
S6E2 - Securing the API Gateway: A Deep Dive into Microsoft Defender for APIs

Jan 24, 2025 · 1 hr 5 min · Season 6, Ep. 2

Episode description

In this episode, we explore the critical world of API security through the lens of Microsoft Defender for APIs. Join us as we discuss how this tool can safeguard your APIs in increasingly cloud-centric environments.

Topics Covered:

  • Introduction to Defender for APIs
    • What it is and why it matters in today's cloud landscape.
    • Who should care about API security?
  • Key Features of Defender for APIs
    • Inventory management and visibility.
    • Security findings and vulnerability assessment.
    • Real-time threat detection based on OWASP API Top 10.
    • Integration with other Azure and security tools.
  • Benefits for Businesses
    • Enhanced API security posture.
    • Compliance with regulatory standards.
    • Mitigating risks in API lifecycle management.


Transcript

Hello and welcome to the Let's Talk Azure podcast with your hosts, Sam Foote and Alan Armstrong.

If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode two of season six. Alan and I recently had a discussion around Defender for APIs. In this episode, we explored the critical world of API security through the lens of Microsoft Defender for APIs. Join us as we discuss how this tool can safeguard your APIs in increasingly cloud-centric environments. We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's dive in. Hey Alan, how are you this week?

Hey, Sam, not doing too bad. How are you? Yeah, really good, thank you. Really good. Officially back into the swing of things in 2025. So, yeah, really good for the, the world to have woken up again, if that makes sense. Yeah, yeah, definitely. Everyone's woken up. There's lots of go, go, go. Christmas is done. I think the, the cutoff period for saying, you know, did you have a good Christmas? Happy New Year is now gone. So everyone's just like, yeah, let's go.

I had a call kicking off a project this week and you'll know this, Alan. We, you know, naturally asked the customer, you know, when are you thinking about kicking this off? And they replied, oh, well, we're completely free, like now, let's sort of go, go, go, do you know what I mean? And typically in my world anyway, usually it's like, oh, well, you know, know we've got all these other things to do that are really important, you know what I mean? So it was actually quite a, quite a nice thing for somebody to say, hey, we're back and we're ready to go sort of thing. Right. So I was a bit surprised by that answer, but excited at the same time because that's what we're, that's what we want to see.

Oh, yeah, definitely. It's always great to have. You'll be able to, well, in our work, in our sort of profession, need to crack on with you supporting customers straight away where we can, you know, fully appreciate that they may be busy or have other sometimes either greater priorities or. Yeah, just, just not the time. Not enough time to spare to, to get it going. Yeah, no, no, no, definitely. Cool. Okay. So what's this week's episode on then, Sam?

We, we are going to talk about Defender for APIs. Ooh, nice. Yeah, we're slowly working our way through the many, many products that are inside of the Defender for Cloud suite. So this week will be a continuation on of one of those. It's. Yeah, I'm glad you said it the way you did then actually, because I had a, not slightly off topic, but I had a session with Microsoft this week around Defender for Cloud and they were saying it's not, Defender for Cloud isn't a product, it's a portfolio of products.

Yeah. So sweet. Yeah, absolutely. Makes sense. It's not, oh, I've enabled Defender for Cloud. It's. I'm using the portfolio of products there.

Yeah. Because what I sometimes found is people would refer to Defender for Cloud, like, oh, you're going to implement Defender for Cloud. And I was like, what the hell does that mean? You don't. Okay. And I think most people are talking about like CSPM when they're referring to like posture management. And I'm like, you know, if, if somebody put on like a statement of work or whatnot, implement Defender for Cloud, I'm like, you do know there's like 10 different products. I, I don't know the exact number. Off the top of my head. I probably should. And some of those are quite scary if, if that makes sense. So. Because they're all, all the workload protections, I would say are very different skill sets and technologies. Right. So, you know, some of the outputs from them, you really do need to know those workloads to get the most out of them. Right. So, yeah, it's. Yeah. Cool. Well, I'm glad Microsoft picked up on, on my collective, you know, term for Defender for Cloud. I'll, I'll, I'll take that. But no, I'm only messing, but I'm, Yeah, I'm glad they, they agree with that for sure.

Yeah. Okay, so let's get started then. So I think probably kind of, as you just said, you know, you need to know the products or the services that the defenders sit on. So I guess it's worth probably talking about, you know, what are APIs? And you know, why, why do we need to protect them? Yeah. Okay.

