Cyber Defense: Martin Roesch of Netography On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Authority Magazine Editorial Staff
Published in Authority Magazine
Jan 11, 2024

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us. As a part of this series, I had the pleasure of interviewing Martin Roesch.

Martin Roesch is the CEO of Netography, Inc. With over 25 years of experience in information security and embedded systems engineering, Marty is a pioneer in the industry as one of the first entrepreneurs to successfully commercialize open source software in addition to creating the global standard for describing and detecting network-based attacks. In 2001 he founded Sourcefire, serving as CEO/CTO, until the 2013 acquisition by Cisco for $2.7 billion where he went on to lead the Security Business Group as Chief Architect. He is the original author and lead developer of the Snort Intrusion Detection and Prevention System that formed the foundation for the Sourcefire product suite. He has received substantial recognition over the course of his career for innovation and was selected as one of the Top 25 Disrupters of 2013 by CRN Magazine as well as one of eWeek’s Top 100 Most Influential People in IT. He holds a B.S. in Electrical and Computer Engineering from Clarkson University.

Thank you so much for joining us in this interview series! Is there a particular story that inspired you to pursue a career in cybersecurity? Can you share the most interesting story that happened to you since you began this career?

I got introduced to the field in the mid-90s working as a government contractor in Maryland. I was staffed on a cybersecurity contract to provide engineering support for our customer doing work to develop what amounted to a secure internet enclave, and I was learning the rudiments of securing systems and networks and the fundamental tools used to enact those security controls. I was really interested in the problem space and one day, a team from “the customer” came in to review our progress, and their skills and knowledge were just light years beyond mine: they were like the kings of the internet. They deeply understood the protocols, the infrastructure, the systems, and the software and how it all worked together, and I decided right then that I wanted to be one of those guys because I knew that the internet was going to be massive and security was going to be a problem that would always need lots of skilled people but it was still a young field which I thought would produce opportunities to do important work.

Can you share the most interesting story that happened to you since you began this fascinating career?

Probably one of the more interesting stories is from the early days of Snort, in 1999. Snort was initially developed in my spare time and releases were done late at night after I would get the code working and tested and the documentation written. At this point, I really didn’t know how widely used Snort was, but I got enough emails and encouragement to keep going with the project. One night I rolled out a release at about 3 a.m. and went to bed like I usually did. The next morning, I woke up and had dozens of emails — I had missed a couple of issues in the build, and the release was broken! I got so many emails so quickly that I decided to set up the original Snort mailing list, and within a couple of days, I had several hundred people signed up on the list, and I began to think that, hey, maybe this Snort thing was bigger than I had suspected! That was the first seed that told me I was onto something with the technology and helped drive me to turn it into what it eventually became — the global standard in network intrusion detection.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

I sail in my spare time for fun and adventure, and one of the ways I really embrace sailing is by participating in long-distance offshore sailboat races on my Class 40 racing boat. I’ve found that the traits required to succeed in both my career and on the race course have a huge amount of overlap.

Curiosity: Curiosity about the macro and the micro is a key attribute of success. In racing, we look at the macro of what the weather models show us to find the wind that we want all the way down to the micro of how we set up the lines (ropes) on the boat for efficient motions that conserve the crew’s energy on a long race. Curiosity about how networks work and what takes place on them at a deep level initially drove a lot of my interest in cybersecurity. Being curious forces you to confront what you know and what you don’t know and plan for how to fill in those gaps, either through continued development of your knowledge or contingency planning. Fundamentally, Snort happened because I was curious about what was happening on my network on a day-to-day basis, especially when I wasn’t at home.

