I’ve Joined Co3 Systems

For decades, I’ve said that good security is a combination of protection, detection, and response. In 1999, when I formed Counterpane Internet Security, I focused the company on what was then the nascent area of detection. Since then, there have been many products and services that focus on detection, and it’s a huge part of the information security industry. Now, it’s time for response. While there are many companies that offer services to aid in incident response—mitigation, forensics, recovery, compliance—there are no comprehensive products in this area.

Well, almost none. Co3 Systems provides a coordination system for incident response. I think of it as a social networking site for incident response, though the company doesn’t use this term. The idea is that the system generates your incident response plan on installation, and when something happens, automatically executes it. It collects information about the incident, assigns and tracks tasks, and logs everything you do. It links you with information you might need, companies you might want to talk to, and regulations you might be required to comply with. And it logs everything, so you can demonstrate that you followed your response plan and thus the law—or see how and where you fell short.

Years ago, attacks were both less frequent and less serious, and compliance requirements were more modest. But today, companies get breached all the time, and regulatory requirements are complicated—and getting more so all the time. Ad hoc incident response isn’t enough anymore. There are lots of things you need to do when you’re attacked, both to secure your network from the attackers and to secure your company from litigation.

The problem with any emergency response plan is that you only need it in an emergency. Emergencies are both complicated and stressful, and it’s easy for things to fall through the cracks. It’s critical to have something—a system, a checklist, even a person—that tracks everything and makes sure that everything that has to get done is.

Co3 Systems is great in an emergency, but of course you really want to have installed and configured it before the emergency.

It will also serve you better if you use it regularly. Co3 Systems is designed to be valuable for all incident response, both the mundane and the critical. The system can record and assess everything that appears abnormal. The incident response plans it generates make it easy, and the intelligence feeds make it useful. If Co3 Systems is already in place, when something turns out to be a real incident, it’s easy to escalate it to the next level, and you’ll be using tools you’re already familiar with.

Co3 Systems works either from a private cloud or on your network. I think the cloud makes more sense; you don’t want to coordinate incident response from the network that is under attack. And it’s constantly getting better as more partner companies integrate their information feeds and best practices. The company has launched some of these partnerships already, and there are some major names soon to be announced.

Today I am joining Co3 Systems as its Chief Technology Officer. I’ve been on the company’s advisory board for about a year, and was an informal adviser to CEO John Bruce before that. John and I worked together at Counterpane in the early 2000s, and we both think this is a natural extension to what we tried to build there. I also know CMO Ted Julian from his days at @Stake. Together, we’re going to build the incident response product.

I’m really excited about this—and the fact that the company headquarters are just three T stops inbound to Harvard and the Berkman Center makes it even more perfect.

Posted on January 6, 2014 at 6:18 AM34 Comments


Anonymous SMB January 6, 2014 6:42 AM

Sounds expensive, what market are you/they targeting? Just large enterprises or will you be providing for SMBs as well?

Bruce Schneier January 6, 2014 8:24 AM

“Sounds expensive, what market are you/they targeting? Just large enterprises or will you be providing for SMBs as well?”

It’s not expensive — at least in the scheme of things.

Large enterprises like that it allows them to coordinate large response teams. SMBs, who are chronically understaffed, use it more to provide the expertise and context that they lack.

It’s also available both as a SaaS and an on-premises solution. SMBs want the SaaS solution, but large enterprises prefer to have it on their network.

Gag January 6, 2014 8:50 AM

How do you expect “Co3 Systems” to react, if it is victim of a Gag order from NSA or the likes ?

Clive Robinson January 6, 2014 9:16 AM

Well a happy new year and new job, sounds from what you say that the move’s been on the cards for a while.

One thing I note, the photo of you on Co3sys web site looks a lot more “warm and cuddly” than the one on your current book 🙂

I also not your “three stops” comment it sounds as though you are “moving into” the area on a more permanent basis, does this mean you intend doing a little less “glob trotting”?

Bruce Schneier January 6, 2014 9:16 AM

“How do you expect ‘Co3 Systems’ to react, if it is victim of a Gag order from NSA or the likes?”

We’ll see, won’t we.

I don’t expect it to happen, though. The sort of information on customers that we have doesn’t seem relevant to those sorts of gag orders. I can imagine being involved in providing evidence for criminal activity. I certainly expect Co3’s information to be critical in civil litigation stemming from security breaches. But I don’t really see a national security angle.

BrowserPrivacy January 6, 2014 9:33 AM

Would have been happier about you announcing a gig at CCC via talks at 30c3 instead of Co3 🙂

But I wish you all the best, and hope you’ll still be able to spend lots of time working on public-interest reporting and other projects.

Bruce Schneier January 6, 2014 10:15 AM

“I also not your ‘three stops’ comment it sounds as though you are ‘moving into’ the area on a more permanent basis, does this mean you intend doing a little less ‘glob trotting’?”

I am spending more time in Cambridge, although I haven’t moved here in any permanent sense. Between the Berkman and Co3, that’ll continue into 2014. My guess is that I’ll be traveling just as much, but closer to home.

thief January 6, 2014 10:29 AM

Great news, Mr. Schneier! I hope working there does for you the good you always did for all of us, raising awareness and improving the security field as a whole.
All the best!

NobodySpecial January 6, 2014 11:00 AM

This is obviously more use if users can see each other’s cases
At the moment the only way we know if other companies had been the victims of a similar attack is when their denials leak onto reddit later.
But we can’t publicize we have been attacked because it would affect “shareholder value”

Are you planning a secret club room where sysadmins can see each others cases or report on their responses?

Nick P January 6, 2014 11:32 AM

Well I’m glad you found a job. And I’m sure it’s quite a relief to know you’re unlikely to get pressured into the kind of stuff you do exposes on.

Figureitout January 6, 2014 12:25 PM

Have to agree w/ what NobodySpecial says:
This is obviously more use if users can see each other’s cases
–Companies won’t share this info, but the system (seems to me) is more useful if they do.

Leah A. Zeldes
Are you hiring?
–Lol, check out the ‘Careers’ section of the website.

Anura January 6, 2014 12:57 PM


Lower case “o” indicates it’s a molecule composed of 3 cobalt atoms. Not sure how stable that is.

Lou January 6, 2014 2:10 PM

Cobalt seems to be a popular element among the security community. There is a commercial penetration testing tool known as Cobalt Strike, for example.

Jan Willem January 6, 2014 3:09 PM

Congratulations with your new job.

Hope that NSA will not force Co3 to ignore any incident created by them! And in any case that the NSA will try so, that you are strong enough to refuse it!

Mr. Impossible January 6, 2014 3:10 PM

“Bruce Schneier doesn’t join a security firm. It joins him.”


I see what you did there!!!

Congratulations Bruce! Thanks for everything you do for the community. I know all of us here really appreciate you and everything you’ve taught us over the years. You’ll no doubt be a huge asset to Co3 Systems.

Carry On!!!

Cheryl January 6, 2014 3:31 PM


I kind of hoped to see you on the Travel Channel or the Food Network, reviving your “side job,” but this works!

Discount for your loyal readers?

MWeiser January 7, 2014 1:11 PM

Congrats, Bruce — what an interesting path you have traveled and still have before you. Hope to see you here in the “Minne-apple” again soon. Guess we’ll stay tuned to this space…

All the best to you!

Suresh Ponnusamy January 8, 2014 3:03 AM

Congratulations on the new job!

Hope things work out well and your personal crypto / law remarks / opinions does not affect professionally! Since, it is going to be with JB, I hope it to be fine! Congrats again!

josh January 8, 2014 5:20 PM

There’s a reason why nothing happens in the military without a checklist to go by. Just for those crisis situations, or even when tired people might forget the minor shite that needs to get done no matter what you might think at the time.

The job already seems a good fit. Enjoy! (Otherwise, why do it? ;-).

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.