this but oh I can also use this data over here that I actually have access to. So I'll just use it.' Right? So it's not necessarily they want to do it for bad purposes to go sell it on the dark web and then bribe you to pay money so that they won't expose that data.
Sometimes it's just people don't know better on the internal side. Other times it is a bad action of an employee's disgruntle or maybe just looking for trouble so to speak and so we see a little bit of both. But most of the time it's not necessarily meant to be malicious, and so we definitely still see that on the outside all the time but from the internal use it's typically not a malicious, it's more of an abuse or an accident.
David: Okay. So it's a brave new world out there. What is it that Ping does to make it easier for Ping's customers to address the problem? Keep a lid on things so to say.
Jason: Yeah, so we're kind of augmenting the traditional capabilities that most organizations have today. So most people have an ADC or CDN, some WAF Technology. They'll have a bot detection capability in front of some of their web login forms and they'll have typically some sort of an API gateway managing the API's lifecycle and doing some basic security like validating OAuth tokens and rate limiting and those types of things. But what Ping's bringing to the table is essentially the ability to find the anomalous behavior.
So looking at an individual API's historical behavior through its metadata and building through and leveraging AI and ML technologies to understand what an API's behavior should be, and when we find anomalies we're going to bubble those up. So you might have a good actor make it through all those systems but they're using it in a way that the text is an anomaly and that's why we'll find those internal misuses as an example, as well as things like API takeovers where somebody does present a valid OAuth token that they've hijacked and they come in and they take over an API and start doing something different with it where they've reverse engineered it and now we're accessing different components and systems. So we're seeing that those types of attacks leveraging our AI modeling because it's done on an API basis, is able to detect and find those needles in a haystack I like to call them.
David: So yeah, artificial intelligence is starting to sound like the cure to everything that ails an organization or even an individual. More recently we've seen other companies come out and talk about how their security solutions are AI driven. So how is Ping's AI different from let's say any competitors that are claiming to do the same thing?
Jason: Great question. I would say our AI's probably not that much different, it's how we apply it. Right? So the fact that we are looking at things on an API by API basis and leveraging that to [not just] make a point in time decision but [also] to make [machine learned] models. So I think a lot of model it and then look at the behavior of time but then make inferences about specific pieces of data or instances in time. I think what happens with a lot of the folks out there, they're doing AI security so to speak. They're leveraging the AI to look at an individual transaction in a point in time and make a decision about its specific data that it presents. So whatever the metadata is about that individual call. They're not leveraging it to look at models over time, and or they're also looking at the API traffic through the entire gateway as an example. So if you have thousands of APIs that are deployed on a gateway, they're leveraging that technology to sift through all the data and not break it down on an API by API basis. Which is easier, right? But to get to the true root of the problem and find those anomalies you need to be able to look at the data on an API by API basis.
David: Now what's the solution called?
Jason: The solution. I haven't brought it up yet. Thanks for asking. It's Ping Intelligence for APIs.
David: Okay, Ping Intelligence for APIs. When it spots an anomaly, what happens?
Jason: So a couple things can happen. If the traffic's running through our product directly we can determine to block it. You know, send them an error page, reroute them somewhere, destroy an OAuth token. If it's some kind of a user flow. we could re-authenticate them and revalidate them – we'll do that. if it's running through one of the gateways and we're working in what we call a sideband mode – an integrated mode where they're essentially sending us the metadata body in every call – we can respond back to them and tell them that, 'Hey we believe this is not valid call' and we can send back an okay or a 403, and when they get that 403 they can decide to do some of those things that I just described or they can let it through and say we'll deal with this in a postmortem fashion.
So depending on the type of transaction it is, some organizations will say, 'We want to know about it and get visibility into it but we don't necessarily want to stop it just in case there is a false positive'. Which when you're in the AI world, false positives do happen. So that's why training the models and doing things in advance to build up the data sets is so important to our product set.
David: Is training something that's constantly ongoing as you use the product? Like you know, like you train it maybe for some period of time, I don't know, three, four weeks. Set it loose on the traffic. But then you'll see some sort of false positive rate. But meanwhile you're constantly retraining and saying, 'No, no, no, no. That was a false positive. Don't flag that', and a year later things are much more secure than they were when you started maybe in the first three or four weeks?
Jason: Yeah, absolutely. So our training kind of runs, you know, you can kind of run on it on a floating slice of time, right? So we do a few things. One, we tell people you can train in a non-production environment and actually migrate that training data over into your production environment when you turn that API on in production so that you have a nice set to start with. Or you can run in an unsupervised mode and let it train for a period of time and then we've got a few knobs if you will, that you can tune to allow the turning to kind of look at it in a few dimensions to say, 'Hey we need to kind of loosen this up so we're not getting so many false positives', or, 'We need to tighten it up to we're not getting any'. Which would be really scary, right?
So because we know they're out there. So we give you a few a different ways to do that, both kind of ongoing, you're always rebuilding the model but as a starting point, you can train and then upload that data. Or you can just go in an unsupervised mode right away. So there's a variety of things you can do, and then of course it's integrated with all your major players out there, whether it's a Splunk or Q-Radar or any of the other DevOps/SecOps type tools so that those folks have visibility from that kind of flashing red light, green lights, to go look at what's going on and correlate it with other things in the environment.
David: And if let's say I'm currently using some sort of API management system out there. Does this work with all of them? Can I just plug it right in or does it only work with some and not others?
