Team Traceable
Webinar Recap: FFIEC Compliance and What It Means for API Security
Earlier this month, Traceable announced our capabilities for FFIEC compliance – but you may be wondering, what exactly are the new FFIEC new guidelines, and what does that mean for API Security?
To answer your questions, Traceable’s CSO Richard Bird, hosted a webinar discussing what the FFIEC Guidelines mean for API Security, and how your security and risk management teams can begin to implement those guidelines across the organization.
FFIEC Compliance: What it Means for API Security
Richard Bird, CSO of Traceable, is uniquely positioned to discuss the implications of the updated FFIEC guidelines, having been a CISO for some of the largest financial services institutions in the country.
With 11 years at JP Morgan Chase, Bird led his teams through a tremendous amount of regulatory demands, and has particular understanding of how far-reaching even minor updates to FFIEC guidelines can be.
In this webinar, he first outlines what exactly is occurring within the US Federal Government regarding changes affecting your API security practices, then addresses what you can do about it.
API Security: What’s the big deal?
APIs seem to be everywhere, because they are! The use of APIs have boomed over the past decade, with the rise of microservices and distributed applications.
However, despite being around more than a decade:
- APIs have been developed and deployed with little to no security framework
- Limited API monitoring and security tooling creates a void of security intelligence that is now required to remain compliant with the updated FFIEC guidelines.
- API Sprawl is the biggest security concern; with the use of APIs being deep and wide, and with so little in the way of security, APIs are creating vulnerabilities that open your organization up to malicious attacks and exploitation.
FFIEC Timeline: Updates to API Security Requirements
The FFIEC is the interagency organization responsible for creating, distributing, and monitoring the efficacy of standards and reporting requirements associated with Financial Institutions.
Because the FFIEC serves so many different organizations, it’s a massive effort to get agencies on the same page, and it takes a long time to make changes. Which is why their recent updates related to API security, and their timing, are so significant.
In October of 2022, the FFIEC released a Cybersecurity Resource Guide for Financial Institutions, giving all the info points and resources for banks and organizations to understand actions needed regarding prior year’s changes.
The changes that have happened recently mark particular significance, as they occurred much more rapidly than any previous changes.
Why is the timing of these FFIEC updates important?
Consider that these updates come after a lengthy delay, from 2011 to 2021, to changes of key components of identity authentication, access, and other parts of Information Security banking programs.
Bird explains how this time lapse is both troubling and informative. Consider that, for a decade, substantial changes have occurred within identity and access management, access control, authorization and authentication which had not been addressed by the FFIEC until August of 2021.
And for the first time, APIs were called out specifically as requiring inventory understanding and assessment.
Take note: the FFIEC introduced rapid changes to their API security requirements in response to the boom in API use. APIs are becoming front and center.
Unfortunately, because this updated requirement of API cataloging was surrounded by many other updates, a lot of banks overlooked the impactful change to the security landscape, and came into 2022 ill-prepared to meet the obligation of providing an organizational API Inventory/Catalog.
What does it mean to become compliant with your APIs for the FFIEC?
First of all, APIs are front and center now, having been addressed globally by various compliance organizations, and now by the FFIEC.
The responsibility for the use and distribution of APIs have been highly fragmented across organizations. In order to secure your APIs, you need:
- Toolsets capable of discovery and catalog
- Risk assessments
- Visibility in what APIs can access
The Reckoning is upon us: Financial Institutions are now required to create API Inventories. But more will come.
Clearly, the FFIEC is not going to simply stop at API Catalog and Inventory. There will be an expectation for proof that APIs are secured based upon a risk formula that mitigates problems related to data privacy, financial risk, and operation risk.
Risk assessment and authorization and authentication components will be demanded.
That is the next stage. API Security expectations are coming.
API Security: Your Top Priority for 2023
If you haven’t yet mastered the Cataloging requirements, Bird recommends this as your top priority this year, because it’s unlikely that the FFIEC will extend a grace period: as the top vector for data breaches, API exploits are making headline news on a regular basis.
The largest attack surface of 2022, we saw API-based attacks against Optus, Uber – and now only weeks into 2023, we’ve already seen the second major attack via APIs, now at T-Mobile.
API Sprawl is an operational issue that does not become a security problem…until it does.
The operational problem of API Sprawl has complicated the efforts we need to embark on to address the FFIEC requirements and demands.
The FFIEC is saying that you MUST have an inventory and an understanding of your APIs. So, if you either do not have this, or have insufficient processes, you are exposed.
Problems caused by a Lack of API Inventory
As our CSO explains, we are virtualizing all the way up to layer 7, and APIs are a natural avenue for bad actors to exploit. Banks with heavy online presence have suffered ATO and fraudulent account creation borne of APIs. API attacks are now specifically poised to bring down applications: application based DoS.
All of these vulnerabilities lead to not only potential attacks, but the unfortunate outcome of you not meeting the demands of the FFIEC. In such a reactionary environment, you are not in control – only mitigating and remediating in order to meet obligations rather than dictating your own terms on how you meet these security obligations.
Most organizations do not have a formalized API security program with a discrete budget for API security. Essentially, organizations aren’t doing anything about API security.
Traceable API Security: Meeting the FFIEC Requirements
According to Bird, the good news is that even an incremental change will mitigate some risk, and focused attention will rapidly reduce the unmitigated risk of your security, data privacy, exfiltration, etc.
This means that this is the worst it could possibly be if you get started today. However, it will get much worse if you do nothing. API use is exploding with 100% growth across all industry types. By 2024 the risk will be larger: with more APIs your organization will be even more vulnerable.
How do you meet the guidelines of the FFIEC?
- API Inventory
- Security posture management
- Identify sensitive data
- Conformance analysis
- Full API Risk Assessment
We understand that this is a lot of information to absorb, but the most important takeaway for you is our CSO’s final warning.
You can’t fulfill a complete risk assessment, as expected by FFIEC, without evaluating the business risk of those APIs.
You can watch the full on-demand webinar here.
About Traceable API Security
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire development lifecycle. Visual depictions provide insight into user and API behaviors to understand anomalies and block API attacks, enabling organizations to be more secure and resilient. Learn more at traceable.ai.
