Marty Roesch made his name in the security world as the creator of Snort. He's now Cisco's Chief Architect of the Security Business Group and has strong opinions on the current state of security.

February 26, 2018
Mention the name Marty Roesch to anyone remotely interested in cybersecurity, and their ears will inevitably perk up. You see, he's a celebrity in the cybersecurity world, having created Snort, a network intrusion detection system, back in the late 1990s. Now Roesch is the Chief Architect of Cisco's Security Business Group. In a recent interview with Focus Magazine, he talked candidly about the current state of security and how he got his start.
Focus Magazine: You're the founder of Sourcefire, which Cisco acquired in 2013. What's it like going from leading your own company to joining the behemoth that is Cisco?
Marty Roesch: It's very different. You go from waking up under the flag of your own creation every day to waking up under this new flag and it's a different vibe. I'd say to some degree, it's less visceral. I started Sourcefire in my house back in 2001, so it was every bit of me in that company. This is a lot bigger, and you can make bigger changes in the industry on the one hand, but on the other hand, it's not as organic. It's a huge professional company with a major global impact and you have to think differently when you're operating on that scale.
I think the group at Cisco is a good-natured group that really does see the opportunity to improve security on a global level. I have very strong opinions on the right ways to use certain areas of security, especially when it comes to keeping hackers out of your networks, but I'm a little more tempered these days. I can certainly dig my heels in, but I think as a group, especially at the leadership level, we have a lot of mature people who know a lot about security, who are capable of getting to a decision point where we can all live with the result.
Focus Magazine: I'm fascinated by Snort! Is that a Snort Pig on your desk?
Marty Roesch: Yes, it is. I call him Snorty.
Focus Magazine: Full disclosure, I didn't know anything about Snort until I started doing some research on you. For people like me, can you tell me what it is and how you came up with the name and logo?
Marty Roesch: What it is today is the core of our security technology, what our Next Generation Firewall and Intrusion Prevention System runs on now.
Snort is 19 years old, able to drive, and go to college. (laughing)
Back in the mid 90's, when I first got into security in my mid to late 20s, I wrote my own tools. One of the tools I wrote was a thing called a sniffer, and that was the basis for Snort.
A sniffer was a natural thing for me to write because I wanted to learn how these networks work at a low level. I started writing a new sniffer in late '98. I wanted to watch what was going on on my home network while I was at work during the day. I had a cable modem, so I wanted to see if anybody was poking around while I was at work. By that time, I knew enough about security to know that there was a fair chance that somebody could be. I also had coding projects I was working on, and I needed to be able to watch the network traffic they generated. After about a month of working on it, I decided to release it as an open source project. Open source was relatively new to a lot of people at the time, but it was gaining rapid notoriety and becoming much more normalized as a way of developing software in a community-driven fashion, as opposed to developing software in a very corporate-driven structure.
Focus Magazine: Where were you working during this time?
Marty Roesch: I was a government contractor working on information security contracts at the time.
Focus Magazine: You were doing this in your spare time and released it as an open source project?
Marty Roesch: Yes, I went to open source because I wanted to see if anybody would pick up my software and play around with it, maybe give me some suggestions. It was a fun rainy-day and weekends project.
It was also a way to help me debug the software that I was writing, so it was a sniffer, but it was a little bit more than a sniffer. So, what's a sniffer but a little bit more? Well, that's a snort, so that's where the name came from. The pig came later.
In 1999, I put together the core architecture that we're still on today, which is much more modular and much more extensible than early versions of Snort. One of the things I realized pretty quickly was that I was writing an intrusion detection system instead of just a sniffer.
Focus Magazine: Are you able to wrap your brain around the idea that something you created in your spare bedroom 19 years ago is the core architecture for network security?
Marty Roesch: It's very gratifying as an engineer. I started my own company because I love building things. It took on a life of its own pretty quickly. Within two years Snort was the most popular intrusion detection system in the world. It was crazy and I didn't even understand it at the time. I look back at it now and I think, holy crap!
Focus Magazine: I read somewhere that before you hired your Sourcefire CEO, you made him hang out with you. Tell me why having a human connection is so important to you.
Marty Roesch: When you're young and you create these cool technologies, you become very wrapped up in how good it is. I'm a good sales guy, and that's in addition to being a pretty good engineer, so you get really good at proselytizing about it.
When I was the CEO, I started to comprehend all the things that I didn't know. I was very worried that I was going to wreck the company because I didn't know what I was doing, and I might make bad decisions if I thought I was better than I actually was. Eventually I was so busy doing all the "CEO things" that I couldn't do technology things anymore. I was the lead technologist for the company, and I was driving a lot of the vision for the company, so I decided that I would hire a CEO.
