Can He Watch?

By: George AndersWed Dec 19, 2007 at 12:15 AM

The Thinker: Computer-security and encryption expert Bruce Schneier. The Setting: A counterpane surveillance room, Mountain View, California. The Question: How fast can you react when hackers attack your site?

On March 20, 2000, for example, Julio Calderon, 25, a Counterpane senior security analyst, noticed a deluge of attempts to log onto one client's Internet service, all coming from Internet addresses in the Middle East. He emailed the client at 3:03 PM, advising it to close one of its data ports through which users can log on. The client did so -- and the attacks stopped.

To be sure, Counterpane's services aren't for everybody. For one thing, very large companies usually set up their own traffic-monitoring departments, paying in-house analysts to do nothing but look for suspicious activity. For another, Counterpane's "high-touch" approach isn't cheap. Clients typically pay about $12,000 a month.

Counterpane sees big client opportunities in online businesses that are early enough in their growth curve that they want to outsource specialized functions like security monitoring. And the company contends that beyond strategic focus, there's another virtue of outsourcing: As it grows, Counterpane's analysts will have especially up-to-date and comprehensive knowledge about hacker practices, simply by seeing so many surveillance reports every day.

Among some of the first clients trying out Counterpane's service is Conxion Corp., a Web-hosting business based in Santa Clara, California. Conxion handles, among other things, most downloads of Microsoft's Internet Explorer software. Reading audit logs of Web-site traffic "is a mind-numbingly boring thing to do,'' says Mark Kadrich, 42, Conxion's director of security. He says he would much rather hire Counterpane to handle that task -- and to have someone from Counterpane call him at work or at home, day or night, if anything abnormal shows up -- than have to recruit and manage a staff of data analysts himself.

This spring, after several months of calm, Conxion became the target of a small-scale, attempted hacker attack. And within 10 minutes of the intrusion, Counterpane sounded the alarm, Kadrich says. Conxion was then able to tell the hackers that they were under surveillance, which discouraged the intruders from proceeding further, he adds. Even before that incident, a pre-Counterpane skirmish last year made Kadrich decide that detection and response needed to be prominent parts of his company's security package -- a realization that led him to seek out Counterpane.

Last year's hacker attempt involved Conxion's Web-hosting work for the World Trade Organization's Internet site. As part of widespread disruptions at the WTO's Seattle meeting in December, protesters began bombarding the organization's Web site with spurious requests. "We spotted this activity early on and took steps to redirect the traffic back to the protesters,'' Kadrich recalls. "As a result, they were the ones who ended up getting swamped.''

That tussle worked out well enough that Kadrich is able to laugh as he recalls the incident. But he says that immediately after the WTO flap, as he thought about the prospect of more such challenges ahead, he decided that he didn't want to face hacker attacks entirely on his own. "That was one of the factors I used to help justify bringing in Schneier and Rowley's expertise,'' he says.

Schneier is hoping that more and more dotcom executives who are charged with maintaining security will reach the same conclusion: The only safe Web site is one that's always being watched.

George Anders (ganders@fastcompany.com) is a Fast Company senior editor. Visit Counterpane Internet Security Inc. on the Web (www.counterpane.com).