The thoughts and ramblings of Martin Mckeay

Category: TL: DR

You don’t have to be an expert, but it helps – Team82 State of XIoT 1H22

Only one Too Long; Did Read post this week: a review of The State of XIoT report for 1H 2022 by Claroty’s Team82. The content and analysis of this report was uneven. There is a lot to commend the team for, but also significant sections that left me shaking my head. This is a reimagining of previous reports, so I’m hopeful that future Claroty reports will build on the better aspects of this one.

Regwall: Yes, https://claroty.com/resources/reports/state-of-xiot-security-1h-2022

Target Audience: IoT (or XIoT) experts

Length & Read time: 35 pages, 30-60 minutes, longer if you are not an IoT expert. I finished reading the report in 75 minutes but required extra time to review some of the terminology and the Purdue Model.

Grade: B. Despite some parts being hard to digest, this has more going for it than most.

Overall Impression: I dislike the creation of new initialisms/acronyms in reports, but I think Claroty can get away with it this time. ‘XIoT’ stands for the Extended Internet of Things, meaning medical devices, video cameras, embedded devices, and a whole host of other general connected ‘things’. However, the report often uses the initialism for many of these things without clarifying what they mean and how they are used in the report. Lack of definition is a recurring theme of the report, from defining terms, to explaining the statistics used, to plots with no titles or captions.

Be prepared to spend some time identifying and understanding the most important parts of this report on your own. Most of the text is a reading of the visualizations, with confusing context and analysis. It may be because IoT/XIoT isn’t my main area of interest, but I think it’s because I don’t like having plots read at me. The writers left too much to the reader to figure out.

Despite the uneven delivery of the report, I still suggest reading it if you’re interested in IoT in its myriad forms. Several sections contain Key Events and are worth reading on their own. More than anything else, it’s the Mitigations/Remediations section I would point readers at, starting on page 22. Not only does Team82 give specific suggestions, they provide data to show why specific recommendations should be the reader’s priority. This section is why I think the report is above average, but in need of tender loving care and focus to make it truly shine.


I wanted to like this report, but … – Fortinet Global Threat Landscape Report 1H 2022

The Thursday edition of ‘Too Long; Did Read’ focuses on Fortinet’s Global Threat Landscape Report for the first half of 2022. In my experience, 7-8 weeks to go from data collection to a published report is a relatively tight deadline, but it means this data is still timely. I applaud Fortinet for making this report available without having to register, which is a rarity. The failure of this report is the use of the term “prevalence”. I suspect most readers have never seen this term used in its data science context, and no effort is made to clarify what it means. My suggestion is to read the text, but generally ignore the plots and graphs.

RegWall: No! https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-1h-2022.pdf

Target Audience: Technical, primarily for readers in the IPS space.

Length & Read time: 17 pages, 30-45 minutes. Taking notes, I spent 75 minutes with this report, with additional time researching prevalence in statistics.

Grade: C, average for the security industry.

Overall Impression: I was excited to read this report when I first saw it, but found myself becoming more confused as I read through the text and tried to make sense of the data visualizations. The Overview and Key Highlights section sums up the main talking points, but most lack the specificity I’d like to see.

If you only have a few minutes to devote to the report, read these sections: ‘Vulnerabilities in OT’, pages 7 & 8; ‘Ransomware Roundup’, pages 12-14. I also liked the review of wipers targeting Ukraine and spilling over into other countries, pages 14-16. But I can’t recommend the report due to its difficult-to-understand data representation choices.


Hidden Gems Amongst Too Much Text – Unit 42 Cloud Threat Report

My first report for this week’s ‘Too Long; Did Read’ is titled “Identity Access Management: The First Line of Defense” by Unit 42 and Prisma Cloud. The report is moderate in length at 19 pages, with significant intelligence scattered throughout. Technical readers who want more information about how cloud identities are being exploited will gain a lot from reading it, though it requires significant concentration to find the gems.

RegWall: Yes, https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-volume-six

Length/Read time: 19 pages in length; I suggest setting aside 60-90+ minutes to read it in its entirety. I spent 2.5 hours reading the report and taking several pages of notes.

Overall Impression: Palo Alto Networks’ report is a solid contribution to the security knowledge base, but requires a significant effort to read and understand. The technical details don’t surface until the sixth page of the report, but come on strong until the conclusion. I enjoyed seeing links to external resources scattered throughout, allowing the reader to follow up on topics of interest. The target reader is a technical audience looking to learn more about Identity and Access Management (IAM), with language accessible to a much larger audience.

