Security Laboratory: Thought Leaders
Stephen Northcutt from the Security Laboratory conducts in-depth interviews with the thought leaders in information security. For every novel security product, there is a thought leader, a man or woman of vision who sees the need and guides the creation of the product. If there is someone missing whose voice you feel should be heard, drop me a note at stephen@sans.edu.
What is a Security Thought Leader - March 22nd, 2008
Amrit Williams, Chief Technology Officer, BigFix - June 30th, 2008
Andrew Hay, Q1 Labs - May 13th, 2008
Gene Schultz, CTO of High Tower - April 4th, 2008
Tomasz Kojm, original author of ClamAV - April 3rd, 2008
Bill Johnson, CEO TDI - April 2nd, 2008
Gene Kim, Tripwire - March 14th, 2008
Kevin Kenan, Managing Director, K2 Digital Defense - March 14th, 2008
Leigh Purdie, InterSect Alliance, co-founder of Snare - March 7th, 2008
Marty Roesch, Sourcefire CEO and Snort creator - February 26th, 2008
Dr. Anton Chuvakin, Chief Logging Evangelist with LogLogic - January 28th, 2008
Kishore Kumar, CEO of Pari Networks - Updated January 28th, 2008
Ivan Arce, CTO of Core Security Technologies - October 26th, 2007
Mike Weider, CTO for Watchfire - Updated July 23rd, 2007
Jeremiah Grossman, Founder and CTO of WhiteHat Security - July 12th, 2007
Interview with authors of The Art of Software Security Assessment - Updated July 9th, 2007
Ryan Barnett, Director of Application Security Training at Breach Security, Inc. - June 29th, 2007
Dinis Cruz, Director of Advanced Technology, Ounce Labs - June 11th, 2007
Brian Chess, Chief Scientist for Fortify Software - June 9th, 2007
Caleb Sima, CTO for SPI Dynamics - Updated May 29th, 2007
An Interview with David Hoelzer, author of DAD, a log aggregator - May 1st, 2007
An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information - March 22nd, 2007
Marty Roesch, Sourcefire CEO and Snort creator
February 26th, 2008
By Stephen Northcutt
Stephen, network monitoring seems to be out of vogue these days in various corners of the security world for a variety of reasons. The litany of reasons seems to be unending sometimes. Signature-based systems aren't comprehensive enough. Evasion is an insurmountable problem. Wily hackers operate so stealthily that they're impossible to detect. These criticisms of network monitoring are not without merit, but I believe that many of them don't understand the manner in which network monitoring truly works today.
Well Marty, that is a cheery thought; what do you see as the primary attack vector these days?
The lion's share of attacks today seem to focus on client-side vulnerabilities manifested in things like malicious JavaScript and hostile "Web 2.0/AJAX" sites.
http://www.youtube.com/watch?v=bgJzmOHjO5E
http://www.youtube.com/watch?v=NkfzeXBFyDU&feature=related
So Marty, is the problem that these attacks are complex and, therefore, signatures are hard to write for systems like Snort?
Stephen, the pure signature-based methods that are so roundly criticized by those "in the know" haven't been used for years as the sole method of understanding the assets and threats on networks. Understanding what is on the network, what it is doing, how it is changing, and who or what is interacting with it is essential to understanding how to defend today's networks properly. Today, the state of the art of network monitoring doesn't rely on one technology or method to provide awareness. Network flow analysis, passive network discovery, passive user discovery, stateful protocol analysis, attack mitigation, packet logging and signature-based mechanisms can all be used in concert today to provide pervasive network awareness.
So, is it fair to say that if you can define your network, and identify changes, that might help you find attacks you would otherwise miss?
I strongly believe that network awareness is really where we need to be headed with monitoring technology and that seems to be the trend among the companies who are continuing to work in the monitoring space. The ability to enumerate the assets in the environment, understand their configuration, usage patterns and changes, as well as how that data correlates to security events gives security practitioners the ability to see beyond the meager and largely meaningless information that the Intrusion Detection Systems of the 20th century provided. Done properly, today's network monitoring infrastructure can run in a highly automated fashion and only involve humans when necessary, cutting through the noise and constant babysitting that plagued early generations of these technologies.
Thanks Marty, I appreciate the insight. I would imagine your company, Sourcefire, has some product or products that help you with full-on network monitoring; can you give us the names of those tools and any open source tools that you think are helpful as well?
Sourcefire offers the Sourcefire 3D System, a suite of technologies to allow organizations to implement this next generation network monitoring capability. Sourcefire RNA (Real-time Network Awareness), RUA (Real-time User Awareness), and Snort products implement all of the primary features I have mentioned. We bring a holistic set of capabilities to organizations that need to monitor large, sophisticated and disparate network environments in a way that is manageable and scalable.
There are many open source tools that can send similar sets of data to users who are willing to integrate the data into useful forms themselves. Technologies such as PADS, open source Snort, and various NetFlow collection and visualization tools have been available for several years and do provide a lot of the basic information that's needed to do a more comprehensive job of monitoring network environments against today's threats.
One last question: do you have any suggestions for computer security managers to find out how well their organization is doing at detection, any actionable tips?
At the most basic level, managers need to figure out what they've got and how it's changing; that's the fundamental requirement for determining whether your detection is working at all!
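The pipeline Marty sketches above, passive discovery of what is on the network, detection of how it is changing, and correlation of signature alerts with that inventory, is small enough to show end to end. The following is an added illustration written for this page; it is not code from the interview, from Snort, or from Sourcefire's RNA/RUA products. It assumes a 10.0.0.0/8 internal address space, treats every constructed flow record as a completed connection (a real collector would check flags and byte counts first), and uses placeholder signature names rather than real Snort rules.

```python
"""
Added illustration, not code from the interview or from Sourcefire: a tiny
"network awareness" pipeline in the spirit Marty describes. It derives an
asset inventory passively from flow records, diffs that inventory against a
baseline to surface change, and uses the inventory to decide whether a
signature alert even applies to its target.
"""
from collections import defaultdict

# Assumption: internal address space is 10.0.0.0/8; everything else is external.
INTERNAL_PREFIX = "10."

# Constructed flow records (proto, src, dst, dst_port); not real traffic.
# Assumption: each record is a completed connection, so the destination really
# offered the service (a real collector would check flags/bytes first).
BASELINE_FLOWS = [
    ("tcp", "192.0.2.10", "10.0.0.5", 80),
    ("tcp", "192.0.2.11", "10.0.0.5", 443),
    ("tcp", "10.0.0.5", "10.0.0.20", 3306),
    ("udp", "10.0.0.7", "10.0.0.53", 53),
]
CURRENT_FLOWS = [
    ("tcp", "192.0.2.10", "10.0.0.5", 80),
    ("tcp", "192.0.2.11", "10.0.0.5", 443),
    ("tcp", "192.0.2.12", "10.0.0.5", 22),     # ssh newly exposed on the web host
    ("tcp", "10.0.0.5", "10.0.0.20", 3306),
    ("tcp", "10.0.0.7", "10.0.0.99", 445),     # a host never seen before
]
# 10.0.0.53 sent nothing in the current window.


def build_inventory(flows):
    """Passive discovery: map each internal host to the (proto, port) services it answered on."""
    inventory = defaultdict(set)
    for proto, _src, dst, dport in flows:
        if dst.startswith(INTERNAL_PREFIX):
            inventory[dst].add((proto, dport))
    return dict(inventory)


def diff_inventory(baseline, current):
    """Change detection: new hosts, hosts that went quiet, and services a known host did not offer before."""
    new_hosts = sorted(set(current) - set(baseline))
    quiet_hosts = sorted(set(baseline) - set(current))
    new_services = {}
    for host, services in current.items():
        added = services - baseline.get(host, set())
        if added and host in baseline:       # brand-new hosts are already listed above
            new_services[host] = sorted(added)
    return {"new_hosts": new_hosts, "quiet_hosts": quiet_hosts, "new_services": new_services}


def triage_alert(alert, inventory):
    """Correlate a signature hit with what the target actually runs.

    'relevant'       : the target offers the attacked service
    'not-applicable' : the signature fired against a service the target lacks
    'unknown-asset'  : the target was never discovered, which is itself worth a look
    """
    services = inventory.get(alert["dst"])
    if services is None:
        return "unknown-asset"
    if (alert["proto"], alert["dport"]) in services:
        return "relevant"
    return "not-applicable"


# Constructed alerts; the signature names are placeholders, not real Snort rules.
ALERTS = [
    {"sig": "constructed-web-attack", "dst": "10.0.0.5", "proto": "tcp", "dport": 80},
    {"sig": "constructed-web-attack", "dst": "10.0.0.20", "proto": "tcp", "dport": 80},
    {"sig": "constructed-smb-probe", "dst": "10.0.0.77", "proto": "tcp", "dport": 445},
]


def awareness_report(baseline_flows=BASELINE_FLOWS, current_flows=CURRENT_FLOWS, alerts=ALERTS):
    """Run the whole pipeline and return the findings a human should actually see."""
    baseline = build_inventory(baseline_flows)
    current = build_inventory(current_flows)
    changes = diff_inventory(baseline, current)
    verdicts = [(a["sig"], a["dst"], triage_alert(a, current)) for a in alerts]
    return {"changes": changes, "alerts": verdicts}


if __name__ == "__main__":
    report = awareness_report()
    for key, value in report["changes"].items():
        print(f"{key}: {value}")
    for sig, dst, verdict in report["alerts"]:
        print(f"{sig} -> {dst}: {verdict}")
```

On the constructed input the report flags one new host (10.0.0.99 answering on tcp/445), one host that went quiet (10.0.0.53), and one new service on a known host (tcp/22 on 10.0.0.5); the web-attack alert against the database server is marked not applicable because that host offers no web service, while the alert against an address the inventory has never seen is surfaced as an unknown asset. That last case is the point of Marty's closing advice: you cannot judge an alert against a host you did not know you had.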