So, yeah, APIs, application programming interfaces, you know, you know, back in the day were all you have in, I'll call it like local or internal APIs on your devices. So if an application that's running on Windows wants to communicate with the operating system, it will use an API. You may have heard of the term SDKs, software developer kits, which are collections of APIs. So that's, I would call those like local, local APIs. Now when we talk about APIs in sort of the cloud, web and distributed system sense, we're talking about discrete systems communicating to each other typically over some type of network connection. Okay, so when you, when you access the Azure portal, you are accessing, let's go with hundreds of different API endpoints or APIs and API calls that you're doing to fetch data about various things. So you would have seen when you load like a, I don't know, a list of devices in the Defender portal or in Azure or Resources you might see a spinning like bar or spinning, I don't know, icon in the middle whilst it's waiting to load. Sometimes that is because it's going off to an API to fetch the information that you need. So if you're looking at a, I don't know, a list of devices in Entra, your browser goes hey, hey, hey, Entra, I need the list of devices for Sam. Can you get those for me? And the servers that, the API servers that run Entra will return back and say hey, you're authenticated, you're authorized as well. Yeah, here's the information you want. Show this list of devices to Sam. That's a very basic example. I wanted to use something that people would like, you know, actively use on a day to day basis. But APIs are used behind the scenes. You know, we have distributed systems now where you're a business and you've got many like line of business applications and they need to talk to each other. You will use APIs to do that. Typically we use, today we use probably the most ubiquitous version of APIs in the web sense are REST APIs.
I would probably say there are different protocols, but let's just talk about REST APIs today just to keep it sort of as simple as possible. And that is just a schema or a definition, a language so to speak of how you define and how you transfer data between each other. So if, if me and you talk REST, then we can talk together essentially and we can define how we communicate with that. But with that the data that is being transmitted through these APIs is highly sensitive. Well, there's different like levels of sensitivity but typically all data now has some level of sensitivity and value to it. So there is naturally you are exposing data to external third parties for your API. So you know, my, my example of Entra sending me my device list, Entra we'll call it Microsoft wants to know that Sam is sitting at the computer and Sam has got the correct authorization in, in place to do that. So, so, so, so APIs and API security is, is a rather large sort of discipline and topic because just like a website, you want to protect them and you want to make sure that they are functioning, functioning correctly as well.

Yeah. Okay, so just to probably elaborate then and just I think this is right. So yeah, shoot me down if not. But APIs also used to probably kind of like you said, standardize the communication between two systems. And I guess behind an API there could be various services behind that, that. Then let's think about this, that either collects the data or actions what it sent, you know, the API has been, you know, sent, or collects the data to be sent to the requesting server service, that kind of thing. And that behind the API there could be a SQL database, it could be a logic app, a function app, an app service, a virtual machine with some code running a container, etc. And in effect the API is allowing you to sort of normalize that stuff behind that that could potentially chop and change, but you never know that in some form because the API is hopefully kept the same where it can, if that makes sense. Is that fair to say from that sort of side?

Yeah, yeah, definitely. And I think it can become even more complicated than that, that you could have multiple layers of APIs between you and you, your data source, let's say. Right. But yeah, the most, I suppose the most simplistic interaction is, you know, somebody makes a request to an API, then you know, there's a database next to it and they go, hey, here's the record that you need and then send it back to them. But typically larger systems are even more complicated than even that today. So I would say, yeah, layers of APIs is also what needs to be thought about.

Yeah. And I guess then at the same time when you're kind of talking about sort of sensitive information, you know, the APIs then in effect have access to that, that various data sources. You know, it might be to a SQL database with PII data and you know, like you said, just could be, just be sensitive to the organization or you know, to its customers, that kind of thing. So it's made, I suppose, simple to access, makes it simple to access that data, but at the same time it then potentially needs protecting.

Yeah, yeah, definitely, completely agree. Okay, so Defender for APIs, could you give us a run through of what it is, what it's got and in effect its features? Okay, so I sort of quickly went over sort of authentication and authorization that is typically handled at the developer level or by a layer in front of your APIs. Maybe like an, an API management service. I think we did. Did we do an episode on API management? I think we did. Yeah, we did. Yeah. I'll find it for you.

