Marty Roesch: Scaling Sourcefire and creating a new way to monetize open source security software

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sid Trivedi (00:04):
Welcome to Inside the Network. I'm Sid Trivedi.

Ross Haleliuk (00:08):
I am Ross Haleliuk

Mahendra Ramsinghani (00:09):
And I am Mahendra Ramsinghani.

We've spent decades building, investing, and
researching cybersecuritycompanies.

On this podcast, we invite you to join us inside the
network, where we bring the bestfounders, operators, and
investors building the future ofcyber.

Our guest today is Marty Roesch, founder
of Sourcefire, a company thatled the intrusion detection and
protection or IDSIPS as it'scalled. He raised 4 rounds of
financing from leading VCs likeNEA, Sierra Ventures, and
Sequoia, completed a successfulpublic offering later to be

(00:49):
acquired by Cisco for almost $3,000, 000, 000 At the time, it
was the largest cybersecurityexit. Almost 2 decades after
starting Sourcefire, Marty hasgone back full circle to being a
CEO of a start up calledNetography. In full disclosure,
my investment firm, is aninvestor in Netography. But this
is not a commercial for thecompany as much as the art and

(01:11):
science of building a company,taking it public, and doing it
all over again.
We will hear from Marty abouthis entrepreneurial bug. It has
bitten him twice now, and howfounders can find insights and
inspiration from his journey.

Hi, Marty. Welcome to Inside the Network.

Marty Roesch (01:29):
Hi Sid thanks. Great to be here. Thanks for
having me.

So we have a few different topics that we're
gonna try to cover today. Wehave 4 different topics. And the
first topic, which is the mostimportant 1, is we we describe
it as there and back again,which is after completing this
entire cycle, the cycle of afounder from starting a company
all the way to taking it public,you came back again to an early

(01:53):
stage startup, and this 1 iscalled Netography. And you
decided to choose to suffer thispain for another bout of
entrepreneurship. I'd love tounderstand why you did that and
what was the motivation?
How was it different this timearound than the last time around
with Sourcefire?

Oh, yeah. Motivation. Boy, that's a good
one. You know? Like I was sayingbefore we started recording the,
the new, fun startup saying wedo these things not because we
they're easy, but because wethought they would be easy.
It's it's really interesting. SoSourcefire, you know, was a big
journey from me by myself in myliving room to public company to
acquired was a 12 yearadventure. And, you know, I

(02:32):
learned a lot, and I had areally amazing time doing it
even though it's hard, you know,labor and security while you're
getting going and things likethat. But, know, from a
motivation standpoint, I guess Ireally felt like I wasn't really
necessarily done with my career,and I really like working
freely. You know, anytime you gowork for a big company, you're

(02:55):
submerged within that company'sculture and priorities and all
the other things that come alongwith that, like, you know,
stability and health insurance,which are actually pretty nice,
it turns out.
But, when you're doing a startup, you have the breathtaking
clarity of somebody with nothingto lose and no established kind
of history. And as I like to saywhen I'm advising entrepreneurs,

(03:16):
you're unencumbered by success.You don't have anything that's
kind of weighing you down likecustomers and, these
expectations and things likethat. So it's this extremely
free way to work, and it letsyou actually create new stuff.
And this is a talk track thatI've kinda had for a really long
time about where innovationcomes from in the cybersecurity

(03:36):
industry, and it really comesfrom startups.
You don't see the big giant megacorporations really driving
innovation that comes out ofstartups, and they eventually
either turn into big companiesor get acquired by the big
companies and their ideas andtechnologies integrated into the
larger whole. So, yeah, for me,motivation was certainly all of
that. Chance to go be innovativeagain, a chance to operate in an

(03:59):
unencumbered fashion. But it wasalso, you know, to some degree,
almost a little bit offrustration with what I, I saw.
So, you know, after Sourcefire,we got acquired by Cisco, and I
worked at Cisco for almost 6years as the chief architect for
the security group there.
And, that was really interestingwork, obviously, big company
with huge, you know, huge scope,huge remit. But you're back to

(04:22):
that, well, it's really hard toinnovate in these kinds of
environments kind of problem. SoI left and I kinda semi retired.
I, you know, sailing and wentand had some fun, and then the
pandemic hit in the beginning of2020. And, you know, just like
everybody else, I was sitting onon my couch in my sweatpants,
like, wondering what I should dowith myself.
So I had the ability to sitthere because that's all I could

(04:43):
really do and think about what Iwanted to do with myself. And,
you know, in the run up toSourcefire, there was a lot of
working by myself alone bycollaborating with people over
the Internet and things likethat, which is exactly,
essentially the the environment,the beginning of the pandemic.
So I started thinking aboutdoing new things, and I started
teaching myself. I needed to getup to speed on relevant

(05:06):
technologies that people were,using these days, like, taught
myself go and Rust because I'man old school c programmer, and,
like, nobody wants programmingc, anymore because it's, you
know, quote, unquote unsafe.But, anyway, so I worked on a a
variety of things and but I gotenticed by the photography team.
I was advising them before Icame to the company, and they

(05:27):
were really doing something thatwas fundamentally new, but it
was also something that I reallybelieved in because I had very
similar notions of the way thatkind of network security
technology should go. And thenwhat happened once they invited
me to come work here, I startedlooking around the industry and
just see what the state ofthings was, and nobody moved the

(05:48):
ball forward. I was like, I wasshocked and to some degree kind
of horrified that all of thenetwork security architectures
for the most part were still onthe old models of looking at
packets and appliances andcentral management platforms and
all sort of stuff that are just,you know, just don't work in the
the world that we're in. So Ithink part of it was I was

(06:08):
interested in doing somethingnew and because, you know, all
of a sudden, all had a bunch oftime on our hands with the
pandemic. I was like, well, Ishould go do another startup
because, of course, what else amI gonna do?
Am I gonna go doing some giantmega corp, or am I gonna go do
my own thing? And then thephotography thing came along. I
was like, oh, this is Oh. Thisis cool. Oh, and nobody else has
moved the ball forward.
I'm

And and, Marty, how how big was the team, the
photography team when youjoined, and did that concern you
in any way?

The team was, was 8 people when I got here. It
didn't really concern me. I'mused to working small. You don't
need to have a big team to dointeresting things. Obviously,
all the way back into the latenineties with Snort.
Right? That was initially justme and then people collaborating
over the Internet, and thatdidn't bother me at all. It's a
very capable team. People havebeen there and done that. This
it's not a bunch of kids doingthis.

(06:54):
This is a bunch of people who'vebeen building real stuff for a
long time. So I wasn't reallybothered by that at all.

In our last episode, Ron Gula, the cofounder
and the and the former CEO ofTenable, mentioned that you were
actually roommates at ClarksonUniversity. And, it looks like
both of you had a similarjourney. We you both built open
source projects, which becamequite successful products, built
startups from their inception toIPO. And that's where the

(07:21):
similarities seems to end. Sinceleaving Tenable, Ron became an
early stage investor, started afoundation, and is going down an
influencer path on YouTube.
What other possibilities did youexplore before jumping into the
startup world again? And beforeyou answer that question, what
did you guys talk about when youwere roommates?

