Today on the Microsoft Blog, Vinny Gullotto, general manager of the Microsoft Malware Protection Center, announced the release of the Microsoft Security Intelligence Report (SIR) volume 8. The SIR is a wide-ranging study of the evolving threat landscape, and addresses such topics as software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Microsoft creates the SIR to provide information that helps customers and partners better understand the problem of malicious software, so they can take appropriate action.
Volume 8 of the Security Intelligence Report (SIR v8) covers July 2009 through December 2009. It includes data derived from more than 500 million computers worldwide, each running Windows. It draws from a variety of sources, such as Forefront and some of the business Internet services, like Windows Live Hotmail and Bing.
The full report and a great interactive summary are available here, and here is a video of Vinny and Frank Simorjay discussing the report.
A key finding of the latest SIR is that cybercrime continues to mature as criminals model their operations on conventional business processes. Enterprise networks continue to be susceptible to worms while home users are more exposed to malware and socially engineered threats.
And criminals continue to package online threats into “kits” to maximize potential impact. The Eleonore browser exploit kit, for example, employs different exploits for browsers from several different vendors as well as popular application software frequently found on systems.
SIRv8 further confirms that attackers are now largely motivated by financial gain and rarely act alone. For example, malware creators seldom conduct attacks themselves but instead work with other criminals in online black markets to buy and sell malware kits and botnet access. Bot herders are also at the core of professional online threats, knitting together compromised machines into a dark version of a cloud computing network.
From Vinny’s blog post:
The telemetry data in SIR has shown consistently that the lowest infection rates are seen on computers running Windows Vista SP2 and Windows 7. Infection rates for both operating systems are less than half the infection rate for computers running Windows XP. Also, analyzing the attacks in affected Office program installations, we found that most attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.
So what can enterprises and individuals do to defend against the latest malware? Keeping current is essential. Use products developed with security in mind, install good anti-malware solutions, and make certain you are applying the latest software updates.
Finally, in this latest volume we introduced a section based on customer request called “Mitigation Strategies for Protecting Networks, Systems, and People.” This guidance section was developed by Bret Arsenault, Microsoft Chief Information Security Officer and it provides insight on how Microsoft implements our own defense in depth approach to security. We hope you find it valuable and applicable to your systems.
A while back I spoke with George Podolak, the IT director at Pei Cobb Freed & Partners. They are one of the world’s best-known architectural firms, perhaps most recognized for the glass pyramid at the Louvre in Paris. But, like all companies, they also have to be a security company, especially when it comes to protecting information about their clients’ projects. For that, Pei Cobb Freed looks to Forefront.
“Many of our largest or most public clients are very concerned about the security of their work,” said Podolak. “They don’t want to see their name or plans in print or out on the Internet before they’re ready.”
The company previously ran Symantec products for server and desktop security, but found them difficult to manage. Nor could they ensure that all of the firm’s PCs were up to date with security patches. In addition, the Symantec products didn’t address security related to outgoing traffic – employees caught in phishing scams, inadvertently going to malicious Web sites, or downloading malicious software.
“We were worried about someone downloading a keystroke logger or other malicious software. We needed to fully protect our intellectual property from that sort of thing,” said Podolak.
Podolak now relies on Forefront Protection Suite.
“Having one set of security products—the Forefront suite—across our entire infrastructure makes security easier to implement, easier to update—and that by itself makes us more secure. Our architects realize that the Forefront Security Suite is an essential element empowering their success,” he said.
They use Forefront Client Security for PC and server security and Forefront Security for Exchange and SharePoint to protect email and collaboration. Additionally, Forefront Threat Management Gateway provides URL filtering and Web-access policies to safeguard employees from malicious Web sites, malware, phishing traps, and similar threats that can steal information and corrupt personal computers.
“We’re doing a better job of managing risk. With the Forefront Security Suite, we’ve solidified protection across the organization, and we’ve eliminated doubts about it,” said Podolak.
Microsoft and RSA, the Security Division of EMC, recently commissioned a Forrester Consulting survey of enterprise security managers about information protection. The results are available in a white paper called "The Value of Corporate Secrets," available here on Microsoft.com - see Technical Resources. We issued a joint press release about it, too, available here. (Microsoft and RSA have a strategic partnership around information protection solutions, announced more than a year ago.)
The most interesting finding of the survey of 305 security decision makers around the world is that while enterprises are investing heavily in compliance and protection against accidental leaks of custodial data (such as customer information), they are under-investing in protection against theft of trade secrets (intellectual property), which is much more valuable.
“Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs. Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programs,” according to Forrester Consulting’s study. “But secrets comprise 62% of the overall information portfolio’s total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance.”
Below is a short video of RSA’s Sam Curry discussing the survey results.
The survey also revealed that while organizations focus on data security incidents related to accidental loss, information theft by employees or trusted outsiders is more costly. For example, based on responses received in the survey, employee theft of sensitive information is ten times costlier than accidental loss on a per-incident basis: hundreds of thousands of dollars versus tens of thousands.
Despite wide variation in security spending, in views on the value of information, and in the number of incidents, nearly every company rated its security controls as equally effective.
“Most enterprises do not actually know whether their data security programs work or not, other than by raw incident counting,” according to Forrester Consulting. “‘Compliance’ in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure.”
Read the white paper for recommendations from Forrester, Microsoft and RSA to better ensure your information security strategies are appropriately balanced, including:
Identify the most valuable data assets in your company's portfolio.
Create a "risk register" of data security risks that documents specific threat scenarios.
Assess and re-prioritize your IT security program's balance between compliance and trade secrets.
Increase vigilance of external and third-party business relationships.
Measure data security program effectiveness.