Marty Roesch, founder and CTO of Sourcefire talks about the future of intrusion prevention systems and whether technologies like the RSA NetWitness network security monitoring platform pose a threat to the IPS business.
Roesch in his team recently introduced FireAMP, an integration of its $21 million acquisition of cloud-based antimalware vendor Immunet. FireAMP is an agent-based system that monitors end points and connects to Sourcefire’s servers, where the data is analyzed and shared with other users. Users of FireAMP will receive threat intelligence alerts on suspicious behavior and can block and remove malicious files, including malware that targets zero-day vulnerabilities.
The rise of high-profile data breaches associated with targeted attacks, such as the RSA SecurID breach in 2011, has put a renewed focus on the importance of Intelligence gathering technologies. RSA, which acquired NetWitness last year, is positioning the network security monitoring platform as an awareness system, rather than a system used by forensics teams during a post breach investigation. But Roesch doesn’t see a major threat posed by NetWitness’ capabilities. He said the system requires users to analyze massive volumes of data, asking questions to make sense of it all.
“That thing collects a lot of data and it’s pretty raw and in the past you needed to know what questions to ask the data to get anything out of it,” Roesch said. “I don’t see people putting IPS and IDS investments on hold because they’re looking at NetWitness. Since the acquisition happened they’ve been a lot quieter than when they were a private company. It will be interesting to see if their approach scales to solving the kind of problems we solve just knowing what I know about their sensing and collection infrastructure.”
In a meeting with invited media, RSA recently presented its plans for NetWitness. The company is working on improving analytics to make it more of a real-time platform. The company credits its NetWitness deployment for detecting the SecurID breach, although attackers still had time to gain access to its intellectual property. RSA executives said they are working on integrating its Archer governance, risk and compliance platform to provide NetWitness with easier to use reporting and dashboard capabilities.