Cisco is spending $2.7 billion to acquire network security specialist Sourcefire in an effort to bolster its stagnant security business with an infusion of talent and new customers.
Sourcefire is perhaps best known for a commercial version of Snort, an open source intrusion prevention technology that was created by Sourcefire founder and Chief Technology Officer Martin Roesch in 1998. The Columbia, Md.-based company has since expanded beyond intrusion prevention, with a firewall platform, a growing advanced threat protection business and a well-regarded vulnerability research lab that writes intrusion prevention signatures.
Sourcefire should immediately bolster Cisco's reputation and revenue in network security. "Sourcefire is growing revenue, and Cisco has been really challenged in security revenue recently," said Greg Young, research vice president at Gartner. "Also, in this heated market, a security pure-play vendor has a good reputation, so it's about revenue, security reputation and showing some commitment by Cisco in the security space."
Sourcefire's intrusion prevention and firewall technology has substantial overlap with existing Cisco products, but the company's discrete products were not the focus of this deal, he said.
Sourcefire's Vulnerability Research Team, which writes the signatures for its intrusion prevention and malware protection products, is the real prize. The engineers who work in such labs are hard to find and even harder to retain, Young said. "That's one of the reasons why Sourcefire's intrusion prevention is so good, because of the threat research capabilities that back it."
Integrating the Sourcefire team into Cisco will be essential. Roesch and other Sourcefire executives said they would be joining Cisco's security division. If Roesch stays with Cisco for an extended period of time, it would be a good indication of "how that cultural alignment is going to work out," Young said.
Chris Young, Cisco's senior vice president for the security and government group, affirmed the value of the Vulnerability Research Team in a corporate blog announcing the Sourcefire acquisition. He wrote that the team is "a group of elite security experts who work around the clock to proactively discover, assess and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities."
The Sourcefire acquisition "directly supports Cisco's strategy to constantly defend, discover and remediate threats -- with the ultimate goal of covering our customers before, during and after an attack," he wrote.
Product integration will be a long haul
Customers of Cisco and Sourcefire will be understandably nervous about the future of the two company's overlapping product lines.
"I'm a little saddened, because I like both [Cisco and Sourcefire's] products, and I feel this will be the start of the demise of one product line or another," said Willis Marti, chief information security officer at Texas A&M University. "Cisco doesn't do a consistent job of keeping the products it buys as going concerns."
Convergence of actual products will be less of an immediate focus, said Gartner's Young. Cisco will probably stay the course with its own firewalls, but Sourcefire's intrusion prevention technology is clearly superior.
Integrating security products is not easy. McAfee acquired Secure Computing Corp. in 2008, but McAfee never successfully integrated its own intrusion prevention products into the Secure Computing firewall products it acquired, Gartner's Young said. "And McAfee just [purchased] Stonesoft, another company that has intrusion prevention and firewalls."
The future of open source Snort
Since-deleted comments on Cisco's blog expressed concern about the long-term viability of the Snort open source project, given that the community has long been supported by Sourcefire.
In his blog post announcing the deal, Roesch wrote that Cisco has made a commitment to the open source roots of Sourcefire and to Snort. "We'll be able to more quickly innovate, develop and provide products and technologies that continue to solve your biggest security challenges. And not just for commercial and government solutions -- [Cisco is] committed to continued innovation and support of our open source projects too."
"Supporting an open source product is a hard thing to do, and an open source security product is a very hard thing to support, because there is not much going on in open source security today," Gartner's Young said. "The quality of the signatures in Snort is highly influenced by the Sourcefire research capabilities. There is a myth that the Sourcefire signatures are contributed by the [open source] community, but they are not. A very small percentage is community-contributed.
"If you look at [Cisco's] track record with open source, they will have to put in extra effort to deal with it. So Snort users are going to be nervous," he said.
Snort has the potential to compete with Cisco products; given Cisco's weak position in intrusion prevention prior to this deal, however, Gartner's Young noted that it has little reason to neglect Snort. The company would be better off by staying the course and keeping Snort alive and well, he said.