How to Properly Leverage Elasticsearch and User Behavior Analytics for API Security

Kibana and the rest of the ELK stack (Elasticsearch, Kibana, Logstash) is great for parsing and visualizing API logs for a variety of use cases. As an open-source project, it’s free to get started (you need to still factor in any compute and storage cost which is not cheap for analytics). One use case for Kibana that’s grown recently is providing analysis and forensics for API security, a growing concern for engineering leaders and CISO’s as companies expose more and more APIs to their customers, partners, and leveraged by Single Page Apps and mobile apps. This can be done by instrumenting applications to log all API traffic to Elasticsearch. However, a naive implementation would only store raw API logs and calls, which is not sufficient for API security use cases.

Why API logging is a naive approach to API security

Raw API logs only contain the information pertaining to execute a single action. Usually the HTTP headers, IP address, request body, and other information is logged for later analysis. Monitoring can be added by purchasing a license for Elasticsearch X-Pack. The issue is that security incidents cannot always be detected by looking at API calls in isolation. Instead, hackers are able to perform elaborate behavioral flows that exercise your API in an unintended way.

Read the full article at