In yesterday's article I detailed some interesting results from the latest Microsoft Security Intelligence Report from the Key Findings Summary. I've now made it through several more sections and wish to highlight some more interesting data.
In the section titled "Malware and Potentially Unwanted Software" (starting on page 49, which is page 73 of the PDF), Microsoft presents many interesting statistics. They break down the infection rate by country (geolocated by IP), by Microsoft OS version (XP SP3 through Windows 7 SP1, including Server 2003 SP2 and Server 2008 R2) and bitted-ness (32 bit vs 64 bit), and threat categories by country. They also present statistics on rogue security software, a.k.a. "scareware."
Most interesting to me, however, is the discussion of home vs. enterprise threats that starts at the bottom of page 66 (PDF page 90). By separating the data from its MSRT software into domain-joined vs. non-domain-joined computers, Microsoft is able to present a view of the differences between the home and the enterprise. What is most interesting is that in the enterprise, the top threat category (approximately one-third of all threats) is worm-related. On the home side, the top category (approximately one-third of all threats) is adware. I sort of expected adware/spyware to be at the top of the list for home users, but based on data we gather from our enterprise network security monitoring (NSM) customers, I expected the same to hold true for the corporate world.
So what does this mean for enterprise NSM? I don't know for sure. My first guess is that traditional network-based IDS is not as good at detecting worm traffic once it gets on the inside of the network, whereas it is quite a bit easier to detect adware/spyware that is going out to the Internet to retrieve advertisements (or transmit browsing histories). Almost all of our customers place TRUE's NSM devices at the Internet< ->internal boundary, so perhaps my expectations are an artifact of that placement.