端点防护 edr
More and more organizations provide access to APIs in order to enable a wider audience to use their information. This is why securing API access has become a critical concern. With the increasing adoption of mobile, cloud and hybrid environments, the security perimeter is expanding. Back-end systems have become more accessible to external developers through APIs, and as a result more cyber threats, such as DDoS attacks, target enterprise applications.
越来越多的组织提供对API的访问权限,以使更多的受众可以使用其信息。 这就是为什么保护API访问已成为至关重要的问题。 随着移动,云和混合环境的日益普及,安全范围正在扩大。 通过API,外部开发人员可以更轻松地访问后端系统,因此,更多的网络威胁(例如DDoS攻击)将针对企业应用程序。
什么是API端点? (What Is an API Endpoint?)
From a security perspective, an endpoint is any device or node located outside of the corporate firewall. An endpoint could be a tablet, laptop, mobile phone or server. When an API communicates with another system, the touchpoints of this communication are considered endpoints. Endpoints are the source of information for APIs. For example, an API endpoint can be a URL of a server or web service that contains the requested information.
从安全角度来看,端点是位于公司防火墙外部的任何设备或节点。 端点可以是平板电脑,笔记本电脑,移动电话或服务器。 当API与另一个系统通信时,此通信的接触点被视为端点。 端点是API的信息源。 例如,API端点可以是包含所请求信息的服务器或Web服务的URL。
API端点安全性的重要性 (The Importance of API Endpoint Security)
Businesses depend on secure communication, especially when it comes to communicating with external systems. There are consequences to security breaches that go beyond financial loss. Let’s explore and highlight some deadly impacts of API endpoint attacks.
业务依赖于安全通信,尤其是与外部系统进行通信时。 安全违规造成的后果不仅限于经济损失。 让我们探索并重点介绍API端点攻击的一些致命影响。
Business loss
业务亏损
While for some businesses a security breach can cause a couple of hours of downtime, for others (like currency exchange) it can be a disaster. A breach in an API endpoint can take a lot of time to recover from, thus leading to a significant loss of money.
对于某些企业来说,安全漏洞可能会导致几个小时的停机时间,而对于其他企业(如货币兑换),则可能是一场灾难。 API端点中的违规可能要花费大量时间才能从中恢复,从而导致巨额资金损失。
Compliance issues
合规问题
Any business that works with the banking or healthcare industries must secure the API it provides. The cost of serving insecure APIs can result in massive compliance and legal troubles, such as audits and fines, especially in the European Union.
与银行或医疗保健行业合作的任何企业都必须保护其提供的API。 服务不安全的API的成本可能导致大量合规性和法律麻烦,例如审计和罚款,尤其是在欧盟 。
Reputational damages
名誉损失
A successful attack on business endpoints can have a negative impact on its brand image. Even if there was no actual data loss, your customers may think twice before doing business with you. For example, Sony was a victim of several cyber attacks, and became a laughing stock in the security circles.
对业务端点的成功攻击可能对其品牌形象产生负面影响。 即使没有实际的数据丢失,您的客户在与您开展业务之前也可能会三思而后行。 例如,索尼是几次网络攻击的受害者,并成为安全界的笑柄。
Inflated infrastructure bills
夸大的基础设施账单
APIs consume infrastructure resources like memory, CPU and bandwidth. Threat actors can force insecure APIs to do pointless functions like running large database queries. As a result, your infrastructure bills will suddenly inflate. For example, AWS provides automatic scaling of resources, which hackers can exploit easily.
API消耗内存,CPU和带宽等基础结构资源。 威胁参与者可以迫使不安全的API执行毫无意义的功能,例如运行大型数据库查询。 结果,您的基础架构 账单会突然膨胀。 例如,AWS提供资源的自动扩展,黑客可以轻松利用。
Competitor’s gains
竞争对手的收获
Competitors can gain from your breach whether they were behind it or not. If they were behind the attack, and it was successful, they will get your trade secrets. If they weren’t behind the attack, they can jump on the opportunity to route their services over yours. They haven’t experienced a breach, after all.
无论您是否违规,竞争对手都可以从您的违规中受益。 如果他们是攻击的幕后黑手,并且成功了,他们将获取您的商业秘密。 如果他们没有受到攻击,他们可以抓住机会将服务路由到您的服务上。 毕竟,他们还没有遇到漏洞。
使用端点检测和响应保护API (Securing APIs Using Endpoint Detection and Response)
The term Endpoint Detection and Response (EDR) refers to a set of practices and tools designed to monitor and identify endpoint security threats and prevent attacks by implementing automatic security measures on endpoint devices.
术语“端点检测和响应(EDR)”是指旨在监视和识别端点安全威胁并通过在端点设备上实施自动安全措施来防止攻击的一组实践和工具。
The main purpose of EDR solutions is to provide security teams with real-time alerts on malicious behavior, thus enabling fast containment and investigation of attacks.
EDR解决方案的主要目的是向安全团队提供有关恶意行为的实时警报,从而可以快速遏制和调查攻击。
EDR concepts are based on three key features:
EDR概念基于三个关键功能:
Continuous endpoint monitoring — collects data on endpoint user access and authentication, communication protocols and other security-related events.
