Office cold, kettle on, pad open. The Christmas break was, by recent standards, calmer than usual — the customer-portfolio operational tempo settled around the SolarWinds-related response work in the back half of December but did not produce any incidents at customer organisations themselves. The first Monday's planning is shaped by three things: the SolarWinds aftermath, the post-Brexit regulatory landscape now operationally settled, and the Black Hat 2021 paper that the team submitted in October and which was accepted in December.

The SolarWinds aftermath. Two weeks after the December disclosure I noted in the retrospective, the operational picture is firmer. The actor — now publicly attributed to Russian state intelligence (SVR / APT29 / Cozy Bear / Nobelium, depending on which terminology is used) by US government statements (Joint Statement by FBI, CISA, ODNI, NSA, January 5) — appears to have used the SUNBURST backdoor as one element of a broader campaign that included multiple supply-chain compromises, sustained dwell time at affected organisations, and an operational sophistication that has substantially raised the level of customer-organisation conversations about state-actor capability. The customer-portfolio specific exposure remains zero on direct SolarWinds Orion deployment, but the secondary indicators (vendors and software-bill-of-materials items adjacent to the affected supply chain) have produced ongoing audit work that will continue through Q1.

The post-Brexit regulatory landscape. The UK adequacy decision under the EU's GDPR framework was issued in late June 2021 — wait, no, that has not happened yet at the time of writing this; the Trade and Cooperation Agreement that came into effect on 1 January 2021 includes a six-month bridging period for personal-data transfers, with the formal adequacy decision expected before the bridging period ends. The customer-portfolio data-flow architecture is positioned for either outcome; the contingency planning we did through 2020 has held. The UK GDPR is operational from 1 January as the post-Brexit replacement for the directly-applicable EU regulation, with the substantive content essentially preserved and the regulatory authority remaining the ICO. The customer-organisation programme work continues without significant change.

The Black Hat USA 2021 paper. In October the team submitted a paper-and-presentation proposal to Black Hat USA 2021 covering the threat-intelligence-integration work that has been the principal Emily product feature through 2019-2020. The acceptance landed in December. The presentation slot is in August in Las Vegas — in person, COVID environment permitting, with a virtual fallback. The lead engineer will present, with my supporting role on the broader research and customer-deployment context. This is the second peer-reviewed conference acceptance for the team after the USENIX Security 2019 paper.

The portfolio. Six vCISO clients carrying through. Fourteen SOC customers (the 2020 net-positive carrying through). Twelve EmilyAI commercial customers entering the year with three additional prospects in late-stage commercial discussion for Q1 close. The team is at thirty-three at year-start with the 2021 hiring plan envisaging six to eight further hires, primarily on the EmilyAI engineering and customer-success functions and one senior detection-engineer hire for the SOC.

The threat-landscape planning for 2021. The supply-chain-attack pattern — SolarWinds is the worked example; its precedent value will inform the entire year's customer-organisation conversations. The continuing ransomware escalation — the targeted-and-data-exfiltrating model from 2020 is now the baseline; the 2021 evolution will produce further refinements. The state-actor-targeting environment that SolarWinds has clarified — customer-organisation threat models will need to incorporate state-actor capability more explicitly than 2020's planning envisaged. The post-Brexit regulatory environment in operational tempo. The continuing COVID-affected operational landscape, with the public-health environment continuing to constrain in-person operations through at least mid-year.

The book project. The GDPR-era operational discipline book is in late editing and is on track for publication in May or June. The proofs went to the publisher in mid-December.

The kettle has boiled. Inbox now.
