Despite the increased security investments and proliferation of new infosec tools, the damage caused by cyber breaches continues to worsen.

Meanwhile, the adversary plays by their own rules and evade detection by studying a static environment. They’ve had the luxury to decide when, where and how to attack, while organizations continue to remain in a reactionary defensive state.

This session looks at the most common methods used to bypass detection. It will also discuss how to combat against the adversary advantage with simple proactive approaches to prevention. Finally, it presents recommendations to reduce risk, including a look at innovative technologies with Moving Target Defense to prevent advanced threats and zero days.

Enjoy the video presentation and accompanying transcript below, by Andrew Homer.

About Andrew Homer

Andrew Homer is the Vice President of Marketing and Business Development at Morphisec, leading all marketing and strategic business partner initiatives for the company. Prior to joining Morphisec, Andrew was Director of Business Development and Technology Alliances at RSA, where he led the company’s technology partnership program, including its vast ecosystem, strategic alliances and embedded OEM partnerships.

Over the past two decades, Andrew has gained a wealth of both corporate, product and high-growth experience at Dell, EMC and VMware. Andrew attended the University of Massachusetts, Amherst for his undergraduate degree and obtained his MBA from Babson College.  

A Proactive Prevention Strategy to Reduce Risk


Join Thousands Who Have Benefitted from the Virtual Event of the Year - WATCH NOW Okay. Good afternoon, and good morning, for some of you. It's great to be here. My name is Andrew Homer, I'm the Vice President of Business Development and Marketing at Morphisec. Very excited about our partnership with Ivanti, and also proud of the integration work that we're driving together. So, today I'll be discussing how we can be taking a proactive prevention strategy to reduce risk. So about 30 seconds, really, about who we are. As you can see in the top left corner of this slide, under our logo, and read Moving Target Defense, which I'll talk a bit more about. We provide a whole new, simple, proactive approach to endpoint security, by killing the most advanced unknown attacks pre-execution. We do this without any detection or signatures, which makes it pretty lightweight to the endpoint, and very simple to operate. We do this across workstations, servers, cloud server workloads, and virtual desktop infrastructure. Been shipping product since 2016. And have about 90 employees globally, and now deployed in over 4 million endpoints across 500 enterprises.

So today what I'd like to talk about is ... Discuss some highlights, interesting trends that we're seeing in the security landscape. What we see across millions of the advanced attacks that we've prevented that have evaded detection, that have either been unknown exploits, advanced malware, and also fileless attacks. I'd then also like to dig into some of the blind spots that we see, that we all have as IT and security practitioners. And some of the status quo traps that have held us back in the industry. Some of these observations can help you make a significant improvement in your own environment. Also dig into a couple important areas to improve your security posture, reduce risk, by taking this proactive approach to prevention. Both prevention on the hygiene side of known threats, as well as net new innovations in offensive prevention against unknown threads.

To kick things off, I'll spend a couple minutes here on describing today's security landscape. The way we see things now is this massive increase of data breaches that's also reflected in the news. That's nothing new for us. We're seeing exponential growth in the malware over the past several years, with now nearly a billion total pieces of malware so far just this year in the first half. And to put that in perspective, that's over a half million new pieces of malware variants per day. And so, it's reached this unsustainable point of this whack-a-mole approach, where the traditional endpoint security vendors, they'll identify a new strain, distribute its signature, and the threat actors respond by instantly creating a new malware variant. And they're using tools such as AI and automation to generate and distribute these variants at a very fast pace. And so ... Much faster than the industry can react.

According to Ponemon Institute report of about 660 IT and security professionals, that malware has largely been very effective, with about 2/3 of all attacks resulting in a successful breach compromise. And 3/4 of those breaches occurred as a net new, unknown attack or zero day. And also, the dwell time of the attack remains a significant problem according to Verizon's data breach investigation report that came out about six months ago, looking at 40,000 security incidents, including 2,000 confirmed breaches. About over half, 56% of those breaches dwelt for over a month. Data corroborated with Ponemon puts the average delay in applying those patches to 102 days. So there continues to be this disconnect between the time frame for attacks vs. response. Discovery's taking months. But the exfiltration, the severe damage that's occurring is happening within minutes.

