Martin Roesch: Beware your partners, they're no good at security

Simon Sharwood

Security pioneer and Chief Technology Officer of Sourcefire, Martin Roesch, believes that allowing partners to access your networks is a growing source of security risks, as the links between two companies are targets for exploitation.

Speaking to SearchSecurity ANZ on a visit to Australia, where Sourcefire now has a two-strong office, he said a recent survey from Verizon alerted him to the prevalence of this risk.

“It made a lot of sense to me,” he said. “You can be paying plenty of attention to security but if you have to give a partner access to your server farm and their security posture does not match our own, prepare for disappointment.” The issue is especially important, he feels, given the growing prevalence of services that rely on access to their clients’ data.

“Companies like services that mine data about who clicked on your website are a risk,” he says. “They are a marketing company, they do not have awareness of security. A lot of people do not think about that when they partner up.”

Sourcefire has therefore developed “a methodology … to keep these problems from happening. We put the partners into sandboxes so they cannot get access to anything. We think we are pretty good at putting people into boxes, there is not much damage they can do.”

“But we are a security company,” he said, and therefore expert at the task. Others, he worries, may not be sufficiently expert to accomplish it effectively.

Roesch said his trip to Australia was made to visit customers and “to get things rolling” in the local office, established in January this year and now targeting large enterprises and organisations in industries like defence. The company is also working hard on new versions of its products, with Roesch saying the new version 3.0 of Snort, Sourcefire’s intrusion detection and prevention tool, currently available in open source beta at snort.org, is “designed to last ten years.”

“We laid out the architecture for Snort in 1999,” he said, noting that his personal workstation at that time was based on a 200MHz Pentium Pro.

“Our goal is to build something that can last another ten years,” he said. Snort 3 is therefore “heavily multithreaded and takes advantage of current hardware. Feature after feature reflects modern computing. It is architected to run continuously, inline at high speeds.” Detailed explanations of the enhancements can be found on Roesch's blog.

The company’s recently-acquired Clam anti-virus tool is also due to be updated, with a September refresh to version 0.94 to include a “new unpacker architecture to unpack binary files that contain malware.” Sourcefire is also “putting in protection feature and working on new logical processing engine.”

3D, an Enterprise Threat Management tool, will soon gain a new dashboard and threat detection features.