Yeah, no absolutely. So we can work with all of them. There's really two kind of possibilities. One is just we sit either in front of or behind the API gateways. Right? It kind of is a, it would be the typical pattern if we're running what we call in line. So we work with all of them at that point our product kind of will kind of look to the traffic as a transparent reverse proxy to wherever it's coming from and going to, right? And then secondly is that side band mode I mentioned earlier. So we do have integrations are ready with most of the major gateways out there today and we're building kind of the rest of that top ten, fifteen list right now. So by the end of March we expect to have the majority of the top ten largest gateway players with a few more to come in the next few months.
David: Scary that there's such thing as a top ten in this marketplace. But I suppose you're right.
Jason: Yeah, and in the gateway world there is quite a few. It's surprising me. We find a new one about every one or two weeks now that I've never heard of.
David: Likewise, I get emails all the time and I'm like, 'What? I've never heard of these guys and they say that they're a leader in the market?', and I'm like, 'Wow, how could they be? I've never heard of them and I've been doing this for a long time. What other problems do you solve in addition to just securing the API traffic?' I imagine there are organizations out there that have all kinds of challenges, compliance for example. Do you address any of those?
Jason: Yeah absolutely. So we very much so help with compliance. So an audit type capabilities that postmortem forensic capable visibility that we provide. So because we're looking at the models on an API by API basis and leveraging every data call to figure out and build and rebuild the models, we have that data available to us. So most folks, most of the other products that people would have in their API world are not going to store and have that large data set available to them. I mean this is a big data problem at the end of the day. So you're going to be able to refer to that and go back and look at it and say here's where these people access this from, where they were going, what else they did with this session cookie or from this IP address.
So we see a lot of people actually almost more valuable to them above and beyond blocking believe or not and protecting their APIs is the visibility they get into what's going on both while it's happening and in a postmortem fashion. So compliance is huge along with the audit folks and then just people just really don't know what they don't know, and they just kind of let things happen and this is going to provide them a much more detailed level. And it is funny how many people say it's not going to happen to us and in our experiences, we put this thing into people's environments and very quickly you see, of course, you find those needles in a haystack, those anomalies. People are like, 'I don't know what that is? Or why that's coming from there?'
Then the other thing which we haven't talked about is we actually above and beyond doing the AI with our Ping Intelligence for APIs product, we provide a deception or honey potting capability and so that's really interesting as we can expose an API to the public and it will look and we'll name it something very similar to everything else. Then very quickly something on the internet starts calling it and we very quickly throw those things into our blacklist, we grab about four pieces of data about that call, whoever is that client and we stick that into the blacklist and if they go to try to actually hit real system APIs, we can block those immediately without even having to model. So we're leveraging both AI and honey potting to provide security. But again also visibility and just into who's hitting what.
David: And does the honey potting work across your customers? So if you catch somebody trying to infiltrate one customer and you know they're a bad actor you apply that. You let your other customers know or somehow get that information into their systems?
Yeah, not today. We are looking at some sort of a shared service that is, we're road-mapping, kind of trying to figure the feasibility of how that would actually operationalize.
David: Crowdsourced security if you want to call it that.
Jason: Right, I mean I think absolutely we could definitely supply the API, the IP addresses for those callers of those APIs that we quarantine. Some of the other components around session cookies and tokens and things like that might be unique to an individual organization. So we are kind of working through that with some of our customers now to figure out exactly what we could share. The other thing is we also do import whitelist and blacklist from third parties. So if you do have some service that you're using today to get blacklists as an example, we can leverage those and we also be exported to then share with those other services.
David: There are third party blacklist providers just for APIs?
Jason: Not necessarily just for APIs but they provide more generically these IP addresses are known to be for malicious offenders and those types of things. Right?
David: Right, okay I get that. Yeah. Okay, well one question that everybody's going to have is how much? How much do I have to pay to get this advanced artificial intelligence solution that will lock down my APIs and perhaps keep me out of the headlines more importantly?
Jason: Sure. So we at Ping license the Ping Intelligence for API product on a transaction-based model on an annual subscription. So we've got different buckets that obviously grow with your transaction volumes, and so you can start off as little as around $75K a year and even a little bit less maybe, depending on your volumes. But typically about I would say $75K is that annual subscription starting point for most of our customers. Obviously, it grows from there when you start to get into the billions and billions of API calls. So yeah, it's available, it's accessible, it's easy to start with. We have a cloud trial where you just need to install our agent to get going and so we can show you in advance and kind of prove to you that there is this visibility and this capability that will help your organization and we're willing to do that upfront at no cost. And then take you from there. So yeah.
David: So a kind of try before you buy option. What if it's an on-prem solution?
Jason: Yeah, so our production solution is on-prem. We believe you're going to want to own that data, have that data lake, be able to look at it for other reasons, have your data scientists and your analysts own and have that data available to them because it is such a big data problem. You know we're working through what would be a viable cloud option for a production world, right? Versus a trial world. So it will be software on-prem that they'll own or subscribe to and be able to report on the number of transactions and to look at it from that perspective.
David: Alright, great. Obviously, this work of securing people's API gateways and just their APIs, in general, is taking you all over the world. I see you're coming to us from a hotel room. Where are you right now?
Jason: I'm in San Francisco. I actually attended the IBM Think Conference as well as meeting with customers and prospects here this week in San Francisco.
David: Well thanks very much Jason. We wish you great luck in your travels. We've been speaking with Jason Bonds, General Manager of Ping Intelligence. They're describing how they use artificial intelligence to trap malicious API traffic and keep your APIs secure. Jason thanks very much for joining us.
Jason: Thanks David, have a great rest of your day.
David: Okay, thank you too. I'm David Berlind, Editor-In-Chief of ProgrammableWeb and this is the Developers Rock Podcast. If you have questions, concerns, comments, let us know. You can leave the comments underneath the video on our YouTube channel or you could just write to us by going to ProgrammableWeb.com.