Moving target defense 2019 landscape: paradigm shift picking up steam

It’s that time of year again to check in on the moving target defense landscape. 2018 and 2017 were big years for moving target defense. Yet 2019, halfway in, has already outpaced them. For practitioners and industry watchers, there is a palpable sense of momentum behind the moving target defense revolution.

Moving target defense: a paradigm shift for security

Moving target defense is a fundamental shift in how defenders think about security. Before getting into the latest moving target defense landscape in 2019, it’s worth revisiting the “why” behind moving target defense in the first place. Defending infrastructure today is a rigged game — in favor of attackers — because the defense infrastructure is static and unchanging.

Static defense infrastructure hands adversaries many asymmetric advantages:

  • Time: Attackers have plenty of time to plan and execute their attacks. As more time goes by, the defense infrastructure continues to exist in the same or similar state as before. This makes time one of attackers’ biggest advantages. On the flip side, time is a huge disadvantage to defenders. The longer an adversary has in a defender’s system, the bigger the risks of compromise or exfiltration.
  • Sprawling infrastructure: Defense infrastructures are more and more spread out. Enterprises are adopting cloud infrastructure, edge computing, and even distributed ledger technologies such as blockchain at faster and faster exponential rates. This sprawling infrastructure provides an asymmetric advantage to attackers because the attack surface is so wide and diverse. Meanwhile, defenders struggle more and more as infrastructure spreads.
  • Easy to hide: Detection is a constant cat and mouse game between attackers and defenders. In today’s ever-sprawling infrastructures attackers can hide and evade detection. Meanwhile, defenders must grapple with how to defend static infrastructure that is easy to study and plan to attack.

Moving target defense is a complete paradigm shift. MTD turns the current asymmetry between attackers and defenders on its head. The biggest adversary advantages (time, sprawling infrastructure, and the ability to hide) turn into defender advantages and adversary disadvantages.

  • Time: With the passing of time, as defensive infrastructures change and morph, attackers are constantly back to square one. Without the ability to study a static defense over time, attackers are left with trying to decipher a randomly and constantly changing and moving infrastructure.
  • Sprawling infrastructure: cloud, edge, and hybrid distributed infrastructure in a moving target defense game is an advantage to the defender, because the bigger and more sprawling the infrastructure is, the higher the entropy of the moving target defense and more difficult it is to attack.
  • Staying hidden: With moving target defense, it is actually easier for defenders to hide critical assets and information, even if it is in plain sight. Because moving target defenses move randomly, being hidden and observing the defense infrastructure is no advantage to the attacker.

Traditional approaches to security don’t change the asymmetric advantages attackers currently enjoy.

As an example in the data security space, there are technologies that split and shard data, spreading fragments around to various areas in an infrastructure. These technologies, such as multi-party computation or secret sharing, have been around for decades. In this example, 1 piece of data or 1 key may become 5 fragments placed in various parts of the infrastructure. However, over time, and with the ability to hide in a sprawling infrastructure, attackers will figure out the locations of the fragments. It may take longer, but the advantage of time is still on the attacker’s side. With moving target defense, if those same 5 fragments were to constantly change locations as well as properties, mutating and re-encrypting, at random — that is a fundamental paradigm shift. Now as time goes by, the attacker is constantly back to square one, unable to retrieve all the data or key fragments simultaneously.
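The fragment example above can be sketched in a few lines. This is an added illustration, not CryptoMove's code or algorithm: it assumes the simplest secret-sharing scheme (5-of-5 XOR sharing) as a stand-in, and the node names and function names are constructed for the example. Each epoch the fragments are re-randomized and moved, so fragments copied in different epochs no longer combine into the key.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes, n: int = 5) -> list[bytes]:
    """n-of-n XOR sharing: n-1 random fragments plus one that completes the XOR."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return shares + [reduce(xor_bytes, shares, secret)]


def combine(shares: list[bytes]) -> bytes:
    return reduce(xor_bytes, shares)


def refresh(shares: list[bytes]) -> list[bytes]:
    """Mutate every fragment with masks that XOR to zero, so the secret is unchanged."""
    masks = [secrets.token_bytes(len(shares[0])) for _ in shares[:-1]]
    masks.append(reduce(xor_bytes, masks))
    return [xor_bytes(s, m) for s, m in zip(shares, masks)]


def relocate(shares: list[bytes], nodes: list[str]) -> dict[str, bytes]:
    """Place each fragment on a distinct, randomly chosen node."""
    chosen = secrets.SystemRandom().sample(nodes, len(shares))
    return dict(zip(chosen, shares))


def staggered_theft(epochs: list[list[bytes]]) -> list[bytes]:
    """Model an intruder who copies fragment i during epoch i, one per epoch."""
    return [epoch[i] for i, epoch in enumerate(epochs)]


NODES = [f"node-{i}" for i in range(12)]  # constructed node names

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    epochs = [split(key)]
    for _ in range(4):
        epochs.append(refresh(epochs[-1]))
    print("placement this epoch:", sorted(relocate(epochs[-1], NODES)))
    print("same-epoch fragments recover key:", combine(epochs[-1]) == key)
    print("staggered fragments recover key:", combine(staggered_theft(epochs)) == key)
```

The defender, who reads all five fragments within one epoch, always recovers the key; the staggered collection yields random bytes, which is the "back to square one" effect in miniature.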

MTD flips the curve, unlike other marginal risk reductions

While data is a powerful illustration of moving target defense, the same paradigm shift can be applied to network security, OS-layer security, source code security, and every part of the security stack. To change the game in security, such a fundamental paradigm shift is needed.

2019: Moving target defense’s breakout year

This is the year that moving target defense really put itself on the map. Across the startup landscape, enterprise and government adoption, and academia, moving target defense is a central priority for security innovation. There are several notable developments in 2019 ushering in the moving target defense tsunami:

Devops and kubernetes:

SecDevOps, DevSecOps, DevOpsSec. Whatever you call it, it’s happening. In a big way. Organizations are adopting kubernetes at an incredible rate.

https://www.hpe.com/us/en/newsroom/blog-post/2019/06/pathfinder-insights-enablement-of-containers-and-rise-of-kubernetes.html

Kubernetes, cloud-native infrastructure, serverless, as well as CI/CD stacks lend themselves beautifully to moving target defense. As infrastructure comes and goes and is ephemeral by nature, there is a perfect opportunity to apply moving target defense principles. At CryptoMove, we’ve found repeatedly that some of our largest traction is around the transformation to kubernetes, CI/CD, and cloud native infrastructure.

  • Applying moving target defense to CI/CD — CryptoMove and CircleCI webinar
  • Moving target defense for kubernetes secrets management

The United States government and military have recognized the necessity of rapidly shifting to moving target defense as a national security priority

2019 has seen moving target defense elevated as an even bigger priority in the United States federal government and Department of Defense. Moving target defense has been a focus for some years now — in 2018 the Department of Defense Defense Intelligence Agency keynoted its annual conference on Data as a Weapons System with a discussion of moving target defense.

2019 DoDIIS keynote on moving target defense

Department of Homeland Security has been funding and researching moving target defense via its S&T group and Silicon Valley Innovation Program for some years. All that has continued in 2019 and grown dramatically.

In July 2019, the Department of Defense brought together a small group of leaders in moving target defense for a 2-day “moving target defense solutions day” event. CryptoMove was honored to participate. Put on by the Rapid Reaction Technology Office (RRTO), these solutions days are a way for the DOD to rapidly react to innovative technology trends. In its moving target defense needs statement, DOD stated:

“A cyber moving-target technique attempts to defend a system and increase the complexity of cyber-attacks by making the system less homogeneous, static, or deterministic. Instead of defending unchanging infrastructure by detecting, preventing, monitoring, tracking, or remediating threats, moving target defense makes the attack surface dynamic.”

DoD is looking for MTD technologies and capabilities in the following areas:

  • Data randomization
  • Scrambled Software
  • Randomized Runtime Environment
  • Dynamic Networks

A DoD moving target defense solutions day? Such a thing would have been hard to believe even as recently as last year.

Government and military focus can often be vital to driving new technology innovation across the economy, so this is a welcome prioritization for moving target defense industry watchers.

DoD’s DevSecOps initiative:

Further to the rapid expansion of kubernetes adoption across enterprises, the DoD as well is rapidly transforming its software stack to devops and kubernetes.

“If you don’t know what Kubernetes is, you should know. It is the future of software. There is nothing done today that does not involve Kubernetes.” - Nicolas Chaillan, Air Force Chief Software Officer

Air Force prioritization of moving target defense:

In addition to the Department of Defense, the Air Force too has increased its focus on moving target defense. Via AFWERX, which aims to drive innovation by working with startups and emerging technology companies, the Air Force has begun working with CryptoMove and its moving target defense solutions. Further, the Air Force has selected CryptoMove to showcase its moving target defense capabilities at the July 2019 Air Force Multi-Domain Operations event.

Moving target defense in the private sector — growing like a weed

In 2019, moving target defense is transforming how developers protect application secrets in the private sector, how organizations protect their endpoints, how teams secure their operating systems, how industrial and energy giants secure their OT networks, and more.

For CISOs, moving target defense is sometimes on the radar, although in 2019 it is still primarily known only to early adopters. Analysts like Gartner have mostly not focused on the area, although a small few have started quietly discussing and even sometimes publicly mentioning moving target defense as an emerging priority. Even NIST and supply chain standards bodies are starting to involve themselves more with moving target defense and its massive implications for security and risk.

In 2019, moving target defense startups have continued to innovate ahead of the market, getting better and better at packaging moving target defense solutions to problems that are must-solve priorities in today’s infrastructure environments. At CryptoMove, we are applying moving target defense to secrets management, a problem that plagues every devops stack, CI/CD pipeline, and kubernetes and cloud-native infrastructure, for hundreds of organizations. Dispel is innovating on network moving target defense and making a big impact in industrial and energy protection, among other things. Polyverse continues to expand its scrambling operating system moving target defense technology to countless machines. Morphisec keeps growing its moving target defense anti-malware technology across many endpoints.

Meanwhile, capital continues to flow into the moving target defense arena, with many unannounced funding rounds from great security investors.

Moving target defense vs quantum computers?

In 2019, quantum computers and the threat they pose to today’s encryption and security is on many people’s minds as not a question of if, but when. Tel Aviv University hosted its annual Cyberweek Conference in June 2019, where one of the main tracks was dedicated to the quantum threat to encryption and security and explored the viability of moving target defense as a counter to quantum threats.

MTD in academia — beyond theories to practice and measurement

Moving target defense continues to be a focus in academia, with new papers and research constantly underway. The 2019 moving target defense ACM conference will be held in London in November. A recent paper in May 2019 focused on surveying various moving target defense techniques. Further, there is a new emphasis in moving target defense academic research on threat modeling, attack graphs, risk modelling, and quantification of moving target defenses. This will be vital to help security teams, CISOs, and their organizations make a case for investing resources in the moving target defense paradigm shift.

2020: Predictions — where will moving target defense go next year?

Each year, the progress around moving target defense surpasses expectations and predictions from the year prior. Here are a few predictions for the rest of 2019 and 2020.

  • Explicit top 3 priority: The next 6–18 months will see moving target defenses across the stack become a top 3 priority for all sorts of organizations, as increasingly sprawling static infrastructure will become untenable to defend. Analysts will be paying more attention and speaking out about moving target defense as well.
  • Moving target defense will drive infrastructure transformation and vice versa. Moving target defense paradigms will speed up and enable rapid transition to kubernetes, cloud native, and edge computing infrastructures. Like with CryptoMove’s secrets management solution for kubernetes, cloud, and SecDevOps, moving target defense will more and more become baked into critical pieces of the devops stack.
  • Standards and supply chain risk attention: moving target defense will start entering the conversation around standards and best practices for supply chain risk reduction in 2020, with bodies such as the Department of Defense and NIST influencing the adoption of moving target defense across supply chains.

And here are 2018 and 2017’s moving target defense recaps and predictions, if you’d like to go further down the rabbit hole:

In 2019, it is clear that moving target defense is the next step in the evolution of security. 2019 has shown that MTD is one of the last untapped areas of a new generation of security and no longer a luxury, but a necessity. While the future is difficult to predict — as it is a moving target — one thing remains clear: moving target defense is on the map in 2019 and here to stay.