And so, the gap must be tightened, and it needs to be a real time focus on attack prevention if we're to have any chance of curtailing any of these breaches. On much of what we read about Nation State Packing, the attacks that are most successful, are sometimes not even all that particularly innovative. They're just effective in becoming much more targeted. And we see an economic warfare occurring with the adversary. Each side having a risk/reward tolerances in terms of how much investment they can spend to fight the other side. The top targeted verticals continue to be healthcare, public sector, in manufacturing, where the adversary is taking advantage of very lean security teams within these verticals, that have very slim budgets as well.

So ransomware is an example, as a whole accounted for 24% of data breaches in Verizon's data set. But when looking at healthcare data, ransomware jumps to 70% of data breaches according to that same study. Already this year, three breaches have made the list of the 10 largest breaches of all time. Certainly one of the most recent, Capital One's data breach affecting 100 million customers, about 1/3 of the U.S. population. This data exfiltrated by this one hacker is said to possess multiple terabytes of stolen data for more than 30 companies. So even looking at Capital One, it doesn't even break into the top five breaches of all time. Ransomware attacks, truly nothing new at this point. This year, 2019, looking to be another banner year for them. Most famous example of a ransomware attack, it takes us back to 2017's Petya attack. This is the most devastating in history, contributed to Russian hackers which masqueraded as ransomware.

But the group behind it had no interest in receiving ransom payments. The motivation behind the attack was pure destruction. Poster child, we read about, is Maersk, the world's largest shipping conglomerate, suffered incredible damage. And Maersk has since become a Morphisec customer, just this past quarter. You may have read last week about Apple's zero day exploit, that Morphisec first prevented and discovered. We notified Apple months prior. But this exploit allowed the bad actors to invisibly install the dangerous bitpaymer ransomware. Bottom line, cyber criminals becoming much more efficient picking and choosing their targets. Causing the highest amount of damage possible to the organizations in order to demand much higher ransoms. And so, often the attackers are pushing ransomware ... Are doing so with the aid of known vulnerabilities, for which the vendors already have issued security updates. And still effective with many of the companies out there, we still haven't patched those systems against those known vulnerabilities.

And then there's supply chain attacks that have become sort of the new normal. And also the most dangerous given that it's coming from a signed, trusted certificate from the software supplier itself. Example here, ASUS, disclosed a supply chain attack earlier this year that impacted over a million users. And that was a backdoor Trojan that reached out to the C2 server to download it's payroll. This Shadow Hammer group that we see brings to mind a similar group attribution to the CCleaner supply chain attack that Morphisec prevented and discovered and notified Avast of last year. In fact, I just saw this morning, there was another breach of CCleaner as well. This is a very similar technique to the illegally modified backdoor that exhibited internal code injection into memory that we blocked.

So we're also seeing a rapid increase in the vulnerabilities. And last year, over 16,000 vulnerabilities discovered last year. That's over 45 new vulnerabilities published each day. And this is nearly tripled just in a couple years. And on pace to exceed that number this year. And it's important to note that the increase is likely to be much, much worse given how CDE records do not include zero days being used in the wild without knowledge of the software developers. So not only that, the number of vulnerabilities identified as critical is also peaking up. Contributing factors involve an expanding attack service with a move towards cloud and the rapid digital transformation over to cloud workloads. And also the sheer proliferation of IOT devices. In fact, this year, for the first time, there are now more IP connected devices than there are human beings, which is a daunting statistic to get your head around. And with more devices, there's much more code to be written by much more people. All having a compounding effect in this increase that we're seeing in vulnerabilities.

