I’m Rob, founder of Caber.
Caber combines dedupe and DNA-sequencing to scalably trace data at the byte-level across APIs to help incident detection/analysis teams find unauthorized movement of data between services (data-in-use) and at egress points. The solution requires no code changes, and deploys automatically.
A ~2 min video is here: https://vimeo.com/923537694?share=copy
Central to the product is using existing policies and permissions on stored data, files, objects, database records, etc., and applying those permissions to the unique byte-sequences that belong to those data objects.
This approach enables the product to build a ‘call-graph’ (https://en.wikipedia.org/wiki/Call_graph) of how an incident happened including the individual API requests and responses involved and the data they contained. We then use AI to analyze these graphs across the entire application to determine the problem source and provide remediation options.
My first post here on Caber (https://news.ycombinator.com/item?id=39793796) stank so thank you for the opportunity to clarify why this product is interesting.
For 2 years I was head of product for a security tool you’re likely familiar with. I talked with over 120 enterprise security teams. Their #1 complaint was a complete inability to see or control where data goes in modern applications — not sensitive data as in ‘my company’s data’, but protected data as in user Bob’s last file upload that other users should not access. It’s that data security defenses are supposed to protect (NIST CIA Triad -- https://www.nccoe.nist.gov/publication/1800-26/VolA/index.ht...) and that data we see reported when breaches happen.
Storage systems do a great job protecting data with access controls when it’s at rest. Web application and API protection tools do a terrible job protecting it when it’s in use or in transit. There is no standard for sending permissions with data in APIs. Even if there were, interpreting them would be difficult as APIs frequently slice, aggregate and transform data from multiple sources. Caber is built specifically to operate under these conditions.
The co-founders of Escape posted here (https://news.ycombinator.com/item?id=39215779) a great summary of the API security market and some of the problems like BOLA that security tools aren’t detecting. The issue is that these tools look at HTTP headers, signatures, and other parameters that are ‘indicators of compromise’. Data loss prevention (DLP) tools similarly use signatures to classify sensitive data. In neither case can these indicators be strongly correlated to permissions, making the detection of authorization failures difficult.
Enterprise Digital Rights Management (eDRM) and Google’s BeyondProd/Zanzibar (links below) come the closest to addressing this lack of authorization for data APIs carry. Deployment and management have made these tools difficult to apply to the general market.
We made deployment and management of Caber our top priority. We designed it to work with a minimum of two observation points, storage log ingest, and an API gateway plugin. It deploys from a SaaS-like management portal using CI/CD and Terraform, but the solution lives inside a customer’s cloud application environment to mitigate data handling risks.
More information and a free, self-service demo of the product are available from the website. Because it’s designed to install into a customer’s AWS application environment, account creation is needed for the demo.
Thank you for reading about Caber. We look forward to hearing your thoughts.
Rob
eDRM: https://www2.deloitte.com/ch/en/pages/risk/articles/enterpri...
Google BeyondProd: https://cloud.google.com/docs/security/beyondprod
Google Zanzibar: https://research.google/pubs/zanzibar-googles-consistent-glo...
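An added illustration, not Caber's code and not a description of its actual implementation: a minimal Python sketch of the idea the post describes. Stored objects are fingerprinted at the byte level, the storage ACL of each object is attached to its fingerprints, and observed API hops are checked so that a slice of one user's object served to a different user is flagged while the same bytes served to their owner are not. Object ids, service names, principals and payloads are constructed for the example; the 8-byte sliding-window shingle is a toy stand-in for dedupe-style content-defined chunking.

```python
import hashlib
from dataclasses import dataclass

# Toy shingle size (constructed). Real systems would use content-defined
# chunking plus dedupe-style hashing; fixed 8-byte sliding windows keep the
# example short while still matching data an API has sliced out of an object.
WINDOW = 8


def shingles(data: bytes, window: int = WINDOW):
    """Yield a SHA-256 digest for every `window`-byte sliding window of data."""
    if len(data) < window:
        return
    for i in range(len(data) - window + 1):
        yield hashlib.sha256(data[i:i + window]).digest()


@dataclass(frozen=True)
class StoredObject:
    object_id: str
    readers: frozenset  # principals the storage ACL allows to read the object


class FingerprintIndex:
    """Maps byte-sequence fingerprints back to the stored objects (and ACLs) they came from."""

    def __init__(self):
        self._index = {}   # digest -> set of object_ids containing that window
        self.objects = {}  # object_id -> StoredObject

    def ingest(self, object_id, readers, data):
        """Index one stored object with its ACL (what a storage-log ingest would supply)."""
        self.objects[object_id] = StoredObject(object_id, frozenset(readers))
        for digest in shingles(data):
            self._index.setdefault(digest, set()).add(object_id)

    def trace(self, payload, min_hits=2):
        """Return {object_id: distinct window hits} for objects whose bytes occur in payload."""
        hits = {}
        for digest in set(shingles(payload)):
            for oid in self._index.get(digest, ()):
                hits[oid] = hits.get(oid, 0) + 1
        # min_hits filters out a single coincidental window match
        return {oid: n for oid, n in hits.items() if n >= min_hits}


@dataclass(frozen=True)
class ApiEvent:
    """One observed hop: src service sent body to dst service on behalf of principal."""
    src: str
    dst: str
    principal: str
    body: bytes


def audit_event(index, event):
    """Findings for one hop: objects present in the body that the principal may not read."""
    findings = []
    for oid, n in index.trace(event.body).items():
        if event.principal not in index.objects[oid].readers:
            findings.append({"object": oid, "principal": event.principal,
                             "hop": f"{event.src}->{event.dst}", "hits": n})
    return findings


def trace_flow(index, events):
    """Walk ordered hops; return (per-object path through services, unauthorized findings)."""
    paths, findings = {}, []
    for ev in events:
        for oid in index.trace(ev.body):
            paths.setdefault(oid, []).append(f"{ev.src}->{ev.dst}")
        findings.extend(audit_event(index, ev))
    return paths, findings


def demo():
    """Constructed scenario: a slice of Bob's upload is served in a response to Alice."""
    index = FingerprintIndex()
    index.ingest("s3://uploads/bob/forecast.txt", {"bob"},
                 b"Quarterly revenue forecast: Q3 USD 4.2M, Q4 USD 5.1M (confidential draft v3)")
    index.ingest("s3://uploads/alice/roster.txt", {"alice"},
                 b"Team roster: Priya, Marcus, Ling, Tomasz. Standup moved to 09:30.")

    # Constructed hops as an API gateway plugin and service-to-service taps might see them.
    events = [
        # reports-svc slices Bob's file and hands it to the gateway for Alice's request (BOLA)
        ApiEvent("reports-svc", "api-gw", "alice", b'{"preview":"Q3 USD 4.2M, Q4 USD 5.1M"}'),
        ApiEvent("api-gw", "client", "alice",
                 b'{"user":"alice","preview":"Q3 USD 4.2M, Q4 USD 5.1M"}'),
        # Alice legitimately fetching her own object
        ApiEvent("api-gw", "client", "alice",
                 b'{"user":"alice","doc":"Team roster: Priya, Marcus, Ling, Tomasz."}'),
        # Bob fetching the same slice of his own file: identical bytes, authorized
        ApiEvent("api-gw", "client", "bob",
                 b'{"user":"bob","preview":"Q3 USD 4.2M, Q4 USD 5.1M"}'),
    ]
    return trace_flow(index, events)


if __name__ == "__main__":
    paths, findings = demo()
    for oid, path in paths.items():
        print(oid, "|", " ".join(path))
    for f in findings:
        print("UNAUTHORIZED", f)
```

The point the sketch makes is the one the post argues: a signature for "looks like financial data" would fire on Bob's own download just as readily as on the leak, whereas matching the response bytes back to a specific stored object lets the check consult that object's ACL and raise a finding only for the unauthorized principal, and the per-object path gives the beginnings of the call graph the post describes.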