PANCast™ Episode 40: Prisma Cloud API Discovery Using WAAS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L4 Transporter
No ratings

 

Episode Transcript:

 

John: 

Hello and welcome back to PANCast™.
Today we have Jayakumar Prakasam from the Prisma Cloud team, and we will discuss the API discovery feature on WAAS.

 

Jayakumar:

Hey John, thanks for inviting me today and giving this opportunity to deliver another great episode of PANCast™. My name is Jayakumar Prakasam and I am a Staff Technical Support Engineer working in the Prisma Cloud and Compute domain withJayakumar Prakasam is a Staff Technical Support Engineer at Palo Alto Networks, specializing in the Prisma Cloud and compute domain. With years of experience in Cyber Security, Jayakumar is dedicated to enhancing the Cloud security and protecting the Cloud infrastructure from potential threats. With a passion for knowledge sharing, Jayakumar actively engages in sharing insights and best practices through various platforms. He is committed to fostering a culture of continuous learning and collaboration in the cybersecurity community.Jayakumar Prakasam is a Staff Technical Support Engineer at Palo Alto Networks, specializing in the Prisma Cloud and compute domain. With years of experience in Cyber Security, Jayakumar is dedicated to enhancing the Cloud security and protecting the Cloud infrastructure from potential threats. With a passion for knowledge sharing, Jayakumar actively engages in sharing insights and best practices through various platforms. He is committed to fostering a culture of continuous learning and collaboration in the cybersecurity community. years of support experience in cyber security.

 

John: 

So can you remind our audience what is WAAS? And what is the use case for the API Discovery feature?
 

Benefits from Using API Discovery 

 

Jayakumar:

Sure , WAAS stands for Web Application and API Security. WAAS helps organizations protect their web applications and APIs from various threats such as OWASP Top 10 vulnerabilities, API abuse, and account takeovers. I also recommend taking a look at the PANCast™ Episode 31 that details the WAAS feature.
Prisma Cloud WAAS API Discovery is a feature of Prisma Cloud that helps organizations discover and secure their APIs used in web applications. It scans cloud environments to identify APIs and provides insights into their usage, dependencies, and potential security risks. This information helps organizations ensure that their APIs are properly secured, compliant with regulations, and efficiently managed. Prisma Cloud WAAS API Discovery enhances visibility into API landscapes, enabling organizations to improve their security posture and governance of cloud-native applications.

 

John: 

OK, so API discovery improves our customers' security posture by inspecting all the APIs on their web applications. Can you tell us a bit more about APIs?
 

Jayakumar:

Certainly! APIs, or Application Programming Interfaces, are a set of rules and protocols that allow different software applications to communicate with each other. They define the methods and data formats that applications can use to request and exchange information.
 
In the context of web applications, APIs are crucial for enabling various functionalities. For example, an API might allow a web application to retrieve data from a server, update a database, or interact with third-party services like payment gateways or social media platforms.
 
APIs play a key role in modern web development, enabling developers to build more dynamic and feature-rich applications. However, they also introduce security challenges, as they can be a target for attackers looking to exploit vulnerabilities or gain unauthorized access to sensitive data.
 
By inspecting and monitoring all the APIs used in web applications, API discovery helps improve the security posture of customers by identifying potential vulnerabilities, ensuring compliance with security policies, and detecting and preventing malicious activity.
 

John: 

Great! So how does the discovery work?
 

Jayakumar:

Sure, let me explain how the API discovery works, when API discovery is enabled, the Defender inspects API traffic routed to the protected app. Defenders learn the endpoints in your API by analyzing incoming requests and generating a tree of API paths. Every 30 minutes, Defender sends the Console a diff of what it has learned since its last update. The Console merges the update with what it already knows about the API.

The API discovery subsystem attempts to ignore all HTTP traffic that doesn’t resemble an API call.

 

John: 

OK, so we are inspecting publicly exposed resources to detect the APIs to protect. From your experience, who can benefit from using the API discovery and what are the use cases?
 

Jayakumar:

Yeah, the answer is pretty much anyone who needs to secure web applications and APIs. If you're running an e-commerce website, online banking application, or government portal, you need to keep your web applications and APIs secure. And if you're moving to the cloud, WAAS provides scalable and flexible security that can grow and adapt with your needs. Basically, if you've got a website or API, you need WAAS.

Prisma Cloud WAAS API discovery offers several use cases to enhance the security of web applications and APIs , like building an inventory of the discovered APIs that helps in understanding the API landscape and the dependencies within your applications.
Enforcing security policy by ensuring only the approved APIs are accessed. API discovery helps in threat detection and prevention by monitoring the API traffic and identifying the vulnerabilities in APIs, while also ensuring the Compliance with regulatory requirements by monitoring API usage.

You can also implement fine-grained access control policies based on API discovery insights to restrict access to sensitive APIs and data.
 

