The thoughts and ramblings of Martin Mckeay

Month: August 2022

You don’t have to be an expert, but it helps – Team82 State of XIoT 1H22

Only one Too Long; Did Read post this week: The State of XIoT report for 1H 2022 by Claroty’s Team82. The content and analysis of this report are uneven. There is a lot to commend the team for, but also significant sections that left me shaking my head. This is a reimagining of previous reports, so I’m hopeful that future Claroty reports will build on the better aspects of this one.

Regwall: Yes, https://claroty.com/resources/reports/state-of-xiot-security-1h-2022

Target Audience: IoT (or XIoT) experts

Length & Read time: 35 pages, 30-60 minutes, longer if you are not an IoT expert. I finished reading the report in 75 minutes but required extra time to review some of the terminology and the Purdue Model.

Grade: B. Despite some parts being hard to digest, this has more going for it than most.

Overall Impression: I dislike the creation of new initialisms/acronyms in reports, but I think Claroty can get away with it this time. ‘XIoT’ stands for the Extended Internet of Things, meaning medical devices, video cameras, embedded devices, and a whole host of other general connected ‘things’. However, the report often uses the initialism for many of these things without clarifying what they mean and how they are used in the report. Lack of definition is a recurring theme of the report, from defining terms, to explaining the statistics used, to plots with no titles or captions.

Be prepared to spend some time identifying and understanding the most important parts of this report on your own. Most of the text is a reading of the visualizations, with confusing context and analysis. It may be because IoT/XIoT isn’t my main area of interest, but I think it’s because I don’t like having plots read at me. The writers left too much to the reader to figure out.

Despite the uneven delivery of the report, I still suggest reading it if you’re interested in IoT in its myriad forms. Several sections contain Key Events and are worth reading on their own. More than anything else, it’s the Mitigations/Remediations section I would point readers at, starting on page 22. Not only does Team82 give specific suggestions, they provide data to show why specific recommendations should be the reader’s priority. This section is why I think the report is above average, but in need of tender loving care and focus to make it truly shine.


I wanted to like this report, but … – Fortinet Global Threat Landscape Report 1H 2022

The Thursday edition of ‘Too Long; Did Read’ focuses on Fortinet’s Global Threat Landscape Report for the first half of 2022. In my experience, 7-8 weeks to go from data collection to a published report is a relatively tight deadline, but it means this data is still timely. I applaud Fortinet for making this report available without having to register, which is a rarity. The failure of this report is its use of the term “prevalence”. I suspect most readers have never seen this term used in its data science context, and no effort is made to clarify what it means. My suggestion is to read the text, but generally ignore the plots and graphs.

RegWall: No! https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-1h-2022.pdf

Target Audience: Technical, primarily for readers in the IPS space.

Length & Read time: 17 pages, 30-45 minutes. Taking notes, I spent 75 minutes with this report, with additional time researching prevalence in statistics.

Grade: C, average for the security industry.

Overall Impression: I was excited to read this report when I first saw it, but found myself becoming more confused as I read through the text and tried to make sense of the data visualizations. The Overview and Key Highlights section sums up the main talking points, but most lack the specificity I’d like to see.

If you only have a few minutes to devote to the report, read these sections: ‘Vulnerabilities in OT’, pages 7 & 8; ‘Ransomware Roundup’, pages 12-14. I also liked the review of wipers targeting Ukraine and spilling over into other countries, pages 14-16. But I can’t recommend the report due to its difficult-to-understand data representation choices.


Hidden Gems Amongst Too Much Text – Unit 42 Cloud Threat Report

My first report for this week’s ‘Too Long; Did Read’ is titled “Identity Access Management: The First Line of Defense” by Unit 42 and Prisma Cloud. The report is moderate in length at 19 pages, with significant intelligence scattered throughout. Technical readers who want more information about how cloud identities are being exploited will gain a lot from reading it, though it requires significant concentration to find the gems.

RegWall: Yes, https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-volume-six

Length/Read time: 19 pages in length, I suggest setting aside 60-90+ minutes to read in its entirety. I spent 2.5 hours reading the report and taking several pages of notes.

