<?xml version="1.0" encoding="UTF-8" standalone="no"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" version="2.0">

<channel>
	<title>Network Security Blog</title>
	<atom:link href="https://mckeay.net/feed/" rel="self" type="application/rss+xml"/>
	<link>https://mckeay.net/</link>
	<description>The thoughts and ramblings of Martin Mckeay</description>
	<lastBuildDate>Tue, 30 Aug 2022 16:43:33 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
<site xmlns="com-wordpress:feed-additions:1">209325662</site>	<itunes:explicit>no</itunes:explicit><itunes:summary>Join me as I spend 30 minutes each week talking about the computer security issues facing us today. I discuss privacy, hacking, malware and the Payment Card Industry (PCI) Data Security Standards.</itunes:summary><itunes:subtitle>Join me as I spend 30 minutes each week talking about the computer security issues facing us today. I discuss privacy, hacking, malware and the Payment Card Industry (PCI) Data Security Standards.</itunes:subtitle><itunes:category text="Technology"><itunes:category text="Tech News"/></itunes:category><itunes:author>Martin McKeay</itunes:author><itunes:owner><itunes:email>netsecpodcast@mckeay.net</itunes:email><itunes:name>Martin McKeay</itunes:name></itunes:owner><item>
		<title>You don’t have to be an expert, but it helps – Team82 State of XIoT 1H22</title>
		<link>https://mckeay.net/you-dont-have-to-be-an-expert-but-it-helps-team82-state-of-xiot-1h22/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=you-dont-have-to-be-an-expert-but-it-helps-team82-state-of-xiot-1h22</link>
		
		
		<pubDate>Tue, 30 Aug 2022 16:43:29 +0000</pubDate>
				<category><![CDATA[TL: DR]]></category>
		<category><![CDATA[Claroty]]></category>
		<category><![CDATA[industry report]]></category>
		<category><![CDATA[IoT]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=74</guid>

					<description><![CDATA[<p>Only one Too Long; Did Read post this week, The State of XIoT report for 1H 2022 by Claroty&#8217;s Team82. The content and analysis of this report was uneven. There is a lot to commend the team for, but also significant sections that left me shaking my head. This is a reimagining of previous reports, [&#8230;]</p>
<p>The post <a href="https://mckeay.net/you-dont-have-to-be-an-expert-but-it-helps-team82-state-of-xiot-1h22/">You don&#8217;t have to be an expert, but it helps &#8211; Team82 State of XIoT 1H22</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Only one Too Long; Did Read post this week, The State of XIoT report for 1H 2022 by Claroty&#8217;s Team82. The content and analysis of this report was uneven. There is a lot to commend the team for, but also significant sections that left me shaking my head. This is a reimagining of previous reports, so it&#8217;s hopeful that future Claroty reports will build on the better aspects of this one.</p>



<p><strong>Regwall</strong>: Yes, https://claroty.com/resources/reports/state-of-xiot-security-1h-2022</p>



<p><strong>Target Audience</strong>: IoT (or XIoT) experts</p>



<p><strong>Length &amp; Read time</strong>: 35 pages, 30-60 minutes, longer if you are not an IoT expert. I finished reading the report in 75 minutes but required extra time to review some of the terminology and the Purdue Model.</p>



<p><strong>Grade:</strong> B. Despite some parts being hard to digest, this has more going for it than most.</p>



<p><strong>Overall Impression</strong>: I dislike the creation of new initialisms/acronyms in reports, but I think Claroty can get away with it this time. &#8216;XIoT&#8217; stands for the Extended Internet of Things, meaning medical devices, video cameras, embedded devices, and a whole host of other general connected &#8216;things&#8217;. However, the report often uses the initialism for many of these things without clarifying what they mean and how they are used in the report. Lack of definition is a recurring theme of the report, from defining terms, to explaining the statistics used, to plots with no titles or captions.</p>



<p>Be prepared to spend some time identifying and understanding the most important parts of this report on your own. Most of the text is a reading of the visualizations, with confusing context and analysis. It may be because IoT/XIoT isn&#8217;t my main area of interest, but I think it&#8217;s because I don&#8217;t like having plots read at me. The writers left too much to the reader to figure out.</p>



<p>Despite the uneven delivery of the report, I still suggest reading it if you&#8217;re interested in IoT in its myriad forms. Several sections contain Key Events and are worth reading on their own. More than anything else, it&#8217;s the Mitigations/Remediations section I would point readers at, starting on page 22. Not only does Team82 give specific suggestions, they provide data to show why specific recommendations should be the reader&#8217;s priority. This section is why I think the report is above average, but in need of tender loving care and focus to make it truly shine.</p>



<span id="more-74"></span>



<p><strong>The Good</strong>: Let&#8217;s start with the low-hanging fruit. The Team82 report clearly credits the contributions of the researchers, writers, and data scientists who worked on the effort, which is not as common as it should be. The visualizations are generally clear, though there&#8217;s more than a few to cover in the next section of the review. The report sticks with simple visualizations, mainly donut and bar charts. It is a visually pleasing report in most ways. Its layout almost makes some sections into ready-to-use slides. The colors chosen for the plots make them accessible and are color-blind friendly, though the variation of colors in the donut charts is confusing.</p>



<p>As mentioned before, the Mitigation/Remediations section and four Key Events segments are what makes the report above average. We&#8217;re past a time when the security events that could happen are just something we theorize about. From the Russia-Ukraine war to ransomware attacks, we&#8217;re seeing attacks on a daily basis that affect real businesses and real people.</p>



<p>I like the Team82 section of the report; it highlights the group&#8217;s technical knowledge without diving into a marketing spin. A report should show off the author&#8217;s expertise, but not blatantly scream &#8216;Buy our product!&#8217;. That said, the section belongs further down in the report. Showing off the data and findings should always come first.</p>



<p>While the report is 35 pages in length, at least 8 pages are separators and the covers, which means it&#8217;s really closer to 25 pages of content. Even at that, it&#8217;s not a short report and there are plenty of sections that need extra time to digest. The text isn&#8217;t too dense, but it requires some concentration to read.</p>



<p><strong>The Bad:</strong> The report is very uneven in its delivery of intelligence and how the various sections relate to each other. The data is represented unclearly in many cases, with loosely related data being represented together without an attempt at defining the different threads. In my view, multiple sections are mislabeled and don&#8217;t fit the function they advertise.</p>



<p>The Executive Summary isn&#8217;t a summary at all; it&#8217;s an opening statement that fails at telling the reader what&#8217;s most important in the report. Too much time is spent on the opening arguments, without really telling the reader what they&#8217;ll get out of the report. It does tell us who should read it, but not why. I&#8217;m very keen on telling the reader from the first page what I want them to take from a report and highlighting the primary talking points I want them to know. The Executive Summary is more akin to a first research section than it is a summary.</p>



<p>One of the initialisms from the report, IoMT, is first used in the donut chart on page 5, but the term isn&#8217;t defined until page 15. And I still don&#8217;t know what the author&#8217;s definition of &#8216;IT&#8217; is. Even if this is meant for experts in IoT, any initialism or acronym should be spelled out the first time it&#8217;s used. I might even argue that &#8216;XIoT&#8217; should have been defined on the cover.</p>



<p>The figures aren&#8217;t numbered, with many lacking a title or caption. The donut chart on page 6 lacks both caption and title. While you can tease out which of the talking points to the left it refers to, you shouldn&#8217;t have to. The same page is a good example of missing analysis in many parts of the report. Four different boxes of text are displayed with no clear relationship and a plot lacking context to give it meaning. This is all still in the Executive Summary.</p>



<p>Readers should be clearly shown how the data, the plots, and the analysis are intertwined in a good report. In this case the reader is left to their own devices far too often. Page 26 typifies my concern, with a series of percentages that are dropped onto the page with almost no supporting text.</p>



<p>While the Mitigation/Remediations section was very good, the Recommendations section simply presents the same talking points without the benefit of the data. I think the two sections should have been combined into one, with a single page summary of the report at the end.</p>



