Martin Roesch founded Sourcefire in the living room of his Carroll County home in 1998. Last month, the Columbia-based cybersecurity firm for which he now serves as CTO announced it was being acquired by Cisco Systems for $2.7 billion.
“We’ve done a lot of things here nobody outside the place thought would work,” said Roesch, who grew up in western New York but has lived in Maryland the last 17 years, and now resides in Ellicott City.
One of those things was building a business around Snort, the free, open-source product Roesch developed for detecting and preventing computer network intrusions that today has been downloaded more than 4 million times.
He describes Snort as the “engine” to the cars Sourcefire builds. While Snort is indeed free, deploying the technology on large computer networks, with dozens of computers, requires “scalability, performance and support — the core things people were buying from us,” Roesch said.
Over time, that led to a billion-dollar-plus company. Among other prominent Baltimore area technology company acquisitions, Sourcefire’s price tag ranks high. That’s a triumph for the 43-year-old Roesch, at least where money is concerned, not to mention one for the region, especially since Roesch, Sourcefire and its roughly 650 employees will remain local.
But Sourcefire’s biggest triumph, perhaps, was “changing the game” for cybersecurity, as Roesch (who goes by Marty to friends) put it.
Technically Baltimore spoke with Roesch about Sourcefire’s acquisition, and how his cybersecurity startup distinguished itself from others in this century’s first decade.
TB: As part of the acquisition, you’ll become chief architect for Cisco’s security business. Are you worried about innovating within a large company?
MR: I’m not tremendously concerned with having the creativity squished out of me. Security is interesting because it requires new solutions to new problems all the time. I think that [Cisco is] really looking for somebody who can come in and think creatively about the problems their customers actually have, and maybe not just taking what they already have, but inventing new stuff.
TB: You say Sourcefire had a choice to make in 2003, and part of that choice was your company deciding deliberately to not build an intrusion-prevention system.
MR: Back then intrusion-prevention systems were new to the market. The vendors competing with us had one, we didn’t. Instead of building one, we went out and built something different: real-time network awareness. Nobody was asking for it, and nobody had ever seen it before.
TB: For lesser cybersecurity minds, explain the difference for us.
MR: Same core concepts with different outcomes.
- Intrusion-prevention systems analyze traffic and look for known attacks by defining what attacks look like, telling the system about it, and then detects and blocks when it can. But intrusion-prevention systems only work as well as they are configured by people.
- Real-time network awareness watches traffic on [computer] networks and builds up a real-time picture of what’s on the network: the devices, the operating systems, what web browsers [people use], whether they’ve got file sharing turn on. You build up a model of the network, then communicate to intrusion-prevent systems how they should be configured. You have technology do it, it builds up a much more accurate picture.
TB: And that was vital to Sourcefire because?
MR: It’s the thing that allowed us to break out of the pack of other small security startups. It’s very rare for a startup to change the focus from one core technology to a new core technology. We did it. It changed the game for us and also changed how people talk about security in a lot of ways.
TB: We know Sourcefire is a company in the county, but can Baltimore city’s startup community count on seeing you around?
MR: I’d certainly be open to it. I’ve been kind of deluged with stuff lately, but I’d certainly be open to it. I remember when I was getting a company going, how hard it was to find people who could give me some useful advice.
TB: Well, let’s do some of that. What do you think early-stage cybersecurity startups get wrong?
MR: In an early-stage cybersecurity company — ideas are few and far between. A lot of them are incremental improvements. I always like companies that are doing really new things.
TB: Let’s broaden this a bit. What do early-stage startups, generally, get wrong?
MR: People need less money than they think they do to get going. It’s all about focus. Get it done with the bare requirements of what you need to get out there, and show what you have and what you can do. Go execute on that. Once you have your first few customers, that when you start engaging the investment community.
TB: What do you think Baltimore city needs to do if it wants to benefit from Maryland state’s regular promotion as a cybersecurity center?
MR: Look at good models of towns that have attributes [companies want]. If it’s a nice place to live and there are opportunities around for people both inside and outside the tech industry. If the local government is friendly to startups and friendly to companies that have just a few people and are going to need investment help and tax benefits. Those are the sorts of things that those kind of companies look for.-30-