It’s about as regular as hearing Auld Lang Syne on New Year’s Eve: The annual year-end security report issued by companies big and small looking to create awareness and build relationships. Our inboxes were flooded with dozens of them. In this newsletter that I co-authored with Greg Matusky and Mike Lizun, we look at some of the best and worst features of these annual reports and give our opinions. Hopefully you can use our findings to improve your own reports this time next year, and learn from the best and avoid the biggest mistakes.
The Scintillating Standouts of 2017!
Some of the more unusual reports are the ones that really caught our eyes.
Kaspersky’s “story of the year” takes the typical annual year-end report and transforms it into a cyber-security news story similar to People’s Person of the Year. Written in layman’s terms with an accompanying infographic, Kaspersky’s Story of the Year reworks the tired ransomware story into a can’t-not-read compendium on all things ransomware. And it’s understandable! The first line reads like the opening of a movie rather than a technical rehash. Consider, “In 2017, the ransomware threat suddenly and spectacularly evolved. Three unprecedented outbreaks transformed the landscape for ransomware, probably forever.”
Kasperksy then takes it one step forward by producing “The Number of the Year,” based on the number of malicious files its networks have seen transit its sensors. Our co-author David Strom calls it gimmicky, and maybe it is from his journalistic perch. But from a strictly PR perspective, the ability to distill a finding down to a single number (and one drawn from data at their ready disposal) is a brilliant PR take, and they are to be congratulated.
What about your organization? Do you have available internal data that could add PR gravitas to your next report? Might be something to consider.
Another take comes from ServiceNow. They opted to deliver their security predictions in a short-and-sweet format–one that takes less than three minutes to read. Their conclusions are compelling without overselling. For instance, they suggest that 2018 will see the emergence of security haves and have-nots–those having automated detection and response and those who don’t. Guess who sells such a solution? Still, they keep the sell to a minimum.
Watchguard uses their blog to make a series of predictions in a very attractive and still informative way. There are predictions about IoT botnets, a doubling of Linux-based attacks, what will happen to multi-factor authentication, and the state of election and voter hacking. Each prediction takes the form of a short video with high production values.
With all the news about Uber’s mistakes over the past year, here is a cogent analysis by Dark Reading of what Uber did wrong with its breach response: delayed notification, failure to implement stronger access controls, unclear approval workflows, storing access credentials in GitHub, and failing to compartmentalize data access. This analysis was a neat package that we wish others would emulate.
This report, which appeared in IBM’s Security Intelligence blog, is another rarity. It compares what few of these year-end surveys actually do by looking back a year and then scoring their predictions. The author looked at the threats posed by IoT, the rise of cybercrime-as-a-service, and the threats against brand reputations and concludes he was a bit ahead of the curve on some trends. We wish we would see more of these “truth telling” evaluation-type pieces.
Those were our top picks. But there are plenty of other year-end reports, most choosing one of three paths: presenting the results of a survey, focusing on a particular vertical market, or summarizing what telemetry they have collected from sensors located at major internet peering points or at their customers.
All in the Numbers: The Best of the Survey-Based Reports
Let’s look at the two best survey posts.
“The State of Open Source Security” touches on both telemetry and survey methods. It presents the results of a survey of 500 open-source users combined with internal data from Snyk and scans of various GitHub repositories. Sadly, almost half of the code maintainers never audit their code, and less than 17 percent feel they have high security knowledge. Code vulnerabilities are on the rise for open-source projects but not for Red Hat Linux, which is an interesting factoid that isn’t often mentioned.
Beyond Trust’s report has a series of 18 predictions, most of which are obvious (bigger targets will fall, mobile spam on the rise, games can double as malware). A few are interesting, and what sets this report apart is a look ahead to five years from now when GDPR becomes untenable, online elections become secure, and the end of cash arrives.
Customer Telemetry-Based Reports Work Well Also
McAfee’s annual threat predictions have some interesting insights and cover some non-obvious subjects, including describing the machine learning arms race, the opportunities for serverless attackers, and the ways that home automation vendors will misuse your personal data.
Fortinet is another one of those companies that runs a massive protection network and can cull trends from its customers. Their quarterly threat report has identified 185 zero-day vulnerabilities, with an average of each customer experiencing more than 150 attacks over the quarter and unknowingly running an average of two botnets inside their networks. Like other security researchers, they talk about the delay to patching known exploits and how lousy most of their customers are at getting at root causes of infections.
Then there is Bitdefender’s insights into the past year’s threats. It is based on their own global sensor network and from their customers. Ransomware is still king, with one in every six spam emails including some kind of ransomware attack vector. Also on the rise this past year are crypto-currency miner malware, polymorphic attacks, and Android-based Trojans.
Dashlane’s report on the worst passwords of the year is entertaining, if a bit predictable. While they break all the rules about these year-in-review articles, it works. Yes, it is subjective, it is somewhat self-serving (Dashlane sells a password manager), and it covers familiar ground. But it is very amusing and that is why sometimes you can deliver old chestnuts in interesting ways.
Slicing and Dicing Vertical Markets in Reports
Some vendors have taken a different tactic and written year-end reports that examine specific verticals. This is what eSentire has done with the healthcare industry. Rather than just positing the “chicken little” scenario, it provides specific case studies of security weaknesses in various enterprises that of course were eSentire customers and discovered malware on their networks. They conclude by saying that well-known exploits have been out for years and yet still aren’t patched. Yes, it is self-serving, but it is also instructive.
Another way to slice things is to just focus on bitcoin exploits, which have been increasing as its value rises. Incapsula looked at exploits across its own network and found three out of four bitcoin sites were attacked and a third of the network attacks were persistent attacks. Hong Kong was the most targeted country for bitcoin-based network layer assaults in Q3 2017, largely because of a persistent attack on a local hosting service that was hit hundreds of times throughout the quarter.
Another example is this report looking at mobile threats by RiskIQ. They used telemetry from their network of more than 120 different app stores and billions of endpoints. This is a rich source of exploits and a growing threat. It highlights the non-surprising trend toward using phony rave reviews to prop up a malicious app. It also reviews the collaboration over the takedown of the WireX botnet earlier this fall.
What to Avoid in Your Annual Report
Finally, no compendium would be complete without mentioning some examples of what to avoid. As we mentioned in an earlier newsletter, having small survey sample sizes is never a good idea, and this report by Holger Schulze where he interviews 500 people forthis report for Alienvault is to be avoided. While it has numerous graphics that can be used in blog posts, it contains mostly subjective content.
Also to be avoided: reports that don’t say anything new, such as this report from Wandera on WiFi risks, or this report on security trends from Cipher. A corollary to this is to avoid predictions that are more self-serving or self-promotional, such as these from Axiomatics.
Another issue: checking your facts. In November, an organization called the Information Technology and Innovation Foundation posted a supposedly detailed review of the security compliance of hundreds of the more popular U.S. government websites. Sadly, the facts weren’t correct, and webmasters responded with complaints and corrections.
Don’t do what NordVPN and eSentire did. Both of their PR firms sent out predictions for 2018 in email messages, and neither of them posted any of this content online. That isn’t helpful, especially in a world where you want to cite a URL for any predictions-related materials.
Then there is this encyclopedic listing from our colleagues at MSSP Alert of dozens of predictions, culled from various security management vendors. We dare you to read through the entire list, which spans multiple pages. Sometimes less is more!
Finally, here is a somewhat different twist on the predictions route.Varonis put together a post that contained quotes from a series of podcasts. It was a good try, and a terrific example of repurposing content. But it held little value for discerning audiences that would want more context in their analysis.