Okay, cool. Just to just shout. So, yeah, so you might have your, your API and in front of it you might have put an API management service and that might give you things like a way to collate your APIs, maybe put authentication and protection in front of it. But API management really is more around, as the name suggests, management, I would say, more than anything else. Okay. Defender for APIs is really around applying a technology to your API inventory to give you different levels of security protection, detection and also response coverage for APIs. So kind of imagine this like, you know, you use Defender for Endpoint to protect an endpoint or a device. This is this, it's not the same type of technology. It's a completely different type of technology, but the same type of principle but for a, an API. And as I've mentioned before, these APIs are business critical endpoints for organizations. Imagine you're a bank and you're holding the financial information for one of your customers. Being able to send their bank balance to your, you know, proprietary mobile app is business critical information. It's highly sensitive information as well. So there is, there, there, there are going to need, there, there is going to be a need and a desire to have as much protection on those types of endpoints. And it's, it's, it's usually driven by the criticality of, or the sensitivity of the data. Right. But we are, we are now seeing so much regulation and don't say that in a bad way because as sort of security professionals we, we sort of live and breathe this every day. I myself used to be a programmer, so I built APIs. I, I know what it's like on, on the other side, a lot of teams that build APIs are really focused on feature, feature improvements.
I'm not saying that they're not security aware or they're negligent in any way, but there's definitely the building and architecting of these systems and also securing them and putting protection on them as kind of can be two separate disciplines. A lot of development teams handle the security of their APIs as well. So if there are technologies that you can layer on top that can be beneficial to those teams, it can make them more efficient, get them back to doing the business value adds of feature development and architecture. Anyway, so let's talk about what can you do with it. So it does give you an inventory, a separate inventory of all the managed APIs that you're looking at and as I said just before about the different disciplines in a large organization, it might be somebody else's role to manage and protect these API endpoints. So having a separate inventory is helpful from that perspective. When you apply it, you do get a number of security findings. So it analyzes the APIs, it gives you information about whether an API is used externally, whether APIs are unused, potentially maybe they're redundant, they've not been used for a long time and also any APIs that are unauthenticated. So this is quite a typical thing that we see in cloud resources where maybe a configuration change has been made. I don't want to be hyperbolic and scaremongering, but these things do happen in the, we have seen these in the real world where you know, you build a secure API endpoint, you make a configuration change and that API becomes unauthenticated for some reason. We see it with storage accounts, other different types of resources, you know, on different cloud providers. But what I'm sort of getting at is the state in which you deployed something doesn't mean that in the lifecycle of that resource that it's going to keep that same state. 
So having something, you know, watching over is always, always a good thing you and that, that forms a security posture so that you, you sort of get to see all of those findings in, in one place and it's, it's easy to, to digest. It does add a layer of threat detection so as API traffic is ingested it will monitor for real time threats as, as requests come into those APIs. And Microsoft makes a big statement about it covers items that are in the OWASP API Top 10 critical threats. So that's a separate listing of sort of the top 10 sort of biggest vulnerabilities that OWASP are seeing and they re rank that I think it's every year but you know a common attack type such as SQL injection, cross site request forgery, cross site scripting, those types of, those types of attacks can be, can be relatively trivial to detect. I say that lightly because or what, why what I mean is when I say it's trivial to detect maybe not from it being built, but these types of products are there today and this threat detection is in real time. It is live. This is not a singular one and done review of the endpoints. This is running 24 7. It also integrates with Defender CSPM, which is a paid tier of Defender for Cloud, cloud security posture management. But it also integrates into the cloud security graph so that you can do. Graph, what do they call it? It's graph. It's. It's blank in my mind now. I'll come back to that because I've got it in another section. So we will come back to that. But it does integrate into the wider CSPM offering from Defender for Cloud. It does integrate with Azure API management. So it's all together. It can. It is all also together in one portal. So even if you have different people looking at it, it is all still what it like in one cohesive space essentially. And it does integrate with a SIEM, so Sentinel, so that threat detection and logging can be pushed into your SIEM solution as well. You get a lot of rich information about when you see these security findings. You'll.
You'll see the. That because. Because APIs are made up of a bunch of endpoints. So what it, what it will do is it will look at the API and it will drill down into each one of the endpoints for you and it will show you the endpoints that are maybe have issues. So yeah, whether it's been used in the last 30 days, whether it's authenticated or unauthenticated, and whether external traffic has actually been transmitted to and from that. So with that quite clear information, you can really get a good visual representation of what's going on with each endpoint because you could have hundreds or even thousands of endpoints. There is a reference list of the security alerts that, that you can get. So unlike other, unlike other protection mechanisms. I'm just going to just check this because I don't actually know if they've list just two seconds knowing that this. But okay, I'm going to call it out that not all of the detections that you see with security tools you get reference access to because. Because sometimes they're like black boxes. Think like spam detection, that type of thing. But there is a list of all of the different alerts that can be triggered from Defender for APIs. So I'll just. I'll just. The main reason why I'm calling this out is that you can actually see this before you purchase this to see if these are the types of detections that you feel you. You don't have today and are valuable to you because it is sometimes hard with some security tools to sort of prove the value of what you're going to see on the other side of it, if that makes sense. Because you don't have a lot of raw information about it. So a suspicious population level spike in API traffic to an API endpoint. So this is looking at a correlation between historical traffic patterns between specific APIs, APIs, IP addresses and to that specific endpoint looking at like flooding, distributed denial of service, that type of attack vector, unusually large request bodies. 
So this is quite an important one for APIs is when you're building an API, you have to tell your web server or your API how much data somebody can transmit to that API. Because if you can imagine if somebody, let's say an endpoint that you uploaded like a profile image for your, for a social media app, what, what would happen if you uploaded a 2 gigabyte image profile image? You could potentially flood and exhaust server side information. Now that's a very simplistic example, but you can look at, you can look at those maximum sizes and also look at historical traffic patterns from the last 30 days to look at anomalies of payloads being uploaded. So that can be very helpful for you to one, whether you've got the correct limitations in place and two, whether users are using your system in the right way. Previously unseen parameter used in an API call. So if you use specific, like these are parameters, so URL parameters or API headers. As an example, if you're, you know, your application that you've built uses the same ones over and over again. If somebody's doing reconnaissance on your APIs, they might try to use different combinations of say URL parameters to try and enumerate what they can actually do. So those types of, those types of traffic patterns. And, and a lot of these are, look, look at patterns of, patterns of usage over 30 day periods. So it's not exactly like, it's like, oh, whoa, somebody just randomly sent like a random header one day. It's, it's like, no, actually over the last 30 days we only see, you know, that, that parameter being used 10 times and today it's been used a thousand times. That might need to be looked at. So yeah, so there is a reference list of the security alerts. So that is worth checking out in the documentation. The Cloud Security Graph, the graph explorer. Just circling back to that because I couldn't remember the, the name of it, which is absolutely terrible, I do apologize.
But it does integrate all of the information back to the Cloud Security Explorer. So you can use it to filter, to say you could create a search in the Cloud Security Explorer looking at, show me all of the API endpoints that expose the Internet that are unauthenticated. So if you, if you are a team that is utilizing the Defender for Cloud portal for a lot of these insights across your organization, you can build template searches there. You don't have to go drill down into the actual product itself. Um, I do just quickly want to talk about. Actually, no, I won't talk about anything more for the moment about. I do actually just want to talk about sensitive data exposure quickly actually, because this is quite a big, a quite big thing at the moment. Okay. Sensitive data exposure. We, we've had big regulation change with data protection, classification and management. I think it's fair to say. Alan, DLP is like a thing now. It's always been a thing, but I think it's a thing now. Does that make sense?