<p>Overall, the Team82 report on XIoT is an instrument built of strong materials, but in need of polishing and another generation of design work. It has several very strong sections that may never get read because it loses the reader almost immediately. Kind of like these TL;DR posts.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">74</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>I wanted to like this report, but … – Fortinet Global Threat Landscape Report 1H 2022</title>
		<link>https://mckeay.net/i-wanted-to-like-this-report-but-fortinet-global-threat-landscape-report-1h-2022/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=i-wanted-to-like-this-report-but-fortinet-global-threat-landscape-report-1h-2022</link>
		
		
		<pubDate>Thu, 25 Aug 2022 18:27:11 +0000</pubDate>
				<category><![CDATA[TL: DR]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[industry report]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[TTPs]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=71</guid>

					<description><![CDATA[<p>The Thursday edition of &#8216;Too Long; Did Read&#8217; focuses on Fortinet&#8217;s Global Threat Landscape Report for the first half of 2022. In my experience, 7-8 weeks to go from data collection to a published report is a relatively tight deadline, but it means this data is still timely. I applaud Fortinet for making this report [&#8230;]</p>
<p>The post <a href="https://mckeay.net/i-wanted-to-like-this-report-but-fortinet-global-threat-landscape-report-1h-2022/">I wanted to like this report, but &#8230; &#8211; Fortinet Global Threat Landscape Report 1H 2022</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Thursday edition of &#8216;Too Long; Did Read&#8217; focuses on Fortinet&#8217;s Global Threat Landscape Report for the first half of 2022. In my experience, 7-8 weeks to go from data collection to a published report is a relatively tight deadline, but it means this data is still timely. I applaud Fortinet for making this report available without having to register, which is a rarity. The failure of this report is the use of the term, &#8220;prevalence&#8221;. I suspect most readers have never seen this term used in its data science context and no effort is made to clarify what it means. My suggestion is to read the text, but generally ignore the plots and graphs.</p>



<p>RegWall: No! <a href="https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-1h-2022.pdf" target="_blank" rel="noreferrer noopener">https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-1h-2022.pdf</a></p>



<p>Target Audience: Technical, primarily for readers in the IPS space.</p>



<p>Length &amp; Read time: 17 pages, 30-45 minutes. Taking notes, I spent 75 minutes with this report, with additional time researching prevalence in statistics.</p>



<p>Grade: C, average for the security industry.</p>



<p>Overall Impression: I was excited to read this report when I first saw it, but found myself becoming more confused as I read through the text and tried to make sense of the data visualizations. The Overview and Key Highlights section sums up the main talking points, but most lack the specificity I&#8217;d like to see.</p>



<p>If you only have a few minutes to devote to the report, read these sections: &#8216;Vulnerabilities in OT&#8217;, pages 7 &amp; 8; &#8216;Ransomware Roundup&#8217;, pages 12-14. I also liked the review of wipers targeting the Ukraine and spilling over into other countries, pages 14-16. But I can&#8217;t recommend the report due to difficult to understand data representation choices.</p>



<span id="more-71"></span>



<p>The Good: As mentioned above, there are a few sections that buoy this report. Figure 5 uses the idea of prevalence in a way that&#8217;s understandable, unlike how it&#8217;s expressed elsewhere in the report. The TTPs table uses color well, highlighting how often different types of techniques are used. I like figure 12, a map of the countries affected by the wipers tied to the Russia-Ukraine war. As a product of the US education system, I&#8217;m aware that many of us have a hard time remembering where European countries are in relationship to each other. I&#8217;ve been to all the countries highlighted and still need to look at the map.</p>



<p>The report has a large number of links leading to other resources. Half lead to other Fortinet reports or posts, half take the reader to organizations like MITRE and FIRST. I&#8217;m generally happy to see readers given an opportunity to learn more. It&#8217;s clear a lot of knowledge and experience has gone into the report.</p>



<p>The Bad: I am not a data scientist and I&#8217;m the first to admit there are significant holes in my education on the topic. But I believe I have significantly more experience with data science than the majority of readers targeted by the Global Threat Landscape Report. Which is why, when I started seeing the term &#8216;prevalence&#8217; used with Figure 2 and beyond, I was confused. I&#8217;ve never seen it used in another report in the security industry. I didn&#8217;t know what it meant in context, I didn&#8217;t understand the significance of the percentage, and I still don&#8217;t understand the specifics of how it was used in the various visualizations.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>In statistics, prevalence is the proportion of individuals in a population who have a specific characteristic at a certain time period.</p><cite>Statology, <a href="https://www.statology.org/prevalence-in-statistics/" target="_blank" rel="noreferrer noopener">https://www.statology.org/prevalence-in-statistics/</a></cite></blockquote>



<p>I understand the standard English definition of &#8216;prevalence&#8217; as &#8216;commonness&#8217;. But used as a percentage measurement for exploits, vulnerabilities, etc. it&#8217;s hard to make sense of. When it&#8217;s used in Figure 5 and shows &#8216;1 in 10K&#8217; on the axis, it makes sense, but every other use of &#8216;prevalence&#8217; is confusing. I like drawing my own conclusions and over half the plots are useless for generating your own analysis. I found reading these visualizations a very frustrating effort.</p>



<p>The paper lacks credits and a methodology section, both of which I expect to see in a report. A few paragraphs spent explaining how the data was collected, how &#8216;prevalence&#8217; was calculated, and what the percentages mean would have made a large part of my complaints moot. Even with an explanation, I don&#8217;t think prevalence is the best way to represent the data used, but I&#8217;m open to hearing more.</p>



<p>Rather than having a conclusion, this report titles its closing section &#8216;Ending on a High Note&#8217;. A more accurate description would be &#8216;Ending with a Marketing Call to Action&#8217;. It doesn&#8217;t summarize any of the intelligence in the report and there are no conclusions; it&#8217;s a CTA section, pure and simple. Marketing is a valuable part of any enterprise, but a report is better served highlighting the intelligence and experience of the team. If a reader finds value in your intelligence, they&#8217;ll look at your product without being hit on the head with product pitches.</p>



<p>Please, please, please, honor the work of the authors by crediting them publicly in future reports.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">71</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>Hidden Gems Amongst Too Much Text – Unit 42 Cloud Threat Report</title>
		<link>https://mckeay.net/hidden-gems-amongst-too-much-text-unit-42-cloud-threat-report/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=hidden-gems-amongst-too-much-text-unit-42-cloud-threat-report</link>
		
		
		<pubDate>Tue, 23 Aug 2022 18:09:17 +0000</pubDate>
				<category><![CDATA[TL: DR]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=69</guid>

					<description><![CDATA[<p>My first report for this week&#8217;s &#8216;Too Long; Did Read&#8217; is titled &#8220;Identity Access Management: The First Line of Defense&#8221; by Unit 42 and Prisma Cloud. The report is moderate in length at 19 pages, with significant intelligence scattered throughout. Technical readers who want more information about how cloud identities are being exploited will gain [&#8230;]</p>
<p>The post <a href="https://mckeay.net/hidden-gems-amongst-too-much-text-unit-42-cloud-threat-report/">Hidden Gems Amongst Too Much Text &#8211; Unit 42 Cloud Threat Report</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>My first report for this week&#8217;s &#8216;Too Long; Did Read&#8217; is titled &#8220;Identity Access Management: The First Line of Defense&#8221; by Unit 42 and Prisma Cloud. The report is moderate in length at 19 pages, with significant intelligence scattered throughout. Technical readers who want more information about how cloud identities are being exploited will gain a lot from reading it, though it requires significant concentration to find the gems.</p>



<p><strong>RegWall</strong>: Yes, <a href="https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-volume-six" target="_blank" rel="noreferrer noopener">https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-volume-six</a></p>



<p><strong>Length/Read time:</strong> 19 pages in length; I suggest setting aside 60-90+ minutes to read it in its entirety. I spent 2.5 hours reading the report and taking several pages of notes.</p>



