Schneier on Security
A blog covering security and security technology.
January 6, 2014
I've Joined Co3 Systems
For decades, I've said that good security is a combination of protection, detection, and response. In 1999, when I formed Counterpane Internet Security, I focused the company on what was then the nascent area of detection. Since then, there have been many products and services that focus on detection, and it's a huge part of the information security industry. Now, it's time for response. While there are many companies that offer services to aid in incident response -- mitigation, forensics, recovery, compliance -- there are no comprehensive products in this area.
Well, almost none. Co3 Systems provides a coordination system for incident response. I think of it as a social networking site for incident response, though the company doesn't use this term. The idea is that the system generates your incident response plan on installation, and when something happens, automatically executes it. It collects information about the incident, assigns and tracks tasks, and logs everything you do. It links you with information you might need, companies you might want to talk to, and regulations you might be required to comply with. And it logs everything, so you can demonstrate that you followed your response plan and thus the law -- or see how and where you fell short.
Years ago, attacks were both less frequent and less serious, and compliance requirements were more modest. But today, companies get breached all the time, and regulatory requirements are complicated -- and getting more so all the time. Ad hoc incident response isn't enough anymore. There are lots of things you need to do when you're attacked, both to secure your network from the attackers and to secure your company from litigation.
The problem with any emergency response plan is that you only need it in an emergency. Emergencies are both complicated and stressful, and it's easy for things to fall through the cracks. It's critical to have something -- a system, a checklist, even a person -- that tracks everything and makes sure that everything that has to get done is.
Co3 Systems is great in an emergency, but of course you really want to have installed and configured it before the emergency.
It will also serve you better if you use it regularly. Co3 Systems is designed to be valuable for all incident response, both the mundane and the critical. The system can record and assess everything that appears abnormal. The incident response plans it generates make it easy, and the intelligence feeds make it useful. If Co3 Systems is already in place, when something turns out to be a real incident, it's easy to escalate it to the next level, and you'll be using tools you're already familiar with.
Co3 Systems works either from a private cloud or on your network. I think the cloud makes more sense; you don't want to coordinate incident response from the network that is under attack. And it's constantly getting better as more partner companies integrate their information feeds and best practices. The company has launched some of these partnerships already, and there are some major names soon to be announced.
Today I am joining Co3 Systems as its Chief Technology Officer. I've been on the company's advisory board for about a year, and was an informal adviser to CEO John Bruce before that. John and I worked together at Counterpane in the early 2000s, and we both think this is a natural extension to what we tried to build there. I also know CMO Ted Julian from his days at @Stake. Together, we're going to build the incident response product.
I'm really excited about this -- and the fact that the company headquarters are just three T stops inbound to Harvard and the Berkman Center makes it even more perfect.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.