It's required now. It's required, yes. Rather than being. Yeah, so you should, it's not a should could, it's now a, it's a must.

Yes, agreed. So what this, what this can essentially do is it can monitor the data that goes through your APIs and actually allow you to filter that data based on sensitive information types. And, and you can even create custom classification information types. So where you would say you might label content in a SQL database that is quite, I would say an advanced labeling. If you're an organization that is applying a labeling taxonomy to structured data in SQL databases and things like that, congratulations, you are doing really well. But as that data leaves those systems and we call that data lineage, as that data leaves that system and flows through other systems, it can end up getting, well, you know, the external point of that can be these API endpoints. So you can, can apply data classification to these, to, to these endpoints. And what that really can do is then if you do have a security alert, you get that rich sensitivity context and you can say, hey, you know, the sensitive information that's used on this endpoint is like credit card numbers. So actually the sensitivity of this endpoint is even higher than potentially others that are in your, your collection of, of. Of endpoints. So I think that's a really great addition to it as well. And it, that that sensitivity does link back to the Cloud Security Explorer as well for attack path analysis when you're actually seeing the sensitive information that is potentially being exposed there when maybe it shouldn't because of a security misconfiguration.

Yeah, okay, so yes, definitely a lot there. That's just if I quickly, I say quickly try and recap that in a few sentences, going to be difficult. So collecting inventory of your managed APIs, finding security findings, analyzing them, understanding how they're used and whether authenticated or unauthenticated, in effect integration well, cloud security posture management, security posture of those APIs and with recommendations to, in you know, to meet best practice or to, you know, make sure that you're reducing the risk of attack for the kind of, as I say, obvious methods there, being able to classify the data or at least the APIs based on the data that Defender for APIs is seeing going through those APIs. So it gives you more, enriches the context of an incident etc or a threat against that API. So you know, understand what type of data is going through it and then you've got in effect threat detection, so identifying like you said, the OWASP API Top 10, you know, attacks, understanding those and identifying when they are being attempted at least or being executed on those APIs. That's fair to say. And also, you know, integration with SIEMs so that you can then use those SIEMs to then create a response from, from an incident.

Yeah, quick short. Yep, you got it. Okay, got that right. Win, win, win for me. Okay. So I mean this kind of hearing about information, you know, it kind of to me seems obvious that you should do that to have that information. I mean but that's the context of I suppose me being in this, the security world, this environment. So I guess why would organizations that maybe are not thinking around, you know, in this security space directly, why would they implement Defender for APIs?