<p><strong>Overall Impression</strong>: Palo Alto Networks&#8217; report is a solid contribution to the security knowledge base, but requires a significant effort to read and understand. The technical details don&#8217;t surface until the sixth page of the report, but come on strong until the conclusion. I enjoyed seeing links to external resources scattered throughout, allowing the reader to follow up on topics of interest. The target reader is a technical audience looking to learn more about Identity and Access Management (IAM), with language accessible to a much larger audience.</p>



<p>Like almost every report, there are things I&#8217;d change about the execution of this report. My primary criticisms are twofold. First, the report has too much text. I don&#8217;t think most readers have the time to sift through thousands of words to find the gems in the report. Second, the report lacks focus, a common criticism of mine. Reading the Foreword, Executive Summary, and Who&#8217;s Attacking the Cloud? sections doesn&#8217;t tell me what I, the reader, will gain by spending time deep in the report.</p>



<p>Once through the background and introduction of this report, it has a lot to offer. Start on page 6, read through page 16, skip the intro and conclusion. I give this volume of the Cloud Threat Report a grade of B+ overall.</p>



<span id="more-69"></span>



<p><strong>The Good:</strong> I love the fact that this report links to external resources for the reader. There are multiple links to other research by the same team, a plus in my view, but it&#8217;s the links to MITRE, NIST, etc. that add weight to the already good analysis.</p>



<p>There are a pair of diagrams that show the methodology used in attacks, well supported by the text. The remaining visualizations are simple, but useful. I&#8217;ll take a simple plot I can read at a glance over a complex plot I have to examine at length to understand. I also like the &#8216;Key Takeaway&#8217; listed for each of the threat actors later in the report. The tables of TTPs associated with each of the threat actors are a mixed bag, mostly because the tables span more than one page.</p>



<p>This report also contains two things I always look for, a methodology section and credits listing the contributors and researchers by name. The methodology section isn&#8217;t expansive, but it shouldn&#8217;t have to be. Explaining the details of where the data comes from tells a reader a lot about how the conclusions were reached. I see too many reports that draw conclusions from very small data sets. Crediting the authors helps them build their own reputation, which is valuable for their careers. It shows support for the individual and gives a reader a name to reach out to if they disagree with the analysis. Or am I the only one who does that?</p>



<p><strong>The Bad:</strong> The report is too text heavy and lacks a clear understanding of what it&#8217;s trying to communicate to the reader. As an example, the Foreword is the first thing a reader sees, and it spends nearly half its text talking about a former report. The Executive Summary is not a summary and doesn&#8217;t accurately portray the contents. In the first of the four &#8216;summations&#8217;, I would have written &#8220;<strong>Cloud identities are too permissive &#8211; 99% of the cloud users, roles, services, and resources were granted excessive permissions.</strong>&#8221; Leave that big, bold and simple, leave the exposition to the relevant section of the report.</p>



<p>On a related note, I think the report misses an opportunity by burying an important statistic deep in the report. &#8220;62% of organizations have cloud resources publicly exposed.&#8221; Coupled with the previous point about excessive permissions, this would help create a story a reporter could run with. Maybe getting press coverage isn&#8217;t one of the priorities for the report, but telling a reader a compelling story always should be.</p>



<p>The Conclusion and Recommendations section is weak. Pulling most of a segment from an external resource detracts from the research. In this case, why lean on Gartner language and suggestions when there is more strength in showing your own analysis? I would have dropped the first and last conclusions, keeping the &#8216;Focus on Hardening IAM Permissions&#8217; one, which is more in line with the majority of the contents.</p>



<p>My criticisms are meant to point to how future reports could be made more impactful and more readable. The burden on the reader to wade through the report means a significant portion of readers may never read past the first few pages. Which means they&#8217;ll never get to the juicy stuff in the middle and end of the research. It&#8217;s a good report overall, but lacks focus and clarity on what&#8217;s being communicated to a reader, hence a B+ rating.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">69</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>451 Group on API Trends – Spot On, for the Intended Audience</title>
		<link>https://mckeay.net/451-group-on-api-trends-spot-on-for-the-intended-audience/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=451-group-on-api-trends-spot-on-for-the-intended-audience</link>
		
		
		<pubDate>Thu, 18 Aug 2022 18:42:45 +0000</pubDate>
				<category><![CDATA[TL: DR]]></category>
		<category><![CDATA[APIs]]></category>
		<category><![CDATA[Survey]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=66</guid>

					<description><![CDATA[<p>Today&#8217;s post for &#8216;Too Long; Did Read&#8217;, is a review of the 2022 API Security Trends Report, written by Dan Kennedy of the 451 Group/S&#38;P for noname Security. Going forward I&#8217;ll add a couple more pieces of information to each post: Is it behind a registration page and how long of a read is it. [&#8230;]</p>
<p>The post <a href="https://mckeay.net/451-group-on-api-trends-spot-on-for-the-intended-audience/">451 Group on API Trends &#8211; Spot On, for the Intended Audience</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Today&#8217;s post for &#8216;Too Long; Did Read&#8217; is a review of the <a href="https://nonamesecurity.com/api-security-trends-report" target="_blank" rel="noreferrer noopener">2022 API Security Trends Report,</a> written by Dan Kennedy of the 451 Group/S&amp;P for noname Security. Going forward I&#8217;ll add a couple more pieces of information to each post: is it behind a registration page, and how long a read is it? Alex (@alexanderjaeger) suggested the first, because many of us won&#8217;t fill in the fields needed to get to a report behind a regwall. The second I&#8217;m adding because the amount of time needed to read a report often influences whether it&#8217;s read or not. A 10-page report with one or two redeeming qualities can be easier to read than a 100-page report with buckets full of interesting stuff.</p>



<p><strong>Overall Impression</strong> &#8211; For its target audience, this paper is one of the best I&#8217;ve read this year. It has significant analysis scattered throughout, it uses plots appropriately, and the colors are easy to read, for the most part. You have to keep in mind that this is an analyst&#8217;s report, so it&#8217;s based on survey data. I generally think of surveys as &#8216;soft data&#8217; and do not hold this type of information in the same regard as data from logs, alerts, and other data taken directly from sensors. This is definitely a personal bias, but I&#8217;ve seen too many surveys done badly over the years.</p>



<p>The intended reader is anyone considering the future of APIs. This includes organizations creating the next wave of products, both engineers and marketing teams. CSOs who want to know their peers&#8217; experience with current technologies will get a lot out of the API Security Trends Report, as will teams looking to better understand API protections before making a purchase. It is not for front-line blue/red teams or other security professionals who want deeply technical knowledge. Which is not what we should expect from most analyst reports in the first place. I give this report a solid A.</p>



<p><strong>Reg Wall</strong>: Yes &#8211; <a href="https://nonamesecurity.com/api-security-trends-report" target="_blank" rel="noreferrer noopener">https://nonamesecurity.com/api-security-trends-report</a></p>



<p><strong>Length / Read time</strong>: At 17 pages, this report took me 45 minutes to read and take notes on. A casual read should take 15-30 minutes.</p>



<span id="more-66"></span>



<p><strong>The Good</strong> &#8211; It may sound like faint praise, but this report knows who its audience is, caters to their needs simply and effectively, and does not get caught up in trying to be something else. But my praise isn&#8217;t faint; I&#8217;d say the majority of the reports in our industry suffer from too many cooks in the kitchen, none of them knowing what the final goal for the report is. In my opinion, being an analyst makes this much easier, because the job centers around knowing your audience and how to reach them.</p>



<p>Each section contains at least one piece of analysis that shows why specific findings are important. This is another issue that sounds like it should be a given, but far too many reports simply read the statistics and don&#8217;t tell you what they mean. None of the analysis is groundbreaking, but that is not the purpose of the report. Here&#8217;s just one example of a statistic being highlighted, and then the author telling us why the statistic matters.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>The ability to inventory critical APIs ranked fourth (51%) in the list of concepts associated with API security, which might seem low in the collection of concerns because it is the first step in securing APIs. After all, one cannot provide security risk mitigation unless there’s an understanding of what’s being secured. However, its ranking may be due to the fact that users consider discovery a commodity or necessary feature of API security tools, and thus table stakes when deciding among API security providers.</p><cite>Dan Kennedy, 2022 API Security Trends Report</cite></blockquote>