What did we talk about? Well, we were, you know,
in our early twenties. We werebig gamers, believe it or not.
We became fast friends veryquickly. My freshman year of
college, he lived across thehall from me, and, we both
loved, flight simulators.
There was a combat flightsimulator called Falcon, And, I
had the very unique attributeof, having a 90 foot long RS 232

(08:04):
cable that I could streambetween our rooms so we could
play against each other. So,yeah, that's kinda how things
started. We used to talk about,you know, technology and all
the, you know, stuff you expectkind of the the late eighties,
early nineties, you know, UFOsand aliens and engineering, and
we had kind of similar sciencefiction, backgrounds in terms of

(08:24):
our reading and stuff like that.So, yeah, we had tons to, talk
about. We were we were verycomplimentary nerds and had, a
lot of nerd things to, alwaysstay in sync on.
Anyway, yeah, let's see the thethings the other things that I I
considered. So I've been doingsome advising. I've been on
boards and things like that.Obviously, I've kinda done the
startup journey from soup tonuts, so a lot of people get

(08:46):
pointed my way and ask for help.And, you know, 1 of the things
that I do is, you know, anyentrepreneur who darkens my
doorstep and says, hey.
I'm starting a new tech company.Could you please help me figure
some things out? I always sayyes. Because when I was getting
started in, 2001 in CentralMaryland right after dotcom
bubble burst, advisors were fewand far between. And so so I'm

(09:06):
always willing to help.
So I did some of that, and, Iwas on some boards. And, I
started thinking about, youknow, like I said, what I wanted
to do. The actual first thingthat I really worked on and
almost decided to go into wasworking on essentially, dealing
with disinformation and,deepfakes. This is back in,
2020, 2021. I was starting toyou know, I became kind of

(09:31):
painfully aware over the last,whatever, 8 years that
information warfare was beingwaged at scale on defenseless
populations of all the, thewestern countries.
And, it seemed to me that, therewasn't a lot of effort being
expended on, you know, liketrying to deal with things like
deep fakes, and they were gonnabecome a huge problem. We're
seeing it more and more now aswe get into another election

(09:51):
cycle. But we also see there'sthere's other problems out there
like, Zoom call hijacking andthings like that where you can,
you know, put up a convincingavatar in real time to hijack a
call. So, anyway, I investigatedthat, and I was looking at it
kind of from the, from the trustside and trying to figure out
instead of to trying to detectdeepfakes, which, you know, may
or may not be achievable overthe long term because you get in

(10:13):
this arms race with the deepfake generation technologists, I
was trying to go to the otherside of it and try to figure out
how to validate that, you know,validate what was real
essentially because there were anumber of organizations that
kind of traffic in beingtrustworthy, like media
organizations and softwarecompanies and things like that.
So being able to validate thatmaterials were in fact

(10:33):
authentic, I thought was thedirection to go.
So I did a lot of work on that.I actually built some technology
and, you know, put someprovisional patents together and
things of that nature. Then, Ikind of came to the conclusion
that, the amount of money thatwas gonna be required to
actually do the upfront work to,do the trust level validating
for this stuff is going to beimmense. You'd have to be like a

(10:54):
a Google or a Microsoft to pullit off. So, I decided not to to
go that direction, but I did Idid spend time actually building
technology, writing code, thingslike that.
I also looked at, doing, kind ofa a mobile work from wherever a
security bastion, like, thingyou could carry around in your
pocket, but I decided that wassilly, after doing some some

(11:14):
research on it and building someprototypes. I was like, no,
that's that's probably peopledon't wanna take things around
with them. So I decided not to,to pursue that, and then the
photography thing came up. So,yeah, I built some stuff, taught
myself some stuff, did a lot ofadvising and things like that,
but I like to build things.

Tell us more about the UFO. That is probably
1 of the 1 of the mostfascinating topics that both you
and Ron mentioned. We didn't getlike, we didn't have enough time
to talk with Ron about it. Sonow you're the victim. Tell us.

Well, you know, there's always a question. Are
they real or are they not? Andespecially, you know, back then,
not everybody was carrying ahigh res camera around in their
pocket. So, it was, there was alot of fuzzy video of weird
things and lights in the sky andstuff like that. And 1 of my
hobbies is, astronomy.
And, I got into astronomy when Iwas a teenager, so I spent a lot
of time looking at the sky. Iwas always interested in that

(12:03):
question, especially growing upin that era that I did. And I
never saw anything that wasn'texplainable up there, but, you
know, definitely had a few headscratcher evenings, over the
years. Anyway, so, yeah, Ron andI used to talk about, well, what
do you think? Are there aliensout there?
Is there, life on other worlds?Are UFOs visiting us? And we had
these, you know, discussions.The funny thing, so Ron was in

(12:24):
the air force, and, he, wasdoing pilot training and and
things of that nature. Heeventually ended up going to the
Intel side of the world, and, wehad a a pact if he ever, saw
anything that, proved it 1 wayor the other.
If he just if he told me hebought a cat, then I would know
that. You finally found justdirect evidence because he was

(12:44):
allergic to cats.

Wow.

And the the real punch line is he he eventually
got married to a woman whoactually owned a cat, so he did
have a cat. But it wasn'trelated to Ellen.

But we'll never know. We'll never know. I mean,
it could be it could be thatthat was the the the sign.

Maybe he hit that level of commitment was, you
know, him, like, it was a, like,a a side note. He couldn't say
it, but you know?

Well, as somebody who went to Cornell in in
upstate New York, just hearingabout 2 founders in cyber at
Clarkson going and building abuilding 2 different companies
that have had such an amazingimpact. It's just truly
spectacular to hear. Let's talka little bit about Netography.
What's a problem that Netographyis solving, and and why does

(13:30):
this problem prevail? I'm justcurious how you thought about
the the idea.

Yeah. So it it's a bit of a journey. So, you know,
for me, the foundation of itgoes all the way back to, about
2010 or so. So this is in thelate Sourcefire days a few years
before we got acquired. And, Iwas starting to notice the the
trends in the industry ofcompanies moving more and more
to the cloud, and it was stillpretty early in the adoption
phase back then.
But, you know, you definitelysaw it coming. Like, this was

(13:56):
obviously gonna happen. And,also, the increasingly pervasive
use of network encryption,which, obviously, if you're
doing deep packet inspection,which was our raison d'etre at
Sourcefire, is very problematicbecause you have to either play
all these typology tricks to getinto the path of clear text
traffic, or you have to buydecryptors, or you just have to
ignore traffic. And as more andmore of it becomes encrypted, it

(14:18):
gets to be a larger and largerTCO problem as well. So you have
the TCO problem posed byencryption.
How am I gonna deal with it? Gettaps and aggregators and
decryptors and things like thatto present clear text traffic to
my inspector. But you also hadthis dispersion problem of
things moving to the cloud. Sothe networks are dispersing. I I
coined this term in metography.

(14:39):
I call them atomized networks.We have all these atoms of
presence that are scatteredacross multi cloud environments
plus on prem. And the way thatwe were deploying, you know,
packet inspection technology wasprimarily watching the north,
south ingress, egress trafficonly and was completely blind to
what's going on across the,across the lateral ocean east
west environment. So this wasyou know, I saw this as a as a

(15:00):
problem, and I started thinkingabout, well, you know, 1 of my
jobs at Sourcefire was preventstrategic surprise. Like, don't
let us, you know, get caughtwith our our feet flat as
something is, emerging andturning into a problem that
we're gonna have to deal with asa company.
So I started looking atarchitectures for dealing with a
world where the networks areincreasingly dispersed. The
traffic is increasinglyencrypted. Also, you've got

(15:23):
this, you know, this kind of,ephemeral problem to deal with
in the cloud where things comeand go very quickly or they can,
as well as just the the generaldiversity of the environments,
like multi cloud plus on prem oreven IT and OT. And what the
implications of this were forfor trying to observe what's
going on at a network level inthose environments. So it turns
into an architectural question.

(15:43):
The architectures that we builtover the last 25 years really
are suitable to the networksthat we're in today. So that was
the the concept. If you agreewith that that notion, then how
would you address it? Well, Ihad a model that I was really
interested in, and it wasactually based on, EDR
technology. So at Sourcefire, wehad acquired 1 of the pioneering
EDR vendors company calledImmunet, and they built a

(16:05):
technology called AMP, which isnow Cisco's EDR.
And the way that it worksessentially is you had an agent
that ran on your host. Itcollected metadata about what
was being executed on that host.They shipped it up to a cloud
back end. All the detectionheavy lifting was done there,
then it shipped, you know,answers or directives back down
to the agent and said, oh, blockthat process. That's malware or
whatever.
So I thought that was a reallyfascinating architecture because

(16:27):
it it allows you to do reallycool things like, you know,
update detection 1 time in thecloud and all of your customers
simultaneously get protected. Soit's not like on Microsoft
Tuesday and the old source firedays where it's like, I have to
roll out 20 new rules to 35 100customers, and they have to
actually, you know, integratethem on their management
platform, test them in theirenvironments, deploy them to

(16:47):
their sensor infrastructures,and things like that. It's I
update once, everybody'sprotected. Cool. Super cool.
So I was thinking about, okay.Well, what would we, you know,
what would we do if we wanted todo that in the network? And my
conclusion was essentially,well, I can't ship all the
packets from the network up to acloud back end. That's obviously
insane. That would never work.
But it could ship metadata.Right? Just like the the
endpoints are processingmetadata, we can ship metadata

(17:10):
up to the to the cloud back endto do the detection there and
then signal back to thecollectors. Hey. I see something
that I don't like.
Do something about it. So Ikinda, you know, I had a rough
draft of this idea, and Ithought that that would probably
work. It would scale reallywell. It could operate in the
cloud as well as on prem.Doesn't care about encryption
because I'm not looking at theapplication there.
Doesn't care about theenvironment because the data

(17:30):
that we'd be collecting, aboutthe, you know, the activities in
the environment, the metadatawould be universal every place
we were so we could write, youknow, generic detection around
this. So I thought, okay. Thisis pretty cool. And I mentioned
it to some of my, coworkers, andI mentioned it a little bit in
the Cisco days, but we nevernever really took it anywhere.
And then Barrett and Dan, thecofounders of Netography,
basically had largely the sameobservations and conclusions

(17:54):
from their vantage point ofbuilding Internet scale anti
DDoS services and things likethat, and they said there's
gotta be a better way.
So they started working on thisarchitecture. And as as much as
it's anything, it is a modernarchitecture for doing network
security observability acrossany environment in real time. So
it's not like everybody'sthrowing everything into data

(18:14):
lakes right now. Data lakes aregreat, but they're not real time
systems for saying, oh, thisjust happened. Let's do
something about it immediately.
Their dashboards are reporting,things of that nature. So in
Netography, we've essentiallygone to a metadata driven
platform for being able to, inreal time, do streaming
analytics of the data as itarrives and marry it up with
context, not just about theactivities that are occurring in

(18:36):
the environment, but we alsopull context from the tech
stacks of the companies thatwe're in. So if you've got,
like, Wiz and you've got Tenableand you've got Axonius and
you've got Clarity orCrowdStrike, we can essentially
leverage their APIs to accesswhat they know and then pull
that in to decorate the, theactivities that we're observing.
It's not just, you know, this IPaddress talking, that IP address

(18:59):
on these ports for this long orIt's not just, you know, this IP
address talking to that IPaddress on these ports for this
long with this many bytesstarting at this time and ending
at this time. It's, you know,Marty's computer, Marty's laptop
connected to a vending machinein the break room and shipped 40
gigs of data to it.
Don't know what that is. You'reprobably not gonna be super
happy when you figure it outthough. So that's the the idea

(19:20):
here. And the other cool thing,here's the the rabbit out of the
hat. I can do this withouthaving to deploy anything.
I don't need to deploy anyappliances. I don't need to
deploy any agents to make itwork. It just leverages the
infrastructure you've alreadygot. So it's a a live off the
land architecture. That's that'swhat we're doing, and what it
really is is an architecturalinnovation.
You know, taking this thing andreally not nobody else does

(19:41):
this. Like, there are no realtime streaming analytics
platforms for network data likethis that operate at scale
across, you know, multi cloudplus on prem, blah blah blah. I
don't wanna turn this into a acommercial. But it is it is
really unique, and it's veryinteresting because, you know,
most people hear it and they'relike, oh, are you a SIEM? It's
like, no.
We're we're operating onfundamental data. We're an event
generator, not an eventconsumer. You know? So it's it's

(20:03):
a a very different approach, andit requires people to think
about the problem differentlyand say themselves, jeez, maybe,
you know, detecting every log 4j attack that floats in off the
public Internet actually isn'tvery important, but detecting
when somebody breaks out of a 0trust containment environment
actually is really important.And I can do that with this
architecture.
I can't do it with the oldarchitecture.

Thank you for that wonderful, and very
comprehensive description ofNetography, Marty. Clearly, your
passion is evident in why youhave come back to the startup
world. Let's switch gears alittle bit to go to market. What
you did at Sourcefire was prettyfascinating. Right out of the
gate, you signed up, like, these4 amazing logos,

(20:47):
Pricewaterhouse, Intel, SAIC,International Paper.
Now we as VCs often tell ourfounders, like, don't go to the
big companies too early in thegame. Go to the middle market,
call your friends. And you tookthe contrarian approach and, and
pulled off 6 figure contractsright out of the gate at
Sourcefire. And now you're doingit again at Netography with

(21:07):
Goldman Sachs and a bunch ofother customers as well. What
advice do you have for founders?
And how can they tacticallychange their thinking to to go
after the the big customers?

Yeah. Well, I think, you know, it's a bit of a
chicken and egg problem. So atSourcefire, we had this really
crazy unfair advantage in thatall these places were already
using our core technology.Right? Smart is an open source
engine is, already embedded inall these places and every place
else.
Task was just letting everybodyknow we existed for the most

(21:40):
part for the 1st couple ofyears. So, because everybody was
super excited about the idea of,oh, enterprise grade Snort?
Absolutely. Sign me up. So thatwas and the Sourcefire business
model was a very contrarianbusiness model.
This was me with my engineeringdegree and nothing else,
basically, but but confidence inmyself saying, I think we can

(22:02):
get people to pay for somethingthat's free. And, you know,
people did. But, man, when Itook that business model on the
road and I said, hey. I'm a guywith a computer engineering
degree. I've never built or runa company before, but I started
this 1.
And not only do I have newtechnology, but I have a new
business model nobody's everpulled off before. Definitely
give me 1, 000, 000 of dollarsto go see if I can make this
work. People were not superenthused about that idea because

(22:25):
let's face it, who's this clown?Right? We know he's a good coder
because all these people areusing his stuff, but what does
he know about building businessmodels and then businesses and
things like that?
So going after the enterprisesfor me, the whole thesis of
Sourcefire was essentially, youknow, like, why do you rob
banks? Because that's where themoney is. Why do you go to the
enterprise? Because that's wherethe money is. And in Sourcefire,

(22:45):
particularly, the the whole ideawas thrown on the small scale
sales problems, started on thelarge scale, causes problems,
and the problems that it causesare different than the ones that
it solves.
And the companies that itproduces the biggest problems
for also tend to have the mostmoney and the biggest problem.
Right? So just go to those guys,and I was right. So I think

(23:08):
you've gotta know your market.Like, you understand your value
proposition and who your marketreally is because, yes, you can
go do lot of $10, 000 deals or alot, you know, AAA stupendous
number of $1, 000 deals, butdoing the elephant hunting thing
is high risk, high reward.
But also if you know out of thegate like I did, these guys are
already using this stuff. Imean, I had big banks contacting

(23:30):
me, sending me computers.They're like, hey. Could you
keep smart ported to true 64 onthe deck alphas because we're
using it here at the bank, andwe don't wanna port it
ourselves. So we'll just sendyou a hardware and bulletproof
service contract and just let usknow what you need.
It's like, okay. Great. So Iknew all these guys were already
using stuff. In fact, I waskinda shocked at all the places
that were using it. So, yeah,for me, it was kind of a no

(23:52):
brainer to go there.
In photography, it's a littledifferent now. And the reason
that we're going to the bigs outof the box is because we've been
selling to them. The leadershipteam at this company has an
immense track record ofbuilding, you know, real
technologies for the largeenterprise. Nobody doubts that
we're serious when we say thethings that we say and, talk
about the things that we talkabout. So that whole, I don't

(24:14):
you know, are these guys wearingclown shoes, question from the
other side of the table, getsanswered in a big hurry.
You know? Oh, this guy isresponsible for the IDS, IPS
industry, a lot of the coretechnologies there. My chief
product officer is a guy namedDave Meltzer. He was the built
the competing technology tosource fire when, we started and

(24:34):
went on to become, you know,over the years went and did
startups and was the CTO atTripwire for a long time. Like,
he's got a big track record.
Dan Murphy, who's our CTO, youknow, 1 of the guys who built
the anti DDoS industry. So,like, people, you know, going to
large enterprise, these guysjust take us seriously because
they know we're not kiddingaround, which is great. And a
lot of startups can't do that.But you really have to know

(24:56):
who's going to be the mostinterested in the problem that
you solve and it kinda doesn'tmatter what size they are once
you figure that out. Because ifyou find your ICP, right, your
ideal customer profile, it juststarts spinning like a flywheel.
So you shouldn't be afraid ofgoing to large enterprises. The
large enterprise has the problemthat you're addressing, the
worst because they'll probablybe the most interested. But it's

(25:19):
a little harder to get into,sometimes. So with Sourcefire,
it was a bottoms up approach. Wegot the techies first and then 1
up the the ladder.
And the tography, we're kindastarting top down because we
have the relationships with theCSOs, so we don't need to treat
it the same way that we used to.Although right now, I'm thinking
about real hard about adding a abottoms up approach because I
feel like if more technologistsgot an exposure to what we're

(25:40):
doing, they would, be picking upadoption faster.

I have a fairly big role to play in helping, to
create categories and helping todefine acronyms and also in
educating buyers to ultimatelydirect their software budgets
towards making a certainpurchase. Both of these
organizations, like Gartner andSANS, played a pretty big role.
And from what I understand, hadmeaningful impact on your

(26:09):
decision to start Sourcefire andalso informed your thinking
around future productdevelopment. Do you think these
kinds of organizations shouldplay such a big role in the
future? And even moreimportantly, do you think
founders should interact andwork with them today, and how
should they do it?

Yeah. That's that's a that's a big question.
So the so Sans is reallyinfluential in the early days of
Sourcefire because they they'rethe ones who kind of put the bug
in my ear that Snort was a lotmore popular than you think it
is. I thought there were a few1000 users of Snort, something
like that. I saw survey resultsin, the fall of 2000 that showed

(26:45):
that, they surveyed theirstudent body and 1 of the
questions was, you know, checkall that apply check all the
intrusion detection technologiesthat you use and you could, you
know, select multiple.
So numbers check 92% of thetime. I was like, oh, okay. I
had no idea. So, yeah, I hadthat and, Stephen Northcutt, of
course, was my first seedinvestor in the company, helped

(27:05):
me get it going. He saw what Iwas doing and thought it was,
interesting and, you know, puthis money where his mouth was.
So that was obviously veryhelpful as well. But SANS is a
training organization, and I wasI was an instructor there for
the 1st couple years ofSourcefire. And even before
Sourcefire, what happened wasthat, you know, it was almost
like, get them while they'reyoung, teach them this is the

(27:26):
way that you do intrusiondetection, and they adopt that
kind of mindset. And everythingthat's not that looks weird to
them. So that was hugely helpfuland influential.
I still run into CSOs who waslike, I took your SANS course in
2001, and it was great. Youknow, or I use Snort. You know,
it's 1 of the tools that I usewhen I was just getting going in
security. It taught me a lot.It's hugely, hugely influential

(27:49):
still.
So that's, that's really prettypretty interesting how that
continues to be influentialtoday. And then Gartner.
Gartner's, you know, Gartner'san interesting animal. Gartner
doesn't make or break a company,but it does make the phone ring.
Being in the that, upper righthand quadrant gets the phone
ringing because when you know,all other things being equal and

(28:10):
people are saying I need CSPM orI need a firewall or I need
whatever, especially the largeenterprise customers that you're
gonna sell to.
If you're a guy like me, 1 ofthe first places they're gonna
look just to get a list of thecompanies they should be
considering is looking at theMagic Quadrants and looking to
see if there's a category. Andis there a definition for this?
And do these guys fit in certainplaces and not in others? And to

(28:32):
some degree, you have to playthe game. And it's, I guess, I
would say have kind of a nuancedview on them.
They can be helpful. Like, theycan help you define your
category. They can help youfigure out what you you know,
how you should be positioningthings, you know, review your
your verbiage, give you feedbackthat they're getting from the
market and things like that.They also sometimes they I would

(28:54):
say they kind of overstep theirremit, like, 20 years ago when
they declared intrusiondetection dead or things like
that, which I I think is alittle more of a speculative
thing. Right?
And they were saying, well, IDSis dead and IPS is gonna replace
it because nobody needs todetect these attacks. They just
need to block them. But, ofcourse, there's a lot more
nuance to it, than that, and youjust, you know, you can't make

(29:15):
those kind of blanket statementsnecessarily, although it's
become kind of a time honoredtradition in this industry to
declare, you know, XYZ dead whenI've got the new mousetrap. So,
yeah, I think, you know, GartnerGartner does bring stuff to the
table. Your need to interactwith them in the early days of
your company, unless you'reselling to the customers that
they're advising, I would sayyou should be working on other

(29:37):
stuff, gaining momentum, thebusiness, and things like that
because they're not really gonnahelp you if your customers
aren't paying attention to them.
As you get bigger and you dostart getting into the
enterprise and maybe you dobecome part of a competitive
category, that's when they get alot more useful because you can
talk about how you stack up andtalk to them about how customers
perceive you and and things ofthat nature, and that can be

(29:57):
really useful. So, yeah, bothorganizations, I think, are are
pretty unique in their own waysand useful in their own ways. I
think if I had a, a free to useversion of photography, I might
go to sans conferences orsomething like that to show
people how to do the newarchitecture for network
security. If you think networksecurity is going direction that
I think it's going, then, youknow, you might want to check it

(30:20):
out.

Marty, you mentioned Snort a couple times,
and I'd love to dig in a littlebit on Snort. And before I do
that, in our last episode, wetalked about Tenable's journey
and how Tenable was built on topof an open source project called
Nessus. Sourcefire similarly wasalso built on top of an open
source project called Snort,which you referenced, which was
an open source IDS IPS solutionthat you created back in 1998.

(30:43):
Now Tenable decided tocommercialize Nessus and make it
proprietary software, but youchose to keep Snort open source
throughout. How did you figureout a way to monetize free
software, and what lessons didyou learn about commercializing
open source that still hold truein today's world?
Because now we are seeing asignificant number of commercial

(31:05):
open source projects that arebeing created. And in today's
world of cloud, AI, and thisdirect to developer motion.

Well, so I think different approaches that, we
took with Smart versus, Tenableand Nessus to some degree are
driven by kind of the nature ofthe technologies. And what I
mean by that is that I thinkthat well, I gotta be a little
careful here because I don'twant to, say anything that's
technically incorrect. But Ithink that Nessus as an engine

(31:33):
kind of got into a certain shapeand didn't have to evolve as
much or as frequently as anintrusion detection engine,
would because of what it'sdoing. Right? It's it's
connecting to things andinterrogating them and running
through vulnerability managementdata and stuff like that.
Whereas, Snort, as attacksevolves, Snort had to evolve
with them. As evasions evolve,Snort had to evolve with it. As

(31:55):
the complexity of attacks on thenetwork evolves, the complexity
of smart detection engine had toevolve. So Snort was an evolving
piece of software that wasconstantly adding, like like,
really new functional featuresto it and incorporating new
ideas and things like that. So Iwould almost say it's more of a
living piece of software becauseit needs to because the pace of

(32:16):
innovation on it needs to be sohigh.
And I think that the problemthat Ron and the guys with
Nessus, you know, were havingwith, with Nessus was that it
was a relatively more staticpiece of technology that had
content as the primary driverand it was maybe a little too
too easy to adopt the engine andgenerate your own content, and

(32:36):
they just felt like they werehemorrhaging opportunity
essentially. With us, I believethat driving innovation into the
snort engine was the best way tokeep everybody's eyes on us
across the entire industry. Likeso everybody who's doing deep
packet inspection basedintrusion detection and
prevention, and even in the nextgeneration firewalls, I felt
that if we continue to drive thepace of innovation where you'd

(32:58):
be nuts to look at anything elseand give it away for free,
because don't forget that's notmonetizing necessarily the
engine. I'm monetizing solvingthe problem that people who are
using the engine have, andthat's different. So that's that
was the method to my madness,and and I was very emphatic
about it.
You know? Early on inSourcefire, when I was hiring
executives and things like that,I told them, we are going to

(33:18):
continue to develop Snort andgive it away for free and make
it the best engine we possiblycan and give all the innovation
that we put into it away forfree. And I don't wanna hear and
we're never gonna havediscussions about closing it
because that's not the gamewe're gonna play. We're gonna
monetize the fact that operatingsnorted scale is actually very
difficult. Right?
It's gotta be on appliances.They have to run at certain line

(33:41):
rates. They have to besupported. You've got this huge
curation cycle involved with allof this stuff, the content
that's driving the detections aswell as the engines themselves,
the back end managementplatform. That's what people
were paying for.
Right? So, you know, in anutshell, the things that people
were paying for in Sourcefiredays were scalability,
manageability, performance,automation, and support. Right?

(34:02):
Those were the things thatpeople were giving us money for.
Smart, we gave away for free.
But if you wanna make smartperform and scale, you had to
pay. And that was the the model.And, you know, and it worked. So
it's called the open core modelnow. It has a name.
And, yeah, more companies, areusing it. And open core models
and kind of similar approaches,maybe more tenable like
approaches where there's a freeto use version and then there's

(34:24):
a pay version are certainly muchmore common today. But, yeah,
back then they were veryexperimental, but I had real
opinions on it. I actually, thething that I spent the most time
figuring out how to startingSourcefire was what the business
model was actually gonna belike. Thought about it for maybe
4 or 5 months.
I have lots of advice fromdifferent people, what it should
be. Should it be, you know,should I do CD ROMs and try to,

(34:47):
get them distributed at, youknow, CompUSA? Should I, you
know, make, little consumer sizeappliances and try to get in the
consumer market? Should I do theenterprise model that I did? You
know, what should we, whatshould we do?
So, yeah. And none of thesequestions were, like, well
answered at the time. They wereall very speculative. And I I
sat there and I thought about,well, you know, what are are the

(35:08):
problems that people actuallyhave with this thing? And that's
that was the that's what becamethe Sourcefire business model.
Like, was sort of causesheadaches, Sourcefire is gonna
sell aspirin.

Talking about building a successful companies,
we know that resellers anddistributors account for a large
percentage of the of the revenueof, successful, public
cybersecurity companies. And Ibelieve in case with Sourcefire,
it did account for over orroughly 46% of the revenue at
the time of of its IPO. 1 of theinteresting data points that I

(35:37):
found when writing my book wasthat 9 out of $10 is spent on
via channel partners in theindustry. How did you get
comfortable with direct versusthe channel mix? And also, when
and how should founders engagechannel partners?

I got comfortable with selling to the channel as
the company matured. We startedout as a fairly direct company,
and we had a couple of kind ofchannel initiatives that went
okay, but not great until wereally kinda locked in on it in,
the 2008, 2009 time frame andcame up with a kind of a a
multistage graduated channelengagement model where, you

(36:13):
know, the more effort thechannel partner did, the more
margin they would get and stufflike that. So we came up with a
much more sophisticated channelmodel as time wore on. But, you
know, the channel gives youscale. Right?
If you're going to get salesscale, you really need to have a
an effective channel programbeyond a certain point because
you only have so many marketingdollars. You only have so many
people you can put in the fieldto go find deals and things like

(36:34):
that. Channels have therelationships with the customers
that you wanna sell to. Theyknow where the deals are. They,
you know, might know about dealsthat you're never gonna find out
about.
So there's many advantages thatthey have. They also have the
working relationship and thetrust relationship with a lot of
these customers so they canreally smooth out your, you
know, your approach to a newcustomer. So I think that, yeah,

(36:56):
the channel can be really,really effective, but you have
to prove yourself in the marketto get their attention. There
has to be margin there that theycan take advantage of. You know,
if you are capable of doing onlygenerating $50 a margin for them
per deal, that's not veryinteresting.
Sourcefire would 1 of the planscould run a quarter $1, 000, 000
since they're getting 30 pointsof margin on it. That's pretty
good day. Right? And if theysell 1 of those or if they sell

(37:17):
10 of them to some bigenterprise and all of a sudden
you're talking some real dollarshere. So getting their attention
requires you to be able to throwoff enough cash essentially so
that they're getting paid.
If 50 points margin is only $50,nobody's gonna be interested.
But if it's $50, 000,everybody's gonna be interested.
So that's the, that's the realthing. But, yeah, to an
entrepreneur in the early days,probably, you're not gonna get

(37:41):
the channel's interest untilyou've got a sufficient amount
of, sales volume that they see.Okay.
This is a a real repeatable, youknow, product market fits there.
They've got a repeatable salesmotion. We can take them to our
our trusted customers and engagewith them. And, you know,
they've got a supportorganization that can support us
both from a a sales enablementstandpoint as well as a a tech

(38:02):
support standpoint. They've gota a well developed, sales
engineering core that can dig inon the the technical questions
that arise, all those kind ofthings.

You know, the the only question I had, Marty, as a
as a follow-up there was, isthere a specific number of
customers or a specific revenuedollar that you'd say is
necessary, and at that point,you should start engaging
channel?

I would say probably the right time to do it
is when you're becoming capacityconstrained. So 1 of the ways
you can look at your yourselling is are you capacity
constrained or are youopportunity constrained when
you're in the market? If you'recapacity constrained and you
don't have the ability,especially, to grow into the
capacity that you need to havebecause you don't have the cash

(38:45):
or whatever, that's a perfecttime to go engage the channel.
This is at a certain size,probably somewhere between 5 and
10, 000, 000 ARR if you'reselling a, you know, an ARR kind
of revenue model. That'sprobably when these guys are
gonna start engaging.
We're already in the channel. Wealready have channel partners
that we're working with, andwe're still relatively small.
But once again, everybody knowsus, so they're willing to work
with us out of the gate. Theyknow that we know how to run a

(39:06):
real channel program. I thinkthe for the the first time
entrepreneur, you know, gettingthe the company up to a certain
revenue level, like, probably atleast 5 to 10, 000, 000 before
you go try to engage the channelis, is important.
And at that size, you should ifyou're becoming capacity
constrained because your demandis extremely high, that's

(39:26):
probably a good, time to goengage the channel. But if
you're capacity constrainedbecause I only got 2 sales guys
and I can only, you know, makeso many phone calls a day, Maybe
maybe less so, right, until youget to a certain revenue cliff.

But let's spend a little time on the Cisco
acquisition. I know that was, atthe time, 1 of the largest
acquisitions that had happenedin cybersecurity, almost $3,
000, 000, 000 You were growingat a phenomenal clip. You had
created a new category. All ofthat is public. But what is not
quite available to the benefitof our audience is what

(40:01):
happened?
How do these exit negotiationsoccur? What happens? How long
does it take? What are the upsand downs? Can you walk us
through some of the behind thescenes there?

Sure. Yeah. So that was a very interesting time
in the industry. A lot of thingswere going on. So this is at the
beginning of 2013 is when allthis got rolling and there have
been a kind of there were a fewexternal things going on and
there were some internal thingsgoing on at Sourcefire.
The external things going on andthere were some internal things
going on at Sourcefire. Theexternal things that were going
on was the emergence of PaloAlto as, next gen firewall

(40:31):
company and leader, as well as,FireEye doing this kind of, you
know, quote unquote signaturefree malware and attack
detection. And, they were bothdoing things that we were doing
in different directions. Theywere both extremely well funded
companies. There were noexpectations of profitability
anytime soon for either 1 ofthem.

(40:52):
I think at the time, Palo Altowas spending 97¢ for every
dollar that it brought in on goto market. I mean, it was insane
how much money these guys had attheir disposal and how freely
they could operate as a resultof that. And, same thing with,
FireEye. They had theirappliances doing malware
detonation and things like thatthat, you know, sounded good,
and everybody was really, havingthese kind of, very rosy

(41:16):
predictions that we wereentering the age of,
signatureless detection andstuff like that. And I was, you
know, a contrarian on that as Isaw off of them.
But, you know, in fact, thematter was that these guys were
operating in the market, andthey were competing. We were
trying to go to market with EDRand building our own next
generation firewall. So we hadkind of this 2 front war going
on at the same time that we'retrying to save the preeminent

(41:37):
vendor in the IPS space to toforge into these new fields
against companies despite thefact that we were a public
company. I think we were doingin 2013, we were doing about
220, 000, 000 a year in revenueand grown at about 40%. And that
was good, but our profitabilitywas we were locked into our

(41:58):
business model.
So Wall Street had expectationsof our operating margins and
profitability and and stuff likethat. So I wanted to compete
with these guys because I knewwe were either gonna have to
compete with them or, you know,we were gonna have a problem. So
we're gonna have to free up cashto be able to go fight this new
2 front war in addition toworking our existing markets. So
on our earnings call beginningof 2013, I I told, Wall Street

(42:22):
basically that we were gonnahold our net operating margins
flat for this year instead oftrying to expand them and to
free up. I think it was, it waseither 12 or $16, 000, 000 to go
duke it out with these 2incredibly well funded new
companies.
So so that's what we were gonnado, and we were trying to figure
out how to juggle all of this atthe time. At the same time, I
had just recently gotten backinto the CEO seat at Sourcefire

(42:44):
because our, CEO that I, hadhired in 2008, gentleman named
John Burris, had, passed awaydue to cancer, unfortunately.
And he was a great mentor,really super solid guy. I still
remember a lot of his, a lot ofhis teachings and things. But,
unfortunately, he had passedaway, so I'm back in the in the
CEO seat of my company after,you know, 10 years of being out

(43:06):
of it, basically.
So that was going on. We had alot of uncertainty in the in the
business. And then, at RSA,actually, in 2013, we had some,
sit down meetings. This is inFebruary of 2013. We had some
sit down meetings with, ChrisYoung and the gang.
So Chris was the new GM of thesecurity business, and he was
really interested in the nextgen firewall work that we were

(43:26):
doing. And we had just enteredthe market with our own next gen
firewall built our own firewallfrom scratch, to run alongside
with the the IPS technology. Sothey were very interested in
that, and, you know, we came tofind out was that Cisco had
tried to build their own nextgeneration firewall, but it had
been kind of a flop. So theywere feeling like they were
being pressured by, by Palo Altoat the time to come up with a

(43:49):
better answer, and we were 1 ofthe only games in town,
essentially, to do that. So theystarted talking to us about
that, and we started talking tothem about what we were building
as well as our cool new EDRtechnology called AMP, and they
decided to engage.
So we went from the initialmeeting in February of 2013 to

(44:09):
announcing the acquisition inJuly of 2013. So pretty quick,
like, 6 months. And that'sreally quick for Cisco also, and
and it was a large deal. So,yeah, it was, it was really
interesting. And the dynamics ofdoing the deal, there are a lot
of pieces to the puzzle.
Once we determined they werereally interested in engaging,
we hired a banker, Catalyst, andthey were, you know, great to

(44:32):
work with. They did a a lot ofanalysis with us to figure out
if the deal that had beenoffered was was fair and what
kind of price expansion we weregonna have to have and things
like that if we wanted to growthe stock price. We were trading
at the time around $53 a share,and Cisco had offered us $76 a
share. So it was prettysubstantial premium on the stock

(44:53):
price. So we did all the mathand got all the bankers involved
and, you know, all that stuffand made the decision.
But it was a tough decision forme because Sourcefire, you know,
the business was a greatbusiness and we were doing great
things, but the company was suchan amazingly great place to work
with all the people that we hadthere and how gelled the team

(45:13):
was and just what a what a niceplace to work it was. You know,
the management team, we gotalong very, very well. We are
still friends to this day. And,yeah, it was just a it was a
very unique environment. Wedidn't really have politics
there.
We had a very outward focusedculture that was just focused on
building great products for ourcustomers and for competing as

(45:34):
hard as we could in the market,and that really kept people,
aligned with, with just beingsuccessful. So I was 1 of my
major kind of hold ups on doingthe deal or not. It's just it's
gonna change things. And when itdoes, you know, we're never it's
gonna be hard to recapture themagic. And that is, that has
proved to be true.

(45:54):
So, yeah, Sourcefire was, was avery unique animal, and getting
the deal done with, with Cisco,there's ups and downs. There was
all sorts of things in play, butit was kind of fascinating too.
I got to work with John Chambersdirectly. And, you know, he's an
industry legend himself, and hewas, you know, he'd be calling
me up at Saturday mornings andask me how the deal is coming
along and stuff like that. So,it was, it was really exciting

(46:17):
time.
But, yeah, there was, there weredefinitely the pros and cons to
it. And as an entrepreneur, whatI would recommend is, you know,
1 of the things that I say toalmost all of the entrepreneurs
that I work with when I'm,advising is you have to figure
out what your victory conditionsare. Like, what is success to
you? Is it IPO ing a company?IPOs are vanishingly rare for a
software company.
The NEA guys used to have, aslide that showed the odds that

(46:39):
you had of going from founder oftech company to funded to IPOing
or any exit to an IPO. I thinkthe the odds was of all
companies started that were techcompanies that produced a
business plan that put it infront of a VC, it's about 1 in
80, 000. And, you know, thoseare pretty terrible odds until
you look at the Powerballlottery odds, and then all of a

(46:59):
sudden, they're actually quitegood odds. So but you should
always figure out what yourvictory conditions are because
that will inform you when isenough enough. When can I say,
yes?
We did a great job. We did whatwe came here to do, and we're
ready to, you know, take itsomeplace else to the next
level, to another level, eitherIPO or take this acquisition
offer that's on the table andthings like that. So, you know,
when you look at a deal like thedeal that Barracuda guys put on

(47:22):
the table in front of us, thatwas nowhere close to victory in
my estimation. When the Ciscoguys came along and gave us a,
you know, 40 something percent,you know, boost on our, our
trading price, it was like,yeah. That's you can call that
success.
Also, 1 of the things that kindaground away at me in the
background as I was decidingwhether or not I wanted to take
this, you know, special magicalthing that I had built, sell it

(47:44):
to Cisco, was, don't be Yahoo.If you remember very famously,
Yahoo had a $40, 000, 000, 000offer on the table from
Microsoft and told them to gopound sand. And 2 years later,
they're worth, like, $4, 000,000, 000 or $2, 000, 000, 000 or
something like that. Don't bethose guys. That's always that's
always something you gotta keepin the back of your mind is
there is a failure option.
We can always screw this thingup later. Right? So that's the

(48:06):
the thing an entrepreneur alwayshas to also keep in the back of
your mind. Be humble. Right?
You have to have some level ofhumility. Is this going to
continue forever this way, orare there there potholes that we
could fall into? Are there, youknow, problems that we could
have that are insurmountable?That sort of thing. And when the
Cisco deal came along, it waspretty obvious that that was
victory.
We can be happy and a job welldone.

Marty, you spoke about investors and these
critical junctures of ofdecision making at Sourcefire
pretty extensively. You had 3quite big name investors on your
board at Sourcefire. You hadAsheem Chandna. And for context
for the listeners, Ashim joinedyour board before he had joined
Greylock. So he wasn't even a VCat the time that he joined your
board.
Then you had Tim Guleri, whowho's at Sierra Ventures, and

(48:54):
you had Harry Weller, who'ssince passed away,
unfortunately, but was at NEA atthe time. And all 3 of these
kind of big name VCs wererelatively early in their
venture careers when they joinedthe Sourcefire board. What was
it like working with the 3 ofthem? What did you learn from
them? What annoyed you aboutthem?

Oh, boy. Let's see. I gotta be a little careful
here. So, I never gotparticularly annoyed with, any
of them. I think the mostannoying thing that I ran into
on a relatively frequent basiswas kinda Silicon Valley
groupthink.
I remember very distinctly in2008 when the markets were
melting down and, you know, thewhole the Sequoia noted come out

(49:37):
about, you know, hard timesahead and things like that. We
went into a board meeting, and Ithink this is in November of
2008 or maybe October of 2008,something like that. We went
into a board meeting and, like,the VC board members, like, you
have to fire 20% of your team,like, immediately. We're like,
woah. What?
And, you know, we were like Ithink we were 400 people at that
time. It's like, we're gonnafire 80 people. I mean, we're

(49:59):
growing like this. Why why arewe firing all these people? It's
like, you just have to.
And, you know, we explained tothem very calmly, look, guys, we
are not at all and we're a 400person company, and we're, like,
a 100, 000, 000 in revenue or80, 000, 000 in revenue growing
at, like, 40 or 60%. Like, guys,we are not at all opportunity
constrained right now. We areabsolutely capacity constrained

(50:20):
with our ability to sell thisproduct. Like, nobody's taken
their foot off the gas from abuying standpoint. This is a
cybersecurity thing.
Like, let's all remember kids.Cybersecurity is plumbing. The
pipes are always leaking.Everybody needs security all the
time. So that's the, you know,the mindset, and we we did
ultimately fire, I think, 4people.
It was like, we just use it asan opportunity because it's

(50:41):
like, well, we gotta firesomebody, and there were 4
people. It's like, well, we'vebeen kicking these names around
for a while anyway, so I guesswe should just do that and call
it good enough. So we did. And,yeah, that you know? So the the
group thing thing is, issometimes a problem, but, you
know, a lot of times they'rewilling to be reasonable,
especially if you back it upwith numbers.
You can show them No. No. Thisis actually not of a problem for

(51:03):
us. Although independent of, youknow, what we were saying and
how the business was doing, ourstock did bottom out below $4 a
share in, in November of 2008.You know?
So $3.89, I think it was. And,you know, a year later, we were
trading at $26 because we keptbeating and raising every
quarter. So anyway, yeah, it wasreally the boardroom was pretty

(51:24):
interesting. Harry was awesome.He was a believer.
He was the kind of VC you wantthat really believes in your
vision and really believes inyour believes in you and what
you're saying, what you'redoing, and how you're doing it.
He may not understand it a 100%,but his level of enthusiasm and
just support was phenomenal. Timwas, pretty early. He was, he
was a true believer right fromthe beginning. They actually

(51:45):
found me at the, RSA show, Ithink, in 2002.
We did our first booth there. Wehad a 10 by 10 booth with a big
pig on the backdrop, and, youknow, we had this big crowd of
people standing around us, andwe clearly had no idea what we
were doing. You know, we had rawappliances just sitting there on
the, you know, on the table infront of people and just, you
know, show them what it could doand our crappy gooey and stuff

(52:07):
like that. But he saw the crowdand he started asking around and
realized there was anopportunity here. And he was
very enthusiastic investor.
Ashim came in a little bitlater, but he was, you know,
with his background in,marketing at, at Checkpoint, he
was seen as somebody who'dreally help us flesh out the,
the marketing story, and he wasgreat too. A lot of great

(52:28):
insights, a lot of great accessalso. He knew everybody, so that
was always really, nice to haveas well. Yeah. So it was very
interesting and we were all alot younger.
I mean, this was 20 plus yearsago now. So, it was a very
interesting group of people, butthey were generally very
supportive and, you know, a lotof enthusiasm for what we were

(52:50):
doing and, you know, when Iturned out to I think I think
everybody around the tableincluding me felt a lot smarter
when it turned out I was rightabout my business model. So,
yeah, I think, you know, nothingsucceeds like success. And, as a
great group of people, they letus operate, for the most part.
So there's always gonna beannoyances in boardrooms, you
know, people who, you know,depending on where they come
from, their their background,whether or not they've been

(53:12):
responsible for operationalprofit loss and things like
that, they can be more or lesshelp in different areas.
You know, you've always gottapay close attention not just to
who's gonna be in yourboardroom, but what their
backgrounds are and where theycome from and kind of the the
types of help that they're gonnabe able to give and things like
that. But, yeah, great group ofpeople. We had really great luck
in the the the early to middleages of the Sourcefire board.

(53:34):
Just very talented investors onaround us.

So the lesson there, Marty, is that
avoid groupthink, especially ifit comes from Silicon Valley.
And I think you have a uniqueadvantage when you're based in
the DC area. I think you and Ronboth avoided the Silicon Valley
Group thing very elegantly. 1interesting data point about
capital is that at Sourcefire,you raised 4 rounds. And before

(53:57):
going public, you consumed only$35, 000, 000, 000 In fact, $20,
000, 000 was still in the bankat the time of going public.
And here at Nerdgraphy, 20 yearslater, your Series A is like
$45, 000, 000 Very differentnumbers, very different times.
You know, 2 decades have passedby. What are some observations
about the flow of capital? Whatadvice do you have for founders

(54:18):
in these times?

Yeah. Well, Sourcefire was incredibly
capital efficient, amazinglyenough, but things were pretty
different back then. So thecompany got going right after
the tech bubble bursts, whichwas kind of fascinating because,
you know, the down times is whenpeople get hungry again. And the
good times is when people get,complacent and, to some degree,

(54:39):
when the money is out there,they'll, you know, they'll want
it. So the team that we had,especially in the early days of
Sourcefire, very famously, thecompany's management team was
largely solidified by year 2 ofthe company and stayed with the
company for the full ride.
So it was, it was reallyinteresting team and that we got
the team right almostimmediately out of the gate,

(55:00):
which is very, very difficult todo. Yeah. On the on the money
side of things, the capitalefficiency that we had then is
very difficult to replicate nowbecause this company started
right at the tail end of thelast boom period. So and I
shouldn't say it started. Ishould be a little careful about
that because it started a fewyears before that.
But when I came on board, it wasright at the tail end of 2021,

(55:20):
and people were very expensivein 21 and 22. There's inflation.
We're operating in AWS now, soour ongoing operational costs
for, you know, providing ourservice are always there. You
can do much more, you know, whenyou're selling appliances. You
buy what you need, and you putthem together, and you ship them
out to customers.
You get margin right away. Wehave to have all this reserve

(55:41):
capacity at Amazon in case 1 ofour customers blows up or
something like that. So we endup with you're paying a $100,
000 a month for your Amazonbill. You know, that's just an
expense that's baked into the tothe business. Also, you know, in
the early days of Sourcefire,when I I hired my first CEO, I,
at the time, was only payingmyself, like, $75, 000 a year.
So he basically set a flatsalary cap for all the c level

(56:04):
people at the company of a 150k, and that was it. So everybody
was, like, at this level, andwe'll start giving raises and
getting people to more marketprices as we're successful or
not. And now, like, people haveexpectations that are well
beyond that. Nobody nobody wantsto be well, you know, they're
working from home, and if theylive in San Francisco, they're
gonna want a different salarythan, you know, if they work in,

(56:26):
Columbia, Maryland or, you know,Annapolis, Maryland where I am.
So that also kinda weighs on itas well.
So, yeah, the expenses, they'revery different expense model
now. People are much moreexpensive as well. The marketing
is much more advanced, but alsocommensurately, expensive
whether or not the marketemerges for you. So, yeah, the
the expense load seems to bemuch higher than it ever was in

(56:48):
the original days, but I thinkthat's you know, the market
economics are different now, andthe tooling that's out there is
different and things like that.We didn't have Salesforce when I
was getting going, and now wedo.
And, you know, we pay 1, 000 ofdollars a month for that, so on
and so forth. But you gottaspend money to make money, and
that's, you know, how you gainefficiency in these businesses
these days where we can havefewer people doing more things,

(57:09):
and that's the the theory of it.But sometimes it works better
than others.

Thanks, Marty. So having covered the past and the
present of building companies,let's place our hand on the
crystal ball. And and in ourlast question, let's briefly
talk about the future. You'vebeen in the industry for quite
some time. You've been aroundfor over 2 decades, enough to
witness several generations ofcompanies, a variety of
geopolitical developments, anddifferent cohorts of

(57:38):
practitioners and entrepreneurstrying to move the industry
forward.
What do you think security isgoing to look like 10 years from
now? And finally, what futureshould the early stage
entrepreneurs be preparing to inthis AI first world?

Well, 1 of the things that having, 20 plus
years in the security industryand, longer than that involved
in the tech industry has taughtme is that, we always have to be
careful about, you know,straight lining approximations.
You know, 22 points 2 datapoints is not a trend make. So
AI is ascendant right now, butwe all have to remind ourselves

(58:13):
that AI has been ascended manytimes over the past 40 years.
And, you know, there's a termcalled AI winter, which was
coined after, several rises andfalls of AI. I remember when I
was in college, 1 of my computerengineering professors working
on expert systems, which is whatAI you know, you couldn't call
your stuff AI anymore.
It had to be called expertsystems because you couldn't get

(58:33):
funding for AI because I'mbecause we were in a AI winter.
Alright. So that said, I thinkthat, you know, in the future, I
would like to think that thereare going to be fewer security
companies, but it's hard to seeit incentivized at all except
for by the smoking craters leftby security companies that have
failed and kind of the barriersto entry, to this industry,

(58:56):
which are quite frankly few. Sothere's that. I think that, you
know, the cloud's with us tostay, so you're gonna have to
build for the cloud.
But there's a whole world outthere of things that aren't the
cloud that you need to consider.So, you know, 1 of the things
that we do at Netography is webring together a composite view
of your multi cloud world plusyour on prem IT and OT world.

(59:18):
Right? Really cool. Nobody'sever really pulled that picture
together before.
So while, you know, we are kindof cloud first with what we do
or cloud hosted, in fact, weremember that there is an on
prem world. We remember thatthere is an OT world. And, you
know, you also have to remembera lot of the security
technologies and approaches are,are cyclic as well. So I kinda

(59:40):
joke around and say, you know,it's 1995 in the cloud. What I
mean when I say that is that,most cloud security is access
policies and some lightfirewalling and a lot of, you
know, host based securityessentially.
Agents log analytics is the vastmajority of, cloud security
these days. And to some degree,everybody forgot about the

(01:00:01):
network, but, you know, I thinkthey forgot about the network
because the tooling that was outthere was the architectures were
incorrect and that's kind of ourwhole our whole thing. But yeah.
You have to you know, as you'rethinking about what the security
industry is gonna look like andand things like that, if you
look backwards, you'll see thethe trends. You know?
When I was getting going, withSourcefire, there was a big,

(01:00:21):
resurgence in endpoint security,like Okina and things like that.
And then IPS came out, and IPSeventually morphed into next gen
firewalls, but then we sawadvanced persistent threats
become a thing. And APTs werereally best addressed by
endpoint defenses once again. Sowe saw the emergence of EDR or
swing the needle back towardsdefense on the endpoint. Then we

(01:00:43):
saw everybody go to the thecloud and then all of a sudden
log analytics get importantagain.
And we see vendors like Splunkexplode as everybody's trying to
instrument their networks to beable to look or, you know, their
enterprises to be able to pullall the logs together and things
like that. So these things kindawax and wane as time goes on,
and that's just gonna keephappening. This kind of 3 legged
stool of the network, the thework load slash device slash

(01:01:05):
whatever the, you know, thisthis endpoint processing, that's
going on and then, you know,looking at all the logs that are
produced by things. And, I thinkthat's just gonna keep going. We
have interesting, I would say,revolutions or unlocks that
happen as a result of largertrends here like AI is 1 of
them.
The cloud has actually beenreally interesting because EDR

(01:01:27):
was possible because of thecloud. You couldn't do EDR until
cloud existed. Once the cloudexisted, you unlock the ability
to do EDR. 4 or 5 years afterthat, you saw the first, cloud
based log management platformsand SIMs and things like that,
like, Sumo Logic, they emerged.And then the network didn't show
up really until, and this is,you know, me talking my book,

(01:01:47):
until photography showed up.
Like, nobody ever tried to doit, but, you know, the clouds
unlock the ability forphotography to exist by letting
us take this, you know, thismetadata driven model and make
it happen. So is AI gonna beanother 1 of those unlocks that
produce a new wave of securityvendors that are built on
capabilities that are unlockedby, AI. I think the jury's out.
Everybody wants you. Like, ifyou wanna be taken seriously by

(01:02:11):
investors right now, you gottaput AI somewhere in your pitch.
So everybody's definitely,everybody's definitely trying to
figure out ways to to make itrelevant whether or not it is.
You know? It would be nice tospeak English to my product and
have it spit out my proprietarylanguage, for example. It'd be
nice to have it summarize myevents in a human readable
format so you don't have toactually, understand IP
addresses, important numbers,and things like that on 1 hand.

(01:02:33):
But on the other hand, theamount of cost that's involved
to be able to provide thatcapability is is different.
So, you know, where is that costgonna exist in these model, in
these business models, and allthat stuff's gonna have to be
worked out. But I would saythere there's probably some
unlocks coming from LLM, youknow, the the emergence of LLMs,
and it's not just chatbots, but,you know, being able to use
products more intelligently andmore intuitively that are gonna

(01:02:55):
be unlocked by AI. Then you getto the other things that we can
do with it. So, you know, AI isbecoming more and more advanced,
but I look at my product forexample. So today, we are
aggregating across all of ourcustomers trillions of data
points a year, trillions.
And so you'd have to be insanenot to look at that and say, oh,
there's an AI application there,I bet you. And there probably
is, but think about all themoney that's gotta be spent to

(01:03:17):
train a model. I can look acrossall this data and, like, detect
detect weird, detect bad,detect, you know, the things you
wanna detect, and then curatingthat model on an ongoing basis
and things like that. And is itworth it? Is it worth spending
all that time and money?
Is it gonna give us uniqueinsights that can't be gotten in
other ways? That sort of thing.And everybody's gotta be asking
this question because people arereal sloppy about how they use

(01:03:40):
AI, and I know you're all awareof this. People are very sloppy
about how they apply the wordsAI and ML and things like that
to what their products canactually do. You know, if your
AI is a data center in India,you know, and for some
companies, it absolutely is.
It's putting the lie to theentire industry. It's basically
making the entire industry lookbad because then you've got, you

(01:04:01):
know, kind of this, noiseproblem that everybody has to
try to break through where whereyou gotta get through the noise
floor of all these companies orthe majority of these companies
are in spinning, you know, justpure fantasy. And then there's a
small number of companies thatare actually executing,
providing things of real value.Yeah. So I don't think, you
know, I don't think thenetwork's going away.
I don't think malware's goingaway. I don't think ransomware's

(01:04:21):
going away. I don't think badactors are going away. Maybe we
have some nation state levelstuff that goes on where, you
know, it becomes much morefinancially or physically costly
to mount these cyber attacks.You know, maybe the government
gets into it a lot more thanthey are right now.
That'd be interesting to see.But, you know, the thing that
you can depend on is that, itwill definitely look very

(01:04:41):
different in 10 years than itlooks today just like 10 years
ago when we were just, cloudadoption was on the rise. But,
you know, the trends that werereally, I think, unlocked by
the, by the pandemic of remotework and work from home and more
motion to the cloud and andthings like that and these much
more dispersed networkenvironments. I think all of
those things were driven by theemergence of the pandemic. So,

(01:05:04):
you know, you never know whatthe the actual triggers are
gonna be for these things aswell.
So something could come alonglike aliens coming out of a UFO
or something that say, oh, wehave much better ways of doing
networking than you guys thoughtof. Maybe that's what Ron was
trying to tell me when hemarried that woman who went to
Canada.

Mahendra Ramsinghani (01:05:17):
You know, Marty, I know the industry is
glad for sure that you and Rondid not end up chasing UFOs.
Both of you have built iconiccompanies, decades of your life
have gone into building productsthat have helped millions of
users worldwide. And, you know,we wanna thank you for your

(01:05:39):
service and inspiration that youprovide to founders. Building
companies, raising capital,building teams is not easy.
You've done that once and nowyou're back at it again.
So that shows that you're, like,persistent, and they will
continue to play this game for along time to come. We certainly
look forward to have you and Ronagain maybe to just discuss the
UFO part. Wonderful.

Marty Roesch (01:06:02):
Absolutely.

Wonderful. Thank you so much, Marty. Thank
you for your time. We reallyenjoyed the conversation today.

Marty Roesch (01:06:07):
Oh, I enjoyed it too. Thanks very much. I should
give a shout out to Ron's wife,Cindy. That woman's actually her
name is Cindy. She's a lovelyperson.
So I don't want her to beoffended that I didn't mention
her. But, yes, thanks very muchfor the opportunity today. I
appreciate it. It's a lot of funtalking to you guys.

Sid Trivedi (01:06:21):
Thanks, Marty.

Ross Haleliuk (01:06:21):
Thank you, Marty.

Thank you for joining us Inside the Network.

Ross Haleliuk (01:06:26):
If you like this episode, please leave us a
review and share it with others.

If you really, really liked it and you
have some feedback for us, wrapit on a bottle of Yamazaki and
send it to me first.

No. Don't do that. Mahendra gets too many gifts
already. Please reach out byemail or LinkedIn.

All Episodes

Episode Transcript

Popular Podcasts

Dateline NBC

24/7 News: The Latest

Therapy Gecko

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Marty Roesch: Scaling Sourcefire and creating a new way to monetize open source security software

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Dateline NBC

24/7 News: The Latest

Therapy Gecko

All Episodes

Marty Roesch: Scaling Sourcefire and creating a new way to monetize open source security software

Dateline NBC