Like almost every report, there are things I’d change about the execution of this report. My primary criticisms are twofold. First, the report has too much text. I don’t think most readers have the time to sift through thousands of words to find the gems in the report. Second, the report lacks focus, a common criticism of mine. Reading the Foreword, Executive Summary, and Who’s Attacking the Cloud? sections doesn’t tell me what I, the reader, will gain by spending time deep in the report.

Once through the background and introduction of this report, it has a lot to offer. Start on page 6, read through page 16, skip the intro and conclusion. I give this volume of the Cloud Threat Report a grade of B+ overall.


451 Group on API Trends – Spot On, for the Intended Audience

Today’s post for ‘Too Long; Did Read’ is a review of the 2022 API Security Trends Report, written by Dan Kennedy of the 451 Group/S&P for noname Security. Going forward I’ll add a couple more pieces of information to each post: is it behind a registration page, and how long of a read is it? Alex (@alexanderjaeger) suggested the first, because many of us won’t fill in the fields needed to get to a report behind a regwall. The second I’m adding because the amount of time needed to read a report often influences whether it’s read or not. A 10-page report with one or two redeeming qualities can be easier to read than a 100-page report with buckets full of interesting stuff.

Overall Impression – For its target audience, this paper is one of the best I’ve read this year. It has significant analysis scattered throughout, it uses plots appropriately, and the colors are easy to read, for the most part. You have to keep in mind that this is an analyst’s report, so it’s based on survey data. I generally think of surveys as ‘soft data’ and do not hold this type of information in the same regard as data from logs, alerts, and other data taken directly from sensors. This is definitely a personal bias, but I’ve seen too many surveys done badly over the years.

The intended reader is anyone considering the future of APIs. This includes organizations creating the next wave of products, both engineers and marketing teams. CSOs who want to know their peers’ experience with current technologies will get a lot out of the API Security Trends Report, as will teams looking to better understand API protections before making a purchase. It is not for front-line blue/red teams or other security professionals who want deeply technical knowledge, which is not what we should expect from most analyst reports in the first place. I give this report a solid A.

Reg Wall: Yes – https://nonamesecurity.com/api-security-trends-report

Length / Read time: At 17 pages, this report took me 45 minutes to read and take notes on. A casual read should take 15-30 minutes.


On being critical of industry reports in security

Rather than writing another review today, this Tuesday’s essay is an exploration of what I’m looking for when reviewing a report.

I started the ‘Too Long: Did Read’ series of blog posts at the suggestion of a friend and former coworker. I have written, edited, and led the charge on over 30 industry reports, the majority with her help. She’s heard me critique the work of other organizations and be at least as critical of our own work many times over the years. “Why not use that experience as fuel for blog posts?”, she asked.

I’ve been following Verizon’s Data Breach Investigation Report (DBIR) since the first volume was published. I had the privilege of contributing to the report while working at Verizon and contributed data to the DBIR as part of my role at Akamai. I helped create the first version of Akamai’s State of the Internet / Security (SOTI) and led the effort through the beginning of 2022. What I’m getting at is that I’m not some rando talking smack about reports in the security industry. I have experience to draw from directly related to these reviews.

What am I looking for?

When I read any of the reports, there’s a laundry list of things I’m looking for. More than any other factor, I’m looking for a report that understands its audience and gives a compelling reason to read past the introduction. This may sound easy and obvious, but it is probably the single biggest thing most reports in our industry fail to do. I’ve failed to provide this in many of my own early efforts. The reader is being asked to spend one of their most precious commodities, time, so they need to know from the start it will be time well spent.

Whether we’re talking about sales or writing a book, this is called the ‘hook’. No big surprise there; any good marketing or PR team will ask the author for this hook. It gives them a better idea of how to use the content and what press outlets or reporters to approach, and makes their own work more effective. In my experience, the hook should be the very first thing the reader sees! More important than the index, an introduction to the author, or any other part of the report, I want to see something that tells me why I should turn to page 2! A good understanding of what the author is trying to educate the reader about is also going to be one of the biggest things that will get a reader to open the PDF of your report in the first place.