<p>The choices of data visualizations are basic, simple, and exactly what is needed to highlight the data effectively. Bar charts, donut graphs, and horizontal stacked bar charts are the only types of visualizations used in the report. Every donut graph and horizontal stacked bar chart is limited to three data points, allowing them to be read at a glance. While I like seeing more complex visualizations, I&#8217;d rather see reports use the simple plots effectively.</p>



<p>In the first few pages of the report we receive a short list of the key findings, though the placement is deeper in the report than I like to see (page 4). Consider these as well-placed hooks to get you to read further into the report in order to find out what they actually mean. The introduction sets the stage for the analysis, but you could easily skip it without decreasing the value you get from the report.</p>



<p>One of the things I greatly appreciate about this report is that every plot is accompanied by the questions asked in the survey and the sample size received. All too often we see any form of methodology section missing from reports. In my opinion, the way the questions are phrased to the respondents is almost as important as the responses. At best, badly done surveys miss their mark and skew the results. At worst, bad survey questions make any findings unusable or misleading. Yes, I&#8217;m looking at you, Pikachu and your Pokemon buddies.</p>



<p><strong>The Bad</strong> &#8211; Most of the negatives I found in the report are minor and simply offer room for improvement for the next report. I love that Dan Kennedy is clearly being given credit for the report. But this shouldn&#8217;t be the first thing the reader sees. Credits belong at the end. Use the premium space at the beginning of the report for the Key Findings or the main topics you want the reader to walk away with.</p>



<p>The color choices for the pie charts and stacked charts are questionable. I&#8217;m not sure if the difference between greens is distinct enough to be readable by a color blind audience. But to be fair, the plots are simple and each includes the percentages represented, making the report readable without relying on color as a method of conveying information.</p>



<p><strong>Final thoughts</strong> &#8211; I&#8217;ve long thought that the controls most organizations have around APIs were largely non-existent or ineffective. The 2022 API Security Trends Report doesn&#8217;t say much about how widespread protections are, but it does make it clear many organizations are worried about the effectiveness of what they have in place today. I believe this report is worth reading if you are even slightly curious about the perception of API protections today.</p>
<p>The post <a href="https://mckeay.net/451-group-on-api-trends-spot-on-for-the-intended-audience/">451 Group on API Trends &#8211; Spot On, for the Intended Audience</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">66</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>On being critical of industry reports in security</title>
		<link>https://mckeay.net/on-being-critical-of-industry-reports-in-security/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=on-being-critical-of-industry-reports-in-security</link>
		
		
		<pubDate>Tue, 16 Aug 2022 18:23:31 +0000</pubDate>
				<category><![CDATA[TL: DR]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=63</guid>

					<description><![CDATA[<p>One last thing: A good editor is your best friend when it comes to writing! And like any good friend, they may sometimes tell you your baby is ugly. At least you can throw your first draft in the garbage and start over, unlike a baby.</p>
<p>The post <a href="https://mckeay.net/on-being-critical-of-industry-reports-in-security/">On being critical of industry reports in security</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Rather than writing another review today, this Tuesday&#8217;s essay is an exploration of what I&#8217;m looking for when reviewing a report.</p>



<p>I started the &#8216;Too Long: Did Read&#8217; series of blog posts at the suggestion of a friend and former coworker. I have written, edited, and led the charge of over 30 industry reports, the majority with her help. She&#8217;s heard me critique the work of other organizations and be at least as critical of our own work many times over the years. &#8220;Why not use that experience as fuel for blog posts?&#8221;, she asked.</p>



<p>I&#8217;ve been following Verizon&#8217;s Data Breach Investigation Report (DBIR) since the first volume was published. I had the privilege of contributing to the report while working at Verizon and contributed data to the DBIR as part of my role at Akamai. I helped create the first version of Akamai&#8217;s State of the Internet / Security (SOTI) and led the effort through the beginning of 2022. What I&#8217;m getting at is that I&#8217;m not some rando talking smack about reports in the security industry. I have experience to draw from directly related to these reviews.</p>



<p><strong>What am I looking for?</strong></p>



<p>When I read any of the reports, there&#8217;s a laundry list of things I&#8217;m looking for. More than any other factor, I&#8217;m looking for a report that understands its audience and gives a compelling reason to read past the introduction. This may sound easy and obvious, but it is probably the single biggest thing most reports in our industry fail to do. I&#8217;ve failed to provide this in many of my own early efforts. The reader is being asked to spend one of their most precious commodities, time, so they need to know from the start that it will be time well spent.</p>



<p>Whether we&#8217;re talking about sales or writing a book, this is called the &#8216;hook&#8217;. No big surprise there; any good marketing or PR team will ask the author for this hook. It gives them a better idea of how to use the content and what press outlets or reporters to approach, and makes their own work more effective. In my experience, the hook should be the very first thing the reader sees! More important than the index, an introduction to the author, or any other part of the report, I want to see something that tells me why I should turn to page 2! A good understanding of what the author is trying to educate the reader about is also going to be one of the biggest things that will get a reader to open the PDF of your report in the first place.</p>



<p>I learned to ask myself one question after the writing was done, as the report went to design: What three things do I want my readers to walk away with if they quit reading after the first page of the report? These can be part of the introduction, as a standalone section next to the intro, or in some other form ON THE FIRST PAGE.  There might be two bullet points or five, the count isn&#8217;t important. After you&#8217;ve written ten, twenty, or more pages, it&#8217;s easy to lose the core of your message in the fog of relief from getting the first draft completed.</p>



<p><strong>What&#8217;s inside?</strong></p>



<p>Once I know what the purpose of the report is, how well it communicates this purpose is next on the block. If I have read the first half dozen pages and still haven&#8217;t been able to divine its purpose, it&#8217;s a major failure. In the land of report writing, there&#8217;s no room for subtlety. Tell me what you&#8217;re going to tell me, tell it to me, then summarize it again at the end. Don&#8217;t hide your intelligence; make it as clear and straightforward as possible.</p>



<p>As I read through the pages, I need to know that the contents in the tin deliver on what the label advertised! If you&#8217;re selling your report as a technical treatise on DDoS attacks, I want to see in-depth information about attacks as quickly as possible. Sticking with a set format that starts the DDoS section on page 20 of a 50-page report is a recipe for failure. Not that I&#8217;ve ever done exactly that, of course. Even worse is when a report is really about a different topic than promised in the title, with only a nod to the title and introduction buried deep in the report.</p>



<p><strong>How does it look?</strong></p>



<p>Next, I look at the data visualizations: the plots, the charts, the diagrams used to reinforce the analysis in the report. Data visualization is a whole field on its own, and I can only brush against the surface of what there is to learn. I want to see charts that directly relate to the analysis on the page. I want charts that are readable by the widest audience possible. I want charts that tell stories beyond what&#8217;s in the analysis.</p>



<p>I absolutely hate plots that are simply window dressing and have nothing to do with the content and analysis! Space is at a premium, time is valuable, so why waste both with something that offers nothing to the reader? If the author isn&#8217;t presenting analysis or providing additional meaning from an image in the report, why is it there? Having created a beautiful visualization isn&#8217;t a good enough reason to include the image if it doesn&#8217;t further the story.  Personally, I want graphics to have descriptions and figure numbers as much as possible. I like to include additional analysis in the description, but that might not work for all authors.</p>



