Opening the year

The office is cold and the kettle has not yet warmed. First Monday back, and I am running through the year ahead before the inbox catches up.

The SOC carries four sustained customers into 2015 and a handful of seasonal ones. Splunk indexers are healthy, the OSSEC fleet is at six hundred and thirty endpoints, and Bro is ingesting from three customer perimeters in addition to our own. The 2014 retrospective I posted in December set out the operational picture; what I want to think through this morning is the commercial one.

Browne Jacobson is firmly in the rhythm of quarterly board reviews and an annual programme review. The relationship has matured past the early "what does a CISO actually do" phase into something more structural — they ask me about specific decisions, not categories of decision. TWI is closed; that work resolved in the spring of 2013 and the residual programme stewardship moved internal. Towry continues, with the focus this year on the trading-platform refresh and the third-party assurance work that goes with it. Northcott Global Solutions remains in place; the operational tempo there is uneven by nature, which is the work, but the contractual frame is settled.

The new vCISO conversation that ran through November and December is converging on a manufacturing client. I am reluctant to write the name down until contracts are signed, but the scope is interesting — they have grown by acquisition through a long period of weak central security, and the clean-up is going to be substantial.

Pen testing has shifted in flavour. Two thousand fourteen ended with a noticeable uptick in scoping calls that begin with the words "we would like to test our SDLC" rather than "we would like to test the website". That is healthy. It means the conversation has moved upstream, where the vulnerabilities are cheaper to fix. The flip side is that the engagements are longer and harder to sell to procurement teams whose templates only know about per-IP day rates.

Privacy is going to take more of my time this year than it did last. The Right To Be Forgotten ruling from May 2014 has settled into operational practice without nearly the friction I expected, and the Article 29 Working Party guidance from late November 2014 (wp225_en.pdf) gives a reasonably workable interpretive frame for it. The bigger story is the General Data Protection Regulation, which is still in trilogue but no longer feels like vapour. The European Council's general approach published last summer is shaping the implementation conversations I am having with vCISO clients now, two years before the regulation will exist. I am writing programmes against it.

The Snowden disclosures continue to surface, more slowly than in 2013-14 but still with material effect. Der Spiegel's December batch on TLS, IPSec, SSH and the BULLRUN programme (detailed in their December 28 piece) is going to drive several uncomfortable conversations with infrastructure teams about which protocol versions they are actually running. I have already started the audit on our own perimeter.

Forward operational concerns. Heartbleed and Shellshock made 2014 a year of patching. POODLE forced the SSLv3 cleanup. None of those are over — there is a long tail of devices that were not in any inventory until they were found by a scanner. I expect 2015 to repeat the pattern. The bug calendar is unforgiving and the protocol surface is wider than the asset register.

On the research side I want to invest more time in DNS as an attack surface — both reflection (Spamhaus 2013 was the public lesson but it has not been learned everywhere) and exfiltration. The SOC has flagged enough pattern-of-life DNS oddities in 2014 to make this worth a deeper look. There is a dataset there.

The blog — this thing — needs to be more disciplined. Last year drifted between operational notes and incident response. I want a clearer separation: incidents on the day or near it, programme observations on a weekly cadence, and the longer pieces — the deep-dive TTP work — separated from both. A reader should be able to find what they want.

The kettle has boiled. Inbox now.