Yeah, and I think it really comes back to the not want but need now that we have for real protections and real time threat security solutions for every part of our infrastructure. Right. You know, endpoint security, antivirus, EDR quite staples nowadays, you know, modern management techniques APIs because they're not forward facing to a lot of people, they kind of get forgotten about in some respects. So maybe the, the more popular ones in your organization that are actually sending data, you know, to, to your, to your users potentially because they are maybe public facing, you know, they're exposed to the, we'll call it exposed to the Internet still authenticated and authorized. But you know, there are tons if not thousands of internal APIs that need to be thought about as well. So the fact that there is a plug and play solution to that that you can just purchase and you do not have to build as a PaaS offering is a massive benefit to organizations because the cost and the cost and effort that is required to build these types of systems into your APIs like you can do a lot of hardening of APIs with your APIs and your web servers and what you're running off there. But if we're talking about real time threat detection, so measuring payload sizes over a 30 day rolling period and then tracking about whether they've deviated from their norms, that isn't something that you particularly want your development team building. Right. So you either think about it like that isn't a risk to me and I don't need to protect against it, or I'm going to buy a solution to do that. Right. And that's where Defender for APIs does come in. And we see so much now of these attack vectors with threat actors. They will utilize these common techniques to probe, run reconnaissance on companies, infrastructure, public, we'll call it public infrastructure to look for an attack path into, you know, those data stores, if that makes sense.
And I think if organizations do have especially highly sensitive information, and now we are seeing that countries, governments, you know, regulatory bodies are now classifying, you know, people's personal information as highly sensitive, you know, you know, organizations now have a duty to protect these, these APIs as much as they possibly can. So is it an insurance policy? No. But are you going to get extra threat detection and security posture awareness from this product? Yes. And I, you know, and some people in organizations, it's their role and their duty and their responsibility to minimize risk as much as possible. And a system like Defender for APIs is going to help them achieve that.

Yeah, and it kind of always comes down to at least the, the first stage of it. I mean, it's that discovery, isn't it? Understanding actually where your data or your exposed points of entry are because, so it can be quite difficult to actually see that even though you've got, you know, if you're in Azure and your API manager, you don't have any endpoints on that API manager or. Yeah, APIs are on there and what they're doing, if that makes sense or what they're accessing per se.

Yeah, yeah, exactly. So being able to see that at least in a list or being able to, well, just literally just identify them just gives a, gives you more context as always.

As we all like, if you're an organization, would you want to be notified of every single public, unauthenticated API that is published into Azure? I would want to know that from a posture management perspective, we build this new feature, we forget authentication on one of the API endpoints that does happen. That's not some malicious insider threat, that's not negligence, that's just potentially a mistake, a gap in QA as an example. So having that visibility is I think really important.

Yeah, it's that, but it's also, I'm trying to think of a reason why you wouldn't maybe wouldn't authenticate an API. Maybe there's an API that you don't need to make, doesn't access the sensitive data, but it's needed to pull an image or pull content, maybe for a site, maybe it doesn't need to be authenticated.

But think about it like this, right? A login API call where you provide your username and password. We'll forget about password. Passwordless exists just for the moment, right? A username and password API endpoint. Hopefully you're using some third party identity management system. But anyway, let's just say that your application runs its own identity system. Okay? Your login, your forgot password call as an example, will need to be unauthenticated. So it doesn't necessarily mean that every unauthenticated publicly exposed API is bad. But you do also want to work out if those APIs are being abused. So that's why just, just the context of whether it is authenticated or not isn't enough, really, you know.

No. And what kind of, where I was going with it was that even if you do have legitimate unauthenticated APIs, at least from a business perspective, you can sign off the risk or identify, you know, why it's unauthenticated. You get that context, get it written down in a risk, a risk register, or like you said, you've got context about if it's being abused or not kind of thing.

Yeah, yeah, exactly. And you know, when you see things like, you know, like PaaS or low code systems like your Logic Apps, things like that, we've had this before where you know, you might use a Logic App internally, but actually it's got publicly, it's publicly accessible to the Internet. You know, maybe you haven't, you know, maybe it's just an intermediary step for two other systems to communicate to or whatever it is. Right. You know, those are the types of scenarios where it trips up organizations because like I said, the quotes, popular ones, you know, your, your, your front end for your, you know, SaaS app or, or something like that. But your, you know, your behind the scenes Logic App could have as much, could, could pull and push as much sensitive information as anything else. You know, if it's not set up correctly or have something in front of it, then you need to know about that.

Yeah, exactly. Okay, so we've talked about what it does and why you'd want to do it and what an API is. I guess I think you kind of alluded to this a little bit, but how do you implement it? Is it, you know, hours of work?

So what you first need to do is you need to look. No, you don't need to really do anything. Well I say you don't really do anything. It is very simple as long as you've got your prerequisites in place. Not every cloud region is supported, so all the main ones are. So for our UK listeners, both UK South and UK West are as an example. But do check to make sure that yeah, it's in the location that you, you are running in. You do need Azure API management in front of your APIs as your inventory layer in order to enable it. So you do have an interconnected dependency with another. Sorry, what was our episode? Alan, did you go back and get the.