<p>I&#8217;m a huge advocate for using a Color Blind Friendly (CBF) palette. I have family, friends, and former co-workers who have various degrees and types of color blindness, and the thought of producing a report that doesn&#8217;t take that into account is anathema to me. Approximately 5% of the population is color blind, and more people suffer from color deficiency, a very similar problem. Color is also an incredibly valuable method of conveying information, so be sure to make the most of it. <a href="https://davidmathlogic.com/colorblind/#%23D81B60-%231E88E5-%23FFC107-%23004D40" target="_blank" rel="noreferrer noopener">Coloring for Colorblindness by David Nichols</a> is a good starting point for more information on making accessible plots.</p>



<p>Similarly, unless your audience is other data scientists, I prefer simple plots wherever possible. River plots, dot plots, violin charts, matrix plots and all the other complex graphics are appealing to other data viz geeks, but indecipherable to the average reader. Most readers will skip a plot they have to struggle with rather than learn something from it. Many years ago I spent a page and a half of a 30-page report explaining how to read a river plot, and learned this lesson the hard way.</p>



<p>Stick to bar charts, line plots, and other visualizations most readers can understand at a glance.  I&#8217;ll even include pie charts in this suggestion, but only if the data has four or fewer data points that are highly dissimilar. This means you can&#8217;t use a pie chart to show data with 20 different points, each less than 5% of the total. A table might not be pretty but is much more accessible and educational for a reader.</p>



<p>It&#8217;s okay to use more complex plots, but only with forethought and a clear understanding of the point you&#8217;re trying to make. I strongly recommend reading &#8216;The Truthful Art&#8217; by Alberto Cairo or &#8216;Storytelling with Data&#8217; by Cole Nussbaumer Knaflic as good starting points. Data-Driven Security by Jacobs &amp; Rudis is great for domain specific visualization. Yes, Mr. Tufte was once considered groundbreaking for his visualizations, but there are plenty of authors more in tune with current technology and methods of communicating data visually.</p>



<p><strong>The Bottom Line</strong></p>



<p>I could write a book on the topic of industry reports. I could, but it would be crap. Do expect more blog posts on the topic in the future; there&#8217;s still much more I could wax poetic about. Instead, I&#8217;d like to leave you with three questions an author should be asking as they begin the process of writing:</p>



<ul class="wp-block-list"><li>Who am I writing for? An executive rarely has time to read more than the introduction, while the red team wants all the juicy details of the latest attack type. Write appropriately for your audience.</li><li>What do I want them to walk away thinking about? I cannot stress enough that if you haven&#8217;t communicated your primary message in the first 500 words, you&#8217;ve probably lost half your audience. If you can&#8217;t tell a reporter why your publication is important to their audience, the chance of coverage for your story drops dramatically.</li><li>Have I communicated my findings well? Whether it&#8217;s the analysis or the graphics in a report, if they leave the reader confused, you&#8217;ve failed at your most important task.</li></ul>



<p>One last thing: A good editor is your best friend when it comes to writing! And like any good friend, they may sometimes tell you your baby is ugly. At least you can throw your first draft in the garbage and start over, unlike a baby.</p>
<p>The post <a href="https://mckeay.net/on-being-critical-of-industry-reports-in-security/">On being critical of industry reports in security</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">63</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>’50 Shades of Blue’ or ‘Red Hot Mess’ from CyberTheory</title>
		<link>https://mckeay.net/50-shades-of-blue-or-red-hot-mess-from-cybertheory/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=50-shades-of-blue-or-red-hot-mess-from-cybertheory</link>
		
		
		<pubDate>Thu, 11 Aug 2022 16:30:00 +0000</pubDate>
				<category><![CDATA[TL: DR]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[CSO]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[industry report]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[SEO]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=60</guid>

					<description><![CDATA[<p>Who should read this? Marketing and content creation teams might gain some insight from this report. It is primarily aimed at people trying to connect to CISOs after all. I would suggest that marketing teams skip straight to page 22 (or is it 39?) and the section titled 'Reaching Your Audience'. There are a significant number of 'Marketing Takeaways' that may contain nuggets of wisdom for their consumption. </p>
<p>The post <a href="https://mckeay.net/50-shades-of-blue-or-red-hot-mess-from-cybertheory/">&#8217;50 Shades of Blue&#8217; or &#8216;Red Hot Mess&#8217; from CyberTheory</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>My &#8216;Too Long; Did Read&#8217; review of the &#8216;<a href="https://cybertheory.io/ciso-engagement-and-decision-drivers-study/" target="_blank" rel="noreferrer noopener">CISO Engagement and Decision Drivers Study</a>&#8217; from <a href="https://cybertheory.io/about/" target="_blank" rel="noreferrer noopener">CyberTheory</a> is, by necessity, much more negative than I&#8217;m generally comfortable writing, but it truly deserves the treatment. Despite the title of the study, it barely talks about engagement with CISOs in any meaningful way. It might be useful to a marketing team, but it is almost impossible to decipher and misses its target. Due to the colors chosen for the plots and graphs of the report, any hope of the reader drawing intelligence from the study is quickly drowned in a sea of blue ink.</p>



<p>To be clear, I&#8217;ve worked with and known much of the team at the <a href="https://www.cyentia.com/" target="_blank" rel="noreferrer noopener">Cyentia Institute</a> and respect them greatly. I&#8217;ve followed their work for years and know what they&#8217;re capable of. I wouldn&#8217;t spend the time needed to read the report from front to back and comment on it if I didn&#8217;t know, beyond a shadow of a doubt, they are capable of something much better than what&#8217;s shown in this report. Please look away, Wade and team!</p>



<p><strong>Overall Impression</strong> &#8211; When I review a report, I&#8217;m examining three aspects: A) What data is the report drawing on, B) How was the data analyzed, and C) How was the data visualized. I&#8217;m also looking at how it was laid out and edited, but that&#8217;s generally a minor part of my analysis. The CISO Engagement report fails, or nearly fails, on every one of these measurements. The data and the visualizations are rendered useless by the color choice, and the analysis is window dressing with key words thrown into the mix. I&#8217;m looking for guidance on how to use the data, rather than generic SEO feedback.</p>



<p>Who should read this? Marketing and content creation teams might gain some insight from this report. It is primarily aimed at people trying to connect to CISOs after all. I would suggest that marketing teams skip straight to page 22 (or is it 39?) and the section titled &#8216;Reaching Your Audience&#8217;. There are a significant number of &#8216;Marketing Takeaways&#8217; that may contain nuggets of wisdom for their consumption. </p>



<p>Security professionals should avoid reading this report. We&#8217;re not the target. If you&#8217;re interested to see what an SEO driven content team thinks will grab your attention, dive in. But you&#8217;d better like blue and cyan, because there are no other colors to choose from in the CISO Engagement study.</p>






<p><strong>The Good &#8211;</strong> The conclusions and reflections on page 29 have some good, if basic, feedback for marketing teams. I especially like the realization that &#8220;…campaign strategies lack an understanding of the subject matter, which leads to misperceptions…&#8221;. I&#8217;ve worked with good marketing teams who get this and engage subject matter experts for guidance. This is something to keep in mind no matter what industry you work in.</p>



<p>The examination of the effect of current events on article traffic (pg 17) is also a decent reminder to use the news to create traffic. Because the survey is drawing from ISMG&#8217;s data, I think this section fails to understand the difference between a news organization capitalizing on a breaking story and a vendor writing blog posts about how their product is the silver bullet for today&#8217;s disasters. This section deserves some careful thought; being involved with or acknowledging current events is generally a good idea. But the report fails to highlight how easy it is for a vendor to be seen as an ambulance chaser instead.</p>



<p>The cover is a pretty design. Which is where the positive feedback ends.</p>



<p><strong>The Bad &#8211;</strong> There&#8217;s a lot to unpack in the negative feedback I have. The data behind this report could have been displayed and analyzed very differently to make it useful. Instead, any intelligence appears to have been drowned in favor of … something. I can&#8217;t rightly tell what the real purpose of the report is.</p>



<p>First off, the title. This report isn&#8217;t about CISO engagement. The first real mention of catching the attention of a Chief Information Security Officer doesn&#8217;t enter the report until page 26. Prior to that, it refers to &#8216;C-level executives&#8217;, and occasionally uses the acronym, but it&#8217;s rare. There are 48 uses of &#8216;CISO&#8217; in the text, with most (25) of those simply being in the title in the footer of each page. Subtle hint: if you want someone to read your report, actually make it about the topic you promised and put that content as close to the front as you can!</p>



