Microsoft gathers security data in a number of ways and formats, including its Security Intelligence Report, now conducted twice a year but potentially going quarterly.
Among the most frustrating findings for Arsenault: Just over half of all attacks originated from the .edu domain. "[That's] a fundamental problem," he said. "We've got to do a better job with the university systems to stop that."
As for geographically where attacks are coming from, all eyes are on China, the source of 380% more attacks than a year ago.
In terms of what kind of malware is showing up most often, Trojans are on the rise. Rootkits are raising their ugly heads, but fortunately, Arsenault said, they're so hard to write that they probably won't get too much worse.
On a positive note, Microsoft is seeing the amount of publicly exploitable code, at least for its own software, shrink. But Arsenault does sweat over whether there's really less exploitable code, or whether it's more a case of such code just being kept secret by nation states looking to wage cyberwar.
Microsoft also gets a read on security issues by holding CSO and CIO summits. Arsenault is executive host for the company's annual CSO Summit, at which 300 top CSOs, mostly from the United States, partake. Microsoft compares data from the two groups to determine whether security concerns are being taken seriously by CIOs.
In Microsoft's latest survey of CSOs, it found that protection is the top security issue (62%), followed by identity/access management (57%) and compliance (44% and falling in the rankings, a finding consistent among CIOs as well). Secure messaging/collaboration is among issues on the rise, as is application architecture ("The biggest question there is how far back you go in your code base," Arsenault added). Patch management ranked 6th on this list, with 29% citing it, though Arsenault says this topic ranked first about years ago.
Arsenault also spent a chunk of his talk discussing why Microsoft makes the security investment and partnership and technology decisions it does, and steps Microsoft has taken internally to shore up its security and protect its own intellectual property and systems.
He noted that decisions, such as what security products to include in an operating system, aren't always up to Microsoft given certain regulatory restrictions. Others, such as how to integrate security and management products, are also complex. He also discussed the requirement to weigh the needs of enterprises, small businesses and consumers, noting that security at the consumer level can have a big impact on enterprise security.
Arsenault isn't your typical Microsoft speaker. He prefaced his talk by noting that he has spent his entire career at the company outside of the profit and loss side of things and doesn't really care whether you buy Microsoft Forefront security products or technology from someone else (he even fessed up to using Quicken rather than MSN Money).
"I have a vested interest in reducing security risk in the overall environment so we don't slow down the computing stuff that's been going on or what you're doing over the Internet."