Battle Zone: An Interview With Bruce Schneier
Interviewed By Richard Thieme

Bruce Schneier wrote The Book on applied cryptography…literally. Now he's throwing his hat into the managed security services…Battle Zone
Q: Your new enterprise focuses broadly on computer security, not just cryptography. How do you define a 'secure system'?

A: That's the key question. However, there's no way to answer it without understanding the context in which it's asked. What does security mean in your home? Does it mean no one can break in? Does it mean no one can ever come in? Does it mean that you know the name of everyone who comes in? There's no single definition of security.
Q: Isn't it particularly difficult to define security during times of radical change? Didn't people once share a single context to a greater extent?

A: I'm not sure that's true. What a king meant and what a peasant meant by security were always different. And what someone meant in the United States and what someone meant in China were different. The definition has always depended on context, culture, role and class status.
Q: Your expertise has been in mathematics and cryptography. In the cryptographic space, what is crackable, and at what level? What's needed to do the job?

A: Even though I'm a cryptographer, I believe the science of cryptography has it all wrong. You have to look at security in the context of the entire system. You can't point to a cryptographic algorithm and say, 'This can't be cracked, therefore this system is secure,' just as you can't point to someone's front door and say, 'This lock can't be picked, so no one can break into the house.'
Q: Is this because, given enough resources, all code can be cracked?

A: No, it's because there are many ways into your house. Just because your front door is secure doesn't mean someone can't throw a brick through your window.
Q: Cryptographer Matt Blaze has said that, because the cryptographic space is finite, you can search the entire space if you have enough machinery, although it may take huge resources. Do you agree?

A: That's true, but so what? He's saying you can go to a product such as Windows NT and build a machine to break the code, but it would take more atoms than exist in the solar system. Does that mean it's secure? No. It's completely broken. That's the reason I started this company: Here I am, a cryptographer and mathematician, designing all of these mathematical ways of keeping things secure, all of these secure protocols and algorithms, but the products they're going into are getting broken again, again and again.
Q: Because, no matter how strong you make it, you simply determine that it's no longer the weakest link in the chain?

A: Right. Cryptography is a strong link and you can make it stronger, but so what? In terms of the security of the system, it doesn't matter. People will just go into the system through a different door.
Q: As an academician, you functioned in a different context where everyone spoke one language. In the world of commerce, people have to understand what you're saying. Do your clients 'get it'?

A: The average person often understands a lot more than an academic does. The average person does not understand the math, but they understand that every week there's a new vulnerability published on this or that application.
Q: That's what your company intends to address with a multilevel response. The cornerstone of your enterprise is MSN (Managed Security Monitoring Service), which is a capacity for a real-time response at every level of attack. Who is your major competition?

A: It's bizarre, but no one else is doing the whole thing. A lot of people do pieces of it: Some do the forensics piece, and are hired after a breach. Others manage firewalls or particular applications. But nobody else does real-time monitoring and response as a service. That's because it's very hard and very expensive.
Q: Do you have clients now?

A: We have about 20 evaluation partners.
Q: You need staff at every level of response. How many people does that take?

A: It takes seven people to fill a 24x7 seat. The hardest part is giving the analysts the complete backup they need to be really smart. By backup, I mean our database, which will make the analysts smarter about the problem.
Q: Do you mean computer-enhanced human intelligence?

A: That's the essence of it. A lot of information security products are computer products, but they're trying to fight or defend against a person at the other end. By building a comprehensive service, we marry a computer and a person in a useful way. The power of computing serves the person, and the person focuses that power.
Q: In other words, the computer system is only a means to an end, and its scope and range will be determined by human intention and motivation as your analysts can infer it from observed behavior. You're supplying a quasi-military system.

A: You have to. That's the only way to do it. You can't hang up a sign saying, 'Please restrict all hacking attempts to Monday through Friday, 9 a.m. to 5 p.m.'
Q: What are the key implementation issues?

A: The key issue is to enable analysts to work at their peak. The scale mandates that we have a lot of analysts, and we do. The U.S. military has proven that you can take an intelligent layperson and put him or her through technical training. And if you have very high expectations, and provide very narrow and focused training, a person will be able to do amazing things. It has to be very focused, and you have to have very high expectations of the person.
Q: By focused training, do you mean you have a constrained domain of expertise and use the computer to enhance effectiveness and provide the trainee what is needed in real-time? Do you also intend to hold analysts to the highest ethical and training standards?

A: Yes, we're basically a security-guard type of organization, and we're treating it like a security clearance. One characteristic of the nastier attacks is that there are exceptions. When Yahoo dropped during the DDoS attack, it took them three hours to get back up because no one had ever seen it before. Our analysts will see nothing but attacks. That experience, sitting in front of a console and doing nothing but this, cannot be replicated.
Q: They'll have battlefield experience. But won't you also need to be in touch with the hacker underground, because exploits need to be known at once?

A: Yes, we have to. Our intelligence organization will monitor both the underground and the overground, the products and the attacker tools. We need to know what's out there. And that will be fed to the analysts so they'll be constantly updated on what works. I think of the intelligence group as a bunch of particle physicists. They'll take a new product, a new router, for example. They'll set it up as their target, take all the tools that exist and fire them at the target. Then they'll see what happens, what works and what the footprints of that attack look like in the network.
Q: Will you include analysts with the kind of diversity of hacker experience that, say, Secure Computing or @Stake has?

A: We will, but we will also leverage the community. We'll use a lot of what's already out there. We don't have to do it all ourselves. Our goal is not to replace the products. We will leverage and scale what's out there.
Q: As it gains value over time, will your database be made publicly available?

A: There's a lot of information out there now about what hackers do, how they work and what tools they use, but it's all anecdotal. Nobody has visibility across the entire Internet. We'll have that visibility. We'll identify a new tool, and say how it was used and what it looks like over time as it becomes less effective or is enhanced. We can build that database. There is no reason not to publish that database publicly as it grows in value.

For example, we can show how firewalls work, not in a laboratory setting but as they're implemented by companies around the world. It's in our best interest to make products better. We're not selling a firewall or an IDS; we're leveraging these products. So if we find something wrong with the firewall, we'll tell you. Whether we publish it to the world will depend on the environment.
Q: So you're a prototype for a system that captures knowledge in real-time in a complex domain, integrates it with what is known from the past, and constantly updates it to make it available via human experts to customers, again in real-time?

A: Right. The concept isn't new: That's the essence of help-desk software. The execution will be the proof of the pudding, and the test will be the real world. We chose evaluation partners and wired their networks early on because this isn't a product you can test in the laboratory. It can only be tested in battle. The worst security product is the one that isn't used. Being used is important, especially for an infrastructure tool. Being first to market in this domain but not being effective would be bad. We would not come to the marketplace if we didn't know we could do a good job.
Q: Your exploration of network security has led you toward more holistic solutions, resulting in the mantra: 'Security is a process, not a product.' Is that true?

A: Yes, and that came as a surprise to me. I came from cryptography, and cryptography is mathematics; cryptography is truth. I am finding that security, though, has almost nothing to do with mathematics. It's like putting an enormous stake in the ground and hoping the enemy runs right into it. I'm actually annoyed at this: Why are you ruining my beautiful mathematics by choosing a lousy password?

There are three parts to security: prevention, detection and response. But almost all of computer security centers on prevention. In the real world, you never hear someone say, 'This door lock is great, so we don't need to worry about someone breaking in.' In computer security, you hear that all the time. Here's a firewall, so you don't have to worry about someone breaking in to the network.
Q: Because that's what someone's good at: making firewalls.

A: Right. You try to buy a safe; they have ratings. A rating may be 30 TL, which means a safecracker with tools will need 30 minutes, or 60 TLTR, which means a safecracker will need 60 minutes with tools and torch. So what that safe buys you is not security, but time. Within 60 minutes, you need to have an alarm sound and a guard come running to stop the attacker. So prevention mechanisms work as long as they're perfect. If a firewall was perfect, you wouldn't need an alarm.

However, products are never perfect, so you need detection and response. You can have detection, but, without response, it's worthless. If an alarm rings but no one responds, like car alarms, it might as well not ring. It's not enough to have detection circuits unless someone is there to hear the alarm and respond appropriately. We're building that detection-response circuit because all products are imperfect. And when the alarm rings, we'll come running.
Originally appeared in the June 2000 issue of Information Security Magazine (www.infosecuritymag.com). Copyright (c) 2000. All rights reserved.