<p>Page numbering is another problem with the report. While the front and back cover are presented in portrait mode, the rest of the report uses landscape mode. The way the pages are numbered, every internal page is marked by an even number, even though only a few actually make use of a two column format. This isn&#8217;t a 54 page report, it&#8217;s a 31 page PDF that&#8217;s pretending it was supposed to be printed.</p>



<p>The table of contents promises a research methodology page, which the report fails to deliver. Yes, it does show a simplistic breakdown of different elements of the data. However, this is nothing close to telling us where the data came from or how it was manipulated to create the plots and graphs for the report. Even if this self-aggrandizing pulp were considered insight into the data, it belongs at the end of the report. The first page of content should be reserved for a summary, a set of major talking points, a TL: DR, etc. In other words, hit them with your hook as quickly as you can, not with a dead trout.</p>



<p>By far, my biggest beef with this report is the choice of color. This report lost all credibility with the very first figure, on page 6 of the PDF. In the world of data visualization, color is used as a method of conveying information to the reader. This report strips out a vast majority of the information contained in colors, instead using shades of blue and cyan. </p>



<p>This goes far beyond my usual rant about using color blind friendly palettes! Quite frankly, figures 1 &amp; 2 are completely unreadable and a waste of their space and my time. Figure 2&#8217;s river plot is a travesty, with colors being reused repeatedly, which makes it impossible to draw conclusions from the visualization. The &#8216;observations&#8217; for the plot are on the next page and even say, &#8220;If you squint, you may be able to make out…&#8221;. No, even if you squint, they&#8217;re impossible to make out.</p>



<p>The blues look pretty, if slightly monochrome and repetitive. They also wash out any hope of making use of visualizations. Which is made worse because there&#8217;s little evidence the plots are related to the content in the first place. Please do research on palettes that are Color Blind Friendly for the next version of the report. David Nichols offers a good starting point in his <a href="https://davidmathlogic.com/colorblind/#%23D81B60-%231E88E5-%23FFC107-%23004D40" target="_blank" rel="noreferrer noopener">Coloring for Colorblindness</a> article.</p>



<p>The data itself is of questionable value to most readers. The parent organization of CyberTheory, ISMG, has well over a decade of data on the effectiveness of different formats. My concern is the data is more reflective of their support of the different formats than it is of general trends. Without a proper methodology segment, it would be easy to think this report was drawn from a wider pool of data.</p>



<p><strong>Overall &#8211;</strong> If you want guidance on SEO or content generation, read the various &#8216;Marketing Takeaways&#8217; sections. You shouldn&#8217;t have to squint to gain something from the visualizations, but that&#8217;s exactly what CyberTheory is asking you to do. In the report, in their own words, nonetheless. Simpler plots, better color choices, and analysis that draws conclusions for the reader would make for a vastly better version of the report in the future. Complex visualizations are great for data nerds, but the majority of the people targeted by this report don&#8217;t have the time, the energy, or the background to read a river plot or a dot plot at a glance. They shouldn&#8217;t have to.</p>



<p>I give the &#8216;CISO Engagement and Decision Drivers Study&#8217; a D-. It&#8217;s saved from receiving an F because of the Marketing Takeaways, but only by a slim margin. By the way, the Introduction promises &#8220;… the brands creating the most engagement from their Q1 content marking efforts.&#8221; I don&#8217;t see that delivered upon anywhere in the report.</p>
<p>The post <a href="https://mckeay.net/50-shades-of-blue-or-red-hot-mess-from-cybertheory/">&#8217;50 Shades of Blue&#8217; or &#8216;Red Hot Mess&#8217; from CyberTheory</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">60</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>Great information in need of polish from Meta</title>
		<link>https://mckeay.net/great-information-in-need-of-polish-from-meta/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=great-information-in-need-of-polish-from-meta</link>
		
		
		<pubDate>Tue, 09 Aug 2022 15:32:47 +0000</pubDate>
				<category><![CDATA[TL: DR]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Meta]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Social Media Attacks]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=51</guid>

					<description><![CDATA[<p>While the content of the report is excellent, it needs more copy editing and better layout.  It's clearly a labor of love by the technical teams at Meta, rather than a marketing team trying to make an impression.  This is aimed at a technical audience and not something you're likely to talking about with the CSO or other executives; they'll want you to do something with the information, not take their time with the specific</p>
<p>The post <a href="https://mckeay.net/great-information-in-need-of-polish-from-meta/">Great information in need of polish from Meta</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>My next review for &#8216;Too Long: Did Read&#8217; is Meta&#8217;s <a href="https://about.fb.com/news/2022/08/metas-adversarial-threat-report-q2-2022/" target="_blank" rel="noreferrer noopener">Adversarial Threat Report, Second Quarter 2022</a>. I&#8217;d seen the ATR (best initialism I can think of) before and find the work by the Meta team to be exemplary in content, though it is far from the most polished report I&#8217;ve read. I chose it in large part because it is so very different from the PwC report I <a href="https://mckeay.net/?p=48#more-48">reviewed last week</a>.</p>



<p><strong>Overall Impression &#8211;</strong> If you&#8217;re a defender looking for more information about the threats social media organizations face right now, this is definitely for you. It has an appendix at the end of the report listing their public threat indicators, including domains to block and YARA rules for your use. The report uses a very simplistic layout, which is mostly in its favor.</p>



<p>The content has plenty of information for beginning and mid-career responders. It might not be as interesting to experienced defenders who have other avenues to get the same information.  If you&#8217;re in one of the many intelligence sharing groups in our industry, this information is probably already available to you. </p>



<p>While the content of the report is excellent, it needs more copy editing and better layout. It&#8217;s clearly a labor of love by the technical teams at Meta, rather than a marketing team trying to make an impression. This is aimed at a technical audience and not something you&#8217;re likely to be talking about with the CSO or other executives; they&#8217;ll want you to do something with the information, not take their time with the specifics.</p>






<p><strong>The Good</strong> &#8211; Both the report and the blog post supporting it include the most important takeaways from the report right up front, as it should be.  They&#8217;ve taken the time to identify what you&#8217;re going to get from the report, which is often harder than you&#8217;d think.  The report is 36 pages long and without this summary, many readers might never do more than skim it and look at the appendix.  </p>



<p>I appreciate that the authors are credited up front and are clearly people in roles responsible for creating actionable intelligence internally and externally at Meta. The &#8216;Key Findings&#8217; point to which organizations and countries are involved in Coordinated Inauthentic Behavior (CIB), which is the type of call out we need to see more often.</p>



<p>I found Section 1, covering two South Asia networks, and the in-depth analysis of Cyber Front Z starting on page 20, to be the most valuable sections of the report, other than the Appendix. Diving right into Bitter APT and APT38, as well as providing significant details, hooks the reader and makes some of the less valuable content palatable. The analysis of Cyber Front Z is just short of 1/3 of the total report, with screenshots and translations. I really like the observation that Z Team is taking lunch breaks and weekends off.</p>



<p><strong>The Bad &#8211;</strong> The editing of this report needed another round or two before it was published. Sections 2, 3, and 4 spend more time on defining terms than they do talking about the groups and attacks the report covers.  </p>



<p>I&#8217;m glad to see Meta explaining what they mean when they discuss emerging harms, but they use more real estate on those definitions than on the specific examples.  In Section 2, less than half contain examples.  Three of seven only works if you&#8217;re part of the Borg Collective. </p>



<p>Run-on and poorly parsed sentences interrupted my reading of the report.  As an example:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p>&#8220;<em>We took action against a group of hackers — known in the security industry as Bitter APT — that operated out of South Asia, and targeted people in New Zealand, India, Pakistan and the United Kingdom</em>.&#8221;</p><cite>Meta ATR, Q2 &#8217;22, Section 1, page 5</cite></blockquote>



