Interviews | October 12, 2021

APIs Present a Very Attractive Target for Attackers


Noname Security | Tenable | ThreatLocker

Karl Mattson
Chief Information Security Officer

Noname Security

Q1. You were recently appointed as the first CISO at Noname Security. What are your immediate priorities in this new role? How do you see your previous experience as a security leader in the financial services space helping you carry out your mission as CISO of Noname?

My first priority is to ensure that our internal security posture is at the top of sophistication and effectiveness. Coming from financial services, I arrive with a clearly formed view of our priorities to protect Noname and our customer environment. Financial services firms are amongst the most targeted entities in the world, which has driven our teams to pursue sophisticated, efficient, and robust defenses. My objective is also to demonstrate the quality of these defenses for our customers transparently, meeting and exceeding their expectations in due diligence and risk assessments. As a security company, our customers expect more.

Second, my priority is to serve as the "customer-in-residence" to ensure the voice and requirements of our customers are continuously driving product innovation. Noname's API security platform has quite literally been born out of customer demand, and it continues to evolve each day as we build new functionality and integrations that strengthen our customers' security posture. We will continually foster dialogue with customers to be where they need us to be.

Q2. Noname Security has so far raised $85 million in total investor spending since emerging from stealth mode in December 2020. What's driving investor and enterprise interest in your technology?

In short, APIs are fundamental to our digital life today. Business and retail consumers expect new services, data, and functionality to be at their fingertips, the expectations for which are very commonly satisfied by the adoption of API-based services. For example, it wasn't too many years ago that we would log into our personal bank account to see our account balance and nothing more. Today, even small institutions have mobile apps which can show a credit score, offer a credit card, send payments through multiple services, chat with a service agent, and many more features, nearly all of which are enabled by APIs. Consumers want more, and APIs open the doors to more and better products and services, as companies can deliver a better experience and more service at a fraction of the cost of traditional application development.

Meanwhile, API security breaches are announced almost daily, affecting some of the world's largest companies and known brands. These events involve stolen sensitive data and reputational damage that simply cannot be ignored.

The threat trend is clear - APIs, when unprotected, represent a very attractive target to attackers. They are a direct line into sensitive data and systems, and their attractiveness grows as their usage grows.

For the investor, API security is the sweet spot of opportunity - the trend of technology spend overall and the threat landscape trend, both converging on a new category for investment.

Q3. What do you want organizations at Black Hat Europe 2021 to know about your company and its technology?

We want security teams to take away two things: First, we want to illustrate the anatomy of API security risks. Protecting APIs is not the same as protecting traditional web applications or endpoints. We want to share how API attacks unfold and why stopping API attacks necessarily requires us to adjust our control layers. Traditional application security mainstays - SAST and DAST testing, coding standards, web application firewalls, API gateways - these are and will continue to be vital to API and application security. However, for APIs, they are not enough. Gaps, misconfigurations, lack of visibility, and lack of business context limit our current defenses against API attacks. It is the misconfiguration that is most commonly exploited today. We want to first illustrate an API attack's anatomy to set the stage for what new strategies we need to undertake to stop them.

Then, we want to pivot to defensive strategies. What is notable about API security is what is also notable about API functionality itself - developer-friendly, lightweight, and employed expediently. Noname's approach doesn't introduce a whole new layer of inline controls, filters or chokepoints. We can be smarter and move faster to actually reduce the time and friction of API security protections - to lighten the load on the security team, not add to it. We can capitalize on cloud, gateway and network services already in place.

Our API strategies are simple: 1) Manage API Inventory and Posture, 2) Detect and Block API Threats and 3) Continuously Test and Improve API Code. Unlike workstation, server or traditional application endpoints, Noname's platform can serve as one platform to tackle all three objectives. The distance and lift from wherever we are today to where we are going is surprisingly short and simple. We are excited and honored to partner with security teams to get there.
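The first of the three strategies above, inventory and posture, is the one most easily shown in code, and it is also where the misconfigurations mentioned in the previous answer surface. The following is an added illustration, not Noname's product code or anything from the interview: it walks an OpenAPI 3 document (a constructed sample, embedded inline) to enumerate every operation and flags operations whose effective security requirement is empty, operations that reference a security scheme the document never declares, sensitive path prefixes served without authentication, and servers advertised over cleartext HTTP. The `/admin` prefix and the `/health` exemption are assumptions chosen for the sample.

```python
"""Inventory-and-posture check over an OpenAPI 3 document (added example)."""

# Constructed sample spec; hostnames and paths are placeholders, not a real service.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "https://api.example.test/v1"},
        {"url": "http://api.example.test/v1"},   # cleartext server: posture finding
    ],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],          # global default: every operation needs a bearer token
    "paths": {
        "/accounts/{id}/balance": {"get": {"summary": "Account balance"}},
        "/public/rates": {"get": {"summary": "FX rates", "security": []}},
        "/admin/users": {
            "get": {"summary": "List users", "security": []},   # explicit [] switches auth off
            "delete": {"summary": "Delete user"},
        },
        "/health": {"get": {"summary": "Liveness", "security": []}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def inventory(spec):
    """Enumerate every (METHOD, path, operation) the document exposes: the inventory step."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                ops.append((method.upper(), path, op))
    return ops


def effective_security(spec, op):
    """Per-operation 'security' overrides the global list; an explicit [] disables auth entirely."""
    return op.get("security", spec.get("security", []))


def posture_findings(spec, sensitive_prefixes=("/admin",), allow_unauth=("/health",)):
    """Return (finding, method, path) tuples for the misconfigurations this check knows about."""
    findings = []
    for url in (s.get("url", "") for s in spec.get("servers", [])):
        if url.startswith("http://"):
            findings.append(("cleartext-server", "*", url))
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    for method, path, op in inventory(spec):
        sec = effective_security(spec, op)
        if not sec:
            if path in allow_unauth:
                continue                       # deliberately public endpoint (assumption)
            findings.append(("unauthenticated-operation", method, path))
            if path.startswith(sensitive_prefixes):
                findings.append(("sensitive-path-unauthenticated", method, path))
        else:
            for requirement in sec:
                for scheme in requirement:
                    if scheme not in declared:
                        findings.append(("undeclared-scheme", method, path))
    return findings


if __name__ == "__main__":
    for finding in posture_findings(SAMPLE_SPEC):
        print(*finding)
```

Run against the sample, the check reports the cleartext server, the two operations that opted out of the global bearer requirement, and the admin path among them; the `DELETE /admin/users` operation inherits the global requirement and is not flagged. In a real pipeline the same function would run over every spec gathered from gateways and repositories, and the inventory list itself is the asset register that the detection and testing strategies then work from.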


Luc Delsalle
Vice President, Engineering

Tenable

Q1. A recent survey that Tenable conducted showed that many organizations are attributing recent business-impacting cyberattacks to vulnerabilities in technologies that were put in place during the pandemic. What kind of vulnerabilities did the new technologies introduce, and what should enterprise organizations be doing to address them?

The independent study, conducted by Forrester Consulting on behalf of Tenable, identified managing the atomized attack surface as a significant vulnerability created by the New World of Work. Particularly challenging for security leaders is that many remote employees are using personal devices to access company data from home Wi-Fi networks that multiple users can also access. Leaders have limited visibility on this extended attack surface. Another factor is the rapid onboarding of new tools to accommodate work from home mandates, often without proper security controls. Threat actors have capitalized on this opportunity, with many actively targeting remote employees.

Attackers thrive during times of uncertainty, and this acceleration of digital transformation and remote work models offered them plenty to target. The study found that 92% of global organizations experienced a business-impacting cyberattack or compromise in the past 12 months, with 70% falling victim to three or more attacks. Sixty-seven percent say these attacks targeted remote workers, and 74% say at least one attack resulted from vulnerabilities in systems put in place as a response to the COVID-19 pandemic.

With defenses falling, we need a new approach to cybersecurity practices. One where security is woven throughout the network — with users, endpoints, applications, and files on the network and in the cloud monitored and authenticated at every access point.

Q2. Active Directory and other critical enterprise infrastructure have become major targets for cyber attackers over the past year. What challenges does this pose for security organizations? What capabilities are required for addressing these threats?

The increasing threat and severity of cyberattacks have been well documented, with governments, businesses and even civilians all questioning how safe their personal information really is. More recently, this concern has intensified as we've seen threat actors target the infrastructure that underpins our lives — from water purification plants and oil refineries to medical facilities and transportation systems. It appears nothing is off limits.

Traditional perimeter security simply isn't enough to protect multiple environments against today's cybercriminals. This presents an opportunity for security leaders to rethink how they define risk, looking beyond software flaws and device compliance to achieve a holistic view of their dynamic and disparate environments.

In tandem, they need to invest in adaptive user and data risk profiles to disrupt attack paths by accounting for misconfigurations in Active Directory (AD) and the cloud, and step up security based on changing conditions, behaviors, or locations.

Finally, they must take a hard look at the limits of traditional, perimeter-based security architectures to consider more sophisticated options that continuously monitor and verify every attempt to request access to corporate data at all levels, whether that's a device, app, user, or network attempting to make that connection.

Q3. What are Tenable's plans at Black Hat Europe 2021?

Our focus for Black Hat Europe will be Tenable's powerful combination of risk-based vulnerability management and Active Directory security solutions that help organizations prevent threat actors from getting a foothold in the corporate environment, stopping attacks before they can begin.

Our cybersecurity experts will be on hand to demonstrate how our solutions help security teams minimize and eradicate potential threats. We're looking forward to having impactful conversations and discussing the most effective ways for customers to navigate and reduce cyber risk in the digital era and hope all visitors will leave with a thorough understanding of our Active Directory security solutions.


Danny Jenkins
CEO & Co-founder

ThreatLocker

Q1. How exactly do application whitelisting and ringfencing technologies help organizations defend against ransomware, attacks involving fileless malware and other new and emerging threats?

Denying application access by default allows organizations to worry less about the efficacy of threat detection as well as their employees' ability to detect and avoid clicking on suspicious phishing emails. In most organizations, applications and software have too much privilege with the ability to access everything the user does.
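The two ideas in this answer, deny-by-default execution and confining the applications that are allowed, can be shown as a small policy engine. The following is an added example written for this page, not ThreatLocker's code; it assumes an allowlist keyed by file hash (the hashes here are SHA-256 of placeholder labels, not of real binaries), a per-application "ringfence" describing which child processes, network access and file paths the application legitimately needs, and a constructed stream of endpoint events that such an engine would evaluate.

```python
"""Deny-by-default allowlisting with per-application ringfencing (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Ringfence:
    """What an allowed application may do beyond simply running."""
    child_processes: frozenset = frozenset()   # names it may spawn
    net_allowed: bool = False                  # may it talk to the network at all
    file_paths: tuple = ()                     # path prefixes it may write under


def label_hash(label):
    """Stand-in for the SHA-256 of a binary; hashes a placeholder label instead (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed known-good inventory: hash -> (display name, ringfence). Assumed policy.
ALLOWLIST = {
    label_hash("winword.exe"): ("winword.exe",
        Ringfence(file_paths=("C:\\Users\\",), net_allowed=True)),
    label_hash("powershell.exe"): ("powershell.exe",
        Ringfence(file_paths=("C:\\Scripts\\",), net_allowed=False)),
}


def decide_execute(file_hash):
    """Default deny: a binary not on the list does not run, however it arrived on the host."""
    entry = ALLOWLIST.get(file_hash)
    return ("allow", entry[0]) if entry else ("deny", "not-allowlisted")


def decide_action(app_hash, action, target):
    """Ringfencing: an allowed application is still confined to what its policy grants."""
    entry = ALLOWLIST.get(app_hash)
    if entry is None:
        return "deny"
    _, fence = entry
    if action == "spawn":
        return "allow" if target in fence.child_processes else "deny"
    if action == "network":
        return "allow" if fence.net_allowed else "deny"
    if action == "file_write":
        return "allow" if target.startswith(fence.file_paths) else "deny"
    return "deny"                              # unknown action kinds fail closed


# Constructed event stream of the kind an endpoint agent would report.
EVENTS = [
    ("execute", label_hash("unknown_attachment.exe"), None, None),
    ("execute", label_hash("winword.exe"), None, None),
    ("action", label_hash("winword.exe"), "spawn", "powershell.exe"),
    ("action", label_hash("winword.exe"), "file_write", "C:\\Users\\alice\\report.docx"),
    ("action", label_hash("powershell.exe"), "network", "203.0.113.5:443"),
    ("action", label_hash("powershell.exe"), "file_write", "C:\\Windows\\System32\\x.dll"),
]


def evaluate(events):
    """Return one allow/deny decision per event, in order."""
    decisions = []
    for kind, file_hash, action, target in events:
        if kind == "execute":
            decisions.append(decide_execute(file_hash)[0])
        else:
            decisions.append(decide_action(file_hash, action, target))
    return decisions


if __name__ == "__main__":
    for event, decision in zip(EVENTS, evaluate(EVENTS)):
        print(decision, event[0], event[2] or "", event[3] or "")
```

The point the answer makes is visible in the decisions: the unknown executable is refused without any verdict on whether it is malicious, and the word processor, although trusted to run, is not trusted to launch a shell; the shell, although trusted to run, cannot reach the network or write outside its script directory. Detection quality never enters the decision.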

Q2. What's driving the accelerated adoption of zero-trust security models over the past year? How do you see the trend evolving over the next few years?

It is required in the federal government, recommended by analysts, and many businesses are now required to implement zero-trust frameworks for compliance.

Q3. What do you expect will be top-of-mind issues for your customers—and potential customers—at Black Hat Europe 2021? What do you want them to know about how ThreatLocker can help address these issues?

Ransomware. Businesses must move beyond detection technologies like antivirus and threat hunting and embrace endpoint security controls like application whitelisting and Ringfencing to stop ransomware attacks.

ThreatLocker allows you to change the paradigm so you're in control of your environment, which significantly reduces the risk of applications being weaponized against you.
