Why I Invested in ArecaBay – API Security microScoping in an App Distributed World

I am regularly involved with angel investing, and I quite like the idea of helping founders and maybe, ‘why not’, hitting the mother lode and being that early investor for the next Uber. Much of what I do when investing has little to do with my day-to-day job, and that is a strategy I put in place to secure a more balanced financial exposure.

Take Keewi, for example, a startup disrupting the energy management business with deep analytics, or YotaScale, helping enterprises harness the power of machine learning for cloud infrastructure management. Across my small portfolio, one thing is common: the passion for analytics and machine learning as the core enabling tool.

That’s why I am extremely excited about the very real and under-served cyber-security challenge the team at ArecaBay is solving through the use of machine learning and analytics.

First of all, I’m lucky to be friends with the team and to be able to be part of their mission; a cracking team, made up of engineers and founders from Netskope, McAfee, Google, Juniper, Symantec, and VMware.


The problem…

Gartner and others have already declared that by 2022 API abuse will be the most frequent attack vector resulting in data breaches for enterprise applications (ID G00342236), with an estimated $600B yearly global cost of security breaches for organizations.

This is not surprising given that most SaaS offerings expose APIs for general consumption; furthermore, the trend of application decentralization through the use of clouds and microservices is creating an API-first world.

While API and Web Gateways have existed for a while and can moderately secure entry points, in this new and decentralized application world API gateways are of almost no use. Someone recently referred to the problem as Crunchy Outside, but Mushy Interior.


Courtesy of SourceAllies


If you are not yet convinced that APIs are the big new target for hackers, look at the Salesforce API hack in Jul/18 (Salesforce Security Alert: API Error Exposed Marketing Data), the recent Facebook API hack in Sep/18 (Facebook Security Breach Exposes Accounts of 50 Million Users), or yesterday’s discovered Google+ vulnerability (Google+ to shut down after coverup of data-exposing bug). These are all high-profile web companies that should have been protected, but they were hacked via API spoofing because there’s no technology available to detect deep API-level malicious transactions, particularly in a highly distributed app world.

The team first developed a tiny microSensor (remarkably low CPU and memory footprint) that is seamlessly deployed alongside applications and services: in virtual machines, in containers as a sidecar proxy, on AWS EC2 instances, in AWS serverless Lambda functions, on edge devices, etc. Truly any app, any cloud, and any infrastructure, but the best part is that it is completely transparent to applications, developers and DevOps teams – it’s not a proxy.

Next, they developed a self-adaptive ML element that enables these microSensors to operate at a scale of millions and have them cognitively correlate API-level events across every data flow touchpoint where an API call has been terminated – from the user, through web proxies, web servers, microservice pods and services, and all the way to the data repositories.

That’s unprecedented API-level granularity; they call it API microscoping.

At the API level, their tech can identify and correlate in real time, with a very high degree of accuracy, Context Obfuscation, Authorization Token Reuse, Compromised Credentials, Unintended API Usage, Session Manipulation, User in-App Behaviour Anomaly, API Parameter Tampering, and a Leaky App.

The applicability of this technology is staggering, enabling any connected service or device to be monitored and understood at the API level, including enterprise apps, mobile, and IoT devices – and according to Gartner, there will be 20.4 billion connected IoT devices by 2020, with 5.5 million new things connected each day.

Casino Security And The IoT

There’s a lot more to talk about, but I cannot fully disclose what they are working on.
Go and check their website: www.arecabay.com


This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net