November 8, 2013

Q&A: Fight fire with fire

Marty Roesch, founder and CTO of Sourcefire, talks to Duncan MacRae about the best ways to deal with IT security threats.

By Duncan MacRae

How has Sourcefire evolved from its early days when you created open source network intrusion prevention and detection system, Snort?

I started writing Snort in 1998 as kind of a weekend and rainy-day project, and I decided to release it as an open source project to see if anyone would use it. Within two years, I realised it was being used globally and in really high-value areas. From there, I started to think about trying to start a business based on its adoption and success.

Sourcefire was then launched in 2001 to extend opportunities for users who needed to build scalable, manageable, high-performance and supported solutions. Our innovation has accelerated over the past 12 years as we executed and delivered on our focus – providing "security for the real world." Our most noted commercial innovations include FireSIGHT, FirePOWER and Advanced Malware Protection solutions, which are the foundation of a new model of security that can address threats across the broadest range of attack vectors. With this innovation, we’ve also been able to build both a technology and channel partner ecosystem equally as passionate about delivering these solutions.

What security trends have you noticed developing recently?

We are facing increasingly sophisticated and well-resourced threats today. Professional hackers utilising the Internet to gather the tools and expertise they need to deliver targeted and sophisticated attacks on governments, businesses and individuals are the norm. As a result, we need to change our model of security to meet and deal with this new threat reality.

The traditional model of security is focused only on a point in time – it happens at a moment, with the security system determining if a string of packets is good or bad. But if it misses something, or is wrong, the threat is in and your organisation is at risk of compromise. That old model is not good enough on its own anymore. We need to change our security model to be threat centric with continuous security capabilities that look at networks, endpoints, virtual and mobile devices and the new attack vectors they spawn in order to address the full attack continuum – before, during and after an attack.

Sourcefire looks at security from the defenders perspective. What does this involve?


Too many businesses look at the security problem as ‘how can we keep the bad guys out’ but Sourcefire believes that to be able to stop them, you need to have an understanding of the way attackers think, and that way you can identify your weaknesses and strengthen defences. Today’s cyber criminals are taking advantage of three key capabilities to hone their missions – visibility, automation and intelligence. Defenders must use these very same capabilities to better protect against attacks, including:

1. Visibility – Attackers have full visibility of your IT environment, so too must you. To more effectively protect your organization you need a baseline of information across your extended network (which includes endpoints, mobile devices and virtual environments) with visibility into all assets, operating systems, applications, services, protocols, users, network behavior as well as potential threats and vulnerabilities. Seek out technologies that not only provide visibility but also offer contextual awareness by correlating extensive amounts of data related to your specific environment to enable more informed security decisions.

2. Automation – You need to work smarter, not harder. Hackers are using automated methods to simplify and expedite attacks. Using manual processes to defend against such attacks is inadequate. You need to take advantage of technologies that combine contextual awareness with automation to optimize defenses and resolve security events more quickly. Policy and rules updates, enforcement and tuning are just a few examples of processes that can be intelligently automated to deliver real-time protection in dynamic threat and IT environments.

3. Intelligence – In an age when hackers are conducting extensive reconnaissance before launching attacks, security intelligence is critical to defeat attacks. Technologies that tap into the power of the cloud and big data analytics deliver the security intelligence you need, continuously tracking and storing information about unknown and suspicious files across a widespread community and applying big data analytics to identify, understand, and stop the latest threats. Not only can you apply this intelligence to retrospectively secure your environment, mitigating damage from threats that evade initial detection, but you can also update protections for more effective security.

How can Sourcefire’s threat-centric approach benefit defenders?

In a world in which attackers seem to be gaining an advantage, organisations must quite simply fight fire with fire. With an approach that is focused on the threats themselves, versus merely policies and controls, we can advance beyond the attackers’ abilities. As I outlined before, security technologies that continuously enable visibility, automation and intelligence can help break the attack chain and foil attacks.

How useful have traditional security technologies been and how do you think they can be developed or bettered?

Even the most security-diligent organisations are realising that breaches are no longer an ‘if’ but a ‘when’. Detection and blocking techniques only address part of the problem at a specific point in time and, as you’ve probably read, detection technologies like antivirus or sandboxing aren’t foolproof on their own. In fact, many recent attacks – for example, against Adobe, Java, etc – are outsmarting and evading sandboxing technologies. While these technologies can mitigate risk, they don’t remove it entirely because they only scan files at an initial point in time, missing files that appear to be safe initially but become malicious after entering an environment.

To what extent do you think retrospective security can help companies protect their data?

Traditional security products only look at data at one point in time and have an average detection rate of 50%. If these threats get through, organisations lose track of what happened, and they have no way to recover or record what happened. Sourcefire’s retrospective security is unique in that it leverages big data analytics to determine where the threat came from, how it got through and where it went. The ability to dig deep into the history of the breach – even after the fact, which is lost with detect-only security modes – makes it possible to identify compromises that would have gone undetected for weeks or months. They can then be scoped, contained and cleaned up – that’s unique to Sourcefire and no one else can do this.
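The point-in-time versus "before, during and after" contrast drawn in the answers above, and the retrospective lookback described in this last answer, can be made concrete with a small model. The following Python is an added illustration written for this page; it is not code from the interview, from Snort or from any Sourcefire product. It assumes an agent that records a file-trajectory log (time, host, file hash, action) and a verdict feed that can change after the fact. All hosts, timestamps and hashes are constructed placeholders.

```python
"""Retrospective file-trajectory lookback (added illustration, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class FileEvent:
    ts: int        # event time (epoch seconds); constructed values
    host: str      # endpoint that observed the file
    sha256: str    # file hash (placeholder hex, not a real sample)
    action: str    # "download", "execute" or "copy"

# Placeholder hashes: one file judged clean at ingress, one known bad from the start.
H_DOC = "11" * 32
H_EVIL = "ee" * 32

# Constructed trajectory log, as a continuously recording agent would keep it.
EVENTS: List[FileEvent] = [
    FileEvent(1000, "ws-07", H_DOC, "download"),
    FileEvent(1060, "ws-07", H_DOC, "execute"),
    FileEvent(1500, "ws-12", H_DOC, "copy"),
    FileEvent(1520, "ws-12", H_DOC, "execute"),
    FileEvent(1600, "srv-03", H_EVIL, "download"),   # stopped at ingress
    FileEvent(2000, "ws-19", H_DOC, "copy"),
]

# Verdicts that were known when each file first crossed the perimeter.
VERDICTS_AT_INGRESS: Dict[str, str] = {H_DOC: "clean", H_EVIL: "malicious"}

def point_in_time_blocks(events: List[FileEvent], verdicts: Dict[str, str]) -> List[FileEvent]:
    """Traditional model: act only on what is known at the moment of ingress.
    Anything judged clean then is never looked at again."""
    return [e for e in events if verdicts.get(e.sha256) == "malicious"]

def retrospective_alerts(events: List[FileEvent],
                         verdicts_then: Dict[str, str],
                         verdicts_now: Dict[str, str]) -> Dict[str, dict]:
    """Continuous model: when intelligence changes, replay recorded history.
    Returns, for each hash whose verdict flipped to malicious, the scope of exposure:
    where it entered, which hosts saw it, which hosts ran it, and the ordered trail."""
    flipped = {h for h, v in verdicts_now.items()
               if v == "malicious" and verdicts_then.get(h) != "malicious"}
    trails: Dict[str, List[FileEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.sha256 in flipped:
            trails[e.sha256].append(e)
    report = {}
    for h, trail in trails.items():
        report[h] = {
            "entry_point": trail[0].host,
            "first_seen": trail[0].ts,
            "hosts_exposed": sorted({e.host for e in trail}),
            "hosts_executed": sorted({e.host for e in trail if e.action == "execute"}),
            "trajectory": [(e.ts, e.host, e.action) for e in trail],
        }
    return report

if __name__ == "__main__":
    blocked = point_in_time_blocks(EVENTS, VERDICTS_AT_INGRESS)
    print("blocked at ingress:", [(e.host, e.sha256[:8]) for e in blocked])
    # Later intelligence reclassifies the "clean" file; look back over the log.
    verdicts_later = dict(VERDICTS_AT_INGRESS, **{H_DOC: "malicious"})
    for h, scope in retrospective_alerts(EVENTS, VERDICTS_AT_INGRESS, verdicts_later).items():
        print(f"{h[:8]} entered via {scope['entry_point']} at {scope['first_seen']}")
        print("  exposed :", scope["hosts_exposed"])
        print("  executed:", scope["hosts_executed"])
```

The two functions are deliberately run against the same log: the point-in-time check only ever catches the file that was already known bad, while the lookback turns a verdict change into a scoped list of hosts to contain and clean, which is exactly the history a detect-only mode discards.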