John: 

Great! Anything we need to be aware of?
 

Jayakumar:

Well, definitely there are a few criteria for identifying which requests to inspect:
  • Requests must have non-error response codes.
  • Requests must not have extensions (like .css, and .html).
  • Requests Content-Type must be textual (text/), application (application/), or empty.
On the API discovery database, when new path entries for images or API endpoints are added, the Console uses the 'Last Observed' date to delete the older entries to optimize the available resources. When an image or API endpoint is deleted from the database, an alert is generated, and the details are written to the Console logs.

 

John: 

Thanks Jayakumar, how about the implementation of the API discovery? How complex is it?
 

Jayakumar:

API discovery is enabled by default when you create a WAAS policy and it is not so complex to implement.

You would need to log in to the Prisma Cloud Console and navigate to the 'Defend' tab. From there, you can access the Web Application and API Security (WAAS) module, which offers a range of deployment options to suit your needs.
Depending on your architecture, you can choose between different deployment modes, including Container (Inline/Out-Of-Band), Host (Inline/Out-Of-Band), App-Embedded, Serverless, or Agentless. Each mode is designed to provide comprehensive security without compromising your application's performance.
Whether you're looking to protect containerized applications, host-based environments, embedded applications, serverless functions, or require agentless protection, Prisma Cloud WAAS has you covered. Select the deployment mode that best fits your infrastructure and security requirements, and start securing your applications with ease. Select an existing rule and enable API endpoint discovery.

There are several potential pitfalls to consider to ensure the feature is properly configured and effective, like ensuring that the API discovery mechanism captures all APIs used by your applications. Incorrectly configured discovery settings can lead to missed APIs or false positives, impacting the accuracy of security policies and threat detection , so you need to ensure that there are no misconfigurations. You certainly need to ensure that your infrastructure can handle the increased load without affecting performance since the API discovery can introduce additional network traffic and processing overhead.

If you want to learn more, be sure to check out the Palo Alto Networks TechDocs for Prisma Cloud documentation, videos, and tutorials. And remember, if you need any help getting started, Palo Alto Networks is here to assist you every step of the way. Here’s an essential checklist that you can prepare when raising a support case with us:
  • Screenshots help to describing the issue, including the current WAAS configuration, Screenshots from the API discovery page and the error or issue you are facing
  • Defender log
  • Console log
 

John: 

OK, so we have enabled API discovery, what’s next?
 

Jayakumar:

Great question! Now that API discovery is enabled, it is now about inspecting the discovered API endpoints and protecting them.

In the Monitor section of the Prisma Cloud Console, specifically under Web Application and API Security (WAAS) and API Discovery, you'll find an endpoint report that provides a detailed overview of the APIs discovered within your environment. This report categorizes APIs based on their path, HTTP method, associated application, and more. It includes essential information such as the path, HTTP method, number of hits, API protection status, path risks, the workload responsible for the APIs, image risk factors, resource vulnerabilities, App ID, and the date when the API was last seen.

One of the key aspects highlighted in the report is the 'Path risks' column, which flags critical risks associated with specific endpoints.
This report serves as a valuable tool for understanding the security posture of your APIs, allowing you to identify and address potential vulnerabilities and risks proactively.

 

John: 

Awesome, So, How exactly do we protect the endpoints?
 

Protecting the Endpoints 

 

Jayakumar:

Well, this is just a click of a button, Select ‘Protect’ next to a resource to protect a path, set effects for all API endpoints discovered in the App, and select Protect all. This enables you to protect all the API endpoints in the resource path identified within an app to the WAAS policy rule, not just the selected path. When there is an event generated from a new endpoint, you have to explicitly Protect it.
 

John: 

Lots of things to remember today, can you summarize in a few takeaways?
 

The Episode Takeaways 

 

Jayakumar:

Sure, John , here are some key takeaways:

WAAS API Discovery helps organizations discover and secure their APIs used in web applications.

By inspecting and monitoring all the APIs used in web applications, API discovery helps improve the security posture of customers by identifying potential vulnerabilities, ensuring compliance with security policies, and detecting and preventing malicious activity.

WAAS provides scalable and flexible security that can grow and adapt with your needs. Basically, if you've got a website or API, you need WAAS.

WAAS API discovery offers several use cases like building the discovered APIs inventory , enforcing the security policy by allowing access to only approved APIs, threat detection and compliance monitoring

 

John: 

Thank you Jayakumar. Some great info today. PANCasters remember the transcript and useful links for this episode can be found at live.paloaltonetworks.com.
 

Jayakumar:

Thanks again John for having me today, I hope to join in another episode soon.

 

Related Content:

Prisma Cloud 

Rate this article:
(1)
Comments
L2 Linker

Great topic, and thank you for sharing your insights!

  • 2027 Views
  • 1 comments
  • 1 Likes
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎04-11-2024 12:50 PM
Updated by: