Bruce Schneier: Incident response management breaking new ground
Date: Jul 07, 2014
Bruce Schneier is one of the best-known security professionals both within the field and in the larger world of technology policymaking. He's written 12 books, produces the influential "Schneier on Security" blog and is widely quoted in the press. After a multi-year stint at BT Managed Security Solutions, Schneier has moved to a startup: Co3 Systems. The new company, where he serves as Chief Technology Officer, makes a tool that focuses specifically on security incident response management.
"It's software that allows companies to coordinate their response," Schneier says. "You put in your response plan -- or if you don't have one, it generates best practices. It knows the laws; it knows the regulations. You tell it who does what. And when an incident happens, it generates tasks, it follows up on them, and it makes sure that everything that's supposed to get done gets done."
Schneier adds that the product's record-keeping capabilities mean if there is subsequent litigation, you'll be able to prove that your organization stayed within its policies and performed the tasks that it had committed to in its incident response plans. It makes a lot of the other tools you're using to deal with incidents better, he says, "because it puts them in place where you need them, when you need them."
Robert Richardson: Hi, I'm Robert Richardson and I'm the editorial director of SearchSecurity.com. With me today is Bruce Schneier, who is a key figure in the security industry, and lately, Bruce, you've got a new gig. You've recently joined Co3 Systems. I don't know much about them, so maybe you can tell me what Co3 is up to.
Bruce Schneier: So I took this at the start of this year. Co3 Systems does coordination software for incident response. I've been saying for years, "protection, detection, response." In 1999, I formed Counterpane to do detection. This is really about incident response, and it's software that allows companies to coordinate their response. You put in your response plan or, if you don't have one, it generates best practices. It knows the laws. It knows the regulations. You tell it who does what. And you see, what happens is it generates tasks, follows up on them. It makes sure everything that's supposed to get done gets done, either by your company policy or by law.
Then it keeps records so when there's litigation, you can prove that you did what you said you would do. The real problem with response plans is that people look at them in emergencies, and it's easy to forget things. This takes the coordination and automates it so you can respond better. I think it's a great idea. I think it's something that's been lacking in security and I'm really excited about it.
Robert Richardson: So I just want to be clear, it's not the incident response itself, it's the management of the incident response, or is it both?
Bruce Schneier: It really is the management. It will take feeds from something like ArcSight. It will take feeds from Threat Intelligence. When an incident happens you can either turn this on or it will turn on automatically and it will send out tasks, it will follow up on them. It manages incident response. It makes a lot of the other products and services you're using better because it puts them in a place where you need them when you need them. I just think that's been missing.
Robert Richardson: So this is out in the marketplace, but I do feel like it's relatively fresh, it's relatively new in the marketplace. What do you think the roadmap from here forward is, where does this kind of incident response management go from here?
Bruce Schneier: Just to manage better you need to have as many regs in there as exist so you know what laws to follow. You need feeds from different intelligence and best practices. We want to put in a social aspect so that you can go to other customers in a chat room, either by name or anonymously, and talk about incidents. A lot of times when something happens, it happens to everybody. It's a new piece of malware. And being able to trade information among your peers is really valuable. Sometimes you want to do that anonymously, sometimes you don't care if your name's attached.
You think of the Target breach, they really screwed up response. My guess is because it's such a big deal that they just forgot things, and it's easy to forget things. Ideally you want to use incident response software not just for the big things, but for everything. You don't want to only look at your disaster plan in a disaster. You want it to be routine, and the Co3 system can tell you whether something's a big deal or you shouldn't worry about it. So the customers that use it best use it all the time, because it's a platform for coordination for incidents from someone lost a laptop and there might be personal information on it to something as big as the Target breach and now the FBI is here.
Robert Richardson: Well it's going to be very interesting to see where this winds up. It seems like in 2014 just like in 2013 we're going to be seeing and talking about a lot of breaches.
Bruce Schneier: What we've seen is that attackers have gotten more sophisticated. Breaches are getting harder to deal with because you have far more sophisticated hackers. And at the same time, the regulatory environment is more sophisticated. There are more rules that you have to follow and there's more litigation that happens after an event. Those two things are driving incident response as a category, much bigger than Co3, but it's making it really a category we have to watch in this year.
Robert Richardson: Well, we'll be watching. Bruce Schneier, thank you for joining us today.