连续的端点监视 -收集有关端点用户访问和身份验证,通信协议以及其他与安全相关的事件的数据。
Detect user behavioral anomalies — establish behavioral guidelines for each device, detect suspicious user activity, and identify when it is considered malicious.
检测用户行为异常 -为每个设备建立行为准则,检测可疑用户活动,并确定何时被认为是恶意的。
Incident reporting — provides real-time information about endpoint security incidents. Security teams use this information to investigative and prevent attacks.
事件报告 -提供有关端点安全事件的实时信息。 安全团队使用此信息来调查和防止攻击。
There are many easy-to-implement and clear EDR security practices that you can apply to your API endpoints. Below, you’ll find a review of the most common practices.
您可以将许多易于实施且清晰的EDR安全性实践应用于API端点。 在下面,您将找到最常见做法的评论。
Monitor HTTPS communication
监控HTTPS通信
Your API users could be exposed to great risks if you communicate over a non-secure HTTP protocol. Any packet sniffer tool or man-in-the-middle attack can read your secret keys, passwords and credit card information as plain text. For that reason, always make HTTPS the only option available. An http connection should not even be an option.
如果您通过非安全的HTTP协议进行通信,您的API用户可能会面临巨大的风险。 任何数据包嗅探器工具或中间人攻击都可以纯文本形式读取您的密钥,密码和信用卡信息。 因此,始终使HTTPS成为唯一可用选项。 甚至不应该使用http连接。
Monitor API calls
监控API调用
Monitor the number of API calls a client can make in a given time window. Unless your API is used by millions every minute, it is a good idea to establish a limit of calls and monitor any suspicious behaviour.
监视客户端可以在给定的时间范围内进行的API调用次数。 除非每分钟都有数百万人使用您的API,否则最好限制呼叫并监视任何可疑行为。
Malicious bots can send hundreds of simultaneous requests every minute and make your API consume system resources for no particular reason. All web development frameworks should provide a middleware to limit API call rates.
恶意漫游器每分钟可以发送数百个同时请求,并使您的API无需特殊原因即可消耗系统资源。 所有的Web开发框架都应提供一个中间件来限制API调用率。
Authenticate users
验证用户
An EDR solution must identify if a user has permission to use your API. To access an API, a user must go through an authentication process by entering his API ID and key. The API key is a unique string generated for each user of the API.
EDR解决方案必须确定用户是否有权使用您的API。 要访问API,用户必须通过输入其API ID和密钥来进行身份验证过程。 API密钥是为API的每个用户生成的唯一字符串。
Implement Access Control (AC)
实施访问控制(AC)
Authenticated users do not necessarily have permission to access all functions of an API. For instance, some users require access only permission (get), but they can not make any changes to information. EDR solutions can control user access to APIs with frameworks like OAuth.
经过身份验证的用户不一定具有访问API所有功能的权限。 例如,某些用户只要求访问权限(获取),但不能对信息进行任何更改。 EDR解决方案可以使用OAuth之类的框架来控制用户对API的访问。
Filter IP addresses
过滤IP地址
B2B services that use APIs from different locations, must restrict access to certain IP addresses. EDR solutions can monitor and verify that each incoming request from a new client has a legitimate IP address.
使用来自不同位置的API的B2B服务必须限制对某些IP地址的访问。 EDR解决方案可以监视和验证来自新客户端的每个传入请求均具有合法IP地址。
Use JSON Web Tokens (JWT)
使用JSON网络令牌(JWT)
JSON Web Tokens are a standard way (RFC 7519) to represent user identity securely during a two-party communication. When two systems exchange data, an EDR system can use a JWT to identify users without having to send private credentials on every request.
JSON Web令牌是在两方通信期间安全地表示用户身份的一种标准方式( RFC 7519 )。 当两个系统交换数据时,EDR系统可以使用JWT来标识用户,而不必在每个请求上都发送私有凭据。
Validate input
验证输入
Many APIs fail at this simple yet important process. Input validation means checking the incoming data for correct format and other anomalies. For example, an EDR solution can scan an SQL query for malicious SQL injection attacks. This kind of attack can bypass the authentication of a web application or a web page and retrieve the information stored in an SQL database.
许多API在这个简单而重要的过程中失败了。 输入验证意味着检查输入的数据是否有正确的格式和其他异常。 例如,EDR解决方案可以扫描SQL查询是否存在恶意SQL注入攻击。 这种攻击可以绕过Web应用程序或网页的身份验证,并检索存储在SQL数据库中的信息。
Conclusion
结论
There are many commercial, open source and hybrid API security solutions and tools available. Tools based on EDR concepts provide continuous monitoring to detect and mitigate threats and offer increased visibility. By leveraging EDR solutions, organizations can monitor more stages in the endpoint attack lifecycle so they can identify and block threats more effectively.
有许多商业, 开源和混合API安全解决方案和工具。 基于EDR概念的工具可提供连续监视以检测和缓解威胁并提高可见性。 通过利用EDR解决方案,组织可以监视端点攻击生命周期中的更多阶段,从而可以更有效地识别和阻止威胁。
翻译自: https://medium.com/@eddies_47682/using-endpoint-detection-and-response-edr-concepts-to-secure-apis-6f0238accddf
端点防护 edr