CBR catches up with the founder and CTO of Sourcefire and creator of the open source intrusion prevention and detection system Snort. Steve Evans asks the questions.
Can we start with a look at the origins of the company?
I’m an engineer by education and I’ve worked in security since 1996. In the early days I was an engineer working for government contractors in the US and that’s where I learned to do security. It was very interesting and I decided to focus on it. A few years after I started working in security I wrote Snort, which turned out to be a pretty good thing to do.
When you first had the idea for Snort did you think the industry was lacking something in that space?
Oh no, not at all. I didn’t have anywhere near enough insight into the industry that I do now. Back then I wrote it because I had a cable modem in my house and I wanted to see who was knocking on my door every day while I was at work. I was scratching my own itch, as the open source guys say.
So I decided to build a new sniffer that would allow me to record the traffic coming into my network. After I played around with it for a month I decided to release it as an open source project. I called it Snort because it’s a sniffer with more.
I did the initial release and got a few emails about it, then I did another release and got a few more. Then I started adding in the rules language and processing into it that made it functionally more like an IDS at that point. I was having fun doing it in my spare time in a spare room in my house, going by the open source philosophy of ‘release early, release often’. Snort took off with version 1.5, released in late 1999.
Did you still have a day job at this time?
I did; I was working for a start-up. I left them during Fall of 2000 and was wondering what to do next. It was becoming apparent that Snort was everywhere in the security world. I was already working on Snort 40 hours a week so I thought if I could come up with a business model I could start getting paid for the privilege of giving away software.
I went through lots of business models and got lots of advice. I came up with a business model which was essentially a value-add model around an open source core. It was like Snort was an engine and Sourcefire built the car. We gave the engine away for free but if you needed wheels and seats you bought those from Sourcefire.
I was told the business model would be a complete failure by several people but it took off. VCs became interested and we raised $7.5m Series A funding, which we needed to compete. We staffed up the company with management and sales and I got in a CEO. We grew from four people at the end of 2001 to around 400 now.
You’ve recently branched out into the next-generation firewall (NGFW) and IPS (NGIPS) markets and antivirus with the Immunet buy. Why head down that route?
There seems to be an opportunity around the NGFW space from a couple of different angles. If you look at some of the market predictions a fair amount of the IPS market will be delivered on NGFW markets and we don’t want to cede market. Also if you look at the vendors that are building NGFW almost all are coming at it from the firewall direction to build IPS, and we’ve already got the best IPS on the planet. We think building application control is not as difficult as building a world class IPS.
I think there is going to be a market for our approach, leveraging our awareness technologies for self-tuning systems and things like that. I think companies will want to work with a security vendor first, not a compliance or network management vendor.
But we’ve seen quite a few companies moving away from their origins and struggle. Do you think that’s a risk?
Ever since we were told our business model was stupid we’ve been told we can’t do X, Y or Z. We hear it a lot. When we bought Immunet we kept hearing that no network company had ever bought a hosted end-point company and been successful with it. But so what? Antivirus is turning into a network problem because if you get "owned" via a virus or piece of malware that starts collecting credentials they are going to be coming at you over the network.
Our focus isn’t diluted. We think we’ll be successful. We have a unified strategy moving forward for all these technologies working together as well as separately. From our standpoint it’s all part of a grand strategy to provide people with effective security capabilities for the environments they are trying to protect. The problems they are trying to solve today are really hard – advanced persistent threats, hackers, cyber criminals, guys that are breaking into networks for fun and profit. This is in addition to securing the network in general.
We’re building an architecture that will allow us to secure and control the network and end-point and give us an awareness platform so we can understand what’s happening in the environment so when things do go wrong we can rewind and find out what happened.
You’ve spoken to CBR in the past about the possibility of moving into the DLP space. Is that a likely addition to the portfolio?
We were thinking about it, but there’s nothing that we’re talking about right now. We have plenty on our plate at the moment with the acquisition of Immunet and developing the NGFW and NGIPS. We’ve hired a lot of people to staff up our engineering team. We’re busy.