Vorlon, a SaaS-based security startup, has launched a new offering that gives customers visibility into the third-party APIs they consume and the attack surface those integrations create, with a "shift-right" focus that the company claims legacy solutions lack.
The SaaS-based offering, which had been available in beta to select customers since August 2023, is now generally available for purchase on a subscription basis.
"Vorlon's idea is to expand the definition of API Security to also include the enterprise-as-consumer side, enabling organizations to proactively manage third-party APIs, monitor the data in motion, identify legitimate versus illegitimate traffic, and quickly remediate issues as they arise, not months after a leak is made public," said Alex Yakubov, head of marketing at Vorlon.
Vorlon is a cloud application security startup with API security as its first offering. The offering will be available as an annual subscription with access tiers based on the number of third-party applications observed, data storage, and retention.
Shift right approach to API security
Vorlon's API security product is aimed at giving an organization visibility into its third-party dependencies and the APIs they expose while those integrations are in operation. Vorlon positions this as a step beyond the legacy "shift left" approach, which focuses on API security during development and integration.
"Historically, API Security tools have focused on ensuring the APIs the organization publishes are safe and secure," Yakubov said. "The reality is that an organization consumes far more third-party APIs than the number of APIs it publishes."
The idea of "shift left" was to incorporate security earlier in the development phase, but because of the complexity and nuanced nature of every API, the API security market has largely ignored the consumer of the API and has not historically provided a means to manage, monitor, and control the data in motion, according to Yakubov.
To bring security to the consumption side, Vorlon's platform inventories an organization's existing third-party integrations, scans the APIs in use and the data transmitted through them, and visualizes the exposure and risks associated with those integrations.
Since November 2023, Vorlon claims to have observed over 50 million API calls and helped its early customers handle critical issues including over-permissive connections, abuse of API secrets, exposed multi-use secrets, access from malicious IP addresses, and abnormal activity by third-party applications.
"Vorlon helped us understand not just the APIs we were using but also what systems these APIs were connecting to and the data that was enabled on top of the APIs," said Avishai Avivi, an early Vorlon user and chief information security officer at SafeBreach. "Vorlon provided me with quite a bit of telemetry and threat intel around our API usage, which is especially game-changing for the third parties that might as well be a black box to us. The biggest takeaway for us is the sheer size of the attack surface generated by third-party vendors connecting to our data both directly and indirectly."
Machine learning for anomaly detection
Vorlon processes a large volume of API data and analyzes it in "near real time", which the company says is made possible by proprietary machine learning engines.
"Our behavioral analysis leverages machine learning so Vorlon can identify anomalous activity for a customer's specific instance of an observed third-party app," Yakubov said. "What might be normal for one organization may not be for another."
Additionally, Vorlon automates API analysis by checking observed API communications against existing threat intelligence to identify known malicious ones. Machine learning also lets the platform generate remediation instructions tailored to the specific applications involved.
"I think most CISOs already know this, but third-party APIs are right now probably one of the Achilles heels of our world, with a very wide usage and almost no visibility unto them," said Eric Richard, chief information security officer at Hubspot. "The goal, through a tool like Vorlon, is you can bring that out of the shadows and into the light and can start to put the same sorts of controls in API security that we've put on all sorts of other security over the last decades."
Vorlon is currently working on increasing the number of observable applications in its catalog, along with tailored remediation insights and capabilities.