This series of articles and the accompanying videos are part of an ongoing project to illuminate the people, products, and vendors that make up the IT security industry. The vendors paid for the video production.

Marty Roesch is a pioneer in network security. He is the creator of the open source IDS product SNORT and commercialized it under the SourceFire brand. Over the years he had a front row seat to the changing threat environment.

He built SourceFire through acquisition and innovation and ultimately sold it to Cisco in 2013. I had a chance to sit with Marty this past February to learn how his thinking has changed recently.

Marty is now Cisco’s Chief Architect of its Security Business Group. He identified what he is calling a “new security model.” Rather than the traditional layered defense approach, where enterprises deploy multiple layers at the gateway, endpoint, etc., he has come up with a temporal model: Before, During, and After (BDA). It addresses a problem he saw in talking about security with customers. There was confusion, he says, over the technologies that had already been purchased.

Before a breach you “build a castle and thicker walls” by deploying firewalls, IPS, encryption, vulnerability management and access controls. During a breach you use IDS, content filtering, and network monitoring, and after a breach you use forensics, IDS, SIEM, and other tools to contain and clean up.

Marty also had a chance to talk about how the integration with Cisco is coming along. A few interesting developments:

Cisco is continuing to support the open source community with new releases of SNORT and ClamAV since the acquisition. On top of that Marty announced that they were open sourcing the network application ID that SourceFire had built into its firewall. He hopes to see open source Next-Gen Firewalls develop around this technology.

Thanks to its Immunet acquisition, SourceFire developed a cloud analytic engine for malware. They built connectors for their products, and now Cisco is deploying connectors to its web and email gateway products. The email gateway product alone sees 93 billion emails a day. With a connector, critical data can be extracted from malicious email and sent to the cloud for analysis. By learning from so many connectors, each device can have global knowledge of new threats.

Watch my interview with Marty Roesch here:
