Making Endpoint Devices Moving Targets
Morphisec's unusual take on Windows security.
- By Dan Kusnetzky
I recently had a briefing with Morphisec's Chief Business Officer, Omri Dotan, during which he offered his company's rather interesting take on securing Windows-based endpoint devices. We discussed today's rather serious security and privacy challenges, what most in the industry are doing about them, and why a different viewpoint and the resulting technology address the issue in a new way that is both simpler and less costly.
Today's Windows desktops and laptops pose a difficult security and privacy challenge. The attack vectors are changing and adapting faster than the suppliers of technology, and thus their customers, can keep up. As soon as one attack is discovered, the vendors create a new patch or add something to the knowledge base that drives their security product. It is not long before the black hats learn how to go around the updated security software.
Systems may be penetrated weeks or months before data is stolen or changed. Enterprise IT departments may not discover that their defenses have been breached until long after valuable information has been stolen.
Furthermore, if the attacker has found (or created) user credentials they can use to enter systems, they may be able to simply go around enterprise protection by being seen as "one of their own."
Morphisec points out that enterprises are engaged in "asymmetric warfare: predictable defenses vs. unpredictable attacks." Windows APIs are known and relatively static, and the same is true of most major applications. If an attack can get by their defenses even once, seeds of further penetration are likely to have already been sown.
Similar Security Approaches
Most suppliers of operating systems, applications and security software are using similar approaches to address the constant stream of attacks. Once an attack has been identified, these suppliers determine its signature and behavior and develop heuristics designed to combat it. All it takes is for an attacker to change the attack's approach or, even worse, develop an attack that changes over time (also known as polymorphism); once that happens, the new version of the attack must be discovered all over again.
The cycle repeats itself on a daily basis, making it difficult, if not impossible, for enterprises to keep up even though they're investing heavily in personal firewalls, VPNs and enterprise firewalls, and acquiring tools that use machine learning and predictive analysis to detect anomalies by sifting through operational logs.
A New View
Morphisec has developed a different viewpoint that, the company hopes, will turn things around and put the attackers in a defensive position, rather than the enterprise IT team. Morphisec decided that the reason the attackers succeed is that the environment and its defenses are known and largely static.
What would happen, they asked, if the in-memory environment changed each and every time an application was loaded? Then it would be easy to stop attacks cold, because attackers simply wouldn't know where the important memory structures were.
Outing the Thief
Morphisec has created a small, user-mode dynamic-link library (DLL) designed to load first and then "obfuscate" the process's in-memory environment in ways that allow the application to execute at normal speed but make it impossible to attack in the normal ways. This library also leaves enough of the original environment in place to let an attacker think they have penetrated the system. When a penetration is attempted, the changes are logged and reported, and the attack is trapped.
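To make the mechanism concrete, here is a small Python simulation of the idea described above: a toy process whose table of entry points is re-randomised on every load, with the original, predictable addresses left in place as decoys that log and block anything that lands on them. This is an added illustration written for this article, not Morphisec's code, and it does not model a real Windows loader or DLL; the `STATIC_LAYOUT` table, the address ranges and the `MorphedProcess` class are all constructed for the example.

```python
import random

# Constructed toy model of a process image: a few well-known entry points at
# fixed, published offsets. In a real process these would be the static API
# and data-structure locations the article says attackers rely on.
STATIC_LAYOUT = {
    "VirtualAlloc": 0x1000,
    "WriteProcessMemory": 0x2000,
    "CreateThread": 0x3000,
}


class MorphedProcess:
    """Simulates a process whose in-memory layout is randomised at load time.

    The original (predictable) addresses are kept as decoys. Legitimate code
    resolves its symbols after the morph, so it never touches a decoy; any call
    that does land on one is, by construction, code that assumed the published
    layout. Such calls are logged and blocked instead of executed, which is the
    'trap and report' behaviour the article describes.
    """

    def __init__(self, static_layout, seed=None):
        rng = random.Random(seed)  # seed only so runs are reproducible
        self.decoys = set(static_layout.values())
        # Fresh, non-overlapping addresses that never collide with a decoy.
        candidates = [a for a in range(0x10000, 0x100000, 0x1000)
                      if a not in self.decoys]
        chosen = rng.sample(candidates, len(static_layout))
        self.layout = dict(zip(static_layout, chosen))
        self.trap_log = []  # addresses at which a stale access was caught

    def resolve(self, name):
        """What a well-behaved module does: look the symbol up after the morph."""
        return self.layout[name]

    def call(self, address):
        """Dispatch a call by address and classify the outcome."""
        if address in self.decoys:
            self.trap_log.append(address)  # report: someone used the old map
            return "trapped"
        if address in self.layout.values():
            return "executed"
        return "fault"  # neither live nor decoy: an ordinary bad address


def simulate(seed=1):
    """Load one morphed process and exercise it two ways.

    Returns (legit_results, stale_results, trap_log):
      - legit_results: calls made through load-time symbol resolution
      - stale_results: calls that hard-code the published STATIC_LAYOUT
    """
    proc = MorphedProcess(STATIC_LAYOUT, seed)
    legit = [proc.call(proc.resolve(name)) for name in STATIC_LAYOUT]
    stale = [proc.call(addr) for addr in STATIC_LAYOUT.values()]
    return legit, stale, list(proc.trap_log)


if __name__ == "__main__":
    legit, stale, trapped = simulate(seed=1)
    print("legitimate calls:", legit)   # all "executed"
    print("stale-layout calls:", stale) # all "trapped"
    print("trap log:", [hex(a) for a in trapped])
```

The point the simulation makes is that no signature or heuristic is consulted anywhere: the only thing that distinguishes a trapped call from an executed one is whether the caller learned the layout at load time or assumed the static one. Each new load with a different seed produces a different layout, so knowledge gained from one run does not carry over to the next.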
Dotan suggested this was a bit like making a thief go out into the street and yell to everyone "I'm trying to steal something!" I liked that image.
Morphisec's software has been tested and is known to work properly on Windows 7, 8 and 10 desktops and laptops, and on Windows Server 2008, 2012 and 2016-based servers. Since the magic happens in user mode, the company has seldom had problems with incompatibilities showing up at customer sites.
Morphisec suggests that its customers only need a good antivirus package to protect their applications, combined with Morphisec software, to create an easy-to-use, low-cost and secure environment.
Dan's Take: Efficient Protection
I thought that this approach was very clever and would be likely to work as advertised. IT pros wouldn't have to concern themselves with downloading and installing an ever-changing set of databases of attack vector characteristics.
At the beginning of our conversation, I thought it was somewhat like Bromium's approach of using microvisors to protect applications. As the discussion continued, however, it became clear that my initial impression was wrong. Morphisec's approach is much lighter weight, imposes much less overhead and is far less likely to create incompatibilities, since there isn't a layer -- however small -- of VM software. The performance penalty, if there is one, would be imposed only when an application is loaded into memory. Once the application image has been prepared, there would be no performance penalty during execution.
I really liked the "set and forget" attributes of Morphisec's approach as well. Attacks would simply be stopped cold and the process would be quick and painless for the user.
The only limitation I could see to this approach is that it is, today, Windows-centric and wouldn't be helpful at all for iOS, Android, macOS or Linux-based environments. Many of today's enterprise computing environments contain a mix of PCs, laptops, smartphones and tablets as endpoints.
Morphisec would have to get its technology into the system at the bootloader level, so that all applications would pass through it as they were being loaded into system memory. On iOS and Android, and to a far lesser extent on macOS, the loading software is locked down and under the control of the operating system supplier.
When I asked about this, I was told that the company started work on Linux first and had made the technology work. But Linux-based workstations aren't common in most enterprises (with the exception of developers, academicians, students and researchers), so the company focused on Windows because there's a huge installed base to protect.
Getting the technology into iOS and Android is a bit more difficult because Apple and Google control their platforms. I think this approach could be made to work on those platforms if Morphisec is able to convince those suppliers to allow the technology to be loaded into the OS. I guess we'll all have to wait to see what happens here.
The bottom line is that if your enterprise is concerned about securing Windows-based client and server computing environments, it would be smart to find out what Morphisec is doing.
Daniel Kusnetzky, a reformed software engineer and product manager, founded Kusnetzky Group LLC in 2006. He's literally written the book on virtualization and often comments on cloud computing, mobility and systems software. He has been a business unit manager at a hardware company and head of corporate marketing and strategy at a software company.