Salt Security, a cybersecurity startup developing a threat protection solution that discovers APIs and detects vulnerabilities, has raised $20 million. It plans to use the new capital to renew its investments in product development and expand its sales and marketing teams.
APIs (application programming interfaces) define how software components interact. They specify the kinds of calls or requests that can be made, how they’re made, the data formats that should be used, and the conventions to follow. And with over 80% of web traffic now API traffic, they’re coming under threat. Gartner predicts that by 2021, 90% of web apps will have more attack surface in the form of exposed APIs than in their frontends.
Salt’s platform aims to prevent such attacks with a combination of AI and machine learning techniques. As CEO Roey Eliyahu explained via email, it begins with architecture. “The problem is that every customer … has a unique API that consists of unique logic and vulnerabilities. A single API alone can have a significant amount of complexity when it comes to logic,” he told VentureBeat. “On top of that, many organizations build applications that combine multiple APIs, sometimes from multiple teams, resulting in new levels of complexity … If that weren’t challenging enough, development practices like CI/CD mean things are in a constant state of change, which is near impossible for humans to keep up with when it comes to configuring security.”
Salt analyzes a mirrored copy of the traffic to and from web, software-as-a-service, mobile, microservice, and internet of things APIs. From that traffic it learns the structure of each API and builds a baseline of normal behavior tailored to the customer and its apps. Against these baselines, Salt flags anomalies that may indicate an attacker in the reconnaissance phase, removing the need for signatures and hand-written configuration.
Eliyahu says Salt leverages dozens of behavioral features to identify anomalies. Its machine learning models are trained to detect when an attacker is probing an API, for instance, because this deviates from typical usage. They analyze the “full communication,” taking into consideration factors like how an API responds to malicious calls. And they correlate attacker activity, enabling Salt to connect probing attempts performed over time to a single attacker, even if they attempt to conceal their identity by rotating devices, API tokens, IP addresses, and more.
Confirmed anomalies trigger a single alert to security teams with a timeline of attacker activity.
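The paragraphs above describe the mechanism only in outline: learn a per-endpoint baseline from mirrored traffic, score each actor's deviation from it, and tie rotated IPs and tokens back to one attacker. The following is an added example of that shape, written for this page; it is not Salt's code and does not reflect Salt's models or log schema. The log fields (timestamp, IP, token, fingerprint, method, path, status) and the sample entries are constructed, and grouping by a client TLS/device fingerprint (`ja3`) is an assumption standing in for whatever correlation signals a real product uses.

```python
"""Baseline-and-anomaly detection for low-and-slow API probing (illustrative only)."""
import re
from collections import Counter, defaultdict

# Constructed sample of a mirrored access-log feed. Tuple layout is an assumption:
# (ts, client_ip, api_token, ja3_fingerprint, method, path, http_status)
BASELINE_LOG = [
    (100, "10.0.0.1", "tokA", "j1", "GET", "/v1/users/101", 200),
    (101, "10.0.0.1", "tokA", "j1", "GET", "/v1/users/101/orders", 200),
    (102, "10.0.0.2", "tokB", "j2", "GET", "/v1/users/202", 200),
    (103, "10.0.0.2", "tokB", "j2", "POST", "/v1/orders", 201),
    (104, "10.0.0.3", "tokC", "j3", "GET", "/v1/users/303", 200),
    (105, "10.0.0.3", "tokC", "j3", "GET", "/v1/users/303/orders", 200),
    (106, "10.0.0.1", "tokA", "j1", "GET", "/v1/users/101", 200),
    (107, "10.0.0.2", "tokB", "j2", "GET", "/v1/users/202/orders", 404),
]
# Detection window: one actor rotates IP and token every few minutes while
# walking user ids, trying DELETE, and guessing an admin route; one normal user.
DETECT_LOG = [
    (200, "10.9.9.1", "tokX", "j9", "GET", "/v1/users/101", 200),
    (260, "10.9.9.1", "tokX", "j9", "GET", "/v1/users/102", 403),
    (320, "10.9.9.2", "tokY", "j9", "GET", "/v1/users/103", 403),
    (380, "10.9.9.2", "tokY", "j9", "GET", "/v1/users/104", 403),
    (440, "10.9.9.3", "tokZ", "j9", "DELETE", "/v1/users/105", 405),
    (500, "10.9.9.3", "tokZ", "j9", "GET", "/v1/admin/users", 404),
    (520, "10.0.0.4", "tokD", "j4", "GET", "/v1/users/404", 200),
]

ID_SEG = re.compile(r"/(\d+)")


def template(path):
    """Collapse numeric path segments so /v1/users/101/orders -> /v1/users/{id}/orders."""
    return ID_SEG.sub("/{id}", path)


def build_baseline(log):
    """Learn per-endpoint normal behaviour: methods used, error rate, ids touched per client."""
    methods, total, errors = defaultdict(set), Counter(), Counter()
    ids_per_client = defaultdict(set)
    for _ts, _ip, token, _ja3, method, path, status in log:
        t = template(path)
        methods[t].add(method)
        total[t] += 1
        if status >= 400:
            errors[t] += 1
        for oid in ID_SEG.findall(path):
            ids_per_client[(token, t)].add(oid)
    return {
        "templates": set(total),
        "methods": methods,
        "error_rate": {t: errors[t] / total[t] for t in total},
        # Widest spread of ids any single client touched on one endpoint during learning.
        "max_ids": max((len(s) for s in ids_per_client.values()), default=1),
    }


def detect(log, baseline, id_factor=2, err_margin=0.3):
    """Group events by the assumed stable fingerprint, then score each actor against the baseline."""
    actors = defaultdict(list)
    for event in log:
        actors[event[3]].append(event)  # event[3] is the assumed JA3/device fingerprint
    base_err = max(baseline["error_rate"].values(), default=0.0)
    alerts = {}
    for ja3, events in actors.items():
        reasons, ids, errs = set(), defaultdict(set), 0
        for _ts, _ip, _tok, _fp, method, path, status in events:
            t = template(path)
            if t not in baseline["templates"]:
                reasons.add("unseen endpoint %s" % t)
            elif method not in baseline["methods"][t]:
                reasons.add("unseen method %s on %s" % (method, t))
            for oid in ID_SEG.findall(path):
                ids[t].add(oid)
            if status >= 400:
                errs += 1
        for t, seen in ids.items():
            if len(seen) >= id_factor * baseline["max_ids"]:
                reasons.add("id enumeration on %s (%d ids)" % (t, len(seen)))
        if errs / len(events) > base_err + err_margin:
            reasons.add("error rate %.2f vs baseline max %.2f" % (errs / len(events), base_err))
        if reasons:  # one alert per actor, carrying the full cross-IP/token timeline
            alerts[ja3] = {
                "reasons": sorted(reasons),
                "ips": sorted({e[1] for e in events}),
                "tokens": sorted({e[2] for e in events}),
                "timeline": [(ts, ip, tok, m, p, s) for ts, ip, tok, _fp, m, p, s in sorted(events)],
            }
    return alerts


if __name__ == "__main__":
    for actor, alert in detect(DETECT_LOG, build_baseline(BASELINE_LOG)).items():
        print("actor %s via ips %s tokens %s" % (actor, alert["ips"], alert["tokens"]))
        for reason in alert["reasons"]:
            print("  -", reason)
        for entry in alert["timeline"]:
            print("  ", entry)
```

Each 403 or DELETE on its own looks like an ordinary client error, which is why a per-request proxy rule would miss it; the signal only appears once the six events are attributed to one actor and compared with how the endpoint is normally used. The thresholds (`id_factor`, `err_margin`) are illustrative knobs, not tuned values.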
“API attacks can be thought of as low and slow, as the attacker is trying to understand the API logic during reconnaissance. Proxy-based solutions that look at each API call individually have a narrow view and simply can’t collect enough data and don’t have enough context to correlate this type of activity and identify these attackers using subtle probing methods,” Eliyahu added. “For API security, you really need context for a deep understanding of the API, including logic and how it is intended to be used under normal conditions.”
Salt is similar in approach — but not identical — to Elastic Beam, an API cybersecurity startup that was acquired by Denver, Colorado-based Ping Identity in June 2018. Other rivals include Spherical Defense, which adopts a machine learning-based approach to web application firewalls, and Wallarm, which provides an AI-powered security platform for APIs, as well as websites and microservices.
But Eliyahu claims Palo Alto-based Salt is doing brisk business, with customers like Gett, City National Bank, TripActions, and Armis. “[We use] big data and patented AI to address the uniqueness of APIs, the methods of attackers targeting APIs, and the complexities of API vulnerabilities outlined in the OWASP API Security Top 10 and more,” Eliyahu said, referring to the Open Web Application Security Project’s standard awareness document for developers and web application security teams. “Our approach to API security is very different from traditional solutions [in that it’s more] scalable and practical.”
Tenaya Capital led the series A investment in Salt, with participation from S Capital (formerly Sequoia) cofounders Haim Sadger and Aya Peterburg, Check Point Software cofounder and chair Marius Nacht, and former Palo Alto Networks CMO René Bonvanie. Tenaya Capital’s Tom Banahan joined the board of directors as part of the round, which brings Salt’s total raised to $30 million, following a $10 million seed round.