December retrospective. The annual structured retrospective continues, following the pattern of 2006 and earlier years.
This one is longer than usual because 2007 has been substantively interesting and several developments deserve careful framing.
The major events
In rough chronological order:
- TJX breach disclosed (January) — 45+ million payment cards.
- Storm Worm emergence (January) — peer-to-peer botnet architecture.
- Animated cursor zero-day MS07-017 (March-April).
- Estonia DDoS attacks (April-May) — the political-cyber category emerges.
- iPhone shipped (June) — mobile-platform shift.
- Operation Bot Roast (June) — coordinated FBI takedown.
- Black Hat USA 2007 (August).
- DDoS book final drafting (September).
- Vista deployment retrospective (October).
- Evolution of DDoS book published (November).
Ten substantive events. The pace is consistent with recent years; the cumulative shift they represent is larger.
The cumulative trajectory
Three structural observations from the year.
Politically-motivated DDoS is now operationally demonstrated. Estonia is the first sustained, infrastructure-scale, politically-motivated attack against an entire country. Further incidents of this kind will follow, and defensive planning now has to address the category rather than treat Estonia as a one-off.
The data-breach disclosure trajectory continues to scale. TJX at 45+ million payment cards exceeds CardSystems in 2005. Subsequent breaches will continue the trajectory, and regulatory responses will continue to mature alongside them.
The mobile-platform threat model has shifted. The iPhone introduces a substantially different attack surface, and subsequent platforms will continue the diversification. The threat model for mobile devices is becoming substantially more varied.
Taken together: positive on defensive maturity, negative on threat sophistication, mixed on net outcome.
The personal trajectory
The year has been substantial.
The DDoS book was the dominant non-day-job activity: sustained writing through the year. Its effect on my own operational thinking has been meaningful; its effect on the broader practitioner community will be bounded but real.
The CISO role at Gala Coral continued productively, with several structural projects through the year, and defensive maturity there continues to accumulate.
The writing discipline continued. Approximately 50 notebook posts through the year, at the established weekly cadence. The archive continues to grow.
The predictions, reviewed at year-end
The January 2007 predictions, reviewed:
Continue the weekly cadence. 95%. Resolved AFFIRMATIVE.
Complete and publish the DDoS book. 60%. Resolved AFFIRMATIVE.
Continue the CISO role at Gala Coral productively. 90%. Resolved AFFIRMATIVE.
Attend at least four conferences. 80%. Resolved AFFIRMATIVE.
Speak at at least one conference. 70%. Resolved AFFIRMATIVE.
Write a substantial piece on internal segmentation. 55%. Resolved PARTIAL — specific posts touched the topic; no single substantial piece.
The score: 5 affirmatives, 1 partial, 0 misses. The book prediction, made at only 60% and resolving AFFIRMATIVE, is the most consequential.
What I have been writing about
The 2007 writing has covered:
- The continued CISO trajectory.
- Specific incidents — TJX, Storm, .ani, Estonia, various smaller events.
- Major releases — iPhone, ongoing Vista deployment.
- Industry shifts — Operation Bot Roast, the takedown trajectory.
- Conference reflections — Black Hat USA 2007.
- The book project — drafting, completion, publication.
Volume continues at the established cadence.
What I expect for 2008
The detailed predictions for 2008 will be in next week's post. The high-level expectations:
- Continued operational tempo, with events arriving at the rate of recent years.
- Continued Vista deployment, accelerating after SP1 ships.
- Continued commercial-cybercrime maturation.
- Continued Estonia-pattern political-cyber incidents.
- Continued web-application security category development.
- Continued personal trajectory at Gala Coral.
A reflection on ten years
The notebook will reach ten years in January 2008. That milestone will get its own treatment in the New Year post.
For now: thank you for reading through 2007. The conversations, corrections, and cumulative engagement continue to be the most rewarding aspect of the discipline.
More in the predictions post next week.
A closing thought
2007 has been operationally substantial. Events tested the defensive infrastructure, the structural shifts above continued, and the personal trajectory progressed (the book in particular). The overall trajectory remains positive.
For my own continued work: more on that trajectory in 2008. Events will inform it, and the archive grows.
More as the year wraps up.