<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=885880844953016&amp;ev=PageView&amp;noscript=1">

There’s a Madness to the Method - Surreal Logic in Cybersecurity

Posted by Arthur Braunstein on June 14, 2016
Find me on:



Imagine a conversation like this.

ASPIRING VIOLINIST:  Maestro, what should I do to be a violin virtuoso?

MAESTRO: You must practice 48 hours every day on the tuba. I will sell you a tuba.

ASPIRING VIOLINIST:  But there are only 24 hours in a day. Did you say tuba?

MAESTRO: If you won’t follow my advice, I can’t help you.

More Madness than Method

It sounds absurd, but conversations like this unfold daily when enterprise cyber practitioners meet with industry vendors and security consultants. The industry tells them that they are not doing enough. They must install more security technology, hire more analysts, and patch more frequently. This may seem simple; merely a matter of budget and execution. But the technology is not up to the task and the cost of following this advice to the letter would force enterprises to spend themselves out of existence. And it still wouldn’t work. Not enough hours, wrong instrument.

Overheard at the Endpoint Clinic

For example, when asked how to handle the fact that zero-day attacks defeat all defenses some of the time and some defenses all of the time, the response from the industry is: add another layer of malware detection. Yet the incremental benefit of each layer is minimal. All the world’s AV and HIDS and next gen products crammed into one top-heavy stack would still let attacks through. That is, if there was enough computational power left for the system to function. They are all detection tools and all detection tools cook pretty much the same security dish, using slightly different recipes (a pinch more signature here, fresher behavior algorithms there) but outputting the same nutritional content. And with respect to in-memory attacks: look for the payload, that is, let the attack succeed, try to find and neutralize it before it does too much damage. That’s the next gen way. More technology may protect more, but not much more.

As for economics and operations, even if you’re already groaning under the burden of costs you can’t afford, more spending on more layers of detection seems to be the stock response. And when the industry is told that each layer produces more telemetry than the world’s supply of analysts can interpret, the practitioners are advised to build bigger SOC’s and staff them by paying higher salaries or outsourcing. Or ignore 90% of the telemetry. It’s noise, after all. It is considered heresy to question the wisdom of spending money to create telemetry that you’re going to have to ignore because you can’t afford to use it.  As is doubt that a higher salary will recruit an analyst who doesn’t exist. There are 300,000 too few cyber professionals for industry demand and the shortfall will grow to 1,500,000 by 2020. Banking on a ghost workforce is a dubious strategy.

And when all else fails, practitioners are told they should patch more frequently. But the question of what to do while the vulnerability is still unpatched ricochets back at them with indignation. Find the attack faster with technology that misses attacks and people who don’t exist. Money is no object: at least not your money. As for false negatives, or polymorphic evasion of defenses an answer given is: tune your sensors to higher sensitivity so they give you more telemetry. False positives or false negatives, that’s the trade-off. Right. In the heads I win, tails you lose sense of the word.

Diagnose the Madness

Hire more analysts who don’t exist to interpret more telemetry that you should ignore in order to not detect attacks that will defeat the defenses you deploy at great cost.

The logic is surreal. Yet the technology is state of the art and the advice is well-intentioned. The products all work, in the sense that they do what the vendors say they do. 

The cause of the madness is doctrinal. Defenses are static; the fact that they have to be static is an article of faith. In this spirit, they are deployed in depth, at known network and host control points, and behave in predictable ways. This makes sense in some cases. Unsophisticated attacks may well be detected.  But known defenses stumble when they encounter unknown and unknowable attacks like the ones advanced attackers specialize in.  These sophisticated attacks do great damage. Attackers know your defenses and evade them, using ingenious techniques and the assurance that you will remain static and predictable so they can be dynamic and unpredictable. Your cost of modifying the defense is high; even maintaining it is high. Their cost of designing a new or unknowable variant of an attack is close to zero. That’s why there are three billion attacks per year. How many times per year do you change your defenses?

And Treat the Madness

We regularly see Moving Target Defense when the stakes are existential--in modern warfare, where mobility rules. Castles, forts, and fixed positions are relics of bygone times. Now the stakes are equally high on the cyber battlefield, and Moving Target Defense works there too. Moving Target Defense by Morphisec on the endpoint prevents in-memory attacks. It hides targets from attackers, shifting the cyber battlefield in favor of the defender.

When Morphisec’s Moving Target Defense technology is added to an endpoint, attacks cannot find the system resources they need to exploit the vulnerabilities they are targeting. Morphisec renders the system resources unknown and unknowable to the attack by randomizing the memory structures. In-memory attacks - ransomware, data exfiltration, zero days or unpatched vulnerabilities - are prevented deterministically: no detection, no monitoring, no rules, no signatures, no extraneous telemetry, no false positives or negatives. Think Maytag repairman. If you terminate the attack before the kill chain starts, you don’t need to do much.

When attacks target application vulnerabilities, the memory resources serve as the highway for the attack. What Morphisec does is move all the roads, all the intersections, all the buildings along the roads, and all the topography. Leaving behind no map, no forwarding address, no local guides. And it does this anew, every time an application loads. Entropy is high, which is bad news for attackers. The new math is the defender’s friend.

No target, no exploit. It’s more than game-changing; it’s game over.

A Happy and Sane Outcome

Moving Target Defense restores the 24-hour day and gives the aspiring artist a violin to practice on. Common sense prevails and battling cyber-adversaries falls into just the right balance: 100% method, 0% madness.


Subscribe to our blog

Stay in the loop with industry insight, cyber security trends, and cyber attack information and company updates.

New call-to-action

Search Our Site

    Recent Posts

    Posts by Tag

    See all