How about 'bad reporting?" In a conversation with The Security Ledger, Grier, the founder of Grier Forensics, said that, despite a wealth of security data, the security industry’s approach to analyzing it is immature. A respected forensics expert who presented a technique on using stochastic forensics to spot insider data theft at the 2012 Black Hat Briefings, Grier's latest project is developing a notion he calls “security paintings:” a way to distill disparate security metrics into easy to digest information.
He says classical data reports often fall into the same traps. “High level data is interesting, but low-level data is credible,” Grier said. “We need both, but we don't seem to be able to reconcile the two.” At a minimum, reports should draw the reader’s attention to the information that’s the most important to them. Humans have evolved to look for anomalies in their environment and to focus on them, but reports often fail to identify patterns in the data flag anomalies, he said.
One problem may be that its the developers, themselves, who design reports, rather than the users who are the audience. “The developers--the people who are the most familiar with the tables and data and database schema --are developing the reports. Tthey develop reports based on what they’re thinking about. Their perspective is ‘I’m a developer. I’m storing the data in this table. Let me show this table to you!’ They’re not thinking about it from the perspective of a security professional which is ‘I want to know X. What is the best way for me to present it to you?’"
Good security reports should be like "bouquets" Grier said — taking low level events (the flowers) and assembling them into mid- and then high level groupings that are easy on the eyes. If nothing else, reports should do the job of making data understandable and easy to act on. “The whole point of a report is to get a human involved,” he said. “One of the basic observations I made is that, for any kind of security control, if its obvious enough for a computer to make a decision about it, you don’t need a report,” Grier said."
Link to Original Source