Perseverance: One thing that a lot of people don’t realize about offshore racing is that it’s as much an endurance contest as it is a skill contest. Many are the nighttime rainy watches in rough seas where I’ve had to remind myself that this is an endurance contest and I must endure. In the early days of Snort, I worked on it during the evenings after my day job, typically doing releases late at night so that I’d get emails and feedback while I slept that I’d respond to the next night. It was exhilarating but required a lot of perseverance to maintain over the course of a few years. In 2001, I founded Sourcefire, and again, perseverance to build that company to a multi-billion valuation was essential. When you start any venture like this, there’s a period where you’re laboring in obscurity with little recognition and no praise, just grinding towards a vision of success. On the water, it’s finishing the race. In technology, it’s building things that people want to use and love; in the business world, it’s building a great business that’s also a great place to work. All of these things are preceded by the grind, the time when the only thing that’s going to keep you going is perseverance that you’re heading in the right direction, you’re doing the right thing.

Self-awareness: On the water, it’s important to be self-aware so that you know when your body is off of its peak — or even acceptable — performance abilities. We get dehydrated, exhausted, sunburned, and maybe even seasick as the races wear on and the weather conditions change, and you have to manage the machine that is your body like you would any other key component of the boat. As I built Sourcefire, I found that it was not just curiosity and perseverance that would serve me well but also self-awareness as I worked out how to build a great company with no prior experience. One of the things that I was curious about was all the pieces of a business that are required to make a company work, and with that came the gradually dawning realization of my limited understanding of so many pieces of the puzzle. As my team and I persevered in those early obscure years, I became acutely aware that I was great at a few things, pretty good at a lot of things, and not very good at everything else. That self-awareness drove me to hire a strong management team to come in and help me build the vision I started the company around in 2001. Even decades later, I can’t tell if I was more lucky or more good at recruiting the amazing people that formed the core of the company, but I spent the decade that followed learning everything I could from them to become the best leader I could.

Are you working on any exciting new projects now? How do you think that will help people?

Currently, I’m the CEO of a startup called Netography, where we have built the industry’s first Network Defense Platform (NDP). This is a new approach to securing networks that should be vastly more effective on modern networks than the tools that we built 25 years ago are today. I believe that it will help every internet-connected business on the planet that cares to use it — if you’re worried about securing your network! Too many organizations haven’t yet accepted that the cloud is part of the network and needs to be secured as such, nor have they found solutions to detecting compromises that historic approaches, such as deep packet inspection, are blinded to due to myriad reasons. NDP addresses these and many other problems. I’m confident that NDP will be the next evolution of network security — similar to how Snort and Sourcefire IDS were.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

I have been working in cybersecurity since 1996. I am the original author of the Snort open-source intrusion detection and prevention system that became the global standard for describing and detecting hackers using network-based attacks to break into computers. I started a company called Sourcefire around Snort once I understood its popularity and impact across the world. Building Sourcefire, I also pioneered what’s now known as the Open Core business model, where a company builds a value-added offering around a core open source technology. Sourcefire eventually grew to $250M/year in revenue by the time Cisco acquired it for $2.7B in 2013, after starting from $0 operating out of my house in 2001. At Cisco, I stayed on in a role that suited me well: Chief Architect of the Security Business Group. I resigned in 2019 to quite literally sail into the sunset and recharge. But the world has changed dramatically since I founded Sourcefire, and network transformation has accelerated since the pandemic hit. So, I got back in the game and joined Netography as CEO. The founders and I share a vision of the way networks should be secured and how network security must evolve, and Netography is solidly targeted at driving that evolution with our NDP.

Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

That’s a broad question. MITRE ATT&CK lists 232 tactics and techniques that attackers use when they’re breaching computer networks. For most people, I think it’s not particularly useful to descend into the nitty-gritty of the various pieces of the puzzle, but it is useful to talk about some of the predominant attacks that individuals face on a daily basis. Generally, these fall into some broad categories, and you can think about it in terms of what we call the “attack surface” of the individual user. This is going to consist of the things that you regularly use to interface with the internet — your email client, your web browser, your operating system, and the glue technologies that hold it all together, like DNS. In the email client, we see the chief risks as phishing and malware delivered via file attachments. In the web browser, it’s attacks against the browser that cause a user to reveal things like personal information or login credentials or attacks that compromise the browser itself and lead to attackers gaining access to the underlying computer and operating system. Your operating system is the foundation upon which most of your user experience is mediated with the computer, and it has many potential points of entry for a skilled attacker. Finally, DNS is necessary for translating domain names into addresses of computers on the internet, and it must be reliable and secure so that users aren’t tricked into interacting with systems that are mimicking authentic destinations on the internet, once again leading to exposure to malware and attempts to harvest valuable personal information.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Both individuals and businesses need to be aware of the risks that they face and manage them appropriately. In fact, even non-tech or security-focused roles should be security aware. Individuals should ensure they embrace the basics for personal security — turn on auto-updates for your software, use ad blockers like uBlock Origin in your web browser where possible, use a managed email service like Gmail or Office365, don’t click on email attachments unless you can verify that the sender sent them in good faith, use a DNS security service like OpenDNS, use a password manager and multi-factor authentication whenever possible.

Businesses usually have more to lose and more capability to mount a defense that raises the bar enough for an attacker to move to lower-hanging fruit. Smaller, less capable companies should be working with Managed Security Service Providers (MSSPs) that can help customers develop a credible security stance, while larger businesses should be investing in full-blown security programs led by a team of experts.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

Before any external resources are called in, the internal team/stakeholders should be convened first so everyone has the right awareness of what is happening and has a chance to validate its importance and relevance. Depending on the type of attack and extent of the compromise, this could include your investigation team, incident response, fraud, risk mitigation, and executive leadership. It also depends on the type and size of company you are at (e.g., SEC guidelines apply strictly to certain scenarios with public companies). With the right people in place, formulate a plan from there and engage with outside authorities once you have a game plan in place.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Misconfiguration of systems and infrastructure, weak passwords and authentication, and employees who click on things they should not in their inbox. These mistakes are as old as computing and are very common. The best way to combat them is to have well-managed and enforced policies and procedures. For example, review of configuration changes before they’re put into production, password managers and multi-factor authentication technologies, and training for users on how to avoid being the weakest link in your organization’s security posture.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Standardize methods and mechanisms for building secure-by-default technology environments. This is more than just things like password policies and phishing training but extends all the way to the selection of the technologies that are deployed in an organization and the philosophy for curating them to ensure their secure configuration and operation. This can be something “simple,” like a single-sign-on deployment to manage user access all the way to a Zero Trust architecture for minimizing damage in the face of a compromise of the organization.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

I think there are some good parallels between what it takes to do an offshore race and what it takes to shield yourself against cyber attackers. Sailing without the proper tools and training can be a dangerous endeavor. Without proper direction and knowledge of what is going on in the open sea, sailors can risk getting lost, running aground, and other unexpected events they weren’t prepared to handle. Operating in a dispersed network without the right security measures in place to really see into the activity happening on your network can also lead to disaster. Here are the five parallels:

Know what you will face. One phrase you learn very early in your racing career is, “it is the captain’s sole discretion whether to proceed.” Making the go/no-go decision for whether you start a race or continue it after it has started and conditions and the state of the boat and crew “evolve” is a big responsibility. In order to make informed decisions, we look at the weather forecasts and models, the readiness of the boat and its systems, how much food and water we’ll take, and a bevy of other considerations. The same sorts of understanding and decision-making are necessary to prepare your organization to be capable and resilient in the face of a cyberattack. What are you defending, what will you be defending it from, what are the tools that you have to enable your defense, and what else would be good to have to weather the storms and come out in good shape to not just continue but to be at the front of the pack? You need these answers.

