For the first time, Automated Moving Target Defense (AMTD) has been included in the 2023 Gartner Hype Cycle for Endpoint Security as a technology in the ‘on the rise’ category. Morphisec is named as a Sample Vendor in the AMTD category. “This Hype Cycle illustrates the most relevant innovations in the endpoint security space to assist security leaders in planning adoption and implementation of emerging technologies. Endpoint security innovations focus on faster, automated detection and prevention, and remediation of threats powering integrated, extended detection and response (XDR) to correlate data points and telemetry from solutions such as endpoint, network, web, email and identity.” As Gartner indicates, “Businesses need cutting-edge solutions to defend endpoints against attacks and breaches.”
Historically, endpoint security has focused on detection and response technologies. “AMTD shifts from ‘detect and respond’ to ‘proactive deception and unpredictable change’ to make it tougher for attackers to exploit vulnerabilities in a targeted IT environment.” As a preventative solution, we believe AMTD’s inclusion in the report signals a tectonic shift in the industry and recalibrates endpoint security best practice recommendations. Here’s why.
Threats are becoming more sophisticated—and more evasive
Detection and response technically started with the introduction of anti-virus (AV) software. AV conducted static assessments of binaries and files to ascertain their alignment with known malware.
Next-generation anti-virus (NGAV) software and endpoint protection platforms then introduced dynamic analysis, which entailed the execution of files within a confined environment while monitoring their behavior.
The next innovation in endpoint security introduced the industry’s current class of EDR and extended detection and response (XDR) technologies, and managed detection and response (MDR) services. These offerings use behavioral analysis to monitor the execution of processes on a computer, intercept critical functions and investigate to gain real-time insights into behavior. This approach scrutinizes not only the binary, but also the contextual factors surrounding the execution.
Today, NGAV, EDR and XDR provide the baseline security to detect and respond to signature-based and known threats. However, sophisticated and undetectable threats, including in-memory, fileless and ransomware attacks, increasingly bypass traditional security controls like NGAV and EDR, and now account for 30 percent of attacks detected in the wild.
Recent examples include a new variant of Chaes Malware targeting financial and logistics companies; GuLoader, an advanced threat targeting legal and investment firms in the US; and InvalidPrinter, a highly stealthy loader that had zero detections on VirusTotal for an extended period.
According to the Gartner report: “AMTD technologies have emerged that are capable of delivering new value in defending against the backdrop of an overemphasis on detection and response strategies that are failing to prevent breaches.”
Obfuscation and polymorphism powered by AMTD can repel attacks
Attackers invest heavily in reconnaissance to uncover vulnerabilities and exploitation opportunities. They use sophisticated techniques like fileless malware and in-memory attacks to conceal behaviors and evade detection.
Defenders can apply similar tactics using AMTD technology to dismantle attacks before they even begin. AMTD borrows proven military strategy that a moving target is harder to “hit” than a stationary one. In the realm of cybersecurity, AMTD deploys tactics that choreograph shifts or alterations within IT environments spanning the attack surface. This polymorphism-based approach serves to heighten the level of unpredictability and intricacy faced by potential attackers.
In a never-ending cyber arms race, attackers will leverage AI to generate threats capable of bypassing AI-based protection solutions. Generative AI further increases attack sophistication, speed and scale, so security leaders must look to harden defenses with proactive and preventative technology that precedes reactive and resource-heavy detection and response solutions (read “Outsmarting Generative-AI Attacks” to learn more). It’s time for a paradigm shift. As Gartner indicates, “AMTD helps average companies combat emerging AI threats. AMTD is an alternative for organizations when they do not have the budget, staff or time for using AI.”
Security team efforts must be prioritized with high-fidelity alerts
As complex and undetectable threat vectors (like the aforementioned fileless, in-memory and zero-day-based techniques) bypass traditional security controls and detection and response technologies, breach risk and alert fatigue ensue.
Unknown and undetectable attacks account for a growing number of breaches, with more than 30 percent missed by AV and EDR systems. In response, IT and security teams set detection system alert models to their highest settings to flag anomalous behavior. But these settings negatively impact system performance and produce high volumes of alerts, which now account for roughly 40 percent of total notifications.
Security teams are drowning in false positive alerts and time-intensive alert investigations. This was the case for TruGreen, a nationwide lawn care and treatment services provider. TruGreen used a multi-layered security model, yet they weren’t confident it could protect them against evasive attacks. It had significant performance overhead and created high volumes of false-positive alerts, requiring hours of team analysis every day. The team needed an operationally efficient solution with negligible performance impact.
Morphisec helped TruGreen slash false positives by 95 percent; principal security architect Dale Slawinski noted: “With our previous security platform, we used to get as many as fifty alerts each day. Now (with Morphisec AMTD) we get maybe one or two.”
Morphisec's deterministic mechanism creates high-priority, high-fidelity alerts that help security teams prioritize remediation efforts. Morphisec prevents an attack by stopping it cold and killing the malicious process, buying security teams time. With Morphisec AMTD the malicious process is no longer active; by comparison, EDR technology may only create an alert while the malicious processes are still active.
Adopting a preventative approach to security with AMTD
Coupling current endpoint security solutions together with AMTD is the next evolution of cybersecurity and a must for organizations to defend against the evolving threat landscape, particularly when it comes to safeguarding legacy systems. As new integrations layer on top of old servers and devices, the attack surface widens, and so too do the risks associated with legacy IT.
In often unpatchable legacy systems, even well-known attack vectors such as Internet Explorer vulnerabilities are still causing data breaches. For example, in 2021 18% of attacks utilized vulnerabilities that were disclosed in 2013 or earlier. With Windows 7 and 8 having left support since then, this figure is likely to be much higher now.
Automated Moving Target Defense (AMTD) is a proven response to the challenge of securing legacy systems. It overcomes endpoint security's architectural, technological, and cultural challenges by preventing rather than reacting to threats.
Through an extremely lightweight (6MB) agent, Morphisec's AMTD morphs runtime memory when a system is in use. It reduces the legacy attack surface by moving system assets and leaving decoys in their place.
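The two ideas above, a moving target that is relocated per session and a decoy left at the well-known location that produces a deterministic alert, can be illustrated with a small simulation. The code below is an added example written for this page; it is not Morphisec's agent or its algorithm, and the class, asset names and alert shape are constructed for illustration. The point it demonstrates is why such alerts are high-fidelity: legitimate code is handed the relocated handle at startup, so any access to the static location can only come from something that did not go through the trusted path.

```python
"""Toy moving-target defense (constructed illustration, not Morphisec's code).

Each session places a sensitive asset at an unpredictable location and leaves
a decoy at its canonical, well-known location. Legitimate callers receive the
relocated handle at startup; touching the decoy is deterministically
suspicious, so it is blocked and raises a single high-fidelity alert.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Alert:
    kind: str        # constructed alert type, e.g. "decoy_access"
    asset: str       # canonical asset name that was probed
    location: str    # the decoy location that was touched
    blocked: bool = True


class MovingTargetRuntime:
    """Holds assets under per-session randomized locations; the canonical
    (static) location is replaced by a decoy that trips an alert."""

    def __init__(self, assets: Dict[str, str]):
        self._real: Dict[str, str] = {}     # randomized location -> asset value
        self._handles: Dict[str, str] = {}  # canonical name -> randomized location
        self._decoys: Dict[str, str] = {}   # canonical location -> asset name
        self.alerts: List[Alert] = []
        for name, value in assets.items():
            # Fresh random suffix per session: the asset's location cannot be
            # learned from documentation or from a previous run.
            loc = f"{name}@{secrets.token_hex(8)}"
            self._real[loc] = value
            self._handles[name] = loc
            self._decoys[name] = name   # decoy occupies the static location

    def handle_for(self, name: str) -> str:
        """Trusted startup path: hands legitimate code the relocated handle."""
        return self._handles[name]

    def access(self, location: str) -> Optional[str]:
        """Resolve a location. Real handles succeed; the static location is a
        decoy: record an alert and block the access by returning None."""
        if location in self._real:
            return self._real[location]
        if location in self._decoys:
            self.alerts.append(Alert("decoy_access", self._decoys[location], location))
            return None
        raise KeyError(location)


def simulate(asset_name: str = "config_secret", value: str = "s3cr3t") -> dict:
    """Run one session: a trusted caller using its handle, a caller hard-wired
    to the static location, and a second session to show the layout moved."""
    rt = MovingTargetRuntime({asset_name: value})
    legit = rt.access(rt.handle_for(asset_name))  # relocated handle works
    probe = rt.access(asset_name)                 # static location is the decoy
    other = MovingTargetRuntime({asset_name: value})
    return {
        "legit_ok": legit == value,
        "probe_blocked": probe is None,
        "alerts": len(rt.alerts),
        "layout_differs": rt.handle_for(asset_name) != other.handle_for(asset_name),
    }


if __name__ == "__main__":
    print(simulate())
```

Two properties carry the argument of the text. First, the relocated handle differs between sessions, so knowledge gathered in reconnaissance against one run does not transfer to the next. Second, the decoy is never used by legitimate code, so a decoy access is not an anomaly score to be tuned but a deterministic signal, which is why it does not add to the alert-fatigue problem described earlier.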
Here are a few additional benefits for IT or security leaders considering AMTD:
- Defense in depth—All organizations face increased risk of ransomware, supply-chain zero-day and fileless attacks; polymorphic defense hides exploits from polymorphic attacks.
- Operational efficiency—AMTD addresses legacy security concerns and is fully compatible with the NGAV, EDR and XDR technologies you already use, without needing additional staff or performance resources to run it.
- Reduced spend—By stopping attacks before they begin, AMTD reduces false positive alerts, thereby reducing IT support tickets and staffing requirements to triage and analyze alerts.
According to the CISO at a leading US-based hedge fund, “Morphisec provides novel in-memory protection technology that’s low maintenance and needs little overhead. Within our tech stack, Morphisec requires the least amount of care and maintenance—it’s exceptional protection with sweet ROI.”
AMTD technology marks the next evolution in cybersecurity. Unlike detection and response technology, it’s focused on prevention and stopping attacks before they can even begin. Schedule a demo today and see why more than 7,000 companies trust Morphisec to secure over 9 million endpoints and servers.
Gartner, Hype Cycle for Endpoint Security, 2023, Franz Hinner, Satarupa Patnaik, Eric Grenier, et al, 1 August 2023
GARTNER and HYPE CYCLE are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.