Overall Impression: Palo Alto Networks’ report is a solid contribution to the security knowledge base, but requires a significant effort to read and understand. The technical details don’t surface until the sixth page of the report, but come on strong until the conclusion. I enjoyed seeing links to external resources scattered throughout, allowing the reader to follow up on topics of interest. The target reader is a technical audience looking to learn more about Identity and Access Management (IAM), with language accessible to a much larger audience.

Like almost every report, there are things I’d change about the execution of this one. My primary criticisms are twofold. First, the report has too much text. I don’t think most readers have the time to sift through thousands of words to find the gems in the report. Second, the report lacks focus, a common criticism of mine. Reading the Foreword, Executive Summary, and Who’s Attacking the Cloud? sections doesn’t tell me what I, the reader, will gain by spending time deep in the report.

Once through the background and introduction of this report, it has a lot to offer. Start on page 6, read through page 16, skip the intro and conclusion. I give this volume of the Cloud Threat Report a grade of B+ overall.


451 Group on API Trends – Spot On, for the Intended Audience

Today’s post for ‘Too Long; Did Read’ is a review of the 2022 API Security Trends Report, written by Dan Kennedy of the 451 Group/S&P for Noname Security. Going forward I’ll add a couple more pieces of information to each post: is it behind a registration page, and how long a read is it. Alex (@alexanderjaeger) suggested the first, because many of us won’t fill in the fields needed to get to a report behind a regwall. The second I’m adding because the amount of time needed to read a report often influences whether it’s read or not. A 10-page report with one or two redeeming qualities can be easier to read than a 100-page report with buckets full of interesting stuff.

Overall Impression – For its target audience, this paper is one of the best I’ve read this year. It has significant analysis scattered throughout, it uses plots appropriately, and the colors are easy to read, for the most part. You have to keep in mind that this is an analyst’s report, so it’s based on survey data. I generally think of surveys as ‘soft data’ and do not hold this type of information in the same regard as data from logs, alerts, and other data taken directly from sensors. This is definitely a personal bias, but I’ve seen too many surveys done badly over the years.

The intended reader is anyone considering the future of APIs. This includes organizations creating the next wave of products, both engineers and marketing teams. CSOs who want to know their peers’ experience with current technologies will get a lot out of the API Security Trends Report, as will teams looking to better understand API protections before making a purchase. It is not for front-line blue/red teams or other security professionals who want deeply technical knowledge, which is not what we should expect from most analyst reports in the first place. I give this report a solid A.

Reg Wall: Yes – https://nonamesecurity.com/api-security-trends-report

Length / Read time: At 17 pages, this report took me 45 minutes to read and take notes on. A casual read should take 15-30 minutes.


On being critical of industry reports in security

Rather than writing another review today, this Tuesday’s essay is an exploration of what I’m looking for when reviewing a report.

I started the ‘Too Long: Did Read’ series of blog posts at the suggestion of a friend and former coworker. I have written, edited, and led the charge on over 30 industry reports, the majority with her help. She’s heard me critique the work of other organizations and be at least as critical of our own work many times over the years. “Why not use that experience as fuel for blog posts?”, she asked.

I’ve been following Verizon’s Data Breach Investigation Report (DBIR) since the first volume was published. I had the privilege of contributing to the report while working at Verizon and contributed data to the DBIR as part of my role at Akamai. I helped create the first version of Akamai’s State of the Internet / Security (SOTI) and led the effort through the beginning of 2022. What I’m getting at is that I’m not some rando talking smack about reports in the security industry. I have experience to draw from directly related to these reviews.

What am I looking for?

When I read any of the reports, there’s a laundry list of things I’m looking for. More than any other factor, I’m looking for a report that understands its audience and gives a compelling reason to read past the introduction. This may sound easy and obvious, but it is probably the single biggest thing most reports in our industry fail to do. I’ve failed to provide this in many of my own early efforts. The reader is being asked to spend one of their most precious commodities, time, so they need to know from the start that it will be time well spent.

