White Hat Win: Security APIs are Getting Radically Better
 

Technology executives have been talking about APIs and integrations for years now—decades, in some cases. And for good reason, especially in cybersecurity: Application programming interfaces establish a foundation for communication and have provided many opportunities for improving threat intelligence, expanding automation and accelerating response. We were early believers, so Mimecast exposed virtually all of our key functionality through hundreds of fully-documented APIs and built one of the industry’s most extensive integration libraries. Yet many customer organizations are still struggling to leverage these capabilities and haven’t achieved the ubiquitous, seamless integration they need to defend against state-of-the-art attacks in real-time.

That is about to change.

Technology advances and emerging solutions are making APIs far more valuable, easier to use and cost-effective. In this blog post, I’ll introduce five important advances security leaders should understand. Before we drill down, here’s the key takeaway: It’s time to raise your expectations of what APIs make possible, today and in the near future, viewed against what your providers should deliver. For example, you should be able to:

• Integrate with any tool and automate any security process with virtually no programming.
• Fully manage and operate within the admin console or any portal of your choice, even for data derived from other security solutions.
• Maintain all the right data, over extended periods of time, without ballooning costs.
• Leverage more innovation from more sources, so an entire global ecosystem of allies is always there to support your cyber defense.

Here are the five current trends driving these near-future scenarios.

1. Event Streaming APIs

Traditional APIs are request-driven: You poll a data source and get the requested data. To get closer to real-time, you must send more frequent requests. Getting timely data can be difficult and inefficient. Streaming APIs rely instead on a subscription model: You subscribe to a data source and automatically receive the continuous updates you want.

Streaming APIs are typically associated with event-based models that provide more granular control over what data is streamed. Traditionally, if a data source generated 500 data fields, you received all or none of them. At many security organizations, these “firehose” log data dumps lead to huge payments to SIEM providers for storing data that doesn’t add much value. To control costs, companies often limit “live” data to a month or two. But this tradeoff can create blind spots and operational problems, and potentially increase dwell time: By taking older events offline, security professionals—and their automated systems—can miss patterns associated with sophisticated attacks that unfold slowly and deliberately.

With modern streaming and event-based APIs, security professionals can target the data that matters most and keep it online for much longer, so their organizations become less vulnerable. They can also address new use cases that need pinpointed information—for example, only the clicked URLs Mimecast blocked, not all the reasons we chose to block it. Another modern approach to API design, Graph APIs, can also provide greater control over what data you fetch, improving efficiency and flexibility.

Individually or together, these modern approaches to API design free security teams to be nimbler and more tactical through relevant data sets. They can generate and apply threat intelligence much faster, making cyber defenses more effective—and more cost-effective, too.

1. Standardized API Query Platforms

API adoption has often been hindered by a development-heavy approach that requires developers to write PowerShell or Python scripts, or Java code, to perform even relatively simple tasks. Fortunately, popular tools have emerged to ease this burden. At Mimecast, we’ve standardized on Postman and plugged key email security capabilities into it. Users can now create their own customized solutions with our APIs by clicking and dragging inside Postman’s UI. They needn’t write new scripts, even to leverage our most complex API calls. Knotty issues like communication, authentication and sequencing are all handled for them.

This radically reduces barriers to entry. Analysts and other users can build custom solutions and integrations without waiting for programmers to do it for them. (Learn more about using Postman to build Mimecast solutions.)

Postman has become popular wherever APIs can support business process improvement and automation. It’s also becoming more robust, adding table views and basic Tableau-style business intelligence capabilities. As more API providers join Mimecast in adopting it, API integration across tools becomes even easier, and even more security teams can take advantage of it.

1. Low-Code/No-Code Security Orchestration Tools

Targeted security integrations are an ideal application for low-code/no-code tools. These solutions are emerging quickly, and some Mimecast customers already use them in production. They empower non-developers to create entire automated workflows using selective event-based streaming data, plugging in both Mimecast’s APIs and those of other security providers.

Non-developers can now envision solutions based on complex automated workflows that combine many security products. These tools are often designed to work closely with API query platforms such as Postman. We’re collaborating with a growing number of leading tools providers to bake in our API functionality “out of the box.”

Previous orchestration solutions were notoriously technical and code-intensive. But these low-code/no-code tools really can empower analysts to orchestrate all their security resources and data to act reliably and quickly without all that daunting complexity.

1. Shared Customer Solution Exchanges

As customers build more complex custom solutions, some want to share these with others in the interest of common defense. Conversely, of course, more security teams are discovering that they can get rapid value from solutions built by peers. These solutions can take many forms: code snippets that enable new integrations, add-ons to ingest additional data sources or custom reporting templates based on tools such as Splunk.

Some of this content may simply be posted on Github, but we also envision the emergence of secure exchanges—public and/or private, free and/or paid—hosted by solution providers or even customers. Once again, these exchanges build on already-available APIs, helping security teams leverage more of the creativity APIs can unleash.

1. Beyond Portals: Full Functionality from Anywhere

To get the right information and trigger the right actions, security teams have traditionally moved between multiple portals, each with its own interface and logins. But the tools we’ve already discussed make it possible to package common sets of reusable functionality and operate any security technology from anywhere, consuming its capabilities without ever using its portal. Some Mimecast customers already use our technologies this way. We can show you how it’s done—and we encourage you to demand the same capabilities from any security provider you work with.

The Bottom Line

APIs are traveling the same path that powerful technologies ranging from PCs to the internet followed years ago. With their technical foundations solidified, they’re becoming radically more accessible and easier to use, with many vendors offering off-the-shelf plug-ins; therefore, they’re becoming radically more powerful and valuable. In future posts, we’ll drill down further on what this new world will look like and what it will mean to you.