
Can He Watch?

By: George Anders | Wed Dec 19, 2007 at 12:15 AM

The Thinker: Computer-security and encryption expert Bruce Schneier. The Setting: A Counterpane surveillance room, Mountain View, California. The Question: How fast can you react when hackers attack your site?

Every second counts when you're trying to stop a break-in. Homeowners and burglar-alarm companies know that. That's why they install motion detectors, loud alarms, and trip wires that alert police immediately. Safe manufacturers know that too. Each safe is actually rated according to approximately how long it can withstand fire, as well as how hard it would be for a veteran safecracker to break into it. This caught-in-the-act logic isn't meant to stop attempted break-ins, but rather to bring help almost instantly -- making it likely that burglars will give up before much damage has been done.

Shouldn't Web security be guided by the same principles?

For the past year, that question has tantalized computer-security expert Bruce Schneier, 37. In the early 1990s, Schneier created the Blowfish algorithm, a popular encryption formula that has yet to be cracked. He has also authored or coauthored five books, including "Applied Cryptography: Protocols, Algorithms, and Source Code in C" (John Wiley, 1994), which still frequently appears on Amazon.com's list of its top 1,000 best-selling books.

Schneier has spent most of his career on the classic priorities of computer security -- that is, figuring out ways to put sensitive data behind bigger padlocks and thicker lead walls. Now he's widening his ambitions, believing that prevention is only part of what a good Web-security system should do. If break-in attempts are inevitable -- and, as the Web becomes more visible, it becomes a more inviting target -- then, he contends, it's time to focus on an infrequently asked question: How fast can you react when trouble strikes?

"I had an epiphany last year," Schneier says. "I realized that lots of security products work wonderfully when they're used properly," but that haphazard implementation often makes them vulnerable. That increases the need for a system that can spot the first stirrings of an attempted break-in, while there's still time to react. "Think about credit-card data thefts on the Internet," he says. "Many result from a flaw in a popular piece of software for which a patch has been issued but that merchants fail to use."

To help shore up security in an imperfect world, Schneier and his colleague Tom Rowley, 52, a computer engineer, last year founded Counterpane Internet Security Inc. Their company doesn't make data firewalls, encryption algorithms, or other familiar types of security software. Instead, it focuses on detecting suspicious activity and responding to trouble -- fast. So far, Counterpane has raised $34 million in venture capital from such companies as Goldman Sachs and Morgan Stanley Dean Witter. It has attracted more than three dozen customers that rely on Counterpane to spot signs of mischief on their networks and then to help them quickly take countermeasures.

"When an attack happens, you have very little time to react," says Rowley, president and CEO of Counterpane. Indeed, as chief technology officer Schneier points out: "When someone hacks into your Web site and stays there for an hour or more, it's very difficult to get that person out because hackers will compromise your security in many places. But if you can spot a hacker immediately, you can turn off the point of access before much damage is done."

To put their ideas into action, Rowley and Schneier decided to create a secure operations center (SOC) at the farthest corner of Counterpane's San Jose, California, offices last winter. In that small, brightly lit room, technicians watched computer screens around the clock for signs of possible intrusions into clients' Internet operations. That first SOC has since been replaced by a bigger facility in Mountain View, California, and a second, nearly identical site is located in Chantilly, Virginia. Each facility is physically hardened against attack and is under constant video surveillance.

Data analysts join Counterpane only after passing a psychological-profiling test. Even so, their every keystroke is monitored. "We're looking for people who have a very strong sheltering and protective side," Rowley says. "People who, if they weren't working for us, might be police officers or firefighters." Two types of workers are attracted to computer-security jobs, he adds. "One type is exactly what we want. The other is exactly what we're fighting against."

Inside an SOC, security analysts put in nine-hour shifts of tedious but exacting work. In many ways, it is the post-Cold War equivalent of sitting in a bunker somewhere on the Great Plains, watching satellite images of the Soviet Union and looking for suspicious activity near nuclear-weapons sites. On many days, nothing happens. But every now and then, blue-and-white warning messages pop onto computer screens, warning of "suspicious" -- or even "critical" -- behavior.

From Issue 35 | May 2000


Recent Comments | 1 Total

September 27, 2009 at 8:11am by Yono Suryadi

Thank you for the information, very useful.