And making our lives much harder is that business is pushing as fast as they can to the cloud, towards digital transformation. What's driving this pace is, from a business perspective, is to be fast. To adapt as quickly as possible to our customer needs and our environment. It's a bit cliché, but things are getting faster and faster, and IT organizations are being challenged by the business and the board to work faster, much faster than they ever had to before. Things seem to be getting actually worse for Windows 10. I think 80 security flaws just this month alone, down from the 93 the month before, with a critical rating assigned to a quarter of those. Two of those holes involved privileged escalation to god admin status involving all variants of Windows that have been exploited in the wild. Of course, oftentimes, patching does not go smoothly, as we all know here.

So we're left with patching for the patch, which consequently means more downtime. That means having to reimagine machines. And even when stable patches are often available, organizations we see commonly dragging their feet, attracting threat actors to look for and exploit unpatched installations. Most if not all these vulnerabilities are still being exploited in the wild by malicious actors going back many, many years, sometimes more than a decade. And so, if we take another picture in comparison to 10 years ago, things have correlated well and compounded the complexity on the other side. So this is according to a talk recently given by General David Petraeus last year. Threat actors measuring in the thousands vs. less than 50 10 years ago. Over a million threat types today. Daily alerts, we can all agree is really making it humanly impossible for a million daily alerts to the average enterprise organization.

And also the complexity of finding a solution. A decade ago, we had administry with about 100 vendors, today we're starting to edge more towards 3,000 security vendors. And so, yet our industry has responded with a game of clones of sort. 2,600 vendors, 30 subcategories, with little distinction in the differences or advantages between any of them. You can see this by just walking the floors of RSA, black hat, Gartner, and just look at their signage. You'll find yourself in a maze, really difficult of ... Not only not knowing what these vendors do, but many, many, too many solutions that often don't cooperate, nor do they inter operate with one another. And so, this is really deeply important for us. Deep integration with the other security tools in the marketplace. As well as IT service management with Avanti as well. And so, of course, this proliferation in tools, vendors, spending, alerts, really hasn't manifested itself in the benefit of the customer trying to prevent the breaches. We're left with this $124 billion market, growing 12% per year. And just like the rise in attacks and the damage being done, it has not resulted in less breaches.

In spite of the spending, we have a lot of challenges, right? Number one is poor hygiene. There's an awful lot of money being spent on sophisticated security tooling and detection dashboards, but many of the organizations are still leaving the door wide open for criminals to walk right in. And they've just done a lax job on the housekeeping side when it comes to maintaining hygiene and adequate security basics. The number two is detection mentality. About 80% of spending today is on detection. Again, go to RSA this year, Black hat you'll see ... There's a sea of vendors with all detection mindset and solutions in undifferentiated messaging solutions. And if we accept this detection mentality, we're lost. The dwell time is measured in months. And exfiltration and damage is being measured in minutes. Still we're left with this terrible outcome, right? It's expected six trillion in cyber damage next year alone, according to Cyber Security Ventures. And to put that in perspective, that's more than the GDP of Germany and United Kingdom combined. Six trillion. That's 6% of our global economy.

And so, let's kind of look at, what do we do about it? And it's important to take a step back and focus on what matters most. And build a smart prevention strategy to reduce risk. Prevention is a step. And so, let's turn back the clock 250 years to Benjamin Franklin, who wisely said, "An ounce of prevention is worth a pound of cure." And this actually is as true as ever. And also applies directly to how we should be looking at our own security strategy and our posture. And although many use this quote when referring to health, Franklin actually was addressing fire safety. So I'll spare the details, you can go check it out online, but when he visited Boston back in 1733, he was impressed with their means of handling fires in the city. He returned to his home in Philadelphia determined to improve the way his Andrew Homer:own city handled the fires. And that would be less costly, ultimately, to prevent the fires than it would be to deal with its consequences of fires.