It's in the notes. It is episode 15 in season three.

Okay, wow. Okay. So yeah, you use API Management to inventory your APIs. You can host your APIs in other places and then have your clients interact through API Management as sort of a proxy, essentially. Defender for APIs doesn't currently work for APIs that are using self-hosted gateways or that are managed using API Management workspaces. Just a heads up. And today it can only analyze REST APIs. So there are other API types that can be used within API Management; it is only functional on REST APIs, which is a vast amount of the APIs that are created today, especially sort of public-facing ones. As I mentioned, you do need to have Defender CSPM enabled in order to use the API security risks through the Cloud Security Explorer. So if you want to do that, then you obviously need that as well. You need to have at least one API Management instance in the Azure subscription to enable it at the level of a subscription. You do need various permissions as well. The other one that I wanted to just talk about is you cannot use it with... let me just double check this... with Consumption tier API Management instances. So that is quite a cost jump because of that. So you need a non-Consumption API Management tier, and there are new SKUs there. So I'm not sure about the mapping of what's prod. I was going to say you shouldn't be using Consumption for prod, but I think there is a serverless prod environment now for API Management, so.

But yes, I was gonna say it's probably because you haven't got your own instance of it, have you? So it doesn't know specifically, maybe IP things like that. Yeah, the consumption-based one. It's like, yeah, free will, DNS-based, isn't it really, in effect then?

Yeah, yeah, exactly. So yeah. How do you enable it? You go into the Defender for Cloud environment settings and you toggle it on, essentially like you would any other workload protection. You do have to pick a plan, but I'll talk about that afterwards when we talk about costs. And then you enable it and you select which APIs you want to onboard, and you will see the APIs as they are in API Management, and they'll be shown in the portal. Then, if you look at Workload protections, what's the best way to describe it? It's like a dashboard inside Defender for Cloud. You should start to see those Defender for APIs numbers increase, and then once you've done that, you can obviously go via the Workload protections in Defender for Cloud to see your API security dashboard. So you see all the different endpoints, what their posture is, the resource health for them. So you'll see warnings or recommendations like "API endpoints in Azure API Management should be authenticated", as an example. But as we've spoken about, it can be legitimate that some API endpoints should be unauthenticated. And things like the ones that are unused, you'll get a recommendation for that as well. There are remediation workflow automations; there's a GitHub repository for those. So you can do things like disable unused endpoints. There's "APIs should use encrypted protocols", so it'll force specific encryption protocols to be used on your endpoints, those types of things. So there is actually a Git repository with each one in it. And then, once you start to get that information, you'll get those alerts in Defender for Cloud. You can bubble them up to where you need to as well. And yeah, it's really then just going through those findings and those recommendations, and using the Cloud Security Explorer as a tool to query against them.
Oh, there are also two template queries in the Cloud Security Explorer. One for Internet-exposed API endpoints with sensitive data, so that's quite good. And then APIs communicating over unencrypted protocols with unauthenticated API endpoints. Some organizations have regulatory requirements that require all communications to be encrypted, so this can give you that type of information as well, to make sure that you're compliant with those types of requirements.

Okay, so is it fair to say then, with the implementation, that actually onboarding into Defender for APIs, enabling it and so on, is relatively simple to get done, and that the most work for the actual implementation really is around operational tasks and actually using it? So you've got the bit around looking at the recommendations and remediations, and checking, as services are built, to make sure that they do comply, or as Microsoft change the recommendations or enhance them, etc. You're, in effect, checking the posture as a process, a business process. And then as well, looking at the side of it from the threats side of things, making sure that's then being looked at by your SOC, your security team, your managed service, kind of thing. And that's the other part to it, because you're right, you can turn it all on. But if you don't do anything with it, or you look at it on day one, do some fixing and then forget about it, then you're not getting the benefits, are you, of making sure it's always secure, or, you know, close to your posture being as good as it can be, kind of thing.

Yeah. You've got to think about the impact that it's going to have on your security operations protocols, procedures and policies. Right. If you're using Defender for Cloud today, a lot of these recommendations and alerts are going to bubble into the same places that you're used to, if that makes sense. It is going to add extra load onto your security ops team, which might be the same as your admin team, but there is extra scope that they're going to have visibility of. Okay. And we sometimes have pushback from organizations, because when you enable these tools you can get a lot of findings that you didn't know about; you were naive and unaware of these challenges inside your organization. And that can be a challenge for some organizations. So yes, it is real time. It's not one-off. It isn't just CSPM. You are going to get actual actionable intelligence and alerts out of the system in real time. Yeah. Okay. One thing I did miss out is just the difference between web application firewalls and Defender for APIs, because there is a bit of crossover there. Now, web application firewalls, the guidance from Microsoft is that they are more tuned for applications, not APIs. Okay. So they do have a level of protection on them which does apply to API endpoints, but the detections for APIs are more tuned and specific to APIs with Defender for APIs. So it's Microsoft's recommendation that Defender for APIs is used. Now, if you are a company that's currently using WAFs and the cost of API Management and Defender for APIs is too much to stomach and tackle, I think you're going to have to do a comparison between the detections that are used on both sides and whether you're really getting adequate coverage from your WAFs.

