The Making of the 2014 Trustwave Global Security Report

Last week we unveiled one of our biggest projects of the year: the 2014 Trustwave Global Security Report, a beautifully designed, 123-page account of our firsthand insight into data breaches and threats bolstered by information from our security operations centers, telemetry from our security technologies and our cutting-edge research.

The annual report is one of the security industry's must-read compilations. PCMag.com, for example, described this year's report as "bursting with valuable data." eWeek also declared: "One of the largest, most comprehensive annual security reports in any given year is the Trustwave Global Security report, and this year's edition is no exception."

We love assembling the Global Security Report every year. Certainly it's a lot of work (as I'll explain below). But the key personnel behind it - the researchers that comprise our elite SpiderLabs team at Trustwave - are all too familiar with the limited resources and information sharing available to most organizations. As a result, these researchers understand that organizations of all sizes rely on reports such as this one to make security buying and deployment decisions specific to the current threats they face.

"Our team loves any excuse to dive deeper into any particular topic," Sam Bakken, the product marketing manager of SpiderLabs, recently told me. "We also look at this as a public service. 'Hey, we're an expert. We have a view into the threat landscape so let's put that together for people to use, as they may hopefully better protect their organization and we can arm them for making security decisions.'"

Now that the finished product has been released to the world, we thought it would be interesting to share what goes into putting together the report each year - so you can better understand the detail and depth that each edition includes.


Phase One: Review our investigations and threat intelligence

Trustwave prides itself on the information we learn from our on-the-ground data breach investigations and the threat intelligence we gather from our dozens of products and services used by customers in 96 countries. The latter, for example, helped us track down the Pony botnet.

We store this information in two proprietary databases and, throughout 2013, we monitored them to keep tabs on and extract notable data breach and threat intelligence trends.

One of the databases contains all of the aggregated and anonymized information we amassed while conducting 691 breach investigations across industries and the world in 2013. This data includes things like industry, region, when the compromise was first identified, how long it lasted, how it was detected, what the attackers were after and how they got in. The other repository we plugged into is our global threat database, which includes telemetry from our products - such as our secure web and email gateways, vulnerability scanners or managed security services - and includes ongoing research projects.


Phase Two: Construct an outline

After we collated and correlated information from these two proprietary databases, the SpiderLabs leadership team discussed the findings and drew up an outline. This outline served as the initial sketch of the content that would make its way into the report.

For example, during these planning meetings, we decided that attacks on point-of-sale devices were going to be displayed prominently in the report. That was not just because 33 percent of the attacks we investigated were on POS devices, but also because Josh Grunzweig, one of our researchers, had over the course of last year produced unique research by reverse engineering POS malware - in the process reaching fascinating conclusions regarding command-and-control and automation capabilities.


Phase Three: Pull it all together

Because we recognized that the Global Security Report would be read, and wanted it to be read, by people with varying security skill levels - from philistine to wonk - our goal was to create a report that was consumable by a broad audience, without it feeling watered down. To do this, we assigned writing responsibilities to roughly 20 technically minded researchers, then took their copy and ran it through our in-house team of editors, who massaged the product to make it as engaging, compelling and decipherable to the reader as possible. Then we shipped the document off to our design agency, which we challenged to be unique and bold. And they delivered.



"Our goal was to present the same hard-hitting data, which we've done, but make that data more easily digestible," Sam Bakken told me. "We purposefully designed it so that a reader could open to any one single page and pull out an idea and/or data point. You can open to any single page and get something of value and then dive deeper if you choose."

In the end, we believe we produced a report that appeals to the widest audience possible. We can't please everyone, of course. But we like to think the data speaks for itself.

Dan Kaplan is online content manager at Trustwave.
