
Sourcefire's Roesch pledges long, open source life for Snort

SAN JOSE, Calif. -- You might not expect it, but one of the security industry's most successful executives shares a house with his mother-in-law.

In fact, Martin Roesch, founder and chief technology officer of Sourcefire Inc., and inventor of the popular Snort open source IDS tool, also manages a frenetic household that includes his wife, three young daughters and several pets.

"Weekends are pretty much ruled out now," when it comes to coding, he says, but his passion for security is evident when explaining that he still tip-toes down to the PC some nights, after everyone else is tucked into bed, to work on his beloved Snort.

Yet amid Sourcefire's pending acquisition by Check Point Software Technologies Ltd., Roesch has been criticized for what is perceived to be selling out and putting Snort's future in jeopardy. In an interview at the recent 2006 RSA Security Conference, Roesch addressed those concerns as well as the next generation of intrusion prevention technology, the value of the open source community and enhancements in the works for Snort.

How much joy do you still get out of being a part of Sourcefire today, versus when you first got started?
I love Sourcefire. It's the best job I've ever had. What's not to like? I've got lots of resources at my fingertips. I have access to whatever computing horsepower I need. I work with a bunch of really great people and I've learned tons. Plus ideas that people would've dismissed a few years ago are taken very seriously now and things like RNA [Real-time Network Awareness] are the result. When I first brought up the idea [for RNA] to my own engineering team, they told me it wouldn't work. And we made it work, and [today] it works really well. So I look forward to going to work every day when I get up.

Many users in the Snort community are interested in the Check Point acquisition. What's happened since the acquisition?
Well, the fact that we're going to have more resources at our fingertips to continue to advance Snort. More people in research, developers, QA people, [and] the quality of the technology should continue to improve more rapidly. We have a lot of ideas as far as where detection technology needs to go to remain relevant. I don't think the end-all, be-all of detection technology is deep-packet inspection. I think that that's one approach, but it ignores a whole lot of problems that aren't going to be ignored by the bad guys forever. We're working hard to combat those kinds of problems and bring people more effective, powerful analysis technology. So the Snort community should be thrilled because we're going to pour a lot of interesting ideas and hard work into this technology that they're still going to benefit from.

There's a lot of skepticism from the Snort users right now because they're in wait-and-see mode, so we need to prove to them that we mean it when we say Snort's going to get a lot better. We're not going to try to close it or anything like that. Once they see how much they're benefiting, they're going to be really happy.

How do you expect your role to change following the acquisition, and will you spend more of your time on products not originally from the Check Point portfolio?
We haven't defined exact roles for everybody yet because we're still waiting for the acquisition to close. The thing I'm going to be doing initially is helping to roadmap the integration strategy between Check Point's and Sourcefire's products. Obviously it makes a lot of sense to be able to get Snort's rule-processing capabilities into other products. Long-term, we have a shared vision at a senior management level of this notion of automated network security becoming a reality. [It's] being able to get real policy enforcement systemically across your security infrastructure in a way that's driven by policy engines and real-time event generators that can inform the security infrastructure of what the state of the network is and have the infrastructure enforce policy automatically.

I've seen people come up to you and offer their congratulations here at the show. Is it fair to say that you will profit financially as a result of the acquisition?
Oh sure. I have a large stock-holding in the company. I'll definitely be a very comfortable person after this. Not so much that I won't work. It's not really in my genetic makeup to just sit on a beach and sip pina coladas all day long, but it takes a lot of the pressure off. It secures my children's future. They'll go to college any place they want to go. We can live anywhere we want to live now, and it gives me a lot of flexibility. It allows me to kind of relax and unburden myself of a lot of the day-to-day nuts and bolts stuff that you have to worry about a little bit when you're a single-income family. Obviously I was a well-compensated executive at Sourcefire, but I've got three kids, a wife and a mother-in-law at home…

There's still a reliance on the paycheck.

Yeah, I've gotta bring home a paycheck right now. Really, this lets me get free of that. So it's exciting for me to stop worrying about those things, have a little bit of fun and be able to focus my creative energies on things I enjoy.

The finalization of the acquisition has been delayed by what's been called a "longer than expected regulatory approval process." What can you tell me about it?
I can't tell you anything about it. No comment.

Is that an accurate statement?

What, no comment?

No, "longer than expected regulatory approval process."

