Microsoft Defender for Cloud PoC Series - Microsoft Defender for APIs (2024)

Introduction

This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for specific Microsoft Defender plans. For a more holistic approach where you need to validate Microsoft Defender for Cloud and the Microsoft Defender plans together, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.

Defender for APIs provides full lifecycle protection, detection, and response coverage of your APIs published within Azure API Management Platform. Defender for APIs includes unified visibility across your Azure API Management services within your Azure subscriptions, security insights with hardening recommendations, sensitive data classification integrated with Microsoft Purview supporting sensitive information types and labels, and continuous monitoring of APIs with machine learning and threat intelligence-based detections to alert against top OWASP API risks.

Preparation

Every customer is entitled to a 30-day free trial of Defender for APIs when enabling for the first time. This provides a great opportunity to evaluate the functionality of Defender for APIs and its benefits.

To enable Defender for APIs you must have the proper level of privilege within Microsoft Defender for Cloud (Pre-requisites are listed below).

1 - Azure account

You need an Azure account to sign in to the Azure portal.

2 – Azure API Management Service instance

You need at least one Azure API Management service instance with one or more supported APIs in an Azure subscription. Currently Defender for APIs supports only REST APIs. Defender for APIs is enabled at the subscription level.

3 - Onboarding permissions

To enable and onboard Defender for APIs, you will need the API Management Service Contributor role, along with the permissions outlined in the User roles and permissions for enabling Microsoft Defender plans.

4 - Onboarding location

You can enable Defender for APIs in the Microsoft Defender for Cloud portal, or in the Azure API Management portal. Onboarding can also be completed via API and via onboarding scripts for enablement at scale.

Planning

As a part of your Defender for APIs PoC you will need to identify use case scenarios that you want to validate. Some of these scenarios include demonstrating secure posture available in Defender for APIs via the API inventory dashboard, recommendation remediation, integrations with cloud security explorer, and attack path analysis for risk prioritization. You will also want to demonstrate the value of alerts sent by Defender for APIs.

Implementation and Validation

Now that you have Defender for APIs enabled in your environment, you must onboard your API resources to Defender for APIs before you can validate. Next, we can validate specific scenarios for demonstrating the value of Defender for APIs.
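For the at-scale onboarding mentioned above, here is an added example (not Microsoft's onboarding script) that wraps the Azure CLI's `az rest` to onboard a list of APIM APIs in one pass. Assumptions: the `Microsoft.Security/apiCollections` ARM path and `api-version=2023-11-15` follow the Defender for APIs REST onboarding reference and should be confirmed against the current docs; the subscription, resource group and service names are placeholders.

```python
"""Onboard APIM APIs into Defender for APIs at scale via `az rest`.

Added example, not Microsoft's onboarding script. Assumed: the apiCollections
ARM path and api-version 2023-11-15 match the Defender for APIs REST reference.
Requires a logged-in `az` CLI holding API Management Service Contributor rights.
"""
import json
import subprocess

ARM = "https://management.azure.com"
API_VERSION = "2023-11-15"  # assumed; verify in the apiCollections REST reference


def api_collection_url(subscription_id, resource_group, apim_service, api_id):
    """Build the ARM URL of the apiCollections resource for one APIM API."""
    return (
        f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.ApiManagement/service/{apim_service}"
        f"/providers/Microsoft.Security/apiCollections/{api_id}"
        f"?api-version={API_VERSION}"
    )


def onboard_apis(subscription_id, resource_group, apim_service, api_ids,
                 runner=subprocess.run):
    """PUT one apiCollections resource per API; return {api_id: onboarded?}.

    `runner` is injectable so the batch logic can be exercised without Azure.
    """
    results = {}
    for api_id in api_ids:
        url = api_collection_url(subscription_id, resource_group, apim_service, api_id)
        cmd = ["az", "rest", "--method", "put", "--url", url, "--body", "{}"]
        proc = runner(cmd, capture_output=True, text=True)
        # A failure (missing role, unknown API id) is recorded per API so one
        # bad entry does not abort the rest of the batch.
        results[api_id] = proc.returncode == 0
        if proc.returncode != 0:
            print(f"{api_id}: failed: {proc.stderr.strip()}")
    return results


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own subscription and APIM service.
    summary = onboard_apis("<subscription-id>", "<resource-group>", "<apim-service>",
                           ["orders-api", "inventory-api"])
    print(json.dumps(summary, indent=2))
```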

A. Validate inventory of APIs across onboarded subscriptions and APIM services

After onboarding the API resources, you can track their status in the Defender for Cloud portal under Workload protections > API security.

You can also navigate to other collections to learn about what types of insights or risks might exist in the inventory.

B. Assess security posture of the APIs to drive risk-based prioritization

Once your APIs are onboarded, Defender for APIs starts monitoring your APIs for sensitive data exposure. APIs are classified with both built-in and custom sensitive information types and labels as defined by your organization's Microsoft Information Protection (MIP) Purview governance rules. If you do not have MIP Purview configured, APIs are classified with the Microsoft Defender for Cloud default classification rule set with the following features.

Within Defender for APIs inventory experience, you can search for sensitivity labels or sensitive information types by adding a filter to identify APIs with custom classifications and information types.


C. Review API hardening recommendations for best practice policies and protections against OWASP Top 10 API risks

  1. In the Defender for Cloud portal, select Workload protections.
  2. Select API security.
  3. In the API Security dashboard, select an API collection.
  4. In the API collection page, to drill down into an API endpoint, select the ellipses (...) > View resource.
  5. In the Resource health page, review the endpoint settings.
  6. In the Recommendations tab, review recommendation details and status.

D. Runtime monitoring and threat detections via alerts

Within the API’s Resource Health page, select the Alerts tab to review security alerts for the endpoint. Defender for APIs monitors API traffic to and from endpoints, to provide runtime protection against suspicious behavior and malicious attacks.


With Defender for APIs and data sensitivity integration into API security alerts, you can prioritize API security incidents involving sensitive data exposure.

In the alert's extended properties, you can find the sensitivity scanning findings for the sensitivity context:

  • Sensitivity scanning time UTC: when the last scan was performed.
  • Top sensitivity label: the most sensitive label found in the API endpoint.
  • Sensitive information types: information types that were found, and whether they are based on custom rules.
  • Sensitive file types: the file types of the sensitive data.

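To show how the sensitivity context above can drive prioritization in a SOC queue, here is an added example (not Microsoft code) that parses those extended-property fields from alert records and ranks the alerts. The alert records are constructed around the field names listed in this walkthrough; the label ranking, scoring weights and 30-day scan freshness window are assumptions to align with your own Purview/MIP label taxonomy.

```python
"""Prioritize Defender for APIs alerts by the sensitivity context in extendedProperties.
Added example, not Microsoft code: the alerts are constructed around the fields this
walkthrough lists; label ranking, weights and scan freshness window are assumptions."""
import json
from datetime import datetime, timedelta

LABEL_RANK = {"Highly Confidential": 3, "Confidential": 2, "General": 1, "Public": 0}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
SCAN_MAX_AGE = timedelta(days=30)  # assumed: older scans may understate exposure

# Constructed sample alerts shaped like Defender for Cloud alert resources.
SAMPLE_ALERTS = json.loads("""[
 {"severity": "Medium", "compromisedEntity": "contoso-apim/orders-api",
  "extendedProperties": {"Sensitivity scanning time UTC": "2024-03-01T10:15:00Z",
    "Top sensitivity label": "Highly Confidential",
    "Sensitive information types": "Credit Card Number; EmployeeId (custom)",
    "Sensitive file types": "json"}},
 {"severity": "High", "compromisedEntity": "contoso-apim/status-api",
  "extendedProperties": {"Top sensitivity label": "Public"}},
 {"severity": "Low", "compromisedEntity": "contoso-apim/hr-api",
  "extendedProperties": {"Sensitivity scanning time UTC": "2023-06-01T00:00:00Z",
    "Top sensitivity label": "Confidential",
    "Sensitive information types": "EU Passport Number"}}
]""")

def parse_sensitivity(alert):
    """Pull the sensitivity context out of extendedProperties; tolerate missing keys."""
    ext = alert.get("extendedProperties", {})
    types = [t.strip() for t in ext.get("Sensitive information types", "").split(";") if t.strip()]
    scanned = ext.get("Sensitivity scanning time UTC")
    return {"label": ext.get("Top sensitivity label", "Unknown"),
            "info_types": types,
            "custom_types": [t for t in types if t.endswith("(custom)")],
            "scanned_at": datetime.fromisoformat(scanned.replace("Z", "+00:00")) if scanned else None}

def scan_is_stale(alert, now_iso):
    """A missing or old sensitivity scan means the label may understate current exposure."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    scanned = parse_sensitivity(alert)["scanned_at"]
    return scanned is None or now - scanned > SCAN_MAX_AGE

def priority_score(alert):
    """Severity plus double-weighted data sensitivity plus one point per information type."""
    ctx = parse_sensitivity(alert)
    return (SEVERITY_RANK.get(alert.get("severity"), 0)
            + 2 * LABEL_RANK.get(ctx["label"], 1) + len(ctx["info_types"]))

def triage(alerts):
    """Order alerts so sensitive-data incidents surface first, regardless of raw severity."""
    return sorted(alerts, key=priority_score, reverse=True)
```

Note that the Medium alert on the orders API outranks the High alert on the public status API once sensitivity is weighed in, which is the prioritization the walkthrough describes.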

Defender for API sample alerts

In Defender for Cloud you can use sample alerts to evaluate your Defender for Cloud plans, and validate your security configuration. Follow these instructions to set up sample alerts and select the relevant APIs within your subscriptions. To see the alert process in action, you can simulate an action that triggers a Defender for APIs alert. Follow the instructions in our Tech Community blog to do that. To simulate alerts in your own environment, you can follow exercise 6 here.

E. Perform proactive threat hunting in Cloud Security Explorer and Attack paths

Integration with Cloud Security Explorer

In Defender CSPM, Cloud Security Graph collects data to provide a map of assets and connections across your organization, exposing security risks, vulnerabilities, and possible lateral movement paths.

When the Defender CSPM plan is enabled together with Defender for APIs, you can use Cloud Security Explorer to identify, review and analyze API security risks across your organization.

  1. In the Defender for Cloud portal, select Cloud Security Explorer.
  2. In What would you like to search? select the APIs category.
  3. Review the search results so that you can review, prioritize, and fix any API issues.
  4. Alternatively, you can select one of the templated API queries to see high risk issues like Internet exposed API endpoints with sensitive data or APIs communicating over unencrypted protocols with unauthenticated API endpoints.

Attack Paths

When the Defender Cloud Security Posture Management (CSPM) plan is enabled, API attack paths let you discover and remediate the risk of API data exposure.

  1. Select the API attack path Internet exposed APIs that are unauthenticated carry sensitive data and review the data path.
  2. View the attack path details by selecting the attack path published.
  3. Select the Insights resource.
  4. Expand the insight to analyze further details about this attack path.
  5. For risk mitigation steps, open Active Recommendations and resolve unhealthy recommendations for the API endpoint in scope.

Explore API data exposure through Cloud Security Graph

When the Defender Cloud Security Posture Management (CSPM) plan is enabled, you can view sensitive data exposure through your APIs and identify the APIs' sensitivity labels according to your sensitivity settings by adding the corresponding sensitivity filter to the Cloud Security Explorer query.

Conclusion

By the end of this PoC you should be able to determine the value proposition of Microsoft Defender for APIs and the importance to proactively mitigate risks in your environment.

P.S. Subscribe to our Microsoft Defender for Cloud and Microsoft Defender plans Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.

Additional Resources

Pricing - Customers may be interested to understand the potential cost of enabling Defender for APIs in their environment. For this refer to our cost estimation workbook - Microsoft Defender for API Security - Estimate Your Plan Cost Easily - Microsoft Community Hub.

Prerequisites - For more information about roles and privileges, visit

Alerts - For more information, see Defender for APIs alerts.

Attack paths - For more information, see Data security posture management in Defender CSPM.

Reviewers

Ajinkya Gore, Senior Product Manager - Defender for APIs

Haris Sohail, Product Manager 2 - Defender for APIs

Preetham Anand Naik, Senior Product Manager - Defender for APIs

Yuri Diogenes, Principal PM Manager - CxE Defender for Cloud