And so, I want to discuss call to action here, for a prevention centric approach to our cyber security defense. How to take a proactive choice to prevention, and how it can lead to a dramatically more effective and cost effective outcome. And so, here I'll talk about two very important prevention approaches here, that we can be taking. The first is, kind of the unsexy one that focuses more on the process side of prevention. The second one is about net new technology innovations that can ... We should be taking to be taking to prevent the unknown attacks. So the first is about hygiene. As you see here, there's a bear easily getting into the tent. I don't want to underestimate this one, if any of you have been camping, as we do here in New England, bear country. Then you shouldn't leave your tent wide open. Put your s'mores inside your tent while you sleep. And so, we should be going through the checklist of hanging the food in the tree in lockboxes, for example.

And it's about protection against the common threats by preparing basic prevention controls against common threats. It's about doing the basic things very well. But the analogy to how we manage security risk is also close to home. The basics are the areas we need to put the most serious work into to solve this problem. And the first problem here is obvious. Most organizations in the most embarrassing breaches that ... Have all had poor hygiene, if you look at it. Look at Equifax, Capital One, Yahoo, Uber, many others. Their failed password policies, lack of strong authentication, uneducated employees, unpatched systems, open ports, remote access, leaving data bases open to third parties. I could give a whole other talk on just this subject alone, but it's a shared responsibility. The good news is, you don't need to spend a lot of of money with your vendors in order to improve your security posture. It's about preventing against the known dangers that we know can harm us.

Yet according to the Ponemon Institute study that came out six months ago, this one serving 3,000 organizations, it found that over half, 57% of the breaches were caused by known vulnerabilities. And unpatched systems. And more often, it's either a known vulnerability with a patch available to which somebody just doesn't apply the patch. Or they're implementing very poor authentication controls, identity management, access management practices. And the results, get compromised by some form of spear fishing, right? In many cases it's a combination of both these things that work. And abuse of the fact that the organizations haven't maintained basic hygiene in their environments. And their systems are vulnerable to all sorts of different malware and that's exploited broadly. And so, to illustrate this point, let's bring it home. Introduce you to this gentleman here, Rob Joyce. For those of you that don't know who Rob Joyce is, he recently left the White House administration as the Chief Cyber Coordinator for NSA's Tailored Access Operations.

This is the government's top hacking team, who's responsible for breaking into systems of its foreign adversaries. And occasionally probably its allies as well. And his charter at the NSA was to lead a team who's job it was to break into other people's systems, gain access to the bad guys information, obtain intelligence, gain information, that sort of thing. Last year, a rare event at the USENIX Conference in California, where Rob got up onstage and gave an amazing talk about how to keep guys like him, that work for governments in other countries out of your endpoints and your networks. And you can look it up on YouTube and watch it. But, you know, it's a great presentation. But what he said is that the Tailored Access Operations team would much rather use a known vulnerability and published exploit. It's cheaper. It's lower risk. Less costly. It's the mindset that the advanced threat group of the NSA operates with. And it's the way our adversaries operate.

And part of what he said was, don't assume a crack is too small to be noticed. Or too small to be exploited. If you do a penetration test, and 97 things pass the test, but these three esoteric things fail, don't assume that they don't matter. Those are the ones that the NSA and other nation state attackers will seize upon. The first crack, the first seam, we're going to look and look and look. What kind of edge case to break open and crack into. And of course, you know, part of the strategy is reaching into this deep egg of zero days as part his strategy. But the point is, it's very much a game of economics of the adversary as much as it is for the defender itself. So much more easier and economical to go after the easy pickings in this case. And so, good cyber hygiene makes all the difference, much of the difference in ultimately reducing the amount of risk that you have in your organizations in reducing the risk that you have for intrusions. And there can be a whole separate talk on this subject.

The point I'll leave you with is, they need to do the basics very well, and practice good hygiene. And this will go many miles further than spending a lot more money on the status quo vendors. Nailing the basics are available today. These are the preventable things, such as applying strong, authentication, and patching system to known vulnerabilities. Governance and policies for highly privileged users with admin status. It's about educating your employees about what to protect and also what to report. Also simply knowing which assets matter. Which systems you have and the associated business risk of those systems and users in data to the organization. And this will help prioritize your patch efforts and also have a plan for upgrading legacy systems and applications. The truth is that preventing these things is exceptionally straightforward. I'm not saying it's easy to do. But at least we can agree it's straightforward. The thing you have to do is protect yourself, is maintaining good hygiene with the systems and users.