Yeah, funny enough, I was going to ask about that and you beat me to it. I was going to leave it.

I know, I had it in big capital letters in my notes going "talk about WAFs", because it was my first thought. I was like, we've already got something to do this, haven't we, basically? So, yeah, they're different, even though they're intermixed, and you can run APIs on App Service, right? So there is a bit of intermingling of technology stacks and PaaS offerings, and it's all a bit insular, should I say. But yeah, Defender for APIs is the way that Microsoft is pushing people.

Yeah, I mean, Defender for APIs has been out for, I'm gonna say eight, just over 12 months, I think it is, because it went GA, or was publicly announced, kind of thing, not at 2024's Ignite, it was 2023. So yeah, they've definitely made enhancements since it came out as well. So it's definitely a key area for Microsoft to improve. Yeah, definitely. Yeah. Okay. How much does it cost, how much does it cost for the SKU or the solution within Defender for Cloud?

Yeah, I'm just actually getting the pricing up for API Management, because it's a needed prerequisite, isn't it? And it's changed recently. So I'm just gonna get us back to that, basically. Okay, so, right, you've got Defender CSPM, if you want the integration with Cloud Security Explorer, that's $5 per month per resource. Is that right, Alan?

Okay, so I've got some context here, because again, this came from Tuesday when I was... was it Tuesday? Yeah, when I was up at Microsoft. So Defender CSPM is licensed for VMs, storage accounts and SQL in that subscription. It's not done on how many Defender for APIs resources you have. So for the CSPM part, as long as you've got Defender CSPM enabled on that subscription, all APIs can be included. It's just the other resources that are classed as billable resources.

Okay, great. So if I had a subscription that had an App Service in it, an API Management instance and nothing else, I would enable Defender CSPM on it and it would cost me nothing to run? I believe so, yes. I don't know if you need one billable resource or not. That's a good point. I don't know that. Okay, but even if you just had one VM in there and you had 100 APIs, you'd only pay for the one VM.

Yeah. Okay, yeah, but it's not App Service, is it? So if you'd built your API on App Service, you wouldn't be charged for that? No, in theory. Okay, fine. But let's just give the caveat that you have to have Defender CSPM on. So just be cautious of... not cautious, but be aware of the $5 per month per bit of a work... Yeah.

Workload. Workload, yeah. Okay. API Management pricing has changed. We had classic tiers of pricing which did include Consumption, but again, I believe Consumption was really around lightweight testing, non-production use. Basically, the guidance from Microsoft was always to go to the Basic tier previously for entry-level production use cases, which was $150 a month. Now with the v2 tiers, Basic has shifted up slightly to $150 a month, and then it goes up: Standard v2, $700 a month; Premium v2, $2,800 a month. We won't get into all of the nitty-gritty of those, but all I'm calling out there is, it seems to me like the serverless or consumption-based API Management tier is gone with the new v2 tiers. I assume you can still get classic pricing. But anyway, you're looking at a minimum of $150 a month, really, for your team to get access to API Management today or going forward. And you are charged for the amount of API requests that you put through API Management. You get 10 million API requests per month on the Basic version, and then you pay $3 per 1 million additional API requests. But if you go up to that Premium, you get unlimited API requests anyway. And the self-hosted gateway is no longer supported in v2 tiers anyway. So that's all your prereqs. Sorry, Alan. You got anything you want to add there?

No, I was just going to say that that's the reasoning then, isn't it? If the v2 tiers are the ones that are going forward for API Management, that's why Defender for APIs doesn't support the other ones, because they're not going to exist in the future, I guess.