Whether we’re talking about sales or writing a book, this is called the ‘hook’. No big surprise there; any good marketing or PR team will ask the author for this hook. It gives them a better idea of how to use the content and what press outlets or reporters to approach, and makes their own work more effective. In my experience, the hook should be the very first thing the reader sees! More important than the index, an introduction to the author, or any other part of the report, I want to see something that tells me why I should turn to page 2! A clear understanding of what the author is trying to educate the reader about is also one of the biggest things that will get a reader to open the PDF of your report in the first place.

I learned to ask myself one question after the writing was done, as the report went to design: What three things do I want my readers to walk away with if they quit reading after the first page of the report? These can be part of the introduction, as a standalone section next to the intro, or in some other form ON THE FIRST PAGE. There might be two bullet points or five, the count isn’t important. After you’ve written ten, twenty, or more pages, it’s easy to lose the core of your message in the fog of relief from getting the first draft completed.

What’s inside?

Once I know what the purpose of the report is, how well it communicates this purpose is next on the block. If I have read the first half dozen pages and still haven’t been able to divine its purpose, it’s a major failure. In the land of report writing, there’s no room for subtlety. Tell me what you’re going to tell me, tell it to me, then summarize it again at the end. Don’t hide your intelligence; make it as clear and straightforward as possible.

As I read through the pages, I need to know that the contents in the tin deliver on what the label advertised! If you’re selling your report as a technical treatise on DDoS attacks, I want to see in-depth information about attacks as quickly as possible. Sticking with a set format that starts the DDoS section on page 20 of a 50-page report is a recipe for failure. Not that I’ve ever done exactly that, of course. Even worse is when a report is really about a different topic than promised in the title, with only a nod to the title and introduction buried deep in the report.

How does it look?

Next, I look at the data visualizations: the plots, the charts, the diagrams used to reinforce the analysis in the report. Data visualization is a whole field on its own, and I can only brush against the surface of what there is to learn. I want to see charts that directly relate to the analysis on the page. I want charts that are readable by the widest audience possible. I want charts that tell stories beyond what’s in the analysis.

I absolutely hate plots that are simply window dressing and have nothing to do with the content and analysis! Space is at a premium, time is valuable, so why waste both with something that offers nothing to the reader? If the author isn’t presenting analysis or providing additional meaning from an image in the report, why is it there? Having created a beautiful visualization isn’t a good enough reason to include the image if it doesn’t further the story. Personally, I want graphics to have descriptions and figure numbers as much as possible. I like to include additional analysis in the description, but that might not work for all authors.

I’m a huge advocate for using a Color Blind Friendly (CBF) palette. I have family, friends, and former co-workers who have various degrees and types of color blindness, and the thought of producing a report that doesn’t take that into account is anathema to me. Approximately 5% of the population is color blind, and more people suffer from color deficiency, a very similar problem. Color is also an incredibly valuable method of conveying information, so be sure to make the most of it. Coloring for Colorblindness by David Nichols is a good starting point for more information on making accessible plots.

Similarly, unless your audience is other data scientists, I prefer simple plots wherever possible. River plots, dot plots, violin charts, matrix plots and all the other complex graphics are appealing to other data viz geeks, but indecipherable to the average reader. Most readers will skip a plot they have to struggle with rather than learn something from it. I once spent a page and a half of a 30-page report explaining how to read a river plot many years ago and learned this lesson the hard way.

Stick to bar charts, line plots, and other visualizations most readers can understand at a glance. I’ll even include pie charts in this suggestion, but only if the data has four or fewer data points that are highly dissimilar. This means you can’t use a pie chart to show data with 20 different points, each less than 5% of the total. A table might not be pretty but is much more accessible and educational for a reader.

It’s okay to use more complex plots, but only with forethought and a clear understanding of the point you’re trying to make. I strongly recommend reading ‘The Truthful Art’ by Alberto Cairo or ‘Storytelling with Data’ by Cole Nussbaumer Knaflic as good starting points. Data-Driven Security by Jacobs & Rudis is great for domain specific visualization. Yes, Mr. Tufte was once considered groundbreaking for his visualizations, but there are plenty of authors more in tune with current technology and methods of communicating data visually.

