The media is abuzz over news from Microsoft that the security threat from Zero-Day exploits is “overblown” and that companies should therefore reevaluate their priorities. This commentary from Microsoft derives from their assessment of data collected as part of their Security Intelligence Report (SIR) volume 11.
My advice? Take Microsoft’s advice on this point, carefully write it down in a memo, tear it up and throw it out the window.
Microsoft’s reasoning for this advice is that Zero-Day exploits count for less than one percent of attacks. This isn’t a lie or a damn lie, it’s beyond that – it’s a statistic – a statistic that desperately needs to be considered in its proper context.
Many current enterprises have thousands, tens of thousands, or even hundreds of thousands of security alerts coming from their SIEMs on a daily basis. If even a fraction of these represent real threats, how many of those represent Zero-Day attacks? The important piece of information missing from this ill-advised commentary is the risk associated with Zero-Day attacks. Even if they are a small fraction of overall attacks, they are a significant component in a much higher percentage of successful, targeted and advanced persistent threat (APT) attacks. The majority of attacks are blind, non-targeted attacks – highly unlikely to exfiltrate your company’s secrets.
Should we dismiss Aurora? Stuxnet? Because these attacks represent less than one percent of all exploits? Microsoft released SIR at an RSA conference (Oh the irony!).
Yes, there are lots of threats companies deal with and some probably deserve more attention than they get, but companies that have done their due diligence in other ways and have generally good security are rightfully searching for ways to mitigate or prevent Zero-Days. Advice that downplays the threat that Zero-Days pose just won’t do anybody any good.