Office cold, kettle on, pad open. The Citrix ADC CVE-2019-19781 clean-up that I wrote about on the 18th of December is the dominant operational concern of the first week — mass exploitation against unmitigated estates began over the new year period as predicted, and while the customer-portfolio mitigation deployment is holding, the wider population is producing exactly the wave of incident-response work that I expected. Two of our pen-testing customers from 2019 have engaged retainer-mode incident-response support over the holiday period because they had unmitigated ADC deployments and discovered indicators of compromise consistent with active exploitation. Both cases are under active investigation; both customers are now being engaged on accelerated post-incident remediation work.

The portfolio carries forward. Six vCISO clients continuing into the year. Eleven EmilyAI commercial customers (down one from end-2019 — a small customer who decided to bring SOC operations fully in-house, the most amicable kind of churn). Thirteen SOC customers. The team is at thirty-one, with the 2020 hiring plan envisaging six to eight further hires through the year primarily on the EmilyAI engineering and customer-success functions.

The company turns ten in April. I wrote a longer note in the Christmas post about the ten-year arc; the operational point is that we have a 10-year-anniversary event planned for late April in Bath — customers, partners, the team, a few of the security-community contacts who have been part of the company's development. The planning is in the hands of the senior leadership team and is in good shape. The personal commentary I want to write — a longer essay on what ten years of running a security business has taught me — is in the long-form essay file and will probably surface around the anniversary itself.

The regulatory landscape ahead. The BA and Marriott final-fine determinations remain on the 12-18-month timeline I wrote about in July. The CCPA — California Consumer Privacy Act — came into effect on the 1st of January and is operational from this morning; the customer-organisation programme work to address the new US-side consumer-rights obligations has been substantive but tractable. The post-Brexit UK data-protection environment is being clarified through the Withdrawal Agreement transition period; the customer briefings need to be specific about what changes when the transition period ends, but the answer for most customers is "less than the press coverage suggests" as long as the UK adequacy decision arrives. The EU-US Privacy Shield is, on the legal commentary, increasingly likely to face Schrems-II-style invalidation in the coming months; the contingency planning we have been doing with customer organisations on Standard Contractual Clauses is in motion and is the right posture.

The threat landscape ahead. The targeted-ransomware-with-data-exfiltration model that the Maze leak-pattern formalised in November is, on the early evidence of January, being adopted by other ransomware operators. The defensive architecture work on data-egress visibility and on customer-organisation incident-response playbooks for the data-publication scenario is the dominant Q1 strategic theme. The post-Citrix supply-chain-and-appliance-vendor-risk conversation continues. The credential-aggregation environment continues to produce Collection-#X disclosures on a steady cadence; the customer-organisation MFA rollouts continue. The cloud-native-architecture security discipline that Capital One made central in 2019 continues to develop.

The conference calendar. Infosec Europe in June with the EmilyAI booth. RSA Conference in February — I am not attending personally but the Bath engineering team has a small presence working with one of our partner integrators. BSides Manchester in late summer if the schedule supports it.

The kettle has boiled. Inbox now.
