ON-DEMAND WEBINAR: Morphisec's Top 10 Security Predictions - Outlook into 2024
arrow-white arrow-white Watch now

Don’t Secure Linux Servers With Windows Solutions

Posted by Bill Reed on June 21, 2022
Find me on:

Shoe shops and security operation centers have something in common. One size fits all solutions are not a great idea in either area. Unfortunately for security professionals trying to secure Linux servers, purpose-built Linux solutions are frustratingly hard to come by.

Even solutions marketed as protecting Linux servers are not purpose-built to defend against advanced threats like ransomware and targeted malware. This is partly due to a lack of awareness among vendors and customers. The myth that “Linux doesn't need antivirus” is still common. And unfortunately, solutions developed for Windows environments don’t fully cover the attack surfaces created by Linux server deployments—regardless of what a vendor’s marketing material says. 

(For a deep dive, read the white paper—Linux Servers: How to Defend The New Cyberattack Frontier.)

Linux and Windows Servers Now Face a Similar Threat Level 

The Linux kernel might have a historic reputation for being more secure than Windows. But building layered security on Linux servers has become critical since the Covid-19 pandemic shifted almost all white collar work to home offices that rely on cloud and web applications that are overwhelmingly powered by Linux.

This is obvious just by looking at the growing volume of threats targeting Linux. In 2021, there were 35 percent more attacks on Linux servers than in 2020. Just as worrying is the growing variety of threats either ported to Linux or specifically targeted at Linux servers. There are over 500 distributions of Linux in use today. But the world’s reliance on open-source operating systems means it now makes sense for threat actors to invest time and resources in creating Linux-focused malware. 

The increasingly target-rich Linux environment has shifted threat actor priorities. There were over five times more Linux-focused strains discovered in 2020 than in 2010. Newer programming languages such as Go also make compiling cross-platform malware easier. As a result, Linux servers increasingly face the same advanced threats as their Windows counterparts, including LockBit ransomware and hacked versions of Cobalt Strike. Linux specific threats like ExtraBacon exploits, Golang-based Spreader, QNACrypt ransomware, and Silex malware are highly evasive and bypass signature- and behavior-based antivirus. 


Linux attack surfaces are also growing, from misconfigurations to confusion over where security responsibilities lie during cloud deployments. Even when security teams proactively harden Linux servers to avoid common misconfiguration issues, the fundamental issue of Linux vulnerabilities remains a growing problem. A 2021 Trend Micro report found threat actors targeted 200 Linux vulnerabilities in one six month period.

Windows software does not have the same volume of eyeballs searching for bugs that Linux does. But as more applications are developed to run on Linux, more vulnerabilities are overlooked. There are over 100 bug fixes to the Linux stable kernel each week. So teams working to secure Linux servers already face difficult patching choices. Most opt to prioritize using MITRE’s CVE list. But with Linux CVE reporting significantly delayed, vulnerabilities inevitably end up missed, compounding organizations’ breach risk.

Windows Security Controls Don't Fit

All this means prioritizing Linux server security is increasingly important. However, even when security teams invest time to shut down attack vectors and reduce access routes with solutions such as endpoint detection and response (EDR), on their own, these kinds of detection-based solutions don’t stop human-operated Linux threats like RansomExx


Against increasingly targeted, advanced threats, Linux servers urgently need another layer of defense. Critically, organizations need a solution that mitigates the risk of Linux-focused vulnerabilities while also defeating advanced threats like ransomware before they can deploy. 

Solutions developed for Windows can’t do this. Unlike Windows server environments, Linux operating environments keep resource use at the bare minimum. This leaves little space for security solutions that require constant scanning to work. But solutions like EDR and traditional and next-generation antivirus (NGAV) are major resource-hogs that negatively impact end-user performance. 

To avoid false positive alert overload, most tools used to protect Linux are down-tuned by vendors and security teams to the point where they increase breach risk. 

Due to different processes, control systems, and applications, Linux cloud deployments don’t fit the Microsoft mold of cloud workload protection.


With resources at a premium and a large part of risk coming from vulnerabilities—many of which are unknown, the traditional paradigm of signature-based defense is incompatible with Linux servers’ security needs. Instead of relying on recognizable threat signatures, a fit-for-purpose Linux security solution will make both on-premise and cloud Linux instances safe against advanced threats. 

Secure Linux Servers with Morphisec Knight 

Morphisec Knight for Linux is purpose-built from the ground up to protect  Linux servers. It works as a lightweight, deterministic solution to magnify the Linux kernel's inherent security advantages. Morphisec Knight doesn’t waste network or server resources hunting for threats. It doesn’t need signatures or machine learning to recognize threat behaviors. Instead, Knight uses patented, revolutionary Moving Target Defense (MTD) technology to proactively prevent advanced attacks against servers in on-premise, public, private, and hybrid cloud Linux environments. 

MTD constantly morphs device memory in real-time to transform and reduce Linux servers’ attack surface. It deterministically blocks threats, regardless of whether they use polymorphic defense evasion, in-memory deployment, or other advanced tactics. Morphisec Knight secures Linux servers with no impact on performance, no maintenance, no need for continuous network connectivity, and, critically, no false alarms. Other solutions say they work on Linux. Only Morphisec Knight is purpose-built for Linux with no compromises. In fact, independent test lab MDSec tested Morphisec Knight and confirmed it prevents MITRE ATT&CK tactics and techniques typically used by adversaries. To learn more, read the white paper—Linux Servers: How to Defend The New Cyberattack Frontier.

New call-to-action