New API security startup claims edge over legacy protection capabilities

The idea of “shift left” was to incorporate security earlier in the development phase, but because of the complexity and the nuanced nature of every API, API Security as a market simply ignores the consumer of the API and has not historically provided a means to manage, monitor, and control the data in motion, according to Yakubov.

To bring security to the consumption side, Vorlon’s platform will employ tools to take an inventory of an organization’s existing third-party integrations, scan the APIs used and the data transmitted through them, and visualize the exposure and risks associated with these integrations.

Since November 2023, Vorlon claims to have observed over 50 million API calls and helped its early customers handle critical issues including over-permissive connections, abuse of API secrets, exposed multi-use secrets, malicious IP access, and abnormal activities from third-party applications.

“Vorlon helped us understand not just the APIs we were using but also what systems these APIs were connecting to and the data that was enabled on top of the APIs,” said Avishai Avivi, an early Vorlon user and chief information security officer at SafeBreach. “Vorlon provided me with quite a bit of telemetry and threat intel around our API usage — which is especially game-changing for the third parties that might as well be a black box to us. The biggest takeaway for us is the sheer size of the attack surface generated by third-party vendors connecting to our data both directly and indirectly.”

Machine learning for anomaly detection

Vorlon processes a large amount of API data and analyzes it in “near real time,” a feat made possible by its proprietary machine learning engines.

“Our behavioral analysis leverages machine learning so Vorlon can identify anomalous activity for a customer’s specific instance of an observed third-party app,” Yakubov said. “What might be normal for one organization may not be for another.”