<p>It&#8217;s easy to read this sentence as Meta taking action against hackers -and- targeting people in New Zealand, etc.  Obviously not how it was meant! This might not bother some readers, but is just one example showing more editing was needed.</p>



<p><strong>Overall &#8211;</strong> Despite my editing issues with Meta&#8217;s Quarterly Adversarial Threat Report for Q2, 2022, it&#8217;s still well worth the time to read.  I appreciate teams who want to share their intelligence with a wider audience.  Even more, I appreciate seeing specific domains to be wary of.  If time is of the essence, flip to page 21 to read the In-Depth section, then come back to the rest when you can.</p>
<p>The post <a href="https://mckeay.net/great-information-in-need-of-polish-from-meta/">Great information in need of polish from Meta</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">51</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>PwC Survey – Decent report, too little analysis</title>
		<link>https://mckeay.net/pwc-survey-decent-report-too-little-analysis/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=pwc-survey-decent-report-too-little-analysis</link>
					<comments>https://mckeay.net/pwc-survey-decent-report-too-little-analysis/#comments</comments>
		
		
		<pubDate>Wed, 03 Aug 2022 15:54:23 +0000</pubDate>
				<category><![CDATA[TL: DR]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[industry report]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Survey]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=48</guid>

					<description><![CDATA[<p>I&#8217;m repurposing the initialism &#8216;TL: DR&#8217; to mean &#8216;Too Long: Did Read&#8217;. I have been writing industry reports since 2015 and reading them far longer, which gives me a wealth of experience to assess the content of industry reports so you don&#8217;t have to. I&#8217;m kicking off this series with the PwC&#8217;s Global Economic Crime [&#8230;]</p>
<p>The post <a href="https://mckeay.net/pwc-survey-decent-report-too-little-analysis/">PwC Survey &#8211; Decent report, too little analysis</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>I&#8217;m repurposing the initialism &#8216;TL: DR&#8217; to mean &#8216;Too Long: Did Read&#8217;.  I have been writing industry reports since 2015 and reading them far longer, which gives me a wealth of experience to assess the content of industry reports so you don&#8217;t have to. </p>



<p>I&#8217;m kicking off this series with <a href="https://www.pwc.com/gx/en/services/forensics/economic-crime-survey.html" target="_blank" rel="noreferrer noopener">PwC&#8217;s Global Economic Crime and Fraud Survey 2022</a>.   I found this report while reading Lori MacVittie&#8217;s monthly newsletter, <a href="https://www.linkedin.com/pulse/july-jamboree-data-lori-macvittie/" target="_blank" rel="noreferrer noopener">The Tech Menagerie</a>.  As my friends in Boston would say, Lori is &#8216;wicked smaht&#8217; and someone you should follow.  Note: none of my friends actually talk like that unless they&#8217;re making fun of their own home town.</p>



<p><strong>Overall impression</strong> &#8211; This is not a cybersecurity report; it&#8217;s a report for CFOs, CMOs, and other executives looking for information about fraud in their industry.  It&#8217;s worth reading for a security professional because it reflects what those executives are worried about.  Survey data is one of my least favorite ways to build a report, but PwC is correct in framing this as opinions rather than facts.</p>



<p>My key takeaway from the report is the rising concern about hackers and cybercrime among executives across all industries.  My key complaint is the lack of analysis in the report.  &#8216;Here&#8217;s the data&#8217; is different from &#8216;Here&#8217;s what the data means.&#8217;  I&#8217;d give this report a solid B, which could have been an A with additional analysis.</p>






<p><strong>The Good</strong> &#8211; This is a short and very pretty report, which makes it both readable and easy to consume.  There are multiple graphics in the report that can be used in a presentation to highlight specific topics.  The &#8216;Type of fraud experienced, by industry&#8217; image on page 6 could easily be used when talking to any number of industries to show how they compare to other industries. Similarly, the &#8216;Type of external perpetrator&#8217; bar chart on page 9 could be used in many presentations.</p>



<p>The report has two &#8216;In Focus&#8217; sections, the first on page 6, a second on page 9, which contain the most analysis in the report.  Rather than rephrase the plots in writing, both sections give additional insight into what the data means.  If you only have a couple of minutes to spare, read these sections first.</p>



<p>A personal concern of mine has long been to have both a methodology and a credit section, and this report has both.  Sort of.  There is a brief &#8216;About the survey&#8217; on page 13, appropriately sized for this report.  I&#8217;d like more details on the survey, but most readers wouldn&#8217;t be well served by such content. I&#8217;m not sure if the Contacts on page 14 is the same as a credits page, but it does give the reader someone to reach out to for more information.</p>



<p><strong>The Bad</strong> &#8211; My primary concern with this report is, once again, the lack of significant analysis in the majority of the report.  The worst example is page 5, which provides a bump out that&#8217;s disconnected from the majority of text and a plot that&#8217;s useful but devoid of any explanation or analysis.  </p>



<p>The title of the report is misleading, and the concept of a perimeter doesn&#8217;t enter the text until page 8.  Even then, the perimeter is poorly defined.  Some of this is because the target audience isn&#8217;t security professionals, but neither the data nor the analysis demonstrates a strong connection to this title.</p>



<p>The color scheme is interesting, with a mixture of reds, oranges, and greys.  Making plots and graphics accessible to readers who are color blind or color deficient is too often overlooked when developing reports.  I suspect anyone who is red-green color blind will have difficulty differentiating the data points in some of these plots.  The good news is that the majority of these plots are simple enough to be read without color being a major issue.</p>



<p><strong>Conclusion</strong> &#8211; PwC&#8217;s Global Economic Crime and Fraud Survey 2022 is worth downloading and spending 30 minutes with because it gives insight into what business leaders are thinking about.  It doesn&#8217;t draw many conclusions about the data or offer any earth-shaking findings, but it does give most readers decent data points to build their own analysis from.  I just wish the content could have fit the title better.</p>
<p>The post <a href="https://mckeay.net/pwc-survey-decent-report-too-little-analysis/">PwC Survey &#8211; Decent report, too little analysis</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mckeay.net/pwc-survey-decent-report-too-little-analysis/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">48</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>Daughter + Dad: Coming out as transgender</title>
		<link>https://mckeay.net/daughter-dad-coming-out-as-transgender/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=daughter-dad-coming-out-as-transgender</link>
					<comments>https://mckeay.net/daughter-dad-coming-out-as-transgender/#comments</comments>
		
		
		<pubDate>Mon, 01 Aug 2022 18:06:19 +0000</pubDate>
				<category><![CDATA[Personal]]></category>
		<guid isPermaLink="false">https://mckeay.net/?p=11</guid>

					<description><![CDATA[<p>This post was originally published on March 31, 2022 on the Snyk blog, Daughter + Dad: Coming Out As Transgender My daughter came out to my wife and me as a transgender individual nearly five years ago. It was a shocking revelation, as we’d always thought about her future in terms of male things, like [&#8230;]</p>
<p>The post <a href="https://mckeay.net/daughter-dad-coming-out-as-transgender/">Daughter + Dad: Coming out as transgender</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>This post was originally published on March 31, 2022 on the Snyk blog, <a href="https://snyk.io/blog/daughter-dad-coming-transgender/">Daughter + Dad: Coming Out As Transgender</a></p>



<p>My daughter came out to my wife and me as a transgender individual nearly five years ago. It was a shocking revelation, as we’d always thought about her future in terms of male things, like being a father. But that was not the road she needed to travel. Our job as her parents is to help her live the best life possible, even when it wasn’t what we expected.&nbsp;</p>



<p>I’ll refer to my daughter simply as ‘A’ for the rest of this article. She’s sitting next to me, helping to make sense of what we’ve been through. Putting this into words is helping me understand what she experienced and gives her more context about my experiences. More than anything, she wants people to understand that being trans is not a choice, it’s a realization that enables you to make sense of many things in hindsight.</p>



