Tracking incident alerts: Is 24 trillion a large number?

Which sounds bigger – a thousand billion or a million million? Ahh, what’s it matter? A trillion is a really big number, right? Well, if someone wanted to count to a trillion it would take them almost 32,000 years according to at least one internet estimate. To a computer, counting to a trillion is trivial. Over the past few years, Microsoft has taken to promoting the number of “security signals” they monitor on a daily basis, and that number is up to 24 trillion, or a trillion an hour – trivial, especially when you have the power of the internet behind you.

How many security detection failures is too many?

Why does this matter? In many business quality programs like Six Sigma, it is common to target “five nines” or 99.999% as a measure of quality. That’s one defect in 100,000. In IT, five nines of availability translates to downtime of just over 5 minutes a year. Now, let’s talk about security signals.

Here are some of the specific “signals” Microsoft identifies in various communications. (Some are a bit vague for my taste, and they bounce from distinct controls to a mix of activity and content):

  • Devices scanned
  • Authentication events
  • Azure user accounts assessed
  • Petabytes of data scanned
  • Web pages scanned
  • Malware detected
  • Emails analyzed

Now, if we translate a five-nines approach for quality to Microsoft’s security signals, it would allow for over 200,000 detection failures a day. Put another way, Microsoft could have ten nines of quality and still have two security signal failures a day, or around 700 a year. We can only speculate at how many incidents that might lead to. (The most optimistic of us would point to this being a good reason for defense-in-depth.)

What are your quality expectations for your control environment?

Of course, it is in Microsoft’s best interest to make that number as large as possible (it was about 8 trillion just 18 months or so ago), but you can guarantee it is huge. Of course, in a world where a million still seems like a very large number, everything is huge. It’s time to start looking at our tools to figure out how we can collect these numbers as well. It doesn’t have to be difficult. Most solutions out there provide some sort of measurement. (As I indicated in a previous column, it seems difficult, but that’s not really true.)

You might wonder why I care so much about crazy-sounding numbers like these. The answer is: I know a lot of dedicated, excellent cybersecurity professionals who are fighting a battle that is much more complex than people realize. The odds are against us, literally, but still we are essentially judged in the court of public opinion (and sometimes by senior management) based solely on whether a breach occurs.

Years ago, I was one of those people who would assert in presentations and group settings that “when we are successful, nothing happens.” That couldn’t be further from the truth. It’s time to start counting, folks.

Copyright © 2022 IDG Communications, Inc.
