Mitigating OWASP API Security Risk: Insufficient Logging & Monitoring using F5 XC Platform

Introduction: 

Application Programming Interface (APIs) holds a prominent place in this emerging technology world. API users have increased exponentially and so are the attacks. Improper design, internal testing APIs exposure, PII leakage, lack of API authentication, lack of rate limiting, and improper logging are some of the commonly observed reasons for the API attacks. OWASP API Security article provides detailed explanation on Top 10 API vulnerabilities. 

Insufficient logging and monitoring are observed as some of the common reasons in majority of the attacks. Having an improper logging system will make it difficult for an organization to analyse and identify the issues, unusual activities and breaches as it needs a lot of time and human efforts in troubleshooting. The impact will be huge and can be worse if the logs cannot provide sufficient data or the attack is not identified in the early stage. F5 Distributed Cloud (XC) provides efficient logging and monitoring solutions to overcome these difficulties. This article explains more about the logging capabilities of F5 Distributed Cloud. 

Overview of Logging and Monitoring facility with F5 Distributed Cloud: 

F5 Distributed Cloud Platform (F5 XC) not only provides API protection features like Rate limiting, API Discovery, PII safeguard and Bot Defence but also provides Performance and Security monitoring GUI dashboards to monitor the logs in a convenient and user-friendly manner.  

F5 XC continuously monitors and actively collects all the data related to load balancer like Request rate, throughput, latency, security events, requests, alerts, API Discovery, top attacked API endpoints, location from where the request is being generated, bot attacks, malicious users and presents it in a very organised manner which helps to monitor the data with ease. F5 XC centralized log management provides a flexible approach to monitor the dashboards continuously, correlate security events and analyse them. Filtration of data using timestamps and different key values helps to monitor the data more accurately. 

With F5 XC Security Monitoring, the administrator can: 

• View the Dashboard which provides details of the overall traffic, security events, top attacks with respect to different classifications etc. This helps in identifying the suspicious activities at the earliest. 

F5 XC centralized monitoring dashboard displays security events classification, source IP, country and other details.

F5 XC dashboard also displays Top attack details based on different classifications.

• Monitor the Security events that were generated/blocked as part of API Protection. An event provides all the details like source, request type, response codes, endpoint details, attack detection and the policy that got enforced. This helps in identifying the malicious actor details. 

Different security events that were generated.

A security event contains all the necessary details to identify the event occurrence..

F5 XC detects and displays malicious user and activity.

• Observe Top attacked API Endpoints, Top API Calls that are generated, API Graph which displays discovered shadow API endpoints in centralized Dashboards. 

Discovered API endpoints.

• Monitor the alerts which gets generated when any abnormal activities are noticed. Alerts can be received over an email/SMS/PagerDuty/Slack by configuring alert receivers. Please refer Send Alerts to PagerDuty article for detailed explanation and configuration steps. 

F5 XC generates alerts when something unexpected has occurred.

Routine monitoring of security events, alerts and requests data can help the admin to notice the abnormal actions happening if any and can immediately take protection measures.  

With F5 XC Performance Monitoring, the administrator can: 

• Monitor overall application health, requests rate, Throughput, TLS/SSL Cipher Stats 

Performance monitoring dashboard provides Application metrics such as Healthscore, Throughput, Latency, Requests details.

• View Pictorial representation of traffic flow. 

This picture provides pictorial overview of traffic flow from source site to origin server.

•  Observe all the incoming request details. 

Overall incoming requests can be monitored, and they get classified according to the response code.

Request provides all the details such as response codes, source details.

Global log receiver feature of F5 XC helps in sending the tenant logs from F5 Distributed Cloud Regional Edge (RE) Sites to an external log collection system such as Amazon S3, Splunk, Azure Blob Storage and many more. The request(access) logs, security events, and audit logs for all HTTP Load Balancers and sites can be preserved in the external log collection systems. Please refer Global log receiver document for more details. 

Conclusion: 

Insufficient logging and improper monitoring are the reasons organisations fail to deal with the security breaches. F5 XC helps to overcome these challenges by providing efficient logging and monitoring solutions which helps organizations to identify abnormal events, malicious requests well in advance and remediate security weakness faster. F5 XC has gained a remarkable attention due to their centralized visibility dashboards and monitoring solutions. 

For further information click the links below: 

F5 Distributed Cloud WAAP 

F5 Distributed Cloud Services 

OWASP API Security