Security Laboratory

Please enjoy this series of interviews with the thought leaders in software security. If there is someone missing whose voice you feel should be heard, drop me a note, stephen@sans.edu.

Marty Roesch, Sourcefire CEO and Snort creator

February 26th, 2008
By Stephen Northcutt

I keep thinking about the news reports that Chinese hackers managed to exfiltrate six terabytes of sensitive data from a large number of systems belonging to the Department of Homeland Security in November 2007. It seems like that would be impossible to do without being detected. But, I have to wonder, since the famous Richard Stiennon paper, Intrusion Detection is Dead, organizations have been replacing IDS with IPS, and maybe, just maybe, they think the devices do their job in some kind of "fire and forget" mode. Sourcefire was kind enough to allow me to interview Snort creator and Sourcefire CEO Marty Roesch on this topic, and we certainly thank him for his time.

Marty, do you have a sense that detection is not a top priority these days, and do you have any idea why?

Stephen, network monitoring seems to be out of vogue these days in various corners of the security world for a variety of reasons. The litany of reasons seems to be unending sometimes. Signature-based systems aren't comprehensive enough. Evasion is an insurmountable problem. Wily hackers operate so stealthily that they're impossible to detect. These criticisms of network monitoring are not without merit but I believe that many of them don't understand the manner in which network monitoring truly works today.


Well Marty, that is a cheery thought, what do you see as the primary attack vector these days?

The lion's share of attacks today seem to focus on client-side vulnerabilities manifested in things like malicious JavaScript and hostile "Web 2.0/ AJAX" sites.
NOTE: if AJAX is just a buzzword for any of our readers there are two short YouTube videos on the subject, you might want to watch them:
http://www.youtube.com/watch?v=bgJzmOHjO5E
http://www.youtube.com/watch?v=NkfzeXBFyDU&feature=related


So Marty, is the problem that these attacks are complex and, therefore, signatures are hard to write for systems like Snort?

Stephen, the pure signature-based methods that are so roundly criticized by those "in the know" haven't been used for years as the sole method of understanding the assets and threats on networks. Understanding what is on the network, what it is doing, how it is changing, and who or what is interacting with it, are essential to understanding how to defend today's networks properly. Today, the state of the art of network monitoring doesn't rely on one technology or method to provide awareness. Network flow analysis, passive network discovery, passive user discovery, stateful protocol analysis, attack mitigation, packet logging and signature-based mechanisms can all be used in concert today to provide pervasive network awareness.



So, is it fair to say that if you can define your network, and identify changes, that might help you find attacks you would otherwise miss?

I strongly believe that network awareness is really where we need to be headed with monitoring technology and that seems to be the trend among the companies who are continuing to work in the monitoring space. The ability to enumerate the assets in the environment, understand their configuration, usage patterns and changes, as well as how that data correlates to security events gives security practitioners the ability to see beyond the meager and largely meaningless information that the Intrusion Detection Systems of the 20th century provided. Done properly, today's network monitoring infrastructure can run in a highly automated fashion and only involve humans when necessary, cutting through the noise and constant babysitting that plagued early generations of these technologies.

I believe that network monitoring is a fundamental capability required to have an effective security program. New technologies available during the last few years have made it much more powerful and useful than it was even 3-5 years ago, and I would recommend that all security practitioners take a good look at what is available today.


Thanks Marty, I appreciate the insight. I would imagine your company, Sourcefire, has some product or products that help you with full-on network monitoring; can you give us the names of those tools and any open source tools that you think are helpful as well?

Sourcefire offers the Sourcefire 3D System, a suite of technologies to allow organizations to implement this next generation network monitoring capability. Sourcefire RNA (Real-time Network Awareness), RUA (Real-time User Awareness), and Snort products implement all of the primary features I have mentioned. We bring a holistic set of capabilities to organizations that need to monitor large, sophisticated and disparate network environments in a way that is manageable and scalable.

There are many open source tools that can send similar sets of data to users who are willing to integrate the data into useful forms themselves. Technologies such as PADS, open source Snort, and various NetFlow collection and visualization tools have been available for several years and do provide a lot of the basic information that's needed to do a more comprehensive job of monitoring network environments against today's threats.



One last question, do yu have any suggestions for computer security managers to find out how well their organization is doing at detection, any actionable tips?

At the most basic level, managers need to figure out what they've got and how it's changing; that's the fundamental requirement for determining whether your detection is working at all!

© 2000-2007 The SANS™ Institute

SANS Web Privacy Policy: www.sans.org/privacy.php - Web Contact: webmaster@sans-ssi.org
SANS SSI Press Room: www.sans-ssi.org/press / Policy On SANS Trademark Usage