And the truth is that you can protect yourself by applying these mechanisms, and it's not rocket science. You don't need to be a security guru in the security space to know how to do this. It really boils down to doing the work. Doing the basics very, very well. But the key point here is that it should be easy to prevent what we can see, right? Right in front of us. Right under our noses. The known threats. What we know can harm us. But what the adversary and what adversaries are trying to exploit, that sides a bit more complicated. It's the prevention against the unknowns. The adversary is in many cases very sophisticated and they have an enduring advantage. And that is advantage is that we live in almost complete darkness against the unknowns, and what can harm us. You know, they're able ... Adversary on the other hand is, they can see through this darkness. They can study our stationary position. Where we're located. Our tendencies. And then can plan their attack, methodically and undetected as well.

We're afraid of what we can't see. And so, we formulate our suspicions about what we know might hurt us. What's hurt us before. What's hurt others. And what looks malicious based on known behaviors. And so, we start to orchestrate our defenses based on these known behaviors. But consequently we've adopted what I would call this detection mindset. We've built up our security cyber defenses designed to be reactionary to every shadow, every noise, but we've ... We're quick to turn on the flashlight or throw an alert and investigate only after hearing the noise. And this has created an expensive unscalable reactionary defense. But oftentimes when you shine a light into the small corner of this darkness, into the woods, you see nothing more than a mouse. It's the same with security operation teams with alerts. Every bump in the night creates an alert, contributing to this massive flood of false positives. Much of which just falls on the floor.

But the reality is that the threats are becoming more evasive, and they're not creating the known shadows and the noises we're expecting. They're studying us, our reaction or responses, in order to do evade detection. And yet still, the adversary only needs to be successful once. Meanwhile, many of the folks in this industry, they continue to talk about detection. I mentioned earlier that this is where 80% of the spend is in the market. As an industry, if we accept this detection mentality, we're lost. It's done. And security detection, it's not enough. Detection is not enough. Dwell time could be fatal. With the average attack detection taking 10 months. But even if we were to detect in 10 minutes, it's still too late. Sophisticated malware can shut down your endpoints, steal all your data in less than 10 minutes with a fast link. And meanwhile, there's nobody to prosecute. And there's nobody to catch.

So let's look at the methods and how adversaries are constantly evading detection. Talk a little bit about this. And as I mentioned, we're on over four million endpoints, having prevented millions of malicious attacks. First let's talk about the first one, behavioral analysis. Detection, in this case, you know, would need to monitor the behavior of the process. If the process uses undocumented functions to execute from within memory, then you can't monitor it. And it would be a bypass. And so, detection would not see it. And example here would be unpacking itself in runtime, reflectively loading itself in runtime. So simply execute in memory without being monitored. EDR cannot monitor all the time in real time. The problem with detection solutions today is they can't scan the memory all the time. And so, what the adversary needs to do is just introduce noises. Reflectively load stuff. Update things. Introduce noise. And then just pull that trigger just in the split second moment when they want to execute. This is the way to bypass behavior analysis today. What we see. And so, in this case, the attacker has the advantage to choose what, when and where.

The other one that we see, probably the most easiest to bypass is static analysis. Just generate new signatures. Don't create a file at all. Just live off the land, right? You don't have anything static to scan if there's no file on disk, there's nothing to scan. Or simply generate new file signatures on the fly. File indicators, like function names, section names, characteristics. Within seconds, an overflow signature based static analysis. And both these static is by far the easiest one to bypass detection. Also, white listing. This one's interesting. You know, solutions today, Bitnine, AppLocker, Windows Defender, AppControl, application white listing solutions don't care about known malicious code. What is known good for my environment should do. And so, whatever is not in my white listed group is by default determined to be malicious. Essentially, these white listing technologies provide a central control to define what programs and their related dependencies are allowed to execute in your environment.

