The notebook is fifteen years old today. Fifteen feels — for the first anniversary in some years — substantial enough to warrant an actual reflection rather than the usual passing remark, but I am going to write a shorter year-opening post than usual because the 2012 retrospective covered most of what would normally appear here. The kettle is on, and the coffee is, by some considerable margin, the best of any year in which I have written this post.

The structural fact about fifteen years is that the notebook has now been running for longer than my entire pre-Hedgehog career. I started this in 1998 as a junior infrastructure engineer; the longest single-employer phase since then has been the Hedgehog years, which started in spring 2010 and are now approaching three years. The notebook therefore predates everything I now do operationally, which is — in a small way — its own thing. Most of my professional contemporaries either do not write at all or have started writing within the last few years; the discipline I started keeping in 1998 is, by itself, distinctive. I have stopped feeling embarrassed about pointing this out to clients when the question of "how long have you been doing this" comes up, because the honest answer is "longer than most of the practitioners you have ever met".

The priorities for 2013 are continuity from 2012. The SOC build has a fourth client onboarding next week and is moving from "novel project" to "operational core of the practice". The privacy-and-encryption methodology needs further development through the spring; the engagement-team material is about half-finished. The penetration-testing methodology piece from September wants its first revision based on twelve months of using it. The vCISO portfolio (Towry, Northcott, News International, Browne Jacobson) continues; the fifth secondment conversation that has been running since autumn is scheduled for resolution this fortnight. The structural question for the SOC of moving to 24/7 staffing is something I will defer until midyear.

What I am also planning to write more about, which is the part of this post that is forward-looking rather than retrospective: the question of attribution. The Stuxnet-Duqu-Flame line through 2012 produced enough public material that the underlying operator group is now substantially more identifiable than the security community could publicly acknowledge two years ago. Mandiant has been signalling that they are about to publish a substantial piece of attribution work on Chinese state-affiliated activity that they have been tracking for several years; I expect that to land in the first quarter and to be operationally significant. The practitioner community has historically been reluctant to do public attribution beyond "we think this is a state actor", and the Mandiant piece, if it lands at the depth they have been signalling, will change that. I am going to think more carefully about what attribution actually buys defenders and what its limitations are, and the writing on this will probably be the dominant theme of the spring.

The reading priorities are continuity. Schneier, Krebs, the Crysys/Kaspersky/Symantec consortium, the Verizon DBIR. The book I have set aside for January is Bruce Sterling's The Caryatids, which I want to read for non-technical reasons but which has several passages about distributed-trust infrastructure that I have been meaning to think about for a couple of years. Sterling's blog at Wired has continued to be the right place for the wider sense of how the technical and political infrastructures are interacting at the edges. The first technical post of the year will probably be Mandiant when they publish, or whatever falls out first.

Happy 2013 to anyone reading.