The problem with hiring a CEO is that, on paper, all these guys look the same. They have a huge list of accomplishments, and you really can't tell a huge amount about them in an interview. When you're the founder of a company, you are bringing in somebody who is going to be your boss, so you have to choose wisely!
Investors and advisors told me to think about it like you're getting married. You've got to find someone that you really get along with. There are going to be dark days where everything is going wrong and everything's falling apart, and if you point to each other and say "it's this knucklehead's fault", it's not going to work. You need to find somebody that you really can have that deeper relationship with. That's why I decided we're not just going to go out to dinner or sit in an office and have the candidates give a list of accomplishments. We're going to go watch a football game, have a beer, and sit down and talk about our hobbies and what we think about life outside of work.
I did that with the top three candidates and the guy I hired was obviously the right guy for me. To some degree, he was almost like a big brother.
Focus Magazine: He didn't fire you!
Marty Roesch: He didn't fire me. We have some passions that overlap and some that are different, which makes for a really good rapport. We're still friends. Before Sourcefire was acquired, but after he left the company, we bought a boat fifty-fifty, which is also a lot like getting married!
Focus Magazine: Security is more important than ever with the bad guys coming up with more and more ways of creating harmful and dangerous disruptions. Tell me what your team does at Cisco in terms of threat detection and prevention to stop them.
Marty Roesch: Threat-centric security is my core belief system around security, and it's all about being able to maintain the integrity of your computing environment. What does that mean? It means when I run a program on my computer, I want my computer to run that program and not run a bunch of other stuff like malware, or spyware, or bitcoin miners. Maintaining the integrity of your computing environment is key, whether it's what's running on the CPU, or what's in the memory of the computer, or how your network is being used.
To do that, there are two sides of the threat-centric security coin. On one side, there's visibility, which is basically what I can see and understand. That's everything from identifying a smartphone that's on my network, to "this is a hacker's attack on my network", to "this is a print job going across my network". That's what products like Cisco's Advanced Malware Protection (AMP) and Cisco's Next Generation Firewall (NGFW) do. NGFW runs on networks, AMP runs on devices, and they're all about understanding the universe of the network and the devices and finding malware, attacks, and odd behaviors.
The other side of the coin is control. I talk about that a lot. It's fundamental to the theory of security that we do here at Cisco. If I can see something, I should be able to control it. Snort started off as a very simple system and was all about visibility 19 years ago. The theory was, if I can see an attack, then I can do something about it.
Focus Magazine: What are some of the biggest misconceptions some people have when it comes to cybersecurity?
Marty Roesch: There's a tremendous lack of understanding of how security works and what to worry about. Fundamentally, there are three phases of security that most people who do security worry about. One is before the attackers show up. You need to make sure it's hard to break into your network in the first place. The second phase is during an attack, when my defenses are supposed to be doing their jobs. And finally, there's after I've been compromised, when the first two phases have failed and they're in. That's really it in a lot of ways. Security is shrouded in mystery, and it doesn't have to be. For the majority of users, there is a set of things you can do to protect yourself from casual attacks that are very doable for any computer user out there.
Focus Magazine: The other thing I found when I was researching you is you're a sailor. Are you a big-time sailor that wins a lot of races?
Marty Roesch: I am a medium-time sailor who wins my fair share of races, and maybe a little bit more, yes.
Focus Magazine: This is not the time to be humble. Come on!
Marty Roesch: I only got into it in 2010, once I started seeing people within one degree of separation start to have major life changes, like unexpected heart attacks or cancer. I thought I should have some fun while I can, so I decided to get into sailing, and about a year later I decided to get into sailboat racing.
Focus Magazine: How did you get interested in it in the first place?
Marty Roesch: If you move to Maryland, you'll end up on a sailboat. Sailboats are these big, marvelous, complex systems. They're very mechanical and hands-on, so I got drawn to it because of my natural affinity for these complicated things. I just want to understand it. It's like this really cool thing that floats and goes through the water with just the wind. I was attracted to it before I started Sourcefire, and I thought someday, if this thing is successful, maybe I'll have the time and money to be able to go and sail.
I appreciate everything this industry has given me, and I've had an awesome career so far, but sailing is a totally different world and you're doing totally different things. Sometimes it's miserable and sometimes glorious, but it's a life less ordinary. It's good to get some fresh air and sunshine, sometimes.