The Bottom Line

I could write a book on the topic of industry reports. I could, but it would be crap. Do expect more blog posts on the topic in the future; there’s still much more I could wax poetic about. Instead, I’d like to leave you with three questions an author should be asking as they begin the process of writing:

  • Who am I writing for? An executive rarely has time to read more than the introduction, while the red team wants all the juicy details of the latest attack type. Write appropriately for your audience.
  • What do I want them to walk away thinking about? I cannot stress enough that if you haven’t communicated your primary message in the first 500 words, you’ve probably lost half your audience. If you can’t tell a reporter why your publication is important to their audience, the chance of coverage for your story drops dramatically.
  • Have I communicated my findings well? Whether it’s the analysis or the graphics in a report, if they leave the reader confused, you’ve failed at your most important task.

One last thing: A good editor is your best friend when it comes to writing! And like any good friend, they may sometimes tell you your baby is ugly. At least you can throw your first draft in the garbage and start over, unlike a baby.

’50 Shades of Blue’ or ‘Red Hot Mess’ from CyberTheory

My ‘Too Long; Did Read’ review of the ‘CISO Engagement and Decision Drivers Study’ from CyberTheory is, by necessity, much more negative than I’m generally comfortable writing, but it truly deserves the treatment. Despite the title of the study, it barely talks about engagement with CISOs in any meaningful way. It might be useful to a Marketing team, but is almost impossible to decipher and misses its target. Due to the colors chosen for the plots and graphs of the report, any hope of the reader drawing intelligence from the study is quickly drowned in a sea of blue ink.

To be clear, I’ve worked with and known much of the team at the Cyentia Institute and respect them greatly. I’ve followed their work for years and know what they’re capable of. I wouldn’t spend the time needed to read the report from front to back and comment on it if I didn’t know, beyond a shadow of a doubt, they are capable of something much better than what’s shown in this report. Please look away, Wade and team!

Overall Impression – When I review a report, I’m examining three aspects: A) What data is the report drawing on, B) How was the data analyzed, and C) How was the data visualized. I’m also looking at how it was laid out and edited, but that’s generally a minor part of my analysis. The CISO Engagement report fails, or nearly fails, on every one of these measurements. The data and the visualizations are rendered useless by the color choice, and the analysis is window dressing with key words thrown into the mix. I’m looking for guidance on how to use the data, rather than generic SEO feedback.

Who should read this? Marketing and content creation teams might gain some insight from this report. It is primarily aimed at people trying to connect to CISOs after all. I would suggest that marketing teams skip straight to page 22 (or is it 39?) and the section titled ‘Reaching Your Audience’. There are a significant number of ‘Marketing Takeaways’ that may contain nuggets of wisdom for their consumption.

Security professionals should avoid reading this report. We’re not the target. If you’re interested to see what an SEO driven content team thinks will grab your attention, dive in. But you’d better like blue and cyan, because there are no other colors to choose from in the CISO Engagement study.


Great information in need of polish from Meta

My next review for ‘Too Long: Did Read’ is Meta’s Adversarial Threat Report, Second Quarter 2022. I’d seen the ATR (best initialism I can think of) before and find the work by the Meta team to be exemplary in content, though it is far from the most polished report I’ve read. I chose it in large part because it is so very different from the PwC report I reviewed last week.

Overall Impression – If you’re a defender looking for more information about the threats social media organizations face right now, this is definitely for you. It has an appendix at the end of the report listing their public threat indicators, including domains to block and YARA rules for your use. The report uses a very simplistic layout, which is mostly in its favor.

The content has plenty of information for beginning and mid-career responders. It might not be as interesting to experienced defenders who have other avenues to get the same information. If you’re in one of the many intelligence sharing groups in our industry, this information is probably already available to you.

