The unexamined life - missing metrics of malware

David Perry, Trend Micro

There are so many metrics, so many stats produced in this industry, and almost all of them are produced for our (the vendors') purposes. We look to prove the effectiveness of scanning, the reach and scope of a particular attack, but our metrics are centred in our own world view. For years I have been asked salient questions by reporters, by the general public, and by listeners on radio and in person that are nowhere addressed by our industry.

While we all report vulnerabilities as they are disclosed, we never follow up as to whether these vulnerabilities go on to become attacks. What percentage of vulnerabilities actually become malware? Is there a measurable window for attack after the disclosure of a particular vulnerability? How many of those that reach proof of concept actually move on to a genuine malicious attack? We may be able to extrapolate statistics like these from the known data, but they are not 'saleable' in our normal business - the only people such data would serve would be the general public and computer users everywhere. In other words, the people who need help most desperately.
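To make the questions above concrete, here is an added example (not part of the abstract or of Trend Micro's work) that computes the three metrics from per-vulnerability lifecycle records: the disclosure date, the first public proof-of-concept date if any, and the first date malware was seen using the flaw if any. The record layout, the field names and the six sample records are all constructed placeholders, not real vulnerabilities.

```python
"""Computing the 'missing metrics' of malware from vulnerability lifecycle records.

Added example; the record schema and all sample dates are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                          # placeholder identifier, not a real CVE
    disclosed: date                       # date of public disclosure
    poc_seen: Optional[date] = None       # first public proof of concept, if any
    malware_seen: Optional[date] = None   # first in-the-wild malware using it, if any


# Constructed sample data (hypothetical values chosen to exercise every path).
SAMPLE: List[VulnRecord] = [
    VulnRecord("VULN-0001", date(2024, 1, 10), date(2024, 1, 12), date(2024, 1, 20)),
    VulnRecord("VULN-0002", date(2024, 2, 3), date(2024, 2, 18), None),
    VulnRecord("VULN-0003", date(2024, 3, 1), None, None),
    VulnRecord("VULN-0004", date(2024, 3, 15), date(2024, 3, 16), date(2024, 5, 30)),
    VulnRecord("VULN-0005", date(2024, 4, 2), None, date(2024, 4, 5)),
    VulnRecord("VULN-0006", date(2024, 5, 20), date(2024, 6, 1), None),
]


def weaponization_rate(records: List[VulnRecord]) -> float:
    """Fraction of disclosed vulnerabilities that were later seen in malware."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.malware_seen) / len(records)


def poc_to_malware_rate(records: List[VulnRecord]) -> float:
    """Among vulnerabilities with a public proof of concept, the fraction that
    went on to be used by genuine malware."""
    with_poc = [r for r in records if r.poc_seen]
    if not with_poc:
        return 0.0
    return sum(1 for r in with_poc if r.malware_seen) / len(with_poc)


def exposure_windows(records: List[VulnRecord]) -> List[int]:
    """Days from disclosure to first malware sighting, weaponized vulns only."""
    return sorted((r.malware_seen - r.disclosed).days
                  for r in records if r.malware_seen)


def median_window(records: List[VulnRecord]) -> Optional[float]:
    """Median attack window in days, or None if nothing was weaponized."""
    windows = exposure_windows(records)
    return median(windows) if windows else None


def share_weaponized_within(records: List[VulnRecord], days: int) -> float:
    """Of all disclosed vulnerabilities, the fraction weaponized within `days`
    of disclosure. This is the figure a patching deadline can be set against."""
    if not records:
        return 0.0
    hits = sum(1 for r in records
               if r.malware_seen and (r.malware_seen - r.disclosed).days <= days)
    return hits / len(records)


if __name__ == "__main__":
    print(f"weaponized:            {weaponization_rate(SAMPLE):.0%}")
    print(f"PoC -> malware:        {poc_to_malware_rate(SAMPLE):.0%}")
    print(f"windows (days):        {exposure_windows(SAMPLE)}")
    print(f"median window (days):  {median_window(SAMPLE)}")
    print(f"weaponized <= 30 days: {share_weaponized_within(SAMPLE, 30):.0%}")
```

One caveat a practitioner would want noted: a record with `malware_seen` set to `None` only means no malware has been observed yet, so the rates above are lower bounds until the observation period closes, and the windows are biased toward the quickly weaponized flaws. Any published version of these metrics should state the observation cut-off alongside the numbers.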

This presentation will report which metrics the researchers and I can create and map, and will discuss the possible methods of obtaining them and what use they can be to the public at large.