<h2 class="wp-block-heading"><strong>When did you know you were transgender?</strong></h2>



<p>A: There was no singular incident or experience that revealed to me that I am trans. It was more of an evolution that allowed me to make sense of other decisions and trends in my life. I never liked traditionally masculine things, like sports. I never felt the aggression some children display. But I wasn’t into things that are feminine or ‘girly’ either, so there wasn’t a defining “girl’s toys” childhood experience that made me realize things didn’t fit. I mostly just played video games or read, neither of which we saw as heavily gendered.&nbsp;</p>



<p>Martin: We’re a family of geeks. We like computers, board games, role playing and tons of other geeky things. We don’t place a lot of importance on what most people consider traditionally masculine or feminine roles. We also never considered our child might not like the gender she was assigned at birth.&nbsp;</p>



<p>A: There was nothing wrong with the life I was living, but there was a growing feeling of discomfort I felt being male. There was just a feeling slowly building in the background. It took me many years to understand what that tension was and to admit to myself that it wasn’t just a phase I’d outgrow. I spent many sleepless nights thinking about being trans, took every test on the internet I could find about being trans, but finally realized it’s who I am. By the way, all those tests suck; if you’re taking one of these tests, you probably already know the answer you want.</p>



<p>Being trans wasn’t a choice as my father thinks of it. It was an inevitability that existed outside of any choice I could make. I was trans, my only choice was to acknowledge it or continue to fight it my whole life.</p>



<h2 class="wp-block-heading"><strong>Coming out</strong></h2>



<p>A: Once I decided to come out to my parents, it was nerve-wracking. The experience wasn’t everything I’d hoped it would be. I’d been thinking about being trans and revealing it to them for years. I’d hoped they would celebrate the decision with me. My parents didn’t do that.</p>



<p>They asked me questions like, “Are you sure? Is this just a phase? Can you put this decision off until after college?” They didn’t reject me, cast me out, or make me experience any of the worst case scenarios others have had to deal with, but they also didn’t immediately accept who I am, and it hurt.</p>



<p>Martin: We were scared, there’s no other way to put it. Our child had just told us they wanted (or needed) to change their gender, and that they were no longer going to follow major parts of the life plan we expected from them. We were confused.&nbsp;</p>



<p>We could have handled the situation better, but we did the best we could based on our own life choices. Both my wife and I are comfortable with traditional gender roles and learning our child was going to eschew those roles in favor of something that is guaranteed to make their life more difficult was a hard adjustment to make. As were a thousand other factors, not the least of which was a new name and pronoun.</p>



<p>A: I would have kept the name you gave me if it had been gender-neutral!</p>



<h2 class="wp-block-heading"><strong>How do you feel now?</strong></h2>



<p>A: One of the biggest aids to my mental health was finding a group of people who were also trans or LGBTQ+ to hang out with at college. Surrounding myself with people who are friends, who don’t have the implied judgment of my parents, who have had similar experiences was a big relief as I explored my new life. I didn’t have to perform for them like I felt I needed to for the rest of the world.&nbsp;</p>



<p>I was honestly a little resentful of my parents for not immediately accepting my coming out. My parents have worked hard at using the right pronoun and name, which helps a lot. At first my nerves were open and raw when people used the wrong gender or name. As time goes by and I’m more comfortable in my own body, I’m growing less sensitive to those mistakes — and, thankfully, they happen less and less often.</p>



<p>Martin: I dislike being constantly corrected, and for the first year after her revelation, I had to be corrected in my use of name and pronoun almost every day. I didn’t have the time to adjust to the thought of having a daughter that she’d had, and resented having to adjust everything I’d framed my mental image of my child around. It was HARD!</p>



<p>But I had to learn, had to adjust, had to make room for her to be who she is. I have a life of my own, I can’t force her to be the person I thought she should be. This is her life, to make the best of, to make mistakes in, and to learn from. I can’t take this away from her. So I changed my thoughts, my words, my actions. Eventually.</p>



<h2 class="wp-block-heading"><strong>Lessons learned</strong></h2>



<p>A: I understand why my parents were scared; it’s a scary, scary world for trans people. That’s not their fault or mine, it’s just the way it is. I don’t like it that way, and believe we have a responsibility to change it. The political and legal machinations we see every day are aimed at making it harder to be trans. Internationally, there are significant efforts to curtail the rights of transgender individuals. Wherever there are efforts that impact the rights of trans individuals, to make it harder to come out, or to make being trans illegal, we need to take action and defend trans and LGBTQ+ rights as a whole. I want the world to be better than it is, not simply accept that some things cannot be changed.</p>



<p>Martin: Parenting is hard! Even under the best of circumstances, raising a child is difficult and has never been done perfectly in the history of humanity. And yet, somehow we continue, generation after generation.</p>



<p>Having my worldview upended over the course of a 30 minute conversation was painful. Both my wife and I have made mistakes in dealing with the new reality of having a trans child. We’ve done our best, but sometimes that’s not enough. I hope other parents in the same circumstances understand that it’s okay to falter, to have doubts about your child’s evolution, to wish for a return to the path you had always envisioned for your child. But you also have to provide support, realize it’s their life, and our job as parents is to be there for them through a very stressful experience.</p>



<p>Our understanding of what we thought the future would bring was turned upside-down. The best thing I can do is reassure my daughter I’ll always love them, no matter what gender they are. We’re slowly finding a new baseline for our relationship.</p>



<p>Both: Thank you for reading this to the end. It was more emotionally difficult and draining than either of us imagined it would be. We also learned a lot writing it and hope you did too. This article barely scratches the surface of what it means to be trans or have a trans child. We intentionally kept to the surface levels of the experience; it’s a still-evolving story we may add more detail to in the future.</p>
<p>The post <a href="https://mckeay.net/daughter-dad-coming-out-as-transgender/">Daughter + Dad: Coming out as transgender</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mckeay.net/daughter-dad-coming-out-as-transgender/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">11</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
		<item>
		<title>Once more unto the breach, dear friends!</title>
		<link>https://mckeay.net/hello-world/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=hello-world</link>
		
		
		<pubDate>Mon, 01 Aug 2022 16:13:26 +0000</pubDate>
				<category><![CDATA[Personal]]></category>
		<guid isPermaLink="false">http://box2218/cgi/addon_GT.cgi?s=GT::WP::Install::EIG+%28mckeayne%29+-+10.0.87.62+%5BWordpress%3b+/var/hp/common/lib/Wordpress.pm%3b+549%3b+Hosting::gap_call%5D/?p=1</guid>

					<description><![CDATA[<p>Welcome to the latest iteration of the Network Security Blog! I have been blogging in one form or another since early 2000, first creating a hand coded page, then Moveable Type, and several versions of WordPress. I mostly abandoned the blog in favor of writing for my employer in 2016 (Hello, State of the Internet [&#8230;]</p>
<p>The post <a href="https://mckeay.net/hello-world/">Once more unto the breach, dear friends!</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Welcome to the latest iteration of the Network Security Blog!  I have been blogging in one form or another since early 2000, first creating a hand-coded page, then Movable Type, and several versions of WordPress.  I mostly abandoned the blog in favor of writing for my employer in 2016 (Hello, State of the Internet Security report!) but it&#8217;s now time to pick up the quill again for my own entertainment.  </p>



<p>Unluckily, much of what I wrote before was unrecoverable, or at least I haven&#8217;t figured out how to recover it yet.  I&#8217;ll keep at it, so you may see old posts coming back to life.  And when I reread those archival posts, you might be able to see my blush from orbit.  What was I thinking, those 20 years ago!?</p>



<p>I hope you&#8217;ve enjoyed my past writing and look forward to sharing my thoughts once again.</p>
<p>The post <a href="https://mckeay.net/hello-world/">Once more unto the breach, dear friends!</a> appeared first on <a href="https://mckeay.net">Network Security Blog</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1</post-id>	<dc:creator>netsecpodcast@mckeay.net (Martin McKeay)</dc:creator></item>
	</channel>
</rss>