Tuesday, October 07, 2003

Sourcefire Redefines Intrusion Detection

This morning Marty Roesch, CTO and founder of Sourcefire, launched a new road show, sponsored by IBM, to describe his company's Real-time Network Awareness technology. Here are my notes on Marty's talk, which he began by noting that "Sourcefire is a security company," not just an IDS company. What follows are Marty's main points, regardless of whether I agree or not. Any personal commentary is specifically noted.

  • Company

  • As a company, Sourcefire is firing on all cylinders. After being founded in Mar 01, they shipped their first IDS appliance in Nov 01, their 100th in Aug 02, their 1000th in Jun 03, and will ship their 2000th shortly. Projecting forward, they could be the #3 IDS vendor in terms of shipped units by year's end. Marty estimates 100,000 installations of the open source version of Snort.

  • Sourcefire received about $7.65 million in funding in Feb 02, and another $11 million in Feb 03. $8 million is cash in the bank. They were cash flow positive in Q3 of 03 and will be profitable in late Q1 of 04. During the last year, sales increased from $2.1 million to $23.2 million.

  • In Feb 02 Sourcefire employed 4 people. Within the last year they've grown from 22 to 90 employees, supporting 300 customers.


  • Detection Theory

  • IDS is "an automated system that monitors traffic on a network and based on defined rules/policies alerts administrators to possible intrusions, misuses, or defined malicious behavior."

  • The "fundamental mission" of IDS is data reduction, which is accomplished via stateful packet inspection and protocol anomaly detection.

  • IDS provides awareness (how is my network/security architecture working, and are policies enforced?) and analysis (when intrusions occur, what happened and how can I prevent future trouble?)

  • "Classic IDS" does not "protect" networks. (Amen!)

  • Other vendors hype "sensing technology," when data management is the real issue. Sourcefire has spent 5-6 man-years of research and development solving this issue.

  • Most IDSs operate in a "contextual vacuum," unaware of network architecture, assets, and their criticality. (My comment: without context, human analysts must manually collect and analyze the data needed to make decisions.)


  • Network Awareness

  • Active vulnerability assessment tools are limited. Their "intermittent picture" misses laptops, multi-OS systems, and assets reconfigured by intruders to be hidden. Scanning for all active services takes too long, so not all protocols, ports, and services are found. Active scanning disrupts availability and consumes bandwidth.

  • Passive discovery sees everything active on the network. It is "persistent" and "real-time," "all the time." It transforms traditional IDS into a "target-based IDS" by eliminating "nontextuals," or alerts without context.

  • Passive discovery also performs vulnerability and protocol/port/service profiling, change detection, and policy compliance monitoring. Using confidence models (percentages based on observed traffic, or decaying half-life models when nothing else is seen), one can answer questions like "What hosts run SSH on ports other than 22 TCP?" or "What hosts run vulnerable SSH services?"

  • Taken further, upon seeing an attack, the IDS can report if it sees a new protocol/port/service in time X, perhaps indicating installation of a back door.

  • An IDS supplemented by RNA technology is "self-tuning." Admins can assign priorities to their assets and tell an RNA-assisted Intrusion Prevention System (IPS) which actions to take against various threats. Responses range from simply alerting, to updating a policy on an access control device, to blocking packets or whole sessions.
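
The confidence model and the post-attack change detection described in the two bullets above, as an added illustration that is not Sourcefire's or Marty's code: a small passive inventory that records each server-side service seen in flow records, infers the application protocol from the server's first bytes rather than from the port, scores confidence from observed hits with a half-life decay when the service goes silent, and answers the two questions Marty posed plus the "new service within time X after an attack" check. The flow records, the alert, the one-hour half-life, the 0.4 reporting threshold, the banner-based protocol inference and the vulnerable-banner list are all constructed for this example and stand in for whatever a real sensor would supply.

```python
"""Passive service inventory with confidence decay (added illustration)."""
from dataclasses import dataclass

HALF_LIFE_S = 3600.0  # assumption: confidence halves after one hour of silence


def infer_protocol(server_payload: str) -> str:
    """Identify the application protocol from the server's first bytes, not the port."""
    if server_payload.startswith("SSH-"):
        return "ssh"
    if server_payload.startswith("HTTP/"):
        return "http"
    if server_payload.startswith("220 "):
        return "smtp"
    return "unknown"


@dataclass
class ServiceRecord:
    host: str
    transport: str
    port: int
    protocol: str
    banner: str
    first_seen: float
    last_seen: float
    hits: int = 1

    def confidence(self, now: float, half_life_s: float = HALF_LIFE_S) -> float:
        """Evidence grows with each observation; it decays with a half-life while silent."""
        evidence = 1.0 - 0.5 ** self.hits  # 1 hit -> 0.5, 2 -> 0.75, 3 -> 0.875
        silence = max(0.0, now - self.last_seen)
        return evidence * 0.5 ** (silence / half_life_s)


class PassiveInventory:
    def __init__(self):
        # (server host, transport, port) -> what we have passively learned about it
        self.services: dict[tuple, ServiceRecord] = {}

    def observe(self, ts, server, transport, port, server_payload=""):
        """Fold one flow record into the inventory (sensor has already identified the server side)."""
        key = (server, transport, port)
        rec = self.services.get(key)
        if rec is None:
            self.services[key] = ServiceRecord(server, transport, port,
                                               infer_protocol(server_payload),
                                               server_payload, ts, ts)
            return
        rec.hits += 1
        rec.last_seen = max(rec.last_seen, ts)
        if server_payload and rec.protocol == "unknown":
            rec.protocol = infer_protocol(server_payload)
            rec.banner = server_payload

    def active(self, now, min_confidence=0.4):
        """Services we still believe exist; stale entries fade out instead of being deleted."""
        return [r for r in self.services.values() if r.confidence(now) >= min_confidence]

    def ssh_off_standard_port(self, now):
        """'What hosts run SSH on ports other than 22 TCP?'"""
        return sorted((r.host, r.transport, r.port) for r in self.active(now)
                      if r.protocol == "ssh" and not (r.transport == "tcp" and r.port == 22))

    def vulnerable_ssh(self, now, vulnerable_banners):
        """'What hosts run vulnerable SSH services?' judged by the observed banner."""
        return sorted({r.host for r in self.active(now)
                       if r.protocol == "ssh" and r.banner in vulnerable_banners})

    def new_services_after(self, host, attack_ts, window_s):
        """Services on host first seen within window_s after an attack: back-door candidates."""
        return sorted((r.transport, r.port) for r in self.services.values()
                      if r.host == host and attack_ts <= r.first_seen <= attack_ts + window_s)


# Constructed flow records: (timestamp, server address, transport, server port, first server bytes).
SAMPLE_FLOWS = [
    (0,    "10.0.0.20", "tcp", 22,    "SSH-2.0-ExampleSSH_2.0"),
    (60,   "10.0.0.20", "tcp", 22,    "SSH-2.0-ExampleSSH_2.0"),
    (900,  "10.0.0.20", "tcp", 22,    "SSH-2.0-ExampleSSH_2.0"),
    (5,    "10.0.0.50", "tcp", 25,    "220 mail.example.test ESMTP"),  # seen once, then silent
    (100,  "10.0.0.40", "tcp", 80,    "HTTP/1.1 200 OK"),
    (120,  "10.0.0.31", "tcp", 2222,  "SSH-2.0-ExampleSSH_1.0"),        # SSH found by banner, not port
    (700,  "10.0.0.31", "tcp", 2222,  "SSH-2.0-ExampleSSH_1.0"),
    (1100, "10.0.0.40", "tcp", 80,    "HTTP/1.1 200 OK"),
    (1200, "10.0.0.31", "tcp", 2222,  "SSH-2.0-ExampleSSH_1.0"),
    (1300, "10.0.0.40", "tcp", 31337, ""),                              # new listener after the alert
]
ATTACK_ALERT = {"ts": 1000, "target": "10.0.0.40"}     # constructed IDS alert
VULNERABLE_SSH_BANNERS = {"SSH-2.0-ExampleSSH_1.0"}    # constructed placeholder, not a real advisory


def build_inventory(flows=SAMPLE_FLOWS):
    inv = PassiveInventory()
    for ts, server, transport, port, payload in flows:
        inv.observe(ts, server, transport, port, payload)
    return inv


if __name__ == "__main__":
    inv = build_inventory()
    now = 1500
    print("SSH off 22/tcp:", inv.ssh_off_standard_port(now))
    print("Vulnerable SSH hosts:", inv.vulnerable_ssh(now, VULNERABLE_SSH_BANNERS))
    print("New services on attacked host:",
          inv.new_services_after(ATTACK_ALERT["target"], ATTACK_ALERT["ts"], 3600))
    for r in inv.services.values():
        print(f"{r.host}:{r.port}/{r.transport} {r.protocol:8s} confidence={r.confidence(now):.2f}")
```

The decay is what keeps the inventory honest without active scanning: the mail server seen once at t=5 still exists in the table at t=1500 but has faded below the reporting threshold, so a query returns only services the sensor has recent evidence for, while the 31337/tcp listener that first appeared 300 seconds after the alert on 10.0.0.40 is flagged regardless of confidence because the question there is "what changed", not "what is running".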


  • The Next Generation

  • Next generation technology offers control (via firewall and traffic filter integration) and monitoring (via threat detection and policy enforcement).

  • The "Sourcefire Insight System" consists of (1) "IDP" (intrusion detection and prevention -- thanks Yen-Ming!) capable of IDS, threat monitoring, policy enforcement, and intrusion prevention; combined with (2) RNA, offering asset profiling, vulnerability assessment, behavioral analysis, network mapping, and policy enforcement, and (3) a console, doing correlation, policy optimization, and sensor management. An "inline" IDP to provide its own access control (like IPS) is being researched.

  • The Sourcefire console has two models, with the $18,000 box handling 40 million events and the ~$60,000 box handling 200 million events. Both use a proprietary embedded database that could handle 30,000 events per second before keeling over during the MSBlaster attacks.

  • RNA technology is designed to be lightweight so as to facilitate embedding it elsewhere. Upcoming platforms will offer two network ports, and future boxes will have six to seven.


Following the prepared talks, Marty gave a live demo of a beta version of RNA watching traffic from Sourcefire to the Internet. It could profile 40 unique services now. Visibility into hosts behind NAT and proxies is a known limitation, and research to address it continues. The product's visualization features actually looked useful, unlike other more expensive products I've seen. He showed nodes in cone trees, and hinted that hyperbolic trees like those of CAIDA's Walrus are forthcoming.

Overall, I highly recommend you sign up to see Marty speak. It's the clearest indication that Gartner has no clue regarding the future of IDS! If Gartner had done its homework, it might have read Ron Gula's 1999 paper on "Passive Vulnerability Detection," which explains many of the concepts put to operational use in RNA today. Ron's current implementation is NeVO.