Four Fundamentals in Building a Security Stack

Posted by Omri Dotan on August 27, 2018

Cybersecurity is an enormous investment, and mistakes carry even more enormous consequences. To build an optimal security stack you need to balance residual risk against the total cost of ownership (TCO) of the stack, while keeping disruption to operations to a minimum.

Unfortunately, we have reached an impasse. In today’s security landscape, the incremental risk reduction provided by each additional layer has an exponentially diminishing return in an already bloated and expensive stack. For far too long we have looked at the problem through the same eyes: build a business case for each solution or tool we add, again and again and again, with little consideration for optimizing the stack as a whole. I suggest a different premise: focus on balancing residual risk, TCO and business disruption with smartly built security stacks based on a new set of criteria.

Certainly, each organization has its own unique security and business requirements, and there are many “right” decisions. Nevertheless, whether for a multinational enterprise or a smaller business, creating this right balance and maximizing the effectiveness and efficiency of a stack comes down to four fundamental principles: time, vectors of attack, simplicity and ROI. Any tool should be evaluated against these criteria, in the context of building an optimal stack.

Time

By the time a zero-day or new fileless attack is detected, it could have been out there for days or months. The ultimate prevention, conceptually, happens before an attack is ever conceived. Industry research indicates that, on average, attackers move from the initial compromised endpoint (machine zero) to other machines in the network, or escalate privileges, in just two hours. Time zero + 2 hours – that was enough for WannaCry, CCleaner and other attacks to take down companies wholesale. To keep safe, organizations must terminate attacks in the first couple of minutes. Yet according to a Ponemon Institute study, mean dwell time – the amount of time an attacker lurks in an environment before being detected – is 191 days! Given that there is a direct relationship between the time an organization takes to contain a breach and the cost of that breach, the earlier you can stop an attack, the better.

Vectors of Attack

All existing detection-based security products – regardless of their respective technology: signature, behaviour, AI, ML, etc. – focus on identifying, analyzing and then stopping individual pieces of malware. In fact, one vaunted measure of assessment is how many millions of malware samples a solution stops. This is an irrelevant measure and an unimpressive approach. Regardless of the number of malware families and their variants, attacks occur via a finite set of pathways and vectors.

In order to evade detection-based products, attack frameworks usually end up leveraging something in memory. Focusing on dismantling the memory pathways through which malware eventually arrives is far more effective than hunting each specific malware sample and variant. To borrow from war, destroying the bridge an army will cross is far more effective and immediate than hunting and destroying each soldier in that army (the standard security approach).

There are known vectors for known types of malware – these are currently well protected by perimeter defense, access management and signature-based AV. Then there is the rapidly growing world of unknown attacks, which needs to be addressed by innovative memory protection. Given that no single solution can address all vectors, a smart stack would categorize the key vectors and apply the right tool to each one.

Simplicity in security stack

It’s a false assumption that a more complex solution offers better protection. That assumption is born of the failure of security solutions to stop the bad guys, leading to ever more incremental layers of detection, each a single point of failure, all combining into an overwhelming IT and security nightmare. And the most frustrating part is that this massive, unwieldy stack still can’t address the unknown unknowns. CISOs are left with high residual risk in the form of millions of unpatched vulnerabilities and unknown vectors. If a product takes too long to implement and configure, requires too many resources to operate properly, creates business and user disruptions and a profusion of useless telemetry, then you have built a very complicated environment.

A recent survey by ESG found that 25% of cybersecurity and IT professionals say their security teams spend too much time responding to and investigating alerts, many of which are false alarms. Simplicity of deployment, maintenance and operations, and minimal disruption to users and the business, are key metrics in your stack-building journey. This brings us to the fourth aspect, return on investment.

ROI

Unless your organization has an unlimited budget and doesn’t care about capital and IT resources, total cost of ownership is always an issue. The more complex a solution, the higher the associated labor costs. The heavier and more intrusive the solution, the greater the costs in terms of CPU power and worker productivity. The more erroneous telemetry, the less vigilant a company becomes. And then we have to add the costs of business disruptions, damage from breaches by unknown advanced attacks, GDPR penalties, etc. This is true for large enterprises, but it is especially true for the 80% of businesses in the world that are confronted with regulations and advanced attacks yet have limited financial and human resources for IT security.

“Security has no ROI” is a false tenet. If we define ROI in terms of the total reduction in costs of ownership, costs of disruption to the business and costs of residual risk (i.e. the potential cost of exposure), then we can build an optimal stack that will run at 20% of today’s TCO and have 50% lower residual risk, with little to no disruption. That would be the holy grail. Is it possible? A sound approach to security would seek to find that combination.

How Does Morphisec Measure Up?

Morphisec took into account all four of these principles when developing its Moving Target Defense technology. Morphisec works alongside more traditional protection layers such as Perimeter, Access Management and AntiVirus as part of an overall defense-in-depth posture.

  1. Time – Morphisec stops threats at the very earliest stages, reducing the prevention time for unknown attacks to zero – days, weeks and months before any existing detection-based product does.
  2. Vectors of Attack – Morphisec uses Moving Target Defense (MTD) to prevent the most evasive attacks stemming from memory exploitation, vulnerability exploitation, lateral movement and more, by focusing on “closing” the complete attack vector and “dismantling” the kill chain’s delivery mechanism, rather than focusing on hunting attacks and attackers. In addition, because Morphisec handles the unknown unknowns deterministically at time zero, it not only reduces a company’s residual risk to unprecedented levels, 50% lower than today, but also keeps the unknown risk at a constant low level.
  3. Simplicity – Morphisec is a “set and forget” product that is not only simple to deploy but generates no alerts to investigate or chase, requires no database, prior knowledge or updates, and does not consume any resources. It plays very nicely in IT environments with a slim 2 MB user-mode service.
  4. Return on Investment – Morphisec significantly reduces the capital costs of the current detection-based security stack and cuts its TCO by more than 70%. It also reduces agent bloat by simplifying the stack.

To learn more about building an optimal endpoint security stack, contact a Morphisec expert today.