OK, full disclosure - this is one of my pet peeves, so let me get this out of the way right out the gate: in my humble opinion, a server workload is not an endpoint. Sure, they’re all hosts, but what I think of as an endpoint is different in so many ways from a workload, including computing characteristics, their respective role in the cyber security kill chain, not to mention buying centers. Defining an endpoint as broadly as "anything with an IP address" fails to acknowledge these differences. As such, as an industry, we should be mindful to make note of these distinctions when referring to what types of hosts are being secured.
We live in an age of multi-device end-users where mobility rules the day with most of us tethered to a slew of devices – laptops, smartphones, tablets, and now wearables. And, yes, some of us still use desktops. There, that’s a definition of endpoint, and the term that should be secondary in how we talk about such devices because it’s about protecting us, the user, and our data and, as an extension, our devices from intrusion and compromise as an entry point to the real target, workloads and their associated data.
While the macro shift in endpoints is mobility, that sea change in server workloads is API-driven automation where servers went from being virtualized to now also being ephemeral, on-demand entities. (I could have said “cloud” but that’s another rant for another time.) And what about containers? In this context, they’re a higher-level workload abstraction, and clearly not an endpoint. So, let’s put them in the workload family for now, OK? Ah, but pricing for containers, now there’s a fun product management exercise!
OK, fine. So, with those definitions, what’s the big deal, right?
Endpoints are highly variable, while workloads, in contrast, are much more static. How we interact with our end-user computing devices varies widely from day to day making establishing a baseline of normal activity from which one can declare a single deviation an indicator of compromise nearly impossible, hence the preponderance of false positives and the heavy lifting of constant policy tuning associated with applying HIPS to endpoints. And since endpoints are operated directly by human beings, they are an all-too-attractive soft spot for adversaries who prey on our gullibility and browsing habits. This is why advanced threat detection techniques that correlate executable activity with threat intelligence and dynamic analysis (i.e., sandboxing) are being brought to bear to protect end-user computing. Workloads, after all, don’t get spear phished, users do, at least unless an admin does something, well, stupid, and browses or checks e-mail whilst logged into a server, which would be detected and prevented with the appropriate workload security controls. As the entry point, the endpoint hosts the delivered malicious payload staging itself for lateral movement typically to a workload front-ending the data assets of interest.
Workloads in an auto-scaling group are akin to ghosting off a gold image such that workloads that are automatically provisioned on demand have identical configurations. This makes continuously checking system integrity (file system processes, netflow, etc.) an appropriate method for detecting possible compromises as there should not be even a single deviation. As with fixed function systems, such workloads are also an ideal candidates for application control where the finite set of known-good software authorized to run makes whitelist management operationally doable. Additional functional requirements for securing software-defined workloads include being tag-aware for policy assignment, triaging alerts, and reporting, a highly applicable management convention for transient systems, including those in a blue-green cutover scenario, where shelf-life can be oh so short. Doesn’t sound like an end-user device to me. Just sayin’.
Workloads are things of the data center managed by an infrastructure team with DevOps methodologies for cloudy environments, and typically by sys admins for virtual and static environments, although with the advent of hybrid clouds, roles are morphing. In contrast, endpoint security is often the domain of IT Ops, although the use of more sophisticated threat detection and response products is necessitating close collaboration with network security. While new architectures and products are creating a shift in IT organizations, endpoint and workload security connects at the C level strategically, but normally not at the day-to-day operational level.
Calling everything an endpoint fails to recognize the fundamental differences between workloads and end-user devices highlighting the need for appropriate sets of security controls. These controls can, and should, share certain architectural elements for operational efficiency, but should be priced, positioned, and packaged according to the resource being protected.
Wait, what about IoT devices as an endpoint? Yet another rant for another time…