Wallarm: Like a Bouncer for Your Backend

Truth in IT
05/05/2025

Transcript


Mike: Hi, Mike Matchett with Small World Big Data. We are here at RSAC 2025, crawling the floor looking at the latest and greatest cybersecurity vendors. And we are going to look at something pretty innovative right now. I've got Tim here. Tim, welcome.

Tim: Thank you, Mike. Happy to be here.

Mike: Now, is that Wallarm? Is that pronounced?

Tim: That is Wallarm. You got it right.

Mike: All right. Uh, talk to us a little bit about where in the cybersecurity space you guys fit in.

Tim: Sure. So Wallarm is fundamentally an API security company. So our mission in life, if you will, is to detect and block API attacks. Uh, so APIs as an attack surface have really grown, not only with just automation in general, the velocity of development, but now with AI and generative AI, which all runs on top of APIs. We're really seeing an explosion of APIs inside of organizations and APIs exposed to the world, and we're all about protecting those APIs.

Mike: So I've coded a few things that have APIs and used a lot of APIs in my illustrious programming career, which hasn't been that long, um, despite the gray hair. Uh, so when you say protecting APIs, are you saying if I'm, if I'm exposing an API, you're helping protect it on my side? Or if I'm using APIs, you're helping me there?

Tim: If you're exposing an API. So if you either build and deploy APIs for your customers or your partners, or if you purchase products that have APIs that get exposed, either external to your organization as a service or even inside your organization to other employees or partners or developers, all of those APIs, we're interested in protecting them from being attacked. We also, of course, you can't protect what you don't know about. So part of what we do is to inventory and catalog those APIs and tell you what you have so that you can then protect it.

Mike: I mean, does this include, I'm just going to throw things out, like SaaS apps that have APIs and container environments, microservices with thousands of APIs? Does it go that whole gamut?

Tim: It does. So if you're building those APIs and exposing them, if you're a SaaS provider as an example, and you provide those APIs, absolutely.

Mike: Okay. So are you sitting in the middle then between the things going to the API or coming out of it, or are you monitoring from the edge? How does that work?

Tim: So most of what we do, not 100%, but most of what we do is focused around traffic analysis. So we have lots of different ways to deploy the solution, because there are lots of different kinds of environments out there. But what we're really after ultimately is for you to send your API traffic through what we call our filtering nodes so that we can analyze it. We use that data to do API discovery and then to identify attacks and block them.

Mike: All right. And just give us a quick example of some of the kinds of attacks people might do against an API.

Tim: Absolutely. So I break attacks into two big categories. There are stateful attacks, which are behavior based. So we're looking at the behavior across an API session, and we're looking for anomalies. So that would be things like, uh, you know, scraping data or account takeover attacks. And then there are more the classic sort of traditional attacks that are stateless. We can detect those in one request. That's like SQL injection or remote code execution, that kind of thing.

Mike: All right. Which is, so, so you're not necessarily in the middle in that sense of like having it go through you, but you're looking at the analysis of what's flowing back and forth and doing that, doing that observation.

Tim: Generally speaking, we are in the middle. As I said, there are lots of different ways to deploy it, so we can be really, truly in the middle as an inline component. We can integrate with an API gateway that's already in the middle, so we don't want to replace it, we just want to integrate with it. We can deploy in your Kubernetes environment as a Kubernetes ingress controller. There are like 15, 20 different ways to deploy. So I won't list them all.

Mike: All right, all right. Well, definitely check them out in more detail if you have APIs. So let me ask you this. We're here at RSAC. There's 25,000 people here. If you wanted to get a message out to everyone about improving their security posture, obviously around APIs, what kind of message would you like them to take away?

Tim: Well, I think there are two key messages for me. One is to really understand that the APIs that you have and expose are a huge part of your attack surface today. Attackers are targeting those APIs because they provide a programmatic way to interact with your applications, with your data. Second is around AI. All of AI apps, all those AI agents, they're built on top of APIs. They interact with APIs. It's API security on steroids, if you will. So we expect to see that AI growth drive API growth as well.

Mike: All right. So it's kind of a layered approach. And there's definitely big AI theme here, both good and against AI. We want to protect against malicious use, and we want to use it for the forces of good. But that means there's more APIs out there for AI. Definitely, definitely see it.

Tim: Yeah, that's exactly right. And that's what we're looking to protect.

Mike: All right. If someone wants to learn a little bit more then about Wallarm, check it out and say like, oh, you know, I probably have some APIs. I probably am vulnerable because I haven't done anything specific about APIs yet. What would you point them at as a good place to get started?

Tim: Well, you'll be shocked and surprised. I'm going to point to wallarm.com, resources there. We've got our blog there. We've got product information, data sheets, best practices. So it's a great resource.

Mike: All right. So start at wallarm.com. Um, if you had one sort of like final place where you'd say, like, hey, here's where you should get started. What would that be?

Tim: Well, I think the, if you're looking for something like the OWASP Foundation is a good example, OWASP API top ten is a good place to get started. Just learning about API security and understanding what the threats are.

Mike: All right. So all right, Tim, thank you very much.

Tim: Thanks, Mike. Appreciate it.

Mike: All right. Check out Wallarm if you've got APIs. And you all do.

Wallarm defends modern APIs, AI apps, and AI agents with a cloud-native platform that blocks attacks in real time. Whether you’re in Kubernetes, multi-cloud, or a hybrid environment, Wallarm provides the visibility and protection you need—without blowing up your latency or drowning your team in alerts.