​Application morphing to deliver endpoint security

The phrase “security by obscurity” usually means someone doesn’t consider themselves a target for malware and cybercrime as they believe no-one would be interested in accessing their systems or stealing their data.

For infosec professionals, it’s the equivalent of sticking your head in the sand and pretending the outside world doesn't exist.

But what if obscurity became a viable defence? This is the approach Israeli start-up Morphisec has taken this to new level with a novel approach to defeating malware.

By making applications practically invisible while in memory, malware has no target.

Chief Business Officer, Omri Dotan, told us Morphisec was focused on answering one question.

“How do we stop the perpetual cat and mouse game of being attacked, defending against it, being attacked again, defending against it – always one step behind the attackers?”.

The traditional approach to this has been focused on waiting for attacks to occur and then pushing back. Morphisec’s founders saw a different answer. What if the attackers were facing a moving target?

“By moving the targets before the attackers get there, they don’t find the targets they are seeking,” says Dotan.

Having raised US$8.5M and with 21 employees on the payroll, this start up came up with an approach that sounds simple but is very complex to execute.

“All defence products today use the same paradigm. They have a baseline of knowledge. It could be signatures. It can be some learning. They then do continuous detection until they see something. When they see something they compare it to that baseline, whether it’s signatures or AI, to make a decision about whether it looks like an attack and whether to do something about it”.

In contrast, Morphisec changes the attack surface in memory.

When an application executes it stays resident in memory. When a piece of malware reaches the endpoint it looks for vulnerabilities based on where it expects an application to be in memory.

Morphisec’s endpoint protection– the product is currently limited to Microsoft’s Windows client and server platforms – morphs applications as they execute so that when the malware arrives it can’t find a target.

This isn’t application encryption as that is, according to Dotan, a costly and resource hungry activity. The application is moved from where it normally runs to a new location in memory.

In addition, when a piece of malware arrives and looks for an application where it normally resides in memory, Morphisec captures this information and reports it back to the security team.

“Every alert is an attack. There’s not sifting,” says Dotan. We send only the attack. We give very deep forensics. We get a screen dump of everything that was happening on the computer immediately before and after the attack”.

An advantage of this approach is many pieces of malware hide this at the point of attack. But as Morphisec has already moved the application being attacked away, it’s able to trap the programmatic calls and communication attempts the malware is attempting.

Part of the appeal, according to Dotan, is Morphisec’s small footprint. Running as a small 1MB service, it uses almost no system resources so there’s no performance impact.

This approach also means systems that are behind on their patching are less vulnerable, according to Dotan. Even if a system is in a state where a known vulnerability is active and a piece of malware that enters the organisation won’t find its expected target.

As a start-up, Morphisec is working to build its place in the market. Rather than seeking to replace existing software with their customers, Dotan says Morphisec is being installed alongside other endpoint protection tools. As Morphisec’s footprint is so small, this is a viable solution that makes it possible to trial Morphisec without having to decommission current solutions.

Anthony Caruana attended RSA Conference as a guest of RSA Corporation