2015 in review

The year started with the Anthem disclosure in early February and ended with the Ukraine grid incident on the 23rd of December. Between those bookends I wrote forty-something operational notes on the blog and ran the SOC, the engagement portfolio, and the vCISO clients through what was, on any honest accounting, the most operationally demanding twelve months I have had since founding the company.

The patching cadence was relentless. FREAK in March made us audit every customer TLS endpoint for export-grade RSA cipher suites and was followed seven weeks later by Logjam, which extended the same lesson to Diffie-Hellman and added the BULLRUN-shaped question of what state-level adversaries can do with precomputation against widely-shared 1024-bit primes. Lenovo's Superfish in February was a different shape of TLS problem — vendor-shipped certificate-substitution malware with the same private key on every laptop — and I spent several days that month explaining to customers why their consumer-class corporate laptops were a category that needed treating differently from their managed-fleet enterprise hardware. Stagefright in July was the worst Android disclosure I have seen, and the patch propagation through the Android ecosystem has been, predictably, partial; we will be advising mitigation rather than relying on patching for that issue well into 2016. POODLE residuals from the previous year continued to appear on customer estates whose audit cycles had not caught the SSLv3 disablement, and the tail of those findings persists.

Three breaches reshaped the threat model. Anthem in February — eighty million health-insurance records, with credentialled-access compromise and database-side data movement — established the year's operational pattern of identity-as-perimeter intrusions. Carbanak in February, a research disclosure rather than a breach disclosure, gave the most detailed public account of patient, professional financial-services targeting — the spear-phish, the months-long reconnaissance, the screen-recorded operator instrumentation, the sophisticated payment-system manipulation. OPM in June was the breach whose long tail will be national-security work for years; the SF-86 dataset is concentrated counter-intelligence material and its compromise changes the targeting environment for cleared US personnel and the people around them indefinitely.

Ashley Madison in July and August was unlike the others. The technical content of the breach was secondary; the harm was primary, individual, and severe, and the year's most uncomfortable professional conversations with vCISO clients were about how their organisations should and should not respond to the appearance of employee email addresses in the leaked data. The right answer, I came to believe over those weeks, is generally to do nothing absent independent cause. The wrong answer is to scan and act. I expect this position to be a reference for the next several years.

Hacking Team in July was a different category again — an intelligence event, not an incident response event, in which the public learned more about the operational structure of the commercial offensive market than has ever been publicly documented. The exploit-arming side-effect (Flash zero-days into Angler within twenty-four hours) was the operational consequence; the documentary side-effect, a four-hundred-gigabyte archive of customer correspondence and source code, will fuel academic and journalistic work on the surveillance industry for years.

The legal-environment shift was the Schrems judgment in October. Safe Harbour, the legal mechanism underpinning fifteen years of US-EU data flows, was invalidated by the Court of Justice without transition. The vCISO portfolio spent the rest of October and November on Standard Contractual Clauses migrations and vendor inventories. The successor framework — informally Safe Harbour 2.0, now Privacy Shield in the early negotiations — will not land until 2016 at earliest, and the Schrems judgment's substantive findings on US bulk surveillance will inform every adequacy assessment from now forward. The General Data Protection Regulation reached political agreement on the 15th of December and will be formally adopted in early 2016; the two-year implementation window starts then, and the scale of the work to make customer organisations GDPR-ready by mid-2018 is going to be the dominant strategic theme of 2016 and 2017.

Two UK-specific incidents structured the latter part of the year. TalkTalk in October was an operationally embarrassing SQL-injection compromise at a major telco, with communications-side handling that was its own news story. The Information Commissioner's Office investigation will set a precedent for UK breach response and likely produce a record-setting fine under PECR. Discussion has begun about how UK regulatory practice will adapt under the GDPR framework — fines tied to global revenue rather than the current £500,000 cap — and I expect that thread to develop substantially in 2016.

Juniper's ScreenOS disclosure in mid-December was the supply-chain story of the year. Two unauthorised code modifications, present in shipping releases for two and a half years, undetected by Juniper's own development pipeline, found by accident. The first — a hardcoded administrative password — was operationally critical and obvious. The second — a Dual_EC_DRBG parameter substitution that enabled VPN traffic decryption by anyone in possession of the new trapdoor — was cryptographically sophisticated and politically charged. The cryptographic analysis is still being completed; the operational lesson is settled, and it is that supply-chain integrity in security products cannot be assumed.

The year closes on the Ukraine grid incident — preliminary in detail, but a category-change event whose operational implications for utility-sector security will be the work of 2016 to absorb properly.

The portfolio. Browne Jacobson, Towry, and Northcott Global Solutions continued through the year as established vCISO clients. The manufacturing client engagement that I wrote about in January closed in March and has been substantial throughout the year. TWI work resolved in 2013 and is closed. Pen testing volume was up — the SDLC-upstream conversations I noted in January did materialise — and the team grew by two engineers in the autumn. The SOC carries seven sustained customers into 2016, with Splunk indexing approximately four hundred and twenty gigabytes per day of customer telemetry across the fleet, and OSSEC at approximately nine hundred endpoints. The company's fifth full year ends in better operational shape than I would have predicted in January.

The personal note. I spent more time on long-form research writing in 2015 than in any previous year — the export-control history of TLS, the Dual EC analysis, and the offensive-market structural pieces are essays I want to write properly in 2016. The book project on the evolution of incident response that I started outlining last summer is still in outline. The conference circuit was lighter than 2014 — one BSides talk in the spring, no Black Hat — and I want to fix that next year.

Onward. Twenty-sixteen is the GDPR run-up, the Privacy Shield negotiation, the Ukraine post-mortem, the long Stagefright tail, and whatever the year produces that I have not yet imagined. The kettle is on for the morning.
