Bruce Schneier: “It is not prevention or detection, it is response”

Bruce Schneier, Co3 Systems

As well as being a renowned cryptographer, influential security expert and outspoken conference favourite, Bruce Schneier has had his share of coverage in recent months as the Prism story unfolded. He chose to leave his position as BT’s security futurologist at the end of last month and has now turned his hand to incident response.


Schneier recently left BT, which acquired his company Counterpane in 2006, to join Co3 Systems as chief technology officer this month. I began by asking him what attracted him to a relatively unknown company.


He said that working for a start-up is fun and something that he wanted to do, as incident response is a space that needs work. “If you go back to the definition of security being protection, detection and response, this feels like the last area that needs work, and the idea of incident response coordination and working on a response is really important and something that isn’t there,” he said.


I asked what he meant by this not being done yet. He said that there is a huge market for response and, while a lot of response services have emerged, there are not a lot of response products and that is what Co3 offers. “That has become important now, and two things are driving it: firstly attacks have got more sophisticated. We are seeing more targeted attacks and you need a sophisticated response; secondly the regulatory environment in the United States is much more complicated and dangerous, so there are a lot of laws you have to follow or else you risk being fined, or face lawsuits and you need to demonstrate in court that you do things properly,” he said.


“So those two together show that you cannot do ad hoc response anymore, and the problem with emergency response is that you do it in a panic. It is easy to respond in the moment and anything that will automate things, and anything that will make the coordination more effective, is really valuable.”


I asked Schneier whether this area is effectively a final frontier for the industry, which needs to learn more about incident response. He said that, rather than being that extreme, as an industry we need to be more sophisticated as this is nothing new. “There will be a time when your response will say ‘call in someone else’, but your thermometer doesn’t replace the doctor, you know to call the doctor,” he said.


“I think we started seeing this at conferences three or four years ago where we went from being told ‘buy my thing and you’ll be safe’ to ‘you’re going to get hacked and you have a problem’, and I thought that was very refreshing as for too long we tried to throw imperfect solutions at this. So the fact that we are striving to say things like ‘yes we know this is imperfect’ is a good sign.”


Looking back at the RSA attack from 2010, Schneier said that it was a big deal and called the response “terrible”, as the coordination of the response to such a big attack “was all pretty much ad hoc”; with a coordinated response you would know what to do, what to say and how to fix it.


Talking specifically about Co3 Systems, Schneier said that it offers a way to coordinate a response. “It is not prevention or detection, it is response, and it doesn’t make attacks less likely to happen, it makes it less bad when they do, and that could be not getting smacked with a class action lawsuit,” he said.


I concluded by asking if he felt that companies needed to be prepared in the face of a potential attack. He said he did because of sophisticated attacks and legal trends. “For those two reasons, it becomes important to do something like this and there are different reasons for different sized companies, so those two things make it very useful and I am surprised by how much demand there is.”


Bruce Schneier, chief technology officer of Co3 Systems, was talking to Dan Raywood

