Application morphing to deliver endpoint security

The phrase “security by obscurity” usually means someone doesn’t consider themselves a target for malware and cybercrime as they believe no-one would be interested in accessing their systems or stealing their data.

For infosec professionals, it’s the equivalent of sticking your head in the sand and pretending the outside world doesn't exist.

But what if obscurity became a viable defence? Israeli start-up Morphisec has taken this idea to a new level with a novel approach to defeating malware.

By making applications practically invisible while in memory, Morphisec leaves malware with no target.

Chief Business Officer, Omri Dotan, told us Morphisec was focused on answering one question.

“How do we stop the perpetual cat and mouse game of being attacked, defending against it, being attacked again, defending against it – always one step behind the attackers?”

The traditional approach to this has been focused on waiting for attacks to occur and then pushing back. Morphisec’s founders saw a different answer. What if the attackers were facing a moving target?

“By moving the targets before the attackers get there, they don’t find the targets they are seeking,” says Dotan.

Having raised US$8.5M and with 21 employees on the payroll, the start-up has come up with an approach that sounds simple but is very complex to execute.

“All defence products today use the same paradigm. They have a baseline of knowledge. It could be signatures. It can be some learning. They then do continuous detection until they see something. When they see something they compare it to that baseline, whether it’s signatures or AI, to make a decision about whether it looks like an attack and whether to do something about it.”

In contrast, Morphisec changes the attack surface in memory.

When an application executes it stays resident in memory. When a piece of malware reaches the endpoint it looks for vulnerabilities based on where it expects an application to be in memory.

Morphisec’s endpoint protection – the product is currently limited to Microsoft’s Windows client and server platforms – morphs applications as they execute so that when the malware arrives it can’t find a target.

This isn’t application encryption as that is, according to Dotan, a costly and resource hungry activity. The application is moved from where it normally runs to a new location in memory.

In addition, when a piece of malware arrives and looks for an application where it normally resides in memory, Morphisec captures this information and reports it back to the security team.

“Every alert is an attack. There’s no sifting,” says Dotan. “We send only the attack. We give very deep forensics. We get a screen dump of everything that was happening on the computer immediately before and after the attack.”

An advantage of this approach is that many pieces of malware hide this activity at the point of attack. But as Morphisec has already moved the application being attacked away, it’s able to trap the programmatic calls and communication attempts the malware makes.

Part of the appeal, according to Dotan, is Morphisec’s small footprint. Running as a small 1MB service, it uses almost no system resources so there’s no performance impact.

This approach also means systems that are behind on their patching are less vulnerable, according to Dotan. Even if a system is in a state where a known vulnerability is active, a piece of malware that enters the organisation won’t find its expected target.

As a start-up, Morphisec is working to build its place in the market. Rather than seeking to replace its customers’ existing software, Dotan says Morphisec is being installed alongside other endpoint protection tools. As Morphisec’s footprint is so small, this is a viable solution that makes it possible to trial Morphisec without having to decommission current solutions.

Anthony Caruana attended RSA Conference as a guest of RSA Corporation