I learned to ask myself one question after the writing was done, as the report went to design: What three things do I want my readers to walk away with if they quit reading after the first page of the report? These can be part of the introduction, as a standalone section next to the intro, or in some other form ON THE FIRST PAGE. There might be two bullet points or five, the count isn’t important. After you’ve written ten, twenty, or more pages, it’s easy to lose the core of your message in the fog of relief from getting the first draft completed.

What’s inside?

Once I know what the purpose of the report is, how well it communicates this purpose is next on the block. If I have read the first half dozen pages and still haven’t been able to divine its purpose, it’s a major failure. In the land of report writing, there’s no room for subtlety. Tell me what you’re going to tell me, tell it to me, then summarize it again at the end. Don’t hide your intelligence; make it as clear and straightforward as possible.

As I read through the pages, I need to know that the contents in the tin deliver on what the label advertised! If you’re selling your report as a technical treatise on DDoS attacks, I want to see in-depth information about attacks as quickly as possible. Sticking with a set format that starts the DDoS section on page 20 of a 50-page report is a recipe for failure. Not that I’ve ever done exactly that, of course. Even worse is when a report is really about a different topic than promised in the title, with only a nod to the title and introduction buried deep in the report.

How does it look?

Next, I look at the data visualizations: the plots, the charts, the diagrams used to reinforce the analysis in the report. Data visualization is a whole field on its own, and I can only brush against the surface of what there is to learn. I want to see charts that directly relate to the analysis on the page. I want charts that are readable by the widest audience possible. I want charts that tell stories beyond what’s in the analysis.

I absolutely hate plots that are simply window dressing and have nothing to do with the content and analysis! Space is at a premium, time is valuable, so why waste both with something that offers nothing to the reader? If the author isn’t presenting analysis or providing additional meaning from an image in the report, why is it there? Having created a beautiful visualization isn’t a good enough reason to include the image if it doesn’t further the story. Personally, I want graphics to have descriptions and figure numbers as much as possible. I like to include additional analysis in the description, but that might not work for all authors.

I’m a huge advocate for using a Color Blind Friendly (CBF) palette. I have family, friends, and former co-workers who have various degrees and types of color blindness, and the thought of producing a report that doesn’t take that into account is anathema to me. Approximately 5% of the population is color blind, and more people suffer from color deficiency, a very similar problem. Color is also an incredibly valuable method of conveying information, so be sure to make the most of it. Coloring for Colorblindness by David Nichols is a good starting point for more information on making accessible plots.

Similarly, unless your audience is other data scientists, I prefer simple plots wherever possible. River plots, dot plots, violin charts, matrix plots and all the other complex graphics are appealing to other data viz geeks, but indecipherable to the average reader. Most readers will skip a plot they have to struggle with rather than learn something from it. I once spent a page and a half of a 30-page report explaining how to read a river plot many years ago and learned this lesson the hard way.

Stick to bar charts, line plots, and other visualizations most readers can understand at a glance. I’ll even include pie charts in this suggestion, but only if the data has four or fewer data points that are highly dissimilar. This means you can’t use a pie chart to show data with 20 different points, each less than 5% of the total. A table might not be pretty but is much more accessible and educational for a reader.

It’s okay to use more complex plots, but only with forethought and a clear understanding of the point you’re trying to make. I strongly recommend reading ‘The Truthful Art’ by Alberto Cairo or ‘Storytelling with Data’ by Cole Nussbaumer Knaflic as good starting points. Data-Driven Security by Jacobs & Rudis is great for domain specific visualization. Yes, Mr. Tufte was once considered groundbreaking for his visualizations, but there are plenty of authors more in tune with current technology and methods of communicating data visually.

The Bottom Line

I could write a book on the topic of industry reports. I could, but it would be crap. Do expect more blog posts on the topic in the future; there’s still much more I could wax poetic about. Instead, I’d like to leave you with three questions an author should be asking as they begin the process of writing:

  • Who am I writing for? An executive rarely has time to read more than the introduction, while the red team wants all the juicy details of the latest attack type. Write appropriately for your audience.
  • What do I want them to walk away thinking about? I cannot stress enough that if you haven’t communicated your primary message in the first 500 words, you’ve probably lost half your audience. If you can’t tell a reporter why your publication is important to his audience, the chance of coverage for your story drops dramatically.
  • Have I communicated my findings well? Whether it’s the analysis or the graphics in a report, if they leave the reader confused, you’ve failed at your most important task.

