Back at the desk. Inbox at four hundred and twelve, none of it on fire. The first Monday of the year is the right day for the kind of thinking that I do not get to do in October, so I am writing this before I open mail.
The portfolio carries forward. Browne Jacobson, Towry, and Northcott Global Solutions are all on continuing engagements. The manufacturing client engagement that closed in March 2015 has settled into a quarterly board cadence. The SOC has seven sustained customers, indexes around four hundred and twenty gigabytes per day in Splunk across the fleet, runs nine hundred or so OSSEC endpoints, and ingests Bro from three customer perimeters in addition to our own. The team grew by two engineers in the autumn and we are looking at a third in March. The shape of the operation in January 2016 is more mature than I would have predicted three years ago.
The strategic work that I want to do this year is structurally different from what I did in 2015. The General Data Protection Regulation reached political agreement on the 15th of December and will be formally adopted before Easter. The two-year implementation window starts at adoption, which means the operational deadline is late spring 2018. Twenty-six months feels like a long runway. It is not, particularly for the larger vCISO clients whose data architecture has been built up over fifteen or twenty years and where the inventory work alone will take six months. I want every customer with a programme review this quarter to leave the meeting with a GDPR readiness assessment in plain English and a sequenced plan that gets them to compliance by Q1 2018, not Q1 2018 plus slippage. I am drafting a customer-facing GDPR primer this week.
The Schrems judgment from October has produced the predictable Standard Contractual Clauses migration work. Most of that is done across the portfolio. The Privacy Shield negotiation between the European Commission and the US Department of Commerce is ongoing — the public commentary suggests an announcement before the summer (see the European Commission press releases on the new framework) — and the Article 29 Working Party has been clear that the same substantive standards from Schrems will apply. I am not advising customers to delay any current SCC migration on the strength of an expected Privacy Shield. The legal validity of any successor framework will be tested in the courts in due course, and the smart money assumes another Schrems-shaped event in two to four years.
The Ukraine power grid incident I wrote about on the 29th of December has firmed up substantially in the past two weeks. SANS and ESET have both published analyses (Robert M. Lee at SANS, "Confirmation of a Coordinated Attack on the Ukrainian Power Grid", ESET on BlackEnergy and KillDisk) and the operational picture I sketched on the 29th has held up. The detailed write-up I want to do on what utility-sector vCISO programmes need to absorb is on this week's pad. The audience is partly our own utility customer (one mid-size UK distribution network operator) and partly the wider sector — there is a piece worth writing about Ukraine that lands publicly.
The Stagefright tail continues. We are still finding unpatched Android devices on customer BYOD inventories at a rate that is uncomfortable. The advice for the year is going to be more aggressive than the July advice was — for the highest-risk users we are now recommending a switch to managed devices with current patch states, rather than the tolerated-BYOD posture that was the convention until last summer. The risk-management conversation around this is harder than it should be because the visible evidence of compromise is rare and the cost of restricted BYOD is felt every day. The right answer is unpopular.
The piece of work I am most curious about for 2016 is on the SOC research side. Our analyst team has been generating a great deal of triage telemetry — the alerts that fire, the analyst's classification (true positive, false positive, benign), the disposition reason, the time to triage. I have a postgraduate intern starting in February who has been working with neural-net classifiers in a different domain, and I want to see what happens if we feed a year of our own classified alerts into a supervised learning workflow and ask it to predict the analyst's classification on alerts the analyst has not yet seen. The output of that experiment, if it works, is a triage assistant — not a replacement, an assistant — that lets analysts focus their time on alerts the model is uncertain about. The literature on this is thin in 2016. There are some Splunk-internal pieces, some FireEye marketing, some academic work on intrusion detection generally, but the specific application to alert triage in a real production SOC is, as far as I can see, mostly unwritten (Tavallaee et al., IEEE CISDA 2009, on the NSL-KDD data set is in the right space but dates from 2009). I want to be among the people writing it.
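As an added illustration of the triage-assistant idea, and not code from the original post or from the SOC it describes: a categorical naive Bayes model, standard library only, trained on a constructed set of alert records carrying the analyst's classification. It suggests a disposition only when its posterior clears a confidence threshold and otherwise routes the alert to an analyst, which is the "assistant, not replacement" behaviour. The feature names (`rule`, `src`, `sev`), the three labels, the 0.8 threshold and every sample alert are assumptions made for the example.

```python
"""Supervised alert-triage assistant: a categorical naive Bayes model trained on
analyst dispositions, which abstains (routes to an analyst) when not confident.
Pure standard library so it runs anywhere."""
import math
from collections import Counter, defaultdict

FEATURES = ("rule", "src", "sev")   # assumed alert fields; a real feed has more

# Constructed training sample, not real SOC telemetry. Each record is one alert
# with the analyst's classification as the label.
TRAINING_ALERTS = [
    {"rule": "ssh_bruteforce", "src": "external", "sev": "high",   "label": "true_positive"},
    {"rule": "ssh_bruteforce", "src": "external", "sev": "high",   "label": "true_positive"},
    {"rule": "dns_tunnel",     "src": "internal", "sev": "high",   "label": "true_positive"},
    {"rule": "dns_tunnel",     "src": "internal", "sev": "high",   "label": "true_positive"},
    {"rule": "rootcheck",      "src": "internal", "sev": "medium", "label": "false_positive"},
    {"rule": "rootcheck",      "src": "internal", "sev": "medium", "label": "false_positive"},
    {"rule": "rootcheck",      "src": "internal", "sev": "low",    "label": "false_positive"},
    {"rule": "dns_tunnel",     "src": "internal", "sev": "medium", "label": "false_positive"},
    {"rule": "login_ok",       "src": "internal", "sev": "low",    "label": "benign"},
    {"rule": "login_ok",       "src": "internal", "sev": "low",    "label": "benign"},
    {"rule": "login_ok",       "src": "vpn",      "sev": "low",    "label": "benign"},
    {"rule": "ssh_bruteforce", "src": "vpn",      "sev": "low",    "label": "benign"},
]

# Constructed held-out alerts the analyst "has not yet seen", with the
# disposition the analyst later gave, used only for scoring.
HELDOUT_ALERTS = [
    {"rule": "ssh_bruteforce", "src": "external", "sev": "high",   "label": "true_positive"},
    {"rule": "dns_tunnel",     "src": "internal", "sev": "medium", "label": "false_positive"},
    {"rule": "login_ok",       "src": "internal", "sev": "low",    "label": "benign"},
    {"rule": "rootcheck",      "src": "internal", "sev": "medium", "label": "false_positive"},
]


class TriageModel:
    """Naive Bayes over categorical alert features with Laplace smoothing, so a
    feature value never seen in training still gets a non-zero likelihood
    instead of zeroing out a whole class."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.label_counts = Counter()
        self.value_counts = defaultdict(Counter)   # (feature, label) -> Counter(value)
        self.vocab = defaultdict(set)              # feature -> values seen in training

    def fit(self, alerts):
        for a in alerts:
            self.label_counts[a["label"]] += 1
            for f in FEATURES:
                self.value_counts[(f, a["label"])][a[f]] += 1
                self.vocab[f].add(a[f])
        return self

    def predict_proba(self, alert):
        """Posterior over analyst labels for one alert, computed in log space."""
        n_total = sum(self.label_counts.values())
        log_post = {}
        for label, n_label in self.label_counts.items():
            s = math.log(n_label / n_total)                # class prior
            for f in FEATURES:
                seen = self.value_counts[(f, label)][alert[f]]
                k = len(self.vocab[f]) + 1                 # +1 reserves mass for unseen values
                s += math.log((seen + self.alpha) / (n_label + self.alpha * k))
            log_post[label] = s
        m = max(log_post.values())                         # stable normalisation
        z = sum(math.exp(v - m) for v in log_post.values())
        return {label: math.exp(v - m) / z for label, v in log_post.items()}


def triage(model, alert, confidence=0.8):
    """Suggest a label; route to a human when the top posterior is below the
    (assumed) confidence threshold."""
    probs = model.predict_proba(alert)
    label, p = max(probs.items(), key=lambda kv: kv[1])
    route = "auto_suggest" if p >= confidence else "analyst"
    return {"suggested": label, "confidence": round(p, 4), "route": route}


def evaluate(model, alerts, confidence=0.8):
    """Return (coverage, accuracy): the fraction of alerts the model handles
    without an analyst, and how often those suggestions match the analyst."""
    handled = correct = 0
    for a in alerts:
        d = triage(model, a, confidence)
        if d["route"] == "auto_suggest":
            handled += 1
            correct += d["suggested"] == a["label"]
    return handled / len(alerts), (correct / handled if handled else 0.0)


if __name__ == "__main__":
    model = TriageModel().fit(TRAINING_ALERTS)
    for a in HELDOUT_ALERTS:
        print(a["rule"], a["src"], a["sev"], "->", triage(model, a))
    print("coverage, accuracy on auto-routed:", evaluate(model, HELDOUT_ALERTS))
```

The threshold is the whole design decision: raising it sends more alerts to the analyst queue and `evaluate()` reports that trade-off as coverage against accuracy on a held-out set. Two caveats a production run would need that the sketch skips: split training and held-out alerts by time rather than at random, because the alert mix drifts as rules and customers change, and watch the unseen-value path, since a brand-new rule name contributes nothing and the model falls back on source and severity alone.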
The kettle has boiled. Inbox now.