Yeah. You know, it's this CFIUS process. That's the Council of Foreign Investing in the United States. That's the government body that's currently investigating the transaction. We were hoping to get completed in the regular 30-day cycle, but it didn't happen. So nobody's happy about it, but it's something we've gotta get through, and once we do, we'll move on.
You said earlier that deep packet inspection is not the answer to the IPS puzzle, but there are a lot of security pros out there who have had negative experiences with IPS products. How does your company go about bridging the gap, not only technologically by improving the products, but also by beating back some of the negativity plaguing IPS products?
If IPS has perception problems in the market, it's nobody's fault but the IPS vendors'. The security industry has a nasty habit of over-hyping products that are still in their shakedown phases. There are always going to be edge cases where an IPS has issues, whether it's performance issues due to computational complexity problems or false positives and negatives. But one thing that we've been working on at Sourcefire that gets beyond this notion of deep-packet inspection is driving the information about the participants in the network conversation into the analysis process itself, so we're analyzing and modeling the endpoints properly based on what they really are, instead of based on theories of what they might be, which is how most of these technologies work right now.

For more information

Listen to a portion of our interview with Martin Roesch in our Security Wire Weekly podcast (mp3)

Snort users fear future under Check Point

Check Point to buy Sourcefire for $225 million

Check out our intrusion detection and prevention learning guide

There's been some debate recently on the value of the open source community to a product like Snort. While the popularity helps the product, some say the community doesn't contribute as much as it seems. What's your response?
It depends on the project. You get out of the open source community what you put into it. I've always looked at the community as a giant testing lab to make sure the software is working properly, and also as an idea generator to improve ideas that may not be working that great. Plus it's a potential user base for the other things we may develop. Some say, 'If they're not contributing code that's every bit as high quality and innovative as what [Sourcefire] is capable of producing internally, then it's not worth it.' I don't believe that's the case.

My argument is that the networking effects and the good will from the community, if you build it properly, are worth every bit as much as the IP itself. You can't put a price on [the open source community] when you have a 20-person or a 30-person company and you're going into Fortune 1000 accounts to compete against giant switching and routing vendors and other security companies, and the meeting opens up with them pulling out their Snort books and asking for your autograph. What's the value of that? It's huge, absolutely gigantic. For those who only need one or two Snort sensors, or they're just messing around on their home network or can't afford an appliance, they can still get exposure to the technology, can get comfortable with it and build a relationship with us. So that one day, when that person needs to roll out 100 sensors worldwide for their Global 1000 company, maybe they'll think of calling us, and we're happy to have that relationship.

Your legacy in the industry will always be tied to Snort, and much of Snort's legacy will be determined by what happens after the acquisition. What's your vision for guiding the product forward?
The future vision that I have for the Snort technology -- and we have agreement from within Check Point -- is that Snort needs to remain open source. There are good reasons for it, and there's no reason to screw up that success. The plan is to keep it open source and continue to evolve the technology. I have some very definite ideas about where I'd like to take it. So I agree with you, following the acquisition the legacy of Snort will continue to be determined. So I think it's important that we always be honest with the community, and that we continue to develop technology that's innovative and cutting edge to keep the community with us. If we let Snort wither on the vine, everybody's got an excuse to go look at other technologies, and that doesn't serve anybody's interests very well.

Finally, can you give our readers a sneak preview of the technology that you hope to be working on in the coming years with Snort and throughout Sourcefire?
With Snort, I'm prototyping some fairly radical things right now that I'm not going to go into because if they don't turn out, I'll get e-mail about them for three years as people come across this article.

Can you give us an idea of what radical means?

Changing how Snort processes rules, how its processes are managed, and making it so you don't have to restart Snort to change its configuration.

For Sourcefire, we have a ton of things coming up. Our next [RNA] is going to have network behavioral anomaly detection in it. It's going to have scanner integration to complement our passive network discovery system; we'll have the ability to orchestrate scanners now and incorporate their data back into our network models. We have a brand-new GUI going into the product. It looks great and it works really nicely. We're working on tiering, being able to drive more information about the network into analysis processes, and some things around vulnerability management that we think will be fairly disruptive, but I don't know if those things will happen this year or next. We win by being smarter and coming up with better ideas than everybody else, even our bigger competitors. So I've always got something up my sleeve.