And then nothing else is allowed to execute. So, you know, this is a popular approach today in servers, which often is the only mode of protection. But that doesn't mean you're all set. Actors are still able to exploit white listed vulnerabilities, exploit vulnerabilities of white listing solutions. So the threat actors, they're clever. They find ways to get at these programs to do something outside of their normal intent. To find some built in functionality that can have ultimate uses. To help carry out the mission of the malicious code under the veil of legitimate white listed process. Windows and application processes are, of course, white listed by default. And some of the most popular and easiest ways to bypass is to abuse your legitimate white listed process to execute malicious code. Say leverage the components within the .net framework. And there are two ways to do this. Either open a legitimate process after load time and replace it in memory with the malicious code. Or just abuse the fact that some of the legitimate processes can help execute code for the attack. A white listed process carrying out the dirty work.

And in both cases, the malicious code needs its roots. It can't execute by itself. And its looking for those memory strings. The legitimate wrapper. How to prevent effectively, which I'll talk about here shortly, is to make those resources inaccessible, and cause the malicious executable to crash. What we see as exploits here, zero days, still a favorite way to detect ... Evade detection. And these will live on forever. Because if software is signed and known, its execution of a new malicious process will generate an alert with lower confidence score. And security vendors will avoid flagging it to prevent unnecessary disruptions in their business, meaning that the attack can abuse it to execute a new malicious child process, and avoid triggering an alert. You know, if a malicious program didn't have an extension, security tools may not scan it. So exploits get into every category I mentioned earlier, behavioral, static scanning, and white listing ... Well, static scanning, not really relevant here for exploit because most of the exploits are infiltration remotely, not like browser, .doc files, which are considered like file on disk. It's not executable.

So exploits by nature bypass white listing solutions because they usually only inject into exploitable applications, which is a legitimate, albeit tainted or exploitable. And so, with behavioral exploit bypass as something you can't predict, expect, notice as a new zero day. And you don't know what kind of behavior to expect on a zero day. So, you know, even modification to an existing technique is often a new exploit. And so this is why exploits will live on forever. This is why exploits are almost always used by the advanced attacker. Especially state sponsored, because exploits, they don't leave any attribution. No traces, no file on disk, no artifacts or scripts. Those attacks just get in and they get out without a trace.

Again, an example, recent ransomware attacks that were exploited, that Morphisec discovered and blocked was the Apple zero day. This was easy to slip past detection tools and infect victims with a bitpaymer. And also, the Windows CTF subsystem flaw. This is a 20 year ... In this case, a 20 year exploit design flaw that Morphisec also prevented day one. So, you know, Microsoft does a lot to limit the attack surface here, with attack surface reduction. And things like .net, which means an increase in exploits in some of these other areas. And it's also important to note that many exploits, they live on for many, many years. Oftentimes well over 10 years. So we not only need to protect against the new zero days, but also the many generations going back of exploits downstream which the attacks today have a field day with.

The main challenge that we see in terms of what the attacker is targeting is going after runtime memory. Okay? This is the centerpiece of the battlefield today that the attacker focuses on. Where almost all the successful advance attacks occur. And the reason being is that the memory assets itself are being targeted as static. And therefor are very easy to attack and study. An observation here, you know, is a problem according by the Department of Homeland Security, he was also a strategic partner for Morphisec, is that they said, in the physical battlefield, we're constantly moving critical assets in a non predictable way as an important part of our defense strategy. And so it's a bit philosophical, but this is how the Department of Homeland Security thinks about their own security posture. In fact, in the cyber world, the point that Rob Joyce made earlier, is that the adversary has all the time in the world to learn an organization's weakness, will know oftentimes more about our own systems than we know about our systems.