Understand the competition. We don’t race in a vacuum; the competition on the race course is fierce with people who are just as motivated and prepared as you and who have a game plan for success. In the class in which I sail, there are professional sailors whose only job is to sail and win races to maintain and expand their sponsorships. Sound familiar? While there are opportunistic attackers on networks just looking for basic access that they can resell or collect information, there are just as many attackers who have a plan and are working towards fulfilling their success criteria. This may be in the service of criminal goals or even nation-state-level interests in a target environment. Understanding your risk profile and what you are likely to face from the threat actors out there is a key consideration in successfully defending yourself.

Prepare the boat. From the basics: is the hull watertight? Are the sails fresh and undamaged? Have we practiced basic maneuvers? To the more complex: do the navigation systems work properly? Are they calibrated? Are all of the communications systems (satellite, cellular, VHF) functional and integrated with the navigation computers? The forecasts say we’ll face rough conditions; do we take extra seasick meds and electrolytes? All of these weigh into the preparedness question but also define how we’ll maintain peak performance no matter what happens. We can ask the same questions about our cybersecurity posture. Do we have all the tools needed to secure the network properly? Are they integrated in appropriate and useful ways? Do we have the policies and procedures in place that will allow our teams to recognize and respond to compromise effectively and quickly? If the answer to any of these questions is no, how will we get to a point where the answer to all of them is yes on an ongoing basis?

Plan for emergency situations. I have been on a big boat racing on the ocean when the 110’ tall carbon fiber mast broke and fell to the deck in rough seas. The motion of the waves would lift and smash the mast against the deck, threatening to punch a hole in the boat, so we had to break out tools to cut away the mast, sails, and rigging to save the boat. This is an extreme example of being prepared, but you need to think about the worst-case scenarios and plan for them. Who does what, what tools are necessary, how will the team carry on despite the situation? The first part of weathering an emergency is having a plan that is understood by the team and where the tools and techniques have been practiced. Whether it’s sailing or cybersecurity, none of these high-level needs change.

Know when to throttle back. If you want to win a sailboat race, the first thing you must do is finish. Pushing your team and equipment has a time and a place, but so does conserving them for best use later. The same must be done for building a robust organization for dealing with cyberattacks. People must be trained, their energy must be used effectively to guard against complacency and burnout, and there has to be capacity in the systems and organization to be able to throttle up when the time comes.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I’m back in the cybersecurity game because I never lost my passion for creating technology and awareness of mindsets that make users more secure. I’m in an interesting situation because part of the market shift I pushed years ago when creating Snort and building Sourcefire was to get people to think about what I called the threat continuum — before, during, and after a threat. This is still referred to in the industry as “threat-centric” security. But the problem is that we can no longer apply yesterday’s solutions to today’s security problems, or even in our efforts to protect we are making people more vulnerable. I’m very passionate about creating yet another shift in technology and mindsets, this time around “compromise-centric” security.

In modern networks, threat-centric security has a major scaling problem, and the traditional solution of trying to apply automated contextualization to sets of raw alerts is done infrequently. Human operators frequently end up having to do it by hand. Doing detections with a mindset of detecting the conditions of compromise — or, applying compromise-centric security — results in fewer events because an actual compromise triggers them — which paradoxically allows operators a faster time to action because of its rarity and specificity. This compromise-centric approach not only enables faster time to action, but it reduces the investment in frustrating, meaningless alerts, and it allows defenders to get a grasp on what their networks never should be doing in the first place — and reduces the dwell time of an attacker. In the end, it improves overall network security, inclusive of the cloud, on-prem, OT/IoT, and beyond.

If I were to reach a bit outside of security, I do feel very strongly that we have a severe global issue with the spread of misinformation and disinformation, and I am constantly thinking about how I might apply what I know and my unique view of the world to fix that problem, to protect humans at scale in an entirely different way than I do now.

How can our readers further follow your work online?

The best central place to find my work — news articles and blogs — is on Netography.com. I am also very vocal on LinkedIn, less so on X these days. If you’re interested in how I fare with my sailing, I talk about that on my social media, too.

This was very inspiring and informative. Thank you so much for the time you spent on this interview!
