Introduction
Stephen Northcutt from the security laboratory conducts in depth interviews with the thought leaders in information security. For every novel security product, there is a thought leader, a man or woman of vision that sees the need and guides the creation of the security product. If there is someone missing whose voice you feel should be heard, drop me a note, stephen@sans.edu.
Marty Roesch, Sourcefire CEO and Snort creator
February 26th, 2008
By Stephen Northcutt
I keep thinking about the news reports that Chinese hackers managed to exfiltrate six terabytes of sensitive data from a large number of systems belonging to the Department of Homeland Security in November 2007. It seems like that would be impossible to do without being detected. But, I have to wonder, since the famous Richard Stiennon paper, Intrusion Detection is Dead, organizations have been replacing IDS with IPS, and maybe, just maybe, they think the devices do their job in some kind of "fire and forget" mode. Sourcefire was kind enough to allow me to interview Snort creator and Sourcefire CEO Marty Roesch on this topic, and we certainly thank him for his time.
Marty, do you have a sense that detection is not a top priority these days, and do you have any idea why?
Stephen, network monitoring seems to be out of vogue these days in various corners of the security world for a variety of reasons. The litany of reasons seems to be unending sometimes. Signature-based systems aren't comprehensive enough. Evasion is an insurmountable problem. Wily hackers operate so stealthily that they're impossible to detect. These criticisms of network monitoring are not without merit, but I believe that many of them don't understand the manner in which network monitoring truly works today.
Well Marty, that is a cheery thought. What do you see as the primary attack vector these days?

The lion's share of attacks today seem to focus on client-side vulnerabilities manifested in things like malicious JavaScript and hostile "Web 2.0/AJAX" sites.
NOTE: if AJAX is just a buzzword for any of our readers, there are two short YouTube videos on the subject you might want to watch:
http://www.youtube.com/watch?v=bgJzmOHjO5E
http://www.youtube.com/watch?v=NkfzeXBFyDU&feature=related
So Marty, is the problem that these attacks are complex and, therefore, signatures are hard to write for systems like Snort?
Stephen, the pure signature-based methods that are so roundly criticized by those "in the know" haven't been used for years as the sole method of understanding the assets and threats on networks. Understanding what is on the network, what it is doing, how it is changing, and who or what is interacting with it, are essential to understanding how to defend today's networks properly. Today, the state of the art of network monitoring doesn't rely on one technology or method to provide awareness. Network flow analysis, passive network discovery, passive user discovery, stateful protocol analysis, attack mitigation, packet logging and signature-based mechanisms can all be used in concert today to provide pervasive network awareness.
So, is it fair to say that if you can define your network, and identify changes, that might help you find attacks you would otherwise miss?
I strongly believe that network awareness is really where we need to be headed with monitoring technology, and that seems to be the trend among the companies who are continuing to work in the monitoring space. The ability to enumerate the assets in the environment, understand their configuration, usage patterns and changes, as well as how that data correlates to security events, gives security practitioners the ability to see beyond the meager and largely meaningless information that the Intrusion Detection Systems of the 20th century provided.

Done properly, today's network monitoring infrastructure can run in a highly automated fashion and only involve humans when necessary, cutting through the noise and constant babysitting that plagued early generations of these technologies.

I believe that network monitoring is a fundamental capability required to have an effective security program. New technologies available during the last few years have made it much more powerful and useful than it was even 3-5 years ago, and I would recommend that all security practitioners take a good look at what is available today.
Thanks Marty, I appreciate the insight. I would imagine your company, Sourcefire, has some product or products that help you with full-on network monitoring; can you give us the names of those tools and any open source tools that you think are helpful as well?
Sourcefire offers the Sourcefire 3D System, a suite of technologies to allow organizations to implement this next generation network monitoring capability. Sourcefire RNA (Real-time Network Awareness), RUA (Real-time User Awareness), and Snort products implement all of the primary features I have mentioned. We bring a holistic set of capabilities to organizations that need to monitor large, sophisticated and disparate network environments in a way that is manageable and scalable.

There are many open source tools that can send similar sets of data to users who are willing to integrate the data into useful forms themselves. Technologies such as PADS, open source Snort, and various NetFlow collection and visualization tools have been available for several years and do provide a lot of the basic information that's needed to do a more comprehensive job of monitoring network environments against today's threats.
One last question: do you have any suggestions for computer security managers to find out how well their organization is doing at detection, any actionable tips?
At the most basic level, managers need to figure out what they've got and how it's changing; that's the fundamental requirement for determining whether your detection is working at all!
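The "know what you've got and how it's changing" advice above, and the earlier point about correlating asset changes with security events, are illustrated by the following added example. It is not code from the interview or from Sourcefire's products; it builds a passive asset inventory from constructed flow records, diffs it against a baseline, and keeps only the signature alerts that land on something that changed. All hosts, ports and alerts are constructed sample data, and the Flow/alert formats are assumptions for the example.

```python
"""Passive inventory + change detection + alert correlation (added example,
constructed data; not the interview's or any vendor's code)."""
from typing import NamedTuple

class Flow(NamedTuple):          # assumed minimal flow record layout
    ts: int                      # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str

# Constructed flows: a baseline window, then a later window in which a new
# host appears and a known host starts answering on a new port.
BASELINE = [
    Flow(1000, "10.0.0.5", "10.0.0.10", 80, "tcp"),
    Flow(1001, "10.0.0.6", "10.0.0.10", 80, "tcp"),
    Flow(1002, "10.0.0.5", "10.0.0.11", 22, "tcp"),
]
CURRENT = [
    Flow(2000, "10.0.0.5", "10.0.0.10", 80, "tcp"),
    Flow(2001, "10.0.0.7", "10.0.0.10", 80, "tcp"),    # new client host
    Flow(2002, "10.0.0.5", "10.0.0.11", 22, "tcp"),
    Flow(2003, "10.0.0.6", "10.0.0.11", 4444, "tcp"),  # new service on known host
]
# Constructed signature alerts: one on a baseline service, one on the new listener.
ALERTS = [
    {"dst": "10.0.0.10", "dport": 80,   "msg": "constructed: HTTP anomaly"},
    {"dst": "10.0.0.11", "dport": 4444, "msg": "constructed: unexpected listener"},
]

def build_inventory(flows):
    """Passive inventory: every host seen and the (port, proto) pairs it serves."""
    inv = {}
    for f in flows:
        inv.setdefault(f.src, set())            # a client is still an asset
        inv.setdefault(f.dst, set()).add((f.dport, f.proto))
    return inv

def diff_inventory(old, new):
    """List new hosts and new listening services relative to the baseline."""
    changes = []
    for host, services in new.items():
        if host not in old:
            changes.append(("new_host", host, None))
        else:
            for svc in sorted(services - old[host]):
                changes.append(("new_service", host, svc))
    return changes

def correlate(alerts, changes):
    """Keep alerts whose target is a new host or a newly observed service."""
    new_services = {(h, s) for kind, h, s in changes if kind == "new_service"}
    new_hosts = {h for kind, h, _ in changes if kind == "new_host"}
    return [a for a in alerts
            if a["dst"] in new_hosts or (a["dst"], (a["dport"], "tcp")) in new_services]
```

Run on the constructed data, the baseline HTTP alert is dropped as noise and only the alert on the new 4444/tcp listener survives; in practice the baseline would be rebuilt continuously rather than from one window.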