And so, I spoke earlier about how we've responded as an industry with this massive spend and staff investment towards detection technologies. But in looking at the millions of advanced attacks that Morphisec has prevented pre-execution, we also see how detection, EDR especially, is a false sense of security. So the mentality that we have in the physical world of detection and then response simply doesn't work. Doesn't scale in the cyber security world. We can't accept an entire detection-centric mentality. We have to do prevention. We have to focus on prevention first. We have to stop the attack from getting in. And we have to stop the attack from doing damage. And so, it's important as we evaluate solutions that things like usability dashboards into detection is just one element. We need to be looking at prevention effectiveness, especially runtime memory prevention. And evaluate prevention in a whole new light. And how we protect effectively, we need to change the game. We need to make it impossible for the predators to find out where we are and what we're doing. And we need to shift our mindset. And in this case, an ounce of prevention is worth a pound of cure.

So, again, let's take a step back and ask ourselves, why hasn't this been solved in cyber yet in prevention? And that's because, as I mentioned, the adversary has a very powerful advantage in current systems. That advantage has been a static and predictable target throughout the entire attack surface, with all the time to learn our weaknesses. Attackers are looking for particular resources and particular locations in memory. In the memory structures that are known for that. And so, this idea that all the attacks can be detected before the attackers able to exploit those resources has made our defenses in this case very reactionary by relying solely on detection. So our approach with Moving Target Defense is to say, well, if the attacker's advantage is predictability, and a static target, let's now take the step away from the attacker, this advantage away from the attacker by making those critical assets unpredictable and dynamic. And so, when an attack meets its expected target, expecting to find certain structures and resources that it was designed in advance to you, suddenly they discover a totally new, unknown, unpredictable structure that kills the attack deterministically, automatically, pre=execution.

And that's the true essence of this offensive approach to protection. Prevention with moving target offense. To make those assets dynamic and unpredictable. And shift the advantage completely over to the defender. From a reactive state based on detection to a more proactive prevention state based on Moving Target Defense innovation. So if you take some of the fundamental legitimate memory resources away by morphing the memory, then you can crash the malicious code pre-execution. That's exactly how Moving Target Defense works to prevent attacks that would otherwise evade detection. And so, now the question becomes, how do you go about doing that, right? For example, in the case of a fishing document using a weaponized macro or browsing a website with an exploit hit behind that. So what happens when you double click on that file, and as you get to the very end of the loading process, where ED or EDR has been evaded, Morphisec Moving Target Defense does two things. Two very important things.

The first thing that it does is that load time, we take those memory structures and we morph them. We morph the memory structure ... By morphing the memory structure means that we're scrambling the DLLs, changing their names, the links, moving the locations, among other things. In other words, creating an unpredictable target as a whole new memory structure. All the resources are in locations that the attacker has no knowledge of. Because they didn't receive a link to the newly morphed memory structure, will not get any knowledge of them, as well. And so, meanwhile, here the legitimate code is able to run, you know, undisturbed, within this new memory structure. And without any change to its performance or behavior. And the second thing that's important to point out here is that what Morphisec does in parallel is we create a skeletonized version of the original memory structure. A stub, that places a trap in the location where the DLL resources, the memory structure, used to be.

And so, what happens is if the attacker continues running, because it has no awareness of the memory structure, it tries to unpack itself in this false memory. And when it tried to execute in the location which its designed to execute at, to exploit the memory, it encounters the trap, and the attack is stopped pre-execution. We crash it. And we also collect this very deep forensic detail about the attack. Where it originated from, what it tried to do, and ultimately its payload. But one note here, a few notes actually, a couple notes, is that we don't need this decoded trap to prevent. We're constantly morphing the memory. But what this trap does to is it confirms deterministically that an evasive attack occurred. And we locked down the attack. That we block it pre-execution. It records a full detail story that I talked about with the log, across the attack chain, describe the attacker's intent, and tracking it back to the origin the attacker would have tried to do. The other thing to note here, is one the morphing is complete, this two megabyte, very lightweight agent, it steps aside, consuming no CPU and no memory.

