The year that contained WannaCry, NotPetya, Equifax, and Uber's concealed breach has reshaped enough of the operational and regulatory environment that I want to write the retrospective with more care than usual. Several threat models have shifted; several pieces of regulatory architecture have crystallised; and the work I have been doing on machine-learning-assisted SOC operations has moved from research to operational capability in a way that I did not expect to happen this year.
The worm-grade events. WannaCry on the 12th of May was the first weaponised use of the Shadow Brokers' April release at scale, and the operational shock — to the NHS, to the wider UK public sector, to the long-tail Windows estates across many countries — was substantial. The cleanup work and the political response have been productive in the sense that patching cadences, long-tail-Windows replacement programmes, and the National Cyber Security Centre's profile have all moved forward in ways that would have taken longer without the catalysing event. NotPetya on the 27th of June was technically the more sophisticated event, with the supply-chain initial-access through M.E.Doc and the credential-theft lateral movement that made patching alone insufficient. The destructive-wiper-as-fake-ransomware character of NotPetya is the structural innovation that the post-2017 incident-response playbooks need to absorb. Bad Rabbit in October refined the technique further. Whether the next wave of worm-grade events will use yet another iteration of the propagation pattern is the question for early 2018.
The supply-chain pattern. NotPetya's M.E.Doc compromise was the operational headline, but the year produced several supply-chain disclosures of comparable importance. CCleaner's update infrastructure was compromised in August, distributing a backdoored installer to over two million users (Cisco Talos analysis of the CCleaner compromise). Kaspersky was, separately, removed from approved-vendor lists across the US federal government in September on the basis of supply-chain trust concerns. The ROCA disclosure in October showed a vendor cryptographic library shipping flawed key-generation across millions of devices for over a decade. The cumulative effect is that supply-chain integrity, which was an abstract concern at the start of 2017, is by year-end a concrete operational discipline that customer organisations are investing in. The defensive controls — vendor security verification, software-bill-of-materials, update-content monitoring, segmentation of update channels — are starting to be productionised across the larger customer estates.
The breaches and the disclosure environment. Equifax in September was the largest single-incident breach of US consumer financial-identifier data in history, and the structural critique of the credit-bureau industry has, post-Equifax, become unavoidable. The Uber disclosure in November — of an October 2016 breach that the company concealed for over a year — has driven a sharp conversation about disclosure ethics and corporate responsibility that will continue to shape the regulatory environment through 2018 and beyond. Yahoo confirmed in October that the 500-million figure from September 2016 was, in fact, three billion — every Yahoo account ever created (Yahoo / Verizon Oath statement, October 3). The pattern of breach-disclosures-revising-upward-over-time continues. The GDPR May 2018 deadline is now visible from the customer-organisation budgeting conversations as the structural change in the disclosure regime, and the Equifax and Uber cases are the reference points used in customer briefings to make the case for what the new regime means in practice.
The regulatory environment. GDPR adoption is the dominant strategic theme of customer engagements through the autumn. The Article 29 Working Party guidance on breach notification, on Data Protection Officers, on data-protection-by-design, and on consent has been published through the year and is being incorporated into customer programmes. The NIS Directive transposition in the UK has produced a clearer picture of Operator-of-Essential-Services obligations than I would have predicted in January, partly driven by the post-WannaCry political environment. The Privacy Shield framework continues to operate, with the predicted Schrems-II-style litigation on the horizon. The aggregate effect is a substantially more demanding regulatory environment for personal-data handling than what existed twelve months ago, with most of the operational implementation work still ahead.
The Emily work. The assist-phase deployment that started in February has been operational across the customer fleet through the year. The model's classification accuracy, the analyst-team adoption, and the operational impact on triage capacity are all in the ranges I had hoped for or better. The threat-intelligence integration work in the autumn has improved the incident-grade-class precision and recall further. The team has grown around the work; the strategic question of whether the capability is a Hedgehog operational capability or a Hedgehog product capability is one I have been thinking about all year and have not yet decided. The decision will, I think, land in early 2018 — there are commercial signals in both directions and the choice has substantial consequences for the company's shape.
Two of the customer organisations have, separately, asked about licensing the Emily capability. I have been declining on the operational grounds that the productisation work is not yet done. The medium-term question is whether the productisation work should be done. The team is capable of it; the market for SOC-augmentation tooling is real; the alternative — keeping the capability as an internal differentiator that drives Hedgehog's own SOC business — is also legitimate. I want to think about this in January when the operational fires of December have settled.
The portfolio. Five sustained vCISO clients carrying through the year, a sixth added in October that I have not previously written about (a UK retailer with substantial customer-data holdings, GDPR-readiness as the primary engagement focus). The pen-testing engagement queue grew through the year, with the WannaCry-and-NotPetya tail producing substantial follow-on work. SOC customer count is at nine, indexing around 750 GB per day. The team is at 17 including the ML engineering function. The Bath-side office decision was deferred again and we are now looking at a Q1 2018 move.
The personal note. I wrote 41 posts on the blog this year, fewer than 2016 by a few, mostly because the operational tempo through May, June, and July left less writing time than usual. The DDoS-book successor is on chapter outline; the export-control-cryptographic-debt essay is in draft; the early-Emily research piece is half-written. Conferences: I was at Infosec Europe in June (panel on post-WannaCry incident response, useful), at one BSides in September (smaller, more interesting), and not at any academic-leaning venue. The book project continues to be slower than I would like.
Onward into 2018. The GDPR May deadline. The Emily productisation question. The continuing iteration in the worm-grade attack landscape. The supply-chain conversation. The Privacy Shield litigation when it lands. And whatever the year produces that I have not yet imagined.