Randomized Rethinking of AV

The 1973 Chevrolet Impala has a unique history: Originally a top-seller for GM during the waning years of Nixon's Administration, the full-sized vehicle surged in retro-interest during the 90s when it appeared as Kramer’s car on Seinfeld. This seems less noteworthy, however, than the fact that it was also one of the first cars to include an airbag. This design decision was much debated within GM, however, because airbags emphasized crashes over speed.

Standard inclusion of airbags in cars brings to mind familiar debates about Windows security. That is, for as long as one's mind can travel back, the canonical approach for consumers has been to purchase a Windows PC, remove its stickers, and then decide whether to install anti-virus software from some non-Microsoft vendor. This add-on decision, of course, was not automatic, because anti-virus software is no fun to maintain.

Well – with the rollout of Windows Defender, the decision process for third-party anti-virus software is now changing. Microsoft’s new embedded security software evolved from a downloadable spyware removal program for XP into a comprehensive anti-malware solution built into Windows 10. The software scans for malware in real-time, and early reviews are positive. Defender looks to be excellent at dealing with traditional viruses.

Embedded security and Windows Defender came up today during a technical review with Ronen Yehoshua, CEO of Morphisec. Founded in 2014, with offices in Israel and Boston, Morphisec offers a preventive capability that complements traditional anti-virus. Yehoshua offered a view of how Windows (and Linux) users might extend their standard protection with Morphisec’s implementation of a technique called Moving Target Defense.

“With the emergence of Windows Defender for Windows 10, users will migrate from paying for PC anti-virus to a new situation where they will be looking for opportunities to invest the savings from using Microsoft’s standard solution,” Yehoshua explained. “The Morphisec preventive control is the perfect complement to Windows Defender, especially in the area of stopping unknown, zero-day, fileless, and other evasive malware threats.”

Morphisec mitigates unknown threats using a memory management technique called Moving Target Defense. The method stops threats from using legitimate memory resources by morphing and randomizing not only addresses, as traditional address space layout randomization (ASLR) does, but also the process's run-time memory structures, tables, and other resources.

The goal of Morphisec's implementation of Moving Target Defense is to prevent memory-based attacks by denying the attacker the use of the memory resources on the targeted system. Such extensive memory scrambling makes it much harder for an attacker to penetrate the system and execute malware. It provides zero-day protection without the need for signatures and other less accurate security methods.
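The two paragraphs above contrast Morphisec's randomization of run-time memory structures with traditional ASLR. Before layering anything on top of that baseline, a defender usually wants to know whether a given Windows binary even opts into ASLR. The script below is an added example, not code from the article or from Morphisec: it parses the PE headers directly (offsets follow the PE/COFF specification) and reports the `DllCharacteristics` mitigation flags. It also checks the COFF `IMAGE_FILE_RELOCS_STRIPPED` flag, because an image whose relocations were stripped cannot be rebased by the loader even if it asks for a dynamic base. The `build_sample_pe` helper is assumed for offline testing; it fabricates header-only images that are constructed samples, not loadable binaries.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flags (optional header, offset 70)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with the full address range
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # DEP / no-execute compatible
GUARD_CF = 0x4000          # Control Flow Guard instrumented

# IMAGE_FILE_RELOCS_STRIPPED (COFF file header Characteristics)
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Return the load-time mitigations a PE image declares in its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    (_machine, _nsect, _ts, _symptr, _nsym,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")

    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "guard_cf": bool(dll_chars & GUARD_CF),
        "relocs_stripped": relocs_stripped,
        # ASLR only takes effect if the loader can actually relocate the image
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_sample_pe(magic: int, dll_chars: int, coff_chars: int = 0) -> bytes:
    """Constructed header-only image for offline tests (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> right after DOS header
    opt_size = 240 if magic == 0x20B else 224
    machine = 0x8664 if magic == 0x20B else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Audit a real PE file on disk."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


if __name__ == "__main__":
    # Usage: python pe_aslr_check.py <file.exe|file.dll> ...
    for p in sys.argv[1:]:
        m = check_file(p)
        verdict = "ASLR ok" if m["aslr_effective"] else "NO effective ASLR"
        print("%s: %s (dynamic_base=%s relocs_stripped=%s high_entropy=%s nx=%s cfg=%s)" % (
            p, verdict, m["dynamic_base"], m["relocs_stripped"],
            m["high_entropy_va"], m["nx_compat"], m["guard_cf"]))
```

The `aslr_effective` field is the one worth acting on: a binary that sets `DYNAMIC_BASE` but has `RELOCS_STRIPPED` in the COFF header will load at its preferred base every time, which is exactly the fixed layout that memory-based attacks rely on.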

“The advantages of using this new approach to randomization are many,” explained Yehoshua. “First, the technique is perfect for dealing with unknown zero-day and fileless threats, which are less easy to prevent using traditional anti-virus methods such as Windows Defender. Second, the method can be implemented in a lightweight 2MB user mode agent that imposes virtually zero impacts on PC, VDI, and server protections.

“The greatest benefit, however, is that our extended randomization perfectly complements the signature and behavioral focus of Windows Defender, or any other type of popular anti-malware solution – and this goes for both Windows and Linux. We now have many customers who have adopted Defender for PCs, and then invested their AV savings into the Morphisec solution to focus on improving prevention of all forms of malware.”

I asked Yehoshua about Morphisec’s go-to-market platform strategy. What I learned is that the company offers a so-called Unified Threat Prevention Platform that includes the various functions customers have requested. This includes protection of endpoints such as desktop, laptops, VDI, and hybrid cloud workloads, such as servers running Windows or Linux. The protection in each case is based on the preventive method discussed above.

From an analyst perspective, it is hard to find much weakness in either the technical or marketing messages provided by Yehoshua. I spent a couple of hours this evening reviewing as many Windows PC security strategy resources as I could find, and Defender certainly looks like it is evolving into a winner. The idea that Morphisec complements this standard, embedded solution with its memory protection approach thus seems well-timed.

If you are rethinking your enterprise anti-malware strategy for PC, VDI, or server endpoints, then a call to Morphisec seems like a great idea. Ask to see how their new randomization algorithms work, and how the company can help integrate security management of both Windows 10 and Windows 7. As with airbags in cars, I suspect this idea of embedding AV from Microsoft and then complementing it with additional controls will become our new norm.

As always, after your meeting, please share with us what you learn from Morphisec.