Endpoint Security for APIs

Application Programming Interfaces (APIs) have become an important way for organizations to provide and consume data and services. Many APIs are business-critical, and many of them hold sensitive data, making them an attractive target for attackers. This is making API security an important part of information security for many organizations. 

I’ll show how endpoint security—agents deployed on computer systems to prevent and contain threats—can help enhance the security of your critical API endpoints.

What Is Endpoint Security and Why is it So Important?

Endpoint security helps secure endpoints such as laptops, desktops, and mobile devices. Increasingly, it is being used to protect APIs and the servers that host APIs endpoints. Endpoint protection solutions aim to protect against various threats attempting to exploit endpoints to perform malicious actions. You can implement endpoint security in the cloud or on-premises.

Here are key threats endpoint security helps protect against:

Bring your own device (BYOD)

BYOD is a paradigm that allows employees to use personally-owned devices, such as laptops and mobile phones, for work purposes. These devices connect to corporate networks, allowing users to access sensitive systems and trade secrets. 

BYOD devices are endpoints connected to the network, and if poorly secured, these devices can introduce threats into the environment. However, since these are personally-owned devices, they are not under the visibility or control of the organization’s IT and security team. 

Remote work

While BYOD paradigms allow employees to bring their devices to the workplace—a physical location with a perimeter—remote work paradigms completely shatter the perimeter. A traditional security architecture draws a line that encloses the network and its internal assets together.

Remote work means remote access. Endpoint Privilege Management can be everywhere globally, allowing employees access to corporate assets. As a result, these endpoints are no longer situated within a clearly defined perimeter, and there is no clear visibility to allow proper security. 

Sophisticated attacks

Today’s digital landscape is chaotic, attacks are becoming increasingly sophisticated, and endpoints are constantly attacked to allow entrance into bigger, more profitable targets. Here are key threats:

• Social engineering—cyber attackers employ social engineering techniques to manipulate users to divulge sensitive and financial information or download malware. A phishing attack can use one endpoint to spread malware across other systems, steal data, or leak trade secrets.
• Advanced persistent threats (APTs)—nation-states, organized crime syndicates, hacktivists, and insider threats launch APTs to achieve a certain goal. These attacks aim to breach the network and stay inside for as long as needed to achieve the goal. They can use endpoints as entry points and then move laterally across the network.

In the past, endpoint security consisted mainly of signature-based antivirus software. However, today’s work paradigms and complex architectures created a dynamic digital environment requiring extended end-to-end security visibility.

Today’s endpoint security stack is much more sophisticated, providing comprehensive protection against new and emerging malware and zero-day attacks. It includes features that provide real-time visibility into endpoints to enable quick detection and response to endpoint threats. 

What Is Endpoint Detection and Response (EDR)?

EDR solutions provide real-time continuous collection and monitoring of endpoint data, advanced analysis capabilities, and rules-based automated response. EDR was first introduced as a security category by Anton Chuvakin at Gartner, who coined the term endpoint threat detection and response (ETDR).

EDR solutions monitor and collect activity data from endpoints and continuously analyze collected data to identify threat patterns. Once the system identifies a threat, it notifies security personnel and relevant stakeholders, and responds automatically by containing or removing the threat. It also provides forensics tools to enable investigations into identified threats.

EDR can be used to detect and immediately respond to breaches on servers that host API endpoints. This provide an important layer of security that ensures that even if the API is breached, security teams can quickly understand what happened and contain the attack.

Securing APIs Using Endpoint Detection and Response

The main purpose of EDR solutions is to provide security teams with real-time alerts of malicious behavior. EDR enables fast containment and attack investigations.

Here are EDR security practices you can easily apply to improve security for your API endpoints:

Monitor HTTPS communication

If you communicate over an insecure HTTP protocol, API users can be exposed to risks. Do not make HTTP connection an option – mandate HTTPS. Threat actors can read your secret keys, passwords, and credit card information like plain text with any packet sniffer tool or man-in-the-middle attack.

Monitor API calls

Monitor the number of API calls a client can make in a certain time window and establish a limit of calls clients are allowed to make per minute or hour. Watch for any suspicious behavior.  

Your API can consume excessive system resources – for example if a malicious bot sends hundreds of simultaneous requests every minute. All web development frameworks provide middleware that can limit API call rates. 

Authenticate users

APIs user are authenticated by entering an API ID and key to access an API. A unique string generated for each API user is the API key. An EDR solution can verify that API authentication works properly and alert in cases of repeated login failures or suspicious logins.

Implement access control

All functions of an API are not necessarily allowed for access by authenticated users. For example, some users only require read-only permission. Control user access to APIs through frameworks like OAuth. 

Use JSON Web Tokens (JWT)

Use JWT, a standard way to represent secure user identity for a two-party communication. An EDR system can use a JWT to identify users. This allows two systems to exchange data on every request without sending private credentials. 

Validate input

It is important to check incoming data for the correct format and other anomalies. Many APIs fail at input validation. An EDR solution can scan SQL queries for malicious SQL injection attacks. Attacks like this can bypass the authentication of a web application or page, allowing attackers to retrieve the information stored in an SQL database. 

Conclusion

In this article, I explained the basics of endpoint security and showed how endpoint security and EDR solutions can help protect API endpoints by:

• Monitoring API communications
• Monitoring API calls and rate limits
• Enforcing access controls and authentication
• Validating inputs

I hope this will be useful as you improve the security posture of your mission-critical API endpoints.