You’ve probably seen the term ‘endpoint’ talked about in the press recently in the context of information security. Let’s talk about what a network endpoint is, why securing endpoints can dramatically strengthen your overall security posture, and why big vendors like Intel Security (formerly McAfee) and a number of startups are launching products that focus on endpoint security.
What is an Endpoint?
An endpoint traditionally is a device on a network that a human interacts with, as opposed to the network itself. In the old days of PCs and floppy disks, the PC was the endpoint attached to a local area network or modem. Since then we’ve added networkable printers, managed switches and routers, and the Internet of Things (IoT) has arrived. Many of these connected devices don’t provide direct human interaction, but they are all points of termination on a network that need to be protected.
The old definition of an endpoint boils down to: “Something networked that a human interacts with.”
Today I would change the definition of an endpoint to the following: “Something networked that can be attacked, contains valuable data, resources or a target and may be usable for further reconnaissance and attacks of a network.”
What Makes WordPress an Endpoint?
WordPress, our favorite publishing platform is a great example of an endpoint, both in the traditional and contemporary sense. It is networked and provides a broad attack surface because it is complex and provides many methods an attacker can interact with it.
WordPress has useful data in the form of its database and files. This includes personally identifiable information (PII); hashed and salted passwords, which can still be cracked offline (salting slows an attacker down but does not stop a dictionary attack against weak passwords) and may have been reused elsewhere; all unpublished posts; all site comments with the poster’s email; and much more.
WordPress also provides valuable resources in the form of a fully functional PHP application platform that can be used to launch other attacks, send spam email and it even includes a back-end database that malware can use to get the job done. Those resources include CPU, memory, disk for storage and of course a fast network connection that is usually at least 10 megabits per second.
WordPress also provides many targets. This includes the website administrator themselves and the users of the site. An attacker may infect a WordPress site with the goal of cracking a particular user’s password in the hope they’re using it on other systems like GMail. They may want to fool the administrator into visiting a malicious website, or they may want to see draft posts hours or days before they are published to gain intelligence about the site admin as a human target.
Moving from Traditional IDS to Endpoint Threat Detection and Response (EDR)
There are several ways to secure your network without securing endpoints directly. These may include a network intrusion detection system (NIDS) that monitors all traffic flowing on the network, looking for known attack patterns. You might use a cloud provider to filter your website traffic before it reaches your web server, e.g. an external cloud-based Web Application Firewall (WAF). You might also use external scanners to regularly scan your network for vulnerabilities and signs of a hack.
None of these is endpoint security, because they run somewhere other than the endpoint itself: they see only what crosses the wire, not what is happening on the host, and so they lose some of the advantages that security on the endpoint provides.
In 2013, Anton Chuvakin of Gartner coined the phrase “Endpoint Threat Detection and Response” to describe a new paradigm in how we approach protecting devices and networks. Rather than centralizing security, this approach says we should secure the endpoint directly. And rather than just detecting threats, the endpoint should also be able to respond to them.
Intel Security (formerly McAfee) yesterday rolled out their next generation EDR solution, which detects unpatched bugs and suspicious events, can remediate the problems it finds, and shares attack data with the rest of the security network. They’re able to provide this kind of advanced security because their product executes directly on the endpoint, where it has access to much more data and can interact at a deep level with the system during remediation.
There are also a slew of startups with significant VC investment that have emerged in the EDR space hoping to capitalize on this new approach to security.
We Pioneered EDR for WordPress
In 2012, our approach with Wordfence started by securing WordPress as an endpoint. We started by providing tools to detect if you have been hacked.
We knew we could do better than just blocking attacks. Since some attacks will inevitably succeed, remediation is needed too, so we added the ability to see which WordPress files changed if a hack occurs and to repair those files using Wordfence.
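To make the detect-and-repair idea concrete, here is an added example (written for this page, not Wordfence’s own code) of the file-integrity check an endpoint-resident scanner performs: hash every file in a known-good copy of the install, hash the live site, report what was added, removed or modified, and restore the modified and deleted files from the pristine copy. The directory layout and file contents in the demo are constructed; a real scanner would fetch the known-good hashes for the installed WordPress version from a trusted source rather than from the possibly-compromised host.

```python
"""Added example: file-integrity detection and repair for a web root.
Not Wordfence's code; the sample tree below is constructed for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, streamed so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline, live):
    """Compare a known-good manifest with a live one."""
    added = sorted(set(live) - set(baseline))
    removed = sorted(set(baseline) - set(live))
    modified = sorted(k for k in baseline if k in live and baseline[k] != live[k])
    return {"added": added, "removed": removed, "modified": modified}


def scan(pristine, site):
    return diff_manifests(build_manifest(pristine), build_manifest(site))


def repair(pristine, site, findings):
    """Restore modified and removed files from the pristine tree.
    Added files are reported but left alone: they may be legitimate
    (uploads, custom plugins), so deleting them is the operator's call."""
    restored = []
    for rel in findings["modified"] + findings["removed"]:
        dst = site / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(pristine / rel, dst)
        restored.append(rel)
    return restored


def demo():
    """Constructed scenario: a pristine tree and a copy that has been tampered with."""
    tmp = Path(tempfile.mkdtemp())
    pristine, site = tmp / "pristine", tmp / "site"
    for root in (pristine, site):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "functions.php").write_text("<?php // core\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-blog-header.php").write_text("<?php // bootstrap\n")
    # Simulated compromise: a core file trojaned with a remote-code backdoor,
    # a core file deleted, and a web shell dropped into wp-content.
    (site / "wp-includes" / "functions.php").write_text(
        "<?php // core\neval(base64_decode($_POST['x']));\n")
    (site / "wp-blog-header.php").unlink()
    (site / "wp-content").mkdir()
    (site / "wp-content" / "cache.php").write_text("<?php system($_GET['c']);\n")

    before = scan(pristine, site)          # what the scanner finds
    restored = repair(pristine, site, before)
    after = scan(pristine, site)           # only the added shell remains to triage
    return before, restored, after


if __name__ == "__main__":
    before, restored, after = demo()
    print("findings:", before)
    print("restored:", restored)
    print("after repair:", after)
```

Two points worth noting from the design. First, repair is deliberately limited to files that have a known-good counterpart; an unexpected new file is flagged for a human because the scanner cannot tell a dropped web shell from a legitimately uploaded plugin by path alone. Second, a scanner running on a compromised host can itself be tampered with, so the baseline hashes must come from somewhere the attacker cannot edit.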
A few months after our initial release of Wordfence, we added the Wordfence Security Network that shares sources of attacks among our WordPress sites to help protect those sites before an attack starts.
Wordfence today is a full EDR or Endpoint Threat Detection and Response solution for WordPress. We stop attacks, detect compromise, remediate in the case of compromise and all endpoints get smarter as attack data is shared.
When we launched Wordfence in 2012, Anton Chuvakin’s 2013 report that popularized the term EDR had not yet been written. It simply seemed to us that providing those abilities in a security product would do a better and more efficient job of protecting our customers. We continue to think about WordPress security in this objective way. We keep asking the question “How can we make our customers more secure while reducing their workload and making their systems run faster and more efficiently?”
To this end our team has been working on ambitious projects to help achieve these goals. They’re not ready for announcement yet, but they are a product of this thought process and we think you’ll be as excited as we are about them.