Intrusion detection is alive and well

I met up this morning with Marty Roesch, the CTO and founder of Sourcefire and SNORT, the open source intrusion detection engine. It’s always a delight and a privilege to meet Marty. He’s one of the nicest and most enthusiastic technologists on the security scene, and he’s been incredibly successful in rapidly building a business worth a few hundred million dollars on the back of an open source product. And Marty’s not in it just for the money. He’s just rejected a $187 million takeover bid.

Gartner Group has rated the Sourcefire product range as the most visionary in the solution space. It’s not surprising. It’s built on a solid engine and it has a powerful, user-centric set of features. Several years ago, Gartner Group said IDS was dead. They could not have been more wrong. But they were looking at early, clunky products, not the flexible products of today, with sophisticated risk-based, programmable rules and intelligent dashboard reporting.

I generally get bored listening to technology vendors. They often lack insight into the problem space and innovation in the solution space. But Marty is different. He understands the importance of visibility, context and integrity, the three most important emerging issues in information security.

If you can’t see what’s happening across your infrastructure, then it’s out of control. And if you don’t appreciate the context of what you see, then you’ll draw the wrong conclusions. And of course if you can’t detect changes to data, systems and infrastructure, then you’re not able to detect and recover from attacks.

Contextualisation is one of Marty’s terms. Not as catchy as de-perimeterisation but equally important. We need to understand the context of risks and events. We need to appreciate the contextual limitations of systems and infrastructure. And, increasingly, we need to recognise the context of the information itself. Smart use of technology is essential to achieve this.
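To make the contextualisation point concrete, here is an added illustration (my own sketch, not Sourcefire or Snort code) of what risk-based, context-aware triage of IDS alerts looks like: the same raw signature hit gets a different verdict depending on whether the targeted host actually runs the service and operating system the signature is written for, and how critical that host is. The asset inventory, alert fields and scoring weights are all hypothetical and constructed for the example.

```python
"""Contextualised, risk-based triage of IDS alerts.

Added example, not code from Sourcefire, Snort or the original post.
The inventory, alert format and scoring weights are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    os: str
    services: set        # names of services actually listening on the host
    criticality: int     # 1 (low value) .. 5 (crown jewels)


@dataclass
class Alert:
    sid: int
    msg: str
    dst_ip: str
    dst_port: int
    target_service: str  # service the signature is written against
    target_os: str       # OS the signature applies to, or "any"
    base_severity: int   # 1..3, as assigned by the rule author


# Constructed asset inventory: what we know about our own infrastructure.
INVENTORY = {
    "10.0.0.5": Asset("10.0.0.5", "linux", {"http", "ssh"}, 5),
    "10.0.0.9": Asset("10.0.0.9", "windows", {"smb"}, 2),
}


def contextualise(alert, inventory):
    """Return (risk_score, reason) for one alert given what we know about the target."""
    asset = inventory.get(alert.dst_ip)
    if asset is None:
        # No context at all: a visibility gap, so keep it visible but flag why.
        return alert.base_severity * 3, "unknown asset: no context, visibility gap"
    if alert.target_service not in asset.services:
        return 0, f"{asset.ip} does not run {alert.target_service}; not applicable"
    if alert.target_os != "any" and alert.target_os != asset.os:
        return 0, f"{asset.ip} runs {asset.os}, signature targets {alert.target_os}"
    # Applicable to a live service: weight rule severity by how much the host matters.
    return alert.base_severity * asset.criticality, "applicable to a live service"


def triage(alerts, inventory):
    """Score every alert in context and return them highest risk first."""
    scored = [(*contextualise(a, inventory), a) for a in alerts]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed sample alerts; sids and messages are invented for the example.
SAMPLE_ALERTS = [
    Alert(1001, "IIS buffer overflow attempt", "10.0.0.5", 80, "http", "windows", 3),
    Alert(1002, "SSH brute force", "10.0.0.5", 22, "ssh", "any", 2),
    Alert(1003, "SMB exploit attempt", "10.0.0.9", 445, "smb", "windows", 3),
    Alert(1004, "HTTP scanner user-agent", "10.0.0.77", 80, "http", "any", 1),
]


def triage_sample():
    """Run the sample through triage; returns [(score, sid), ...] highest first."""
    return [(score, a.sid) for score, _reason, a in triage(SAMPLE_ALERTS, INVENTORY)]


if __name__ == "__main__":
    for score, reason, a in triage(SAMPLE_ALERTS, INVENTORY):
        print(f"{score:3d}  sid:{a.sid}  {a.msg:30s}  {reason}")
```

The top-severity alert in the raw feed (a Windows IIS exploit) drops to zero because the target is a Linux box, while a lower-severity SSH brute force against the same crown-jewel host rises to the top; the hit on an unknown address is kept visible precisely because the lack of context is itself a finding.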