Legacy Microsoft operating systems (OSs) will probably be with us until the universe’s heat death. OS usage statistics show the total market share of legacy operating systems is still above 10 percent. With the total Windows installation base of 1.3 billion, roughly 150 million endpoints are still running legacy operating systems.
Hundreds of thousands of organizations have endpoints and servers powered by an out-of-support OS. If you are in manufacturing, finance, healthcare, or education, you’re probably highly aware of the security issues that come with legacy systems.
A recent SANS Institute survey found 54.3 percent of companies report one of their biggest security challenges is integrating legacy technology with modern ICS and OT systems.
Legacy IT Systems’ Risks
Many companies also face cultural resistance to removing legacy applications from their environments: the "If it ain't broke..." fallacy.
Legacy environments can continue to function perfectly well; that's how they become legacy in the first place. For many corporate decision-makers looking at the costs of migration, it can make sense to keep out-of-date systems in place for as long as possible.
Unfortunately, the risks of hosting legacy IT systems compound over time, as evidenced by the continued appearance of vulnerabilities in defunct operating systems. Windows 7, for example, had over 43 CVEs published in 2023 after it entered “end of life,” while Windows Server 2008 had 95 CVEs.
Legacy applications such as defunct versions of Microsoft Office or custom business applications expand the attack surface. Older applications are a gold mine for threat actors, and their vulnerabilities can be recycled into new exploits long after their discovery. For example, an obscure 2004 Apache Web server CVE was exploited for crypto mining. Hardware aspects of legacy systems, such as unpatched BIOS firmware, add to this risk.
Modern systems aren’t perfect. But in general, the older a system or application is, the smoother the path to compromising an organization becomes.
The Legacy IT Security Challenge
Legacy Windows systems lack the security architecture that EDRs need for visibility into the operating system and inter-process communication. Specifically, older operating systems offer limited Event Tracing for Windows (ETW) telemetry and lack the anti-exploitation features common to modern systems, such as the Antimalware Scan Interface (AMSI), Control Flow Guard (CFG), and Arbitrary Code Guard (ACG).
This lack of visibility significantly limits an EDR's detection capabilities on these hosts. From a prevention standpoint, many EDRs rely on Microsoft Defender AV for baseline protection, including Microsoft’s signature and machine learning-based detection, threat intelligence, and response capabilities. But Defender AV was only released with Windows 10 in 2015, so EDRs running on pre-2015 Windows systems offer limited prevention capabilities. From a compute perspective, legacy systems have OS design limitations and usually cannot run advanced security solutions like endpoint protection platforms (EPPs) and endpoint detection and response (EDR) tools at all.
As a result, legacy systems are often only protected by basic, outdated antivirus (AV) solutions. For organizations that otherwise rely on advanced EDRs to protect their newer systems, this creates a highly inconsistent attack surface.
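As an added example (not Morphisec's code and not from the webinar), the following read-only PowerShell check reports which of the gaps just described apply to a given Windows host: an out-of-support build, no AMSI, CFG/ACG not enforced, and no Threat-Intelligence ETW provider for EDR telemetry. The build threshold and the provider name are assumptions drawn from public Microsoft documentation, and the exploit-protection cmdlets only exist on Windows 10 1709 and later, which the script treats as a finding in itself.

```powershell
# Added example: inventory the security gaps of a (possibly legacy) Windows host.
# Read-only; run in an elevated PowerShell session on each endpoint or server.
# Thresholds and provider names below are assumptions, not values from the article.

# Get-WmiObject still works on PowerShell 2.0, which Windows 7 / Server 2008 R2 ship with.
$os = Get-WmiObject -Class Win32_OperatingSystem
$build = [int]$os.BuildNumber
$findings = New-Object System.Collections.ArrayList

# Assumption: anything older than Windows 10 / Server 2016 (build 10240) is treated
# as out of support here; adjust the cut-off to your own support policy.
if ($build -lt 10240) {
    [void]$findings.Add("Out-of-support OS build $build ($($os.Caption))")
}

# AMSI ships with Windows 10 / Server 2016 and later; without amsi.dll, script
# content (PowerShell, VBScript, macros) is invisible to AV/EDR scanners.
if (-not (Test-Path "$env:SystemRoot\System32\amsi.dll")) {
    [void]$findings.Add("AMSI not present: script content is invisible to AV/EDR")
}

# CFG and ACG (the 'DynamicCode' mitigation) can only be inspected and enforced
# through Get-ProcessMitigation, available on Windows 10 1709 and later.
if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
    $m = Get-ProcessMitigation -System
    if ($m.CFG.Enable -ne 'ON')         { [void]$findings.Add("CFG not enforced system-wide") }
    if ($m.DynamicCode.Enable -ne 'ON') { [void]$findings.Add("ACG (DynamicCode) not enforced system-wide") }
} else {
    [void]$findings.Add("Exploit-protection cmdlets unavailable: CFG/ACG cannot be configured on this build")
}

# Assumption: the Microsoft-Windows-Threat-Intelligence ETW provider that modern
# EDR sensors subscribe to is registered only on Windows 10 / Server 2016 and later.
$providers = logman query providers 2>$null
if (-not ($providers | Select-String -SimpleMatch 'Microsoft-Windows-Threat-Intelligence')) {
    [void]$findings.Add("ETW Threat-Intelligence provider missing: limited EDR telemetry")
}

if ($findings.Count -eq 0) {
    "No legacy security gaps detected on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "[$env:COMPUTERNAME] $_" }
}
```

Collecting the output from every host into your asset inventory turns the "inconsistent attack surface" described above into a concrete list of machines and missing controls.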
To address these challenges, Morphisec conducted a webinar with Microsoft expert Adam Gordon from ITProTV. We discussed:
- The security risks of running legacy systems
- Which is a greater legacy challenge—endpoints or servers
- Why it’s so difficult to migrate legacy endpoints to modern operating systems
- Why traditional EPP and EDR tools struggle to protect legacy systems
- Practical recommendations for improving legacy systems’ security posture
Watch the webinar for useful insights!

Legacy Linux, which powers many essential workloads, is even more of a problem. Few security solutions can protect Linux environments against advanced threats. Fewer still can protect legacy Linux systems.
Secure Legacy IT Systems With Automated Moving Target Defense
Legacy systems are low-bandwidth environments that lack the OS architecture and computing power to support scanning-based security solutions like next-generation antivirus (NGAV), EPP, and EDR/XDR.
However, Morphisec's Automated Moving Target Defense (AMTD) can secure Windows and Linux legacy systems against advanced cyberattacks like fileless attacks, in-memory attacks, ransomware, and supply chain attacks. At 6MB, Morphisec is light enough to run on a Raspberry Pi, needs no updates for signatures or indicators of compromise, doesn’t rely on visibility capabilities legacy operating systems lack, and because it doesn’t require an internet connection, can even secure air-gapped systems.
Morphisec's AMTD works by morphing the runtime memory environment, moving system assets and leaving decoys in their place. Trusted system processes can run without issue, hidden from attackers, while any code that tries to engage with a decoy is trapped for forensic analysis. Gartner is calling AMTD “... an emerging game-changing technology for improving cyber defense."
Morphisec stops advanced threats in legacy systems without prior knowledge or performance impact to deliver highly effective protection for legacy Windows and Linux operating systems. To learn more, read the free white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy.