Let’s Hear from OISF Board Member Randy Caldejon of FireEye

As many of our community members already know, OISF's Board of Directors comprises 7 security industry experts and thought leaders. We are fortunate to have their expertise in guiding us through the next two exciting years for OISF and Suricata.

However, you may be wondering why they wanted to become members of the OISF board, what their vision for OISF is, what their opinions about security tools are, etc. Well, we thought it was best to hear it directly from them. This month, we would like to thank Randy Caldejon, CTO of the FireEye Enterprise Forensics Group, for sharing his thoughts with us.

1. Tell us a little about you – your work in security, how you arrived in security, the organization you work for, etc.

My interest in security stems back to the 90's while serving in the Marine Corps. I was assigned to a small joint-military unit that was tasked with developing TTPs for Computer Network Defense (CND). We were early pioneers of cyber warfare. Interestingly, the unit was the predecessor to what is now known as U.S. Cyber Command. Fast forward twenty years… Today, I'm the CTO of the Enterprise Forensics Group at FireEye.

2. What inspired you to want to become a board member of OISF?

Like many others, I was looking for an alternative to Snort. Something that could easily scale to multi-gigabits on current commodity hardware. After vetting the early release and achieving 7+ Gbps by integrating it with a Napatech adapter, I became convinced that Suricata, although still a young project, had the potential to address the future needs of cybersecurity. Consequently, the company that I cofounded, nPulse Technologies, became one of the first contributing consortium members. Eventually, I was nominated and selected to serve as a board member.

3. What is your opinion about having security tools, such as Suricata, managed by a non-profit vs. a for-profit organization?

Open source has many advantages and some perceived drawbacks, but in general the advantages outweigh the disadvantages. This is certainly the case for Suricata under the umbrella of the OISF. The advantages are 1) better quality code and accountability by virtue of a peer-reviewed process that includes a wide audience, 2) introduction of relevant features by virtue of crowdsourcing, and 3) flexible other-than-GPL licensing terms for contributing consortium members. Overall, it's a win/win for parties interested in collaborating for the greater good while maintaining a competitive position through value-added services and/or features.

4. What is your role in the security community (or, specifically, around Suricata and OISF)?

As an engineer and US citizen, I'm motivated to innovate and to help advance the state of the art in cybersecurity in order to protect information and our national critical infrastructure from exploitation or destruction. However, cybersecurity is a global issue as much as it is a national problem. This is one of the reasons that I enjoy working with the Suricata community. It is an international community with developers representing various countries around the world, from the US, to the Netherlands, spanning all the way to India. I cannot think of any other project where national pride takes a backseat to the vision of building the best open-source cybersecurity platform possible for the benefit of all. In short, I believe my role is to continue to champion and contribute to the project.

5. What does your crystal ball tell you about the future of IDS, IPS, and Suricata?

As cyber attacks become more sophisticated, the traditional IDS/IPS is becoming less effective. As a result, the industry is moving towards an intelligence-driven model for cybersecurity. The Lockheed Martin Cyber Kill Chain model does a great job at distilling the key elements of intelligence into three types of indicators: atomic, computed, and behavioral. An IDS does a great job at handling atomic and computed indicators, but falls short of processing behavioral indicators. This is one reason IDS are notoriously prone to generating false positives. I believe the future of Suricata is in detecting behavioral patterns. As a side note, this is where Bro, another open-source tool, shines. From its inception, Bro was designed to handle atomic, computed, and behavioral indicators. Unfortunately, it was designed as a single-threaded application requiring substantial computing resources. As a result, it does not scale as well on multi-core systems. To fill this niche, I would like to see Suricata incorporate some type of complex event processing engine. This will enable it to process chains of events as meaningful patterns of behavior and react accordingly.

6. What should we be telling people about Suricata that makes it different from other IDS/IPS technologies out there?

Suricata is more than an IDS/IPS. It's a very capable, general-purpose engine that can be used as the basis for various sorts of cybersecurity solutions. It is versatile enough to be used as a foundation for an IDS/IPS or a purpose-built sensor for passive DNS, breach detection (aka callback decoding), malware (tracking files that traverse an enterprise), or TLS/SSL certificate monitoring. With the extended rule keywords and Lua scripting extensions, there are numerous possibilities for innovation. To think of Suricata as just an IDS capability is to underestimate its potential.

7. Any final thoughts?

It’s exciting to see that the 2015 Suricata User Conference in Barcelona sold out. I’d like to see the attendance double next year. If you’re a user, start making plans to join us in 2016.

Randy Caldejon, CTO of FireEye Enterprise Forensics Group — As CTO of the FireEye Enterprise Forensics Group and Founder of nPulse, Randy is passionate about designing and developing 20Gbps+ packet capture solutions for network forensics. With implementations in production at leading financial institutions, government agencies, and telco carriers, he and his team are focused on the design and implementation of a high-performance, big data security framework for network forensics.
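The chain-of-events idea from the answer to question 5 (atomic indicators versus behavioral patterns) and the "more than an IDS" point from question 6, as an added example that is not part of the original interview and is not OISF or Suricata code: a small Python correlator that reads Suricata's EVE JSON output and raises an alert only when one client performs a DNS query, an HTTP request to the queried name, and an executable download within a short window. It assumes the EVE field names listed in the docstring; the sample events, the 60-second WINDOW and the "executable" magic-string check are constructed for the example.

```python
"""Chain-of-events correlation over Suricata EVE JSON logs.

Added example for this interview, not code from OISF, Suricata or the
interviewee. It assumes the EVE JSON field names of Suricata's eve-log
output (event_type, timestamp, src_ip, dest_ip, dns.type, dns.rrname,
http.hostname, fileinfo.filename, fileinfo.magic); the sample events
below are constructed, not captured traffic.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EVE lines: three clients, only 10.0.0.5 runs the full chain.
# 10.0.0.7 resolves a name and fetches HTML; 10.0.0.9 fetches an .exe from an
# internal server by hard-coded IP (no DNS step), as a package mirror would.
SAMPLE_EVE = """\
{"timestamp":"2015-11-04T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"cdn-update.example.net","rrtype":"A"}}
{"timestamp":"2015-11-04T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"cdn-update.example.net","url":"/update.exe","http_method":"GET","status":200}}
{"timestamp":"2015-11-04T10:00:03.000000+0000","event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","fileinfo":{"filename":"/update.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":204800}}
{"timestamp":"2015-11-04T10:05:00.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"www.example.org","rrtype":"A"}}
{"timestamp":"2015-11-04T10:05:01.000000+0000","event_type":"http","src_ip":"10.0.0.7","dest_ip":"198.51.100.20","http":{"hostname":"www.example.org","url":"/","http_method":"GET","status":200}}
{"timestamp":"2015-11-04T10:05:02.000000+0000","event_type":"fileinfo","src_ip":"198.51.100.20","dest_ip":"10.0.0.7","fileinfo":{"filename":"/","magic":"HTML document, ASCII text","size":5120}}
{"timestamp":"2015-11-04T10:09:00.000000+0000","event_type":"http","src_ip":"10.0.0.9","dest_ip":"10.0.0.80","http":{"hostname":"10.0.0.80","url":"/repo/tool.exe","http_method":"GET","status":200}}
{"timestamp":"2015-11-04T10:09:01.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.80","dest_ip":"10.0.0.9","fileinfo":{"filename":"/repo/tool.exe","magic":"PE32 executable (console) Intel 80386, for MS Windows","size":98304}}
"""

WINDOW = timedelta(seconds=60)  # illustrative: max age of an earlier chain step


def parse_ts(ts):
    """EVE timestamps look like 2015-11-04T10:00:01.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_executable(fileinfo):
    """Atomic indicator: libmagic description says 'executable'."""
    return "executable" in fileinfo.get("magic", "").lower()


def atomic_exe_downloads(lines):
    """Single-event check, the way a plain signature would fire: every
    executable download on the wire, with no context around it."""
    hits = []
    for line in filter(None, map(str.strip, lines)):
        ev = json.loads(line)
        if ev["event_type"] == "fileinfo" and is_executable(ev["fileinfo"]):
            hits.append(ev["fileinfo"]["filename"])
    return hits


def correlate(lines, window=WINDOW):
    """Behavioral check: DNS query -> HTTP request to that same name ->
    executable download, all from one client inside `window`."""
    # per client: {"dns": {name: ts}, "http": {server_ip: (name, ts)}}
    state = defaultdict(lambda: {"dns": {}, "http": {}})
    alerts = []
    for line in filter(None, map(str.strip, lines)):
        ev = json.loads(line)
        ts = parse_ts(ev["timestamp"])
        kind = ev["event_type"]
        if kind == "dns" and ev["dns"].get("type") == "query":
            state[ev["src_ip"]]["dns"][ev["dns"]["rrname"]] = ts
        elif kind == "http":
            client, name = ev["src_ip"], ev["http"].get("hostname")
            queried = state[client]["dns"].get(name)
            if queried is not None and ts - queried <= window:
                state[client]["http"][ev["dest_ip"]] = (name, ts)
        elif kind == "fileinfo" and is_executable(ev["fileinfo"]):
            # fileinfo may be logged in either direction; try both pairings.
            for client, server in ((ev["dest_ip"], ev["src_ip"]),
                                   (ev["src_ip"], ev["dest_ip"])):
                hit = state[client]["http"].get(server)
                if hit and ts - hit[1] <= window:
                    alerts.append({"client": client, "server": server,
                                   "domain": hit[0],
                                   "file": ev["fileinfo"]["filename"]})
                    break
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()
    print("atomic hits:", atomic_exe_downloads(lines))
    for alert in correlate(lines):
        print("behavioral alert:", json.dumps(alert))
```

On the constructed sample the atomic check fires twice (both .exe downloads, including the internal mirror), while the chained check fires once, for 10.0.0.5 only; that gap is the false-positive reduction the answer to question 5 is pointing at. The three steps span three separate flows, which is why a Suricata flowbit, whose state lives inside one flow, cannot express this pattern on its own and an external correlator (or the complex event processing engine the answer asks for) is needed.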

Though our Barcelona event is sold out at the moment, we are quickly setting plans for our 2016 conference. Dates and location to be announced very soon!

If you have a question for one of our board members or questions you’d like us to include in this series, feel free to contact us at info@oisf.net.