Shauli Zacks
Published on: March 18, 2024
In a recent discussion with SafetyDetectives, Martin Roesch, CEO of Netography and cybersecurity pioneer, shares insights from a career that spans creating Snort and founding Sourcefire to leading Netography today. His work focuses on adapting network security to the distributed, complex environments organizations now run. Netography Fusion, the company’s flagship product, embodies that vision as a cloud-native, real-time network defense platform for diverse infrastructures.
Hi Martin, thank you for your time. Can you start by talking about your background and your current role as CEO at Netography?
My background is in computer engineering, but I got started in the information security industry over 28 years ago. I was one of the first to commercialize open-source software, creating Snort, a network-based intrusion detection/prevention system (IDPS), in 1998. Snort quickly became one of the most widely deployed IDPS technologies and set the standard for detecting network-based attacks.
In 2001, I founded a network security firm called Sourcefire and alternately served as the Chief Executive Officer and Chief Technology Officer over the years. In 2013, Cisco acquired Sourcefire for $2.7 billion, and I then took the role as the Chief Architect of Cisco’s Security Business Group until 2019.
After taking a few years to serve as an advisor to numerous companies in the security and infrastructure space, I opted to join Netography in the summer of 2021 with the mission of pushing the security industry forward. I knew it was time to rethink the industry’s approach to network security because even though the underlying networks had evolved significantly, too many of the security controls enterprises rely on had not.
At Netography, my goal is to move the industry forward by delivering a new platform that gives customers the ability to know with confidence and in real time when something is occurring in the network that should never happen–either an attack or a serious policy violation.
What are the flagship services offered by Netography?
Netography Fusion is a cloud-native Network Defense Platform (NDP) for multi-cloud and on-prem environments. Its frictionless architecture allows our customers to detect and respond to compromise activity and policy violations in real time across hybrid, multi-cloud and on-prem networks from a single console without deploying sensors, agents or taps.
Fusion is a 100% Software-as-a-Service (SaaS) platform that eliminates the need to deploy sensors, agents or taps. Fusion combines activity metadata collected from an organization’s multi-cloud and on-prem network infrastructure with context attributes about the users, devices, and applications from its tech stack to create enriched metadata. It analyzes this enriched metadata to monitor the activity within an organization and understand what’s happening to it in real time. The result is a unified view of activity across any size multi-cloud and on-prem network, including IT, OT, and IoT environments.
How do you define the current state of the cybersecurity landscape, particularly concerning network detection and response (NDR) tools?
Today’s cybersecurity landscape continues to evolve, as threat actors target organizations’ diverse, distributed hybrid environments with new tactics while continuing to launch new variations on attacks the industry has seen for decades. The result is that attack surfaces have increased significantly, but because of limited budgets and staff, skill gaps, and reliance on legacy technologies, organizations lack the ability to monitor that increased attack surface.
NDR tools were developed to detect malicious activity in networks, but because today’s multi-cloud and on-prem networks have expanded far beyond the intended scope of legacy NDR tools, they are unable to provide critical visibility across modern enterprises. And, because of the high cost of deploying appliance-based tools, customers are forced to choose which parts of their network they will monitor with the devices and which parts they will ignore.
What are the limitations of traditional NDR tools in today’s hybrid network environments?
The security industry has been trying to solve the challenge of the evolution of threats and the network with the same, outdated solutions. This is the biggest challenge with tools like NDR–they were designed over a decade ago for an on-premises networking environment that no longer exists in which traffic was unencrypted and flowed across a well-defined and controlled network.
In today’s hybrid multi-cloud environment filled with encrypted traffic, NDR tools don’t provide the detection capabilities security teams expect of them–they rely on deep packet inspection (DPI), which isn’t practical to use now because it requires costly decryption to inspect the packets. Many NDR customers still get value from deploying their appliances in environments like data centers, where they have taken the steps to decrypt the traffic, but outside of that particular use case NDR tools offer limited value. In addition, when customers try to deploy them in the cloud, they learn very quickly that NDR fails due to the significant differences between cloud and on-prem traffic monitoring.
How do you replicate the value of NDR when you move outside the physical network?
The short answer is that you really can’t. It’s fundamentally an issue of observability–seeing the activities you need to see and understanding them in the context of their environment. The issue is that each cloud provider offers its own version of data visibility, with differences in the type of data provided, the format, and timeliness. Lack of standardization creates a huge normalization challenge that requires a deep understanding of the data each cloud provider supports and the expertise to make it usable, which most organizations lack. So, it’s not about replicating NDR’s value; it’s about deploying technology that was engineered to provide real-time observability of activity within multi-cloud environments.
Regarding gaps in NDR tools, can you discuss some of the issues you’re hearing from customers and your network, and what steps security leaders can take to feel confident in their network security?
When talking to customers, the top issues I hear are: the high volume of encrypted traffic that blinds their NDR tools, the high cost of deploying and maintaining additional sensors, and the inability of NDR to operate effectively in the cloud.
With enterprise networks continuing to evolve, these challenges speak to the inability of NDR tools to keep pace. The fundamental issue is that legacy NDR tools were engineered for a network architecture that only exists in the rear-view mirror, and no amount of modification to their reliance on DPI will change that.
For security leaders, I believe that they need to start with taking control of their security. They should ask themselves, “What activity am I not seeing?” “Is there a part of my network that I’m not monitoring?” “Will my team be able to see a compromise and respond before it affects my business continuity or disrupts operations?” Asking these questions and acting to close any observability and detection gaps they identify will set companies up to respond faster to threat actors in their network.