Whether you are a buyer of security services, or a provider of them, what metrics, visuals, information is actually important to customers? What is the preferred way to consume reports - emails, dashboards, PDF reports, chat bots, smoke signals? Any thoughts and inputs much appreciated!

  • vernmcc@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Proving I am in DFIR with my initial response “It depends”

    I have done both, and even when doing work internally, I have identified who the report is actually designed for. Is this something the Dir of Sec wants to use as leverage with the CISO for budget? Is this report going to be parsed out to security engineers to harden systems and networks? Is this report going to be used by lawyers and insurance companies to understand what happened so they can inform shareholders, regulators, or underwriters?

    Typically all my reports are narrative stories, even when doing threat hunts or security assessments. This may sound awkward, but a class on fictional writing helps for building the narration (not the content, I am still camp “The Evidence Speaks”)

    I use pictures and tables to emphasize points I am making in the narration, not replace it. So I will say something, then reference a figure on the same page that will help the reader understand or get a point across to them.

    I try to keep the raw tech in appendices or specific chapters like, “Forensics Analysis of Host $HOSTNAME”. The narration is always in time order, even for proactive assessments. So “This is what we are going to do, this is how we are going to do it, this is what we collected, this is what we did, this is what we observed, this is our analysis, this is our conclusions”

    Final report goes out to to the customer I identified during scoping. I have found that report readouts are common enough in the service provider space that as I write the report, I will make notes for “If asked to do a report readout, this will be a slide” I don’t make the slides until the read out is requested, but it helps to have those notes.

    Last, no matter what you are writing, take a 24 break, then have your computer read it out loud to you while you read through the text. You will be amazed how many small problems like a change in verb tense, that you will pick up on. It also helps make sure your narrative flows and you can also realize where you may have repeated narrative (happens on multiple author reports often) or realize you missed something.

    • cyberhakon@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thank you for an excellent perspective! I really like the narrative story approach. Often I find reports too dry to provide the necessary context, the storytelling approach can provide a good antidote against that!