While the content of the report is excellent, it needs more copy editing and better layout. It’s clearly a labor of love by the technical teams at Meta, rather than a marketing team trying to make an impression. This is aimed at a technical audience and not something you’re likely to be talking about with the CSO or other executives; they’ll want you to do something with the information, not take their time with the specifics.


PwC Survey – Decent report, too little analysis

I’m repurposing the initialism ‘TL: DR’ to mean ‘Too Long: Did Read’. I have been writing industry reports since 2015 and reading them far longer, which gives me a wealth of experience to assess the content of industry reports so you don’t have to.

I’m kicking off this series with the PwC’s Global Economic Crime and Fraud Survey 2022. I found this report while reading Lori MacVittie’s monthly newsletter, The Tech Menagerie. As my friends in Boston would say, Lori is ‘wicked smaht’ and someone you should follow. Note: none of my friends actually talk like that unless they’re making fun of their own home town.

Overall impression – This is not a cybersecurity report; it’s a report for CFOs, CMOs, and other executives looking for information about fraud in the industry. It’s worth reading for a security professional because it reflects the concerns those executives are worried about. Survey data is one of my least favorite ways to build a report, but PwC is correct in framing this as opinions, rather than facts.

My key takeaway from the report is the rising concern about hackers and cybercrime among executives across all industries. My key complaint is the lack of analysis in the report. ‘Here’s the data’ is different from ‘Here’s what the data means.’ I’d give this report a solid B, which could have been an A with additional analysis.


Daughter + Dad: Coming out as transgender

This post was originally published on March 31, 2022 on the Snyk blog, Daughter + Dad: Coming Out As Transgender

My daughter came out to my wife and me as a transgender individual nearly five years ago. It was a shocking revelation, as we’d always thought about her future in terms of male things, like being a father. But that was not the road she needed to travel. Our job as her parents is to help her live the best life possible, even when it wasn’t what we expected. 

I’ll refer to my daughter simply as ‘A’ for the rest of this article. She’s sitting next to me, helping to make sense of what we’ve been through. Putting this into words is helping me understand what she experienced and gives her more context about my experiences. More than anything, she wants people to understand that being trans is not a choice, it’s a realization that enables you to make sense of many things in hindsight.

When did you know you were transgender?

A: There was no singular incident or experience that revealed to me that I am trans. It was more of an evolution that allowed me to make sense of other decisions and trends in my life. I never liked traditionally masculine things, like sports. I never felt the aggression some children display. But I wasn’t into things that are feminine or ‘girly’ either, so there wasn’t a defining “girl’s toys” childhood experience that made me realize things didn’t fit. I mostly just played video games or read, neither of which we saw as heavily gendered. 

Martin: We’re a family of geeks. We like computers, board games, role playing and tons of other geeky things. We don’t place a lot of importance on what most people consider traditionally masculine or feminine roles. We also never considered our child might not like the gender she was assigned at birth. 

A: There was nothing wrong with the life I was living, but there was a growing feeling of discomfort I felt being male. There was just a feeling slowly building in the background. It took me many years to understand what that tension was and to admit to myself that it wasn’t just a phase I’d outgrow. I spent many sleepless nights thinking about being trans, took every test on the internet I could find about being trans, but finally realized it’s who I am. By the way, all those tests suck; if you’re taking one of these tests, you probably already know the answer you want.

Being trans wasn’t a choice as my father thinks of it. It was an inevitability that existed outside of any choice I could make. I was trans, my only choice was to acknowledge it or continue to fight it my whole life.

Coming out

A: Once I decided to come out to my parents, it was nerve wracking. The experience wasn’t everything I’d hoped it would be. I’d been thinking about being trans and revealing it to them for years. I’d hoped they would celebrate the decision with me. My parents didn’t do that.

They asked me questions like, “Are you sure? Is this just a phase? Can you put this decision off until after college?” They didn’t reject me, cast me out, or make me experience any of the worst case scenarios others have had to deal with, but they also didn’t immediately accept who I am, and it hurt.