And so, ultimately we have this pure deterministic prevention system that doesn't rely on any knowledge, no signatures, or detection. You know, we have a system where attorney code that gets into the original memory structure is regarded malicious by default. No rules, no IOCs, no patterns, no decisions that we need to make, no tuning that needs to be happen. And so, with that we gain a very powerful prevention advantage against the unknown zero day attacks across a wide coverage from web browsing, fishing, macros, exploits, evasive malware. And also the backdoor spike chain exploits that I talked about earlier. We do this across the entire attack chain, from infiltration, exploitation, pre-execution, shell code execution, or even the evasive malware itself. The system is also highly resilient to being bypassed, even if the attacker were to learn the new memory structure, it would change again. Because every time a new process is being loaded, we again morph the memory structures in randomized way. And this is why Moving Target Defense we believe is a true net new innovative leap in prevention technology in the last 10 years. We're shifting the advantage and the economics back to the defender.

So it's also useful to kind of put this in practice in how proactive prevention reduces risk. An example of why prevention based on, you know, not signatures is so powerful and effective to an organization. Let's look at an example of a zero day attack, identified as CDE Adobe Flash 48/78. You know, for several months, this attack was out in the wild. Nobody even knew about it. And at a certain point, when it was detected, the whole chain started. Right? You know, patches to Adobe, updates to the antiviruses, patching systems, and after a few months, if you did all these steps with the patches and the updates, you'd be covered. But during this window, you were exposed. And wide open to an attack. With Moving Target Defense, that's not based on any prior knowledge, prevents those attacks day one exposure to the vulnerability. And this approach, as I mentioned earlier, we prevented an attack, the 20 year old Windows flaw, CTF subsystem exploit, that was discovered in August, affecting Windows 10 machines all the way back Windows XP. And of course, this is a serious design flaw. Moving Target Defense prevents without any knowledge, without needing a signature of that flaw.

As I mentioned earlier, average time to patch, 120 days. And according to research by the Rand Corporation, 25% of vulnerabilities they say are discovered within a year and a half, but another 25% staggering, can last upwards of nine years. So Morphisec, we prevent ... We protect against infiltration. If you look at, say, the MITRE attack framework, almost all security solutions are focused on post attack. Yes, we protect many attacks, post attack, when they persist, and are already on an affected machine. But our goal is to prevent the infiltration of the attack. So what we achieve by preventing the attack very early, we increase the economics. The cost of the attack against the adversary. So we change the game against the adversary by killing the attack before infiltration. Across four million endpoints, we provide protection against advanced attacks. Where we see those attacks penetrate the gateways, penetrate the network, penetrate the EDs the customer has, and ultimately, they try to get at the memory. They try to bypass the white listing solutions by executing legitimate processes and trying to use those exploits by trying to infiltrate into the endpoint application and utilizing those vulnerabilities.

And so, what Moving Target Defense does, is it fights back, and it's economic warfare against the adversary, by making it very frustrating and costly to continue carrying out that attack. And so, in summary, what we do is we prevent zero days, sophisticated targeted attacks, preventing attacks pre-execution, deterministically before any damage can occur in the organization. Our solution is simple for teams to install and operate. Lightweight 2 megabyte agent with no memory or CPU overhead consumed. And it's also protecting even when offline. So Moving Target Defense doesn't require any detection, no signatures, updates, no tuning behavioral IOCs that the attacker tries to exploit original memory. We instantly block it pre-execution. And so, to summarize, when you think about proactive prevention, the first step is taking care of the housekeeping. The things that you know you should be doing. And doing a good job at it. Things like patching and authentication.

The next needs to be focusing on prevention, which is kind of a lost science, right? But there's amazing, innovative prevention technology out there such as Moving Target Defense, that we need to be looking at first, before the more costly detection and remediation steps. And so, with that, thank you very much for your time. I'm going to turn my portion over. For more information, you can reach out to me directly at [email protected]. We'd be happy to discuss further and also show you a demo. So, thanks again for your time, and look forward to hearing from you. Thanks.