One last thing: A good editor is your best friend when it comes to writing! And like any good friend, they may sometimes tell you your baby is ugly. At least you can throw your first draft in the garbage and start over, unlike a baby.

’50 Shades of Blue’ or ‘Red Hot Mess’ from CyberTheory

My ‘Too Long; Did Read’ review of the ‘CISO Engagement and Decision Drivers Study’ from CyberTheory is, by necessity, much more negative than I’m generally comfortable writing, but it truly deserves the treatment. Despite the title of the study, it barely talks about engagement with CISOs in any meaningful way. It might be useful to a Marketing team, but is almost impossible to decipher and misses its target. Due to the colors chosen for the plots and graphs of the report, any hope of the reader drawing intelligence from the study is quickly drowned in a sea of blue ink.

To be clear, I’ve worked with and known much of the team at the Cyentia Institute and respect them greatly. I’ve followed their work for years and know what they’re capable of. I wouldn’t spend the time needed to read the report from front to back and comment on it if I didn’t know, beyond a shadow of a doubt, they are capable of something much better than what’s shown in this report. Please look away, Wade and team!

Overall Impression – When I review a report, I’m examining three aspects: A) What data is the report drawing on, B) How was the data analyzed, and C) How was the data visualized. I’m also looking at how it was laid out and edited, but that’s generally a minor part of my analysis. The CISO Engagement report fails, or nearly fails, on every one of these measurements. The data and the visualizations are rendered useless by the color choice, and the analysis is window dressing with key words thrown into the mix. I’m looking for guidance on how to use the data, rather than generic SEO feedback.

Who should read this? Marketing and content creation teams might gain some insight from this report. It is primarily aimed at people trying to connect to CISOs after all. I would suggest that marketing teams skip straight to page 22 (or is it 39?) and the section titled ‘Reaching Your Audience’. There are a significant number of ‘Marketing Takeaways’ that may contain nuggets of wisdom for their consumption.

Security professionals should avoid reading this report. We’re not the target. If you’re interested to see what an SEO-driven content team thinks will grab your attention, dive in. But you’d better like blue and cyan, because there are no other colors to choose from in the CISO Engagement study.


Great information in need of polish from Meta

My next review for ‘Too Long: Did Read’ is Meta’s Adversarial Threat Report, Second Quarter 2022. I’d seen the ATR (best initialism I can think of) before and find the work by the Meta team to be exemplary in content, though it is far from the most polished report I’ve read. I chose it in large part because it is so very different from the PwC report I reviewed last week.

Overall Impression – If you’re a defender looking for more information about the threats social media organizations face right now, this is definitely for you. It has an appendix at the end of the report listing their public threat indicators, including domains to block and YARA rules for your use. The report uses a very simplistic layout, which is mostly in its favor.

The content has plenty of information for beginning and mid-career responders. It might not be as interesting to experienced defenders who have other avenues to get the same information. If you’re in one of the many intelligence sharing groups in our industry, this information is probably already available to you.

While the content of the report is excellent, it needs more copy editing and better layout. It’s clearly a labor of love by the technical teams at Meta, rather than a marketing team trying to make an impression. This is aimed at a technical audience and not something you’re likely to be talking about with the CSO or other executives; they’ll want you to do something with the information, not take their time with the specifics.


PwC Survey – Decent report, too little analysis

I’m repurposing the initialism ‘TL: DR’ to mean ‘Too Long: Did Read’. I have been writing industry reports since 2015 and reading them far longer, which gives me a wealth of experience to assess the content of industry reports so you don’t have to.

I’m kicking off this series with the PwC’s Global Economic Crime and Fraud Survey 2022. I found this report while reading Lori MacVittie’s monthly newsletter, The Tech Menagerie. As my friends in Boston would say, Lori is ‘wicked smaht’ and someone you should follow. Note: none of my friends actually talk like that unless they’re making fun of their own home town.

Overall impression – This is not a cybersecurity report; it’s a report for CFOs, CMOs, and other executives looking for information about fraud in the industry. It’s worth reading for a security professional because it reflects the concerns those executives are worried about. Survey data is one of my least favorite ways to build a report, but PwC is correct in framing this as opinions, rather than facts.

My key takeaway from the report is the rising concern about hackers and cybercrime among executives across all industries. My key complaint is the lack of analysis in the report. ‘Here’s the data’ is different from ‘Here’s what the data means.’ I’d give this report a solid B, which could have been an A with additional analysis.