Yeah, that would be my assumption. So Defender for APIs has multiple plans: plan one, plan two, plan three, plan four, plan five. In our world, different numbered plans mean different functionality. But that's not what it means here. So plan one is $200 per subscription per month, and that gives you up to 1 million API calls. So just to rejig your memory on that new Basic v2 API Management tier, you got 10 million API calls included. So only your first million API calls are covered in that plan one. Plan two jumps you up to $700 per subscription per month and gives you 5 million API calls. Then it's a very big jump to plan three; it goes up to $5,000 per month and that gives you 50 million API calls. Plan four is 100 million API calls at $7,000 a month, so double the amount of API calls for less than double the cost. And then if you go over 100 million API calls, it's $50,000 per subscription per month for 1 billion API calls. Okay, so your API calls are sort of aggregated up at the subscription level to make things easier for billing, I'm guessing, right? Because otherwise you'd be like, oh, I need a plan for this API and a plan for this endpoint. It would be mental, wouldn't it? But what I will say is, a starting cost of $200 per subscription is unfortunately going to... it's not a substantial cost, I wouldn't say, in the enterprise, but for smaller startups, things like that, it is. But the only thing I will say is you are getting workload threat protection at that cost. It's not just CSPM; it's actually analyzing all of those up to 1 million API calls for $200 a month.

One thing as well to add to this, and again, this is new intel for me, is that with Defender for Cloud you can get a 30-day trial for it. What I believed it to be was a trial for the whole portfolio. Here we go, I'm using the word "portfolio", kind of thing. But actually, if you've never turned on one of the workloads in that subscription, when you turn it on, you do get a 30-day trial per workload. Okay, nice.

Which I didn't know about. I thought it was: you turn it on once and then that's it, you've burnt your, like you said, Defender for Cloud trial. Yeah, but it's not. It's now apparently recently changed to each one. There is a way to work out if you've already burnt or used your trial on that workload. There was a mention about that, which I'm gonna try and find out. But yeah, in effect, if you've never turned it on, which you may never have done because it's been new, like I said, 12 to 18 months, and you want to try it out, you can just turn that workload on and trial it for 30 days.

It is worth noting that those per-plan limits on API calls are not a hard limit. There are overage charges that can apply. So, I'm not going to go through each one, but on plan one, the first one, the overage cost is $0.0002 per API call, which I think is actually quite expensive, even though I said it was a lot of zeros. So you're going to want to make sure that you're on the right plan. But there is going to be a tipping point, isn't there, of when you move to that next plan versus the overage. I haven't worked that calculation out, but yeah, that's true.

Cool. Okay, so anything else, Sam? I mean, we're an hour in now.

Oh my days. I apologize to everyone. No, I think, if you are looking for an application firewall type product and you are utilizing or planning to utilize Azure API Management, this is definitely a product that you should consider. I do think the hard requirement for API Management is a little bit hard to swallow, because not all developers are utilizing that service. That's another service that you've got to add on. But I don't think we can deny the coverage of the workload itself. It's pretty comprehensive, I would say. Yeah.

And it's probably fair to say as well that there is a reservation now for Defender for Cloud workloads overall. Generally, the amount spent there can be reduced if you pay up front. So maybe if you've got other workloads, this puts you over the tipping point to get a 10% saving, or up to 22%, I think it is, if you pay up front. So that's also worth mentioning, to maybe help with that cost if you know you're going to use it.

Yeah, exactly. And for a real-time workload like this, the engineering time alone to build some of these types of detections into your own system would dwarf $200 a month, just in brain power and maintenance and potentially even hosting. So actually, enable it and get value from it immediately. It can be turned on and off as well, so it's not exactly like you're locked into it for a long period, is it? It's not like an enterprise piece of software that you've just acquired. It's $200 per subscription per month. I'm not going to tell you to turn it off, because of the ongoing insights and alerts, but if you do want to try it out and you want to get those posture benefits and recommendations as well, then you can certainly try it out with, like you say, the free trial, and even the $200 commitment for the first month.

Yeah, cool. Yeah. Previous episodes: you said Season 3, Episode 15, the Azure API Management one. Kind of feels like we need a refresh of that one, from the sound of it. Yeah, there's quite a lot that's changed in it. Cool. Alan, what's our next episode? So I was gonna do something else, but I've been inspired by your sort of feel for... by me, Alan? The defense... Yeah, by the Defender for Cloud... Oh, sorry.

Sort of bits. No, from the conversations you've had. But I think it's probably worth revisiting Defender CSPM again to highlight what's in it and what's kind of there, because there have been some enhancements, especially, I think, since the last time we did it, or I did it, about what's included, what's the data you actually get, not just generally around it. Because I think it's fair to say that a lot of it is believed to be, like I said, you have to pay for it. Yes, a resource is paid for, but things like the APIs are not included in the cost; they're included in the general service. There are a few others like that I think we need to probably highlight to show the value of it as well, so I think that'd be a good episode to run through and refresh. Cool. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify, or YouTube. This really helps us to reach more people like yourselves. If you have any specific feedback on this episode or any of our other episodes, or you have suggestions for some of our future episodes, we have a link in our show notes to get in contact with us.

Yeah. And if you've made it this far, I apologize for 65 minutes on APIs. Thanks ever so much for listening and we'll catch you on the next one. Yeah, thanks all.