Martin: We were scared, there’s no other way to put it. Our child had just told us they wanted (or needed) to change their gender, and that they were no longer going to follow major parts of the life plan we expected from them. We were confused. 

We could have handled the situation better, but we did the best we could based on our own life choices. Both my wife and I are comfortable with traditional gender roles and learning our child was going to eschew those roles in favor of something that is guaranteed to make their life more difficult was a hard adjustment to make. As were a thousand other factors, not the least of which was a new name and pronoun.

A: I would have kept the name you gave me if it had been gender-neutral!

How do you feel now?

A: One of the biggest aides to my mental health was finding a group of people who were also trans or LGBTQ+ to hang out with at college. Surrounding myself with people who are friends, who don’t have the implied judgment of my parents, who have had similar experiences was a big relief as I explored my new life. I didn’t have to perform for them like I felt I needed to for the rest of the world. 

I was honestly a little resentful of my parents for not immediately accepting my coming out. My parents have worked hard at using the right pronoun and name, which helps a lot. At first my nerves were open and raw when people used the wrong gender or name. As time goes by and I’m more comfortable in my own body, I’m growing less sensitive to those mistakes — and, thankfully, they happen less and less often.

Martin: I dislike being constantly corrected, and for the first year after her revelation, I had to be corrected in my use of name and pronoun almost every day. I didn’t have the time to adjust to the thought of having a daughter that she’d had, and resented having to adjust everything I’d framed my mental image of my child around. It was HARD!

But I had to learn, had to adjust, had to make room for her to be who she is. I have a life of my own, I can’t force her to be the person I thought she should be. This is her life, to make the best of, to make mistakes in, and to learn from. I can’t take this away from her. So I changed my thoughts, my words, my actions. Eventually.

Lessons learned

A: I understand why my parents were scared; it’s a scary, scary world for trans people. That’s not their fault or mine, it’s just the way it is. I don’t like it that way, and believe we have a responsibility to change it. The political and legal machinations we see every day are aimed at making it harder to be trans. Internationally, there are significant efforts to curtail the rights of transgender individuals. Wherever there are efforts that impact the rights of trans individuals, to make it harder to come out, or to make being trans illegal, we need to take action and defend trans and LGBTQ+ rights as a whole. I want the world to be better than it is, not simply accept that some things cannot be changed.

Martin: Parenting is hard! Even under the best of circumstances, raising a child is difficult and has never been done perfectly in the history of humanity. And yet, somehow we continue, generation after generation.

Having my worldview upended over the course of a 30 minute conversation was painful. Both my wife and I have made mistakes in dealing with the new reality of having a trans child. We’ve done our best, but sometimes that’s not enough. I hope other parents in the same circumstances understand that it’s okay to falter, to have doubts about your child’s evolution, to wish for a return to the path you had always envisioned for our child. But you also have to provide support, realize it’s their life, and our job as parents is to be there for them through a very stressful experience.

Our understanding of what we thought the future would bring was turned upside-down. The best thing I can do is reassure my daughter I’ll always love them, no matter what gender they are. We’re slowly finding a new baseline for our relationship.

Both: Thank you for reading this to the end. It was more emotionally difficult and draining than either of us imagined it would be. We also learned a lot writing it and hope you did too. This article barely scratches the surface of what it means to be trans or have a trans child. We intentionally kept to the surface levels of the experience, it’s a still evolving story we may add more detail to in the future.

Once more unto the breach, dear friends!

Welcome to the latest iteration of the Network Security Blog! I have been blogging in one form or another since early 2000, first creating a hand coded page, then Moveable Type, and several versions of WordPress. I mostly abandoned the blog in favor of writing for my employer in 2016 (Hello, State of the Internet Security report!) but it’s now time to pick up the quill again for my own entertainment.

Unluckily, much of what I wrote before was unrecoverable, or at least I haven’t figured out how to recover it yet. I’ll keep at it, so you may see old posts coming back to life. And when I reread those archival posts, you might be able to see my blush from orbit. What was I thinking, those 20 years ago!?

I hope you’ve enjoyed my past writing and look forward to sharing my thoughts once again.