Analysis of Cisco’s Acquisition of Sourcefire

By | July 23, 2013

Today Cisco announced they are acquiring Sourcefire in what can be seen as an inevitable event. What does this mean to the security industry? It means the party is over for Snort while Cisco becomes an honest player in the security market.

The Inevitable Acquisition of Sourcefire

Ever since Checkpoint’s failed acquisition of Sourcefire in 2005, it was clear to everybody who paid attention to these things that Sourcefire would be acquired. What is surprising is how long it took to get there.  After the Checkpoint debacle, Sourcefire walked away looking a little like that weird kid that overbearing Uncle Sam will not let play on the playground.  Checkpoint walked away with a huge Israeli flag in their hat as if to remind everybody “they ain’t from ‘round here.”

Sourcefire soldiered on, but it was merely a matter of time before somebody acquired them.  Their technology has always been good and they have a very loyal following. However, it is that loyal following that has caused them troubles.

Rise of the Planet of the Pigs

Sourcefire rose out of the Snort open source intrusion detection system/intrusion prevention system (IDS/IPS).  Snort has always been a widely respected IDS/IPS engine.  Back in the early days of the IDS wars (circa 1998-2002), Snort had legions of devoted followers who would accept nothing short of the divine purity of Snort.  In some ways, Snort was the first cult brand of the security industry, something others have attempted to emulate.

However, in Snort’s case, their IDS engine was a pretty remarkable technology (at the time). Snort entered into a battle with the early commercial IDS engines from the likes of Mantrap, Network Flight Recorder, BlackICE and a bunch of other names that have long since disappeared. When Sourcefire emerged as a commercialized version of the beloved open-source technology in 2001, the ground shook for the Snort faithful. Would the wheels of capitalism corrupt the elegance of Snort?

Surprisingly, the opposite happened.  Sourcefire taught the world how to successfully transition from open source to commercial without infuriating the zealots.  Sourcefire, and their leader Martin Roesch, kept Snort alive and developed Sourcefire in tandem.  Sourcefire consistently went to market with the message that Snort was Sourcefire and vice-versa.  This was a daring move, but it paid massive dividends in earning trust with their client base.

However, not everything was unicorns and rainbows. Sourcefire’s early products were slow and buggy. Without a dedicated hardware supplier, they were highly dependent upon a shifting set of OEM suppliers, which led to persistent quality problems with their early appliances. Their sales channel program has never been good. I speak from direct experience when I say that Sourcefire made some epic blunders in their attempts to engage the channel.

In turn, Sourcefire has struggled to be a big player in the IDS/IPS market. While they had strong sales in government, they were never able to break into the commercial market at the same level as TippingPoint, McAfee, Cisco and even old Internet Security Systems (ISS).

The Fall of the Snort Empire

Then in about 2009, the IDS/IPS market began to stagnate and implode. The rise of UTM and now NGFW began consuming the market. IPS makers shrank and disappeared. IBM gobbled up ISS and left it to rot on the back porch. TippingPoint, once the darling of the industry, became stale and outdated, with HP finally consuming it and treating it like an unwanted stray. Juniper left their IDS product to become a laughable mess. Cisco’s IDS/IPS has never been a serious contender. All of these players lost market share to the likes of Fortinet, Palo Alto and, oddly enough, Checkpoint.

Sourcefire too became a victim of the great UTM/NGFW migration.  Sourcefire was the last man standing in a battle where the others had simply become too tired to fight any more.  Although Sourcefire enjoyed near universal acclaim for their IDS/IPS products and routinely won NSS labs bake-offs, this was not enough.  The great migration was happening.  Sourcefire’s late entry into the NGFW market last year has been largely a failure, with virtually no marquee accounts to speak of.

I, For One, Welcome Our New Cisco Overlords

Now comes Cisco, finally, snapping up the Sourcefire product line in what was an inevitable purchase. Cisco really was the only place for Sourcefire to go. Juniper cannot afford their janitorial service, let alone Sourcefire. HP has that TippingPoint albatross around their necks, so they were out of the question. McAfee already has too many IPS products. Fortinet did not need or want them. Dell was a possibility, but they are too busy going private.

The good thing about this acquisition is that Cisco may actually do something interesting with Sourcefire.  The idea of a Sourcefire infused ASA appliance is intriguing.  This puts Cisco back into the security market.  Sourcefire is an excellent product and Cisco really does not need to do much to keep their quality alive.

Cisco has also demonstrated, lately, that they can handle security products maturely.  Their consumption of Ironport a few years back was thought to be the end for that product.  Surprisingly, Cisco managed to keep Ironport alive, and did not spoil it.  Ironport is still a fairly competitive product in the email security market.

Advice to Sourcefire Customers

This is not good, but it is not all bad.  There are much worse things that could have happened to Sourcefire. Do you see that BlueCoat/Tripwire/Solara/Thoma Bravo monster in the corner of the room? Be happy it did not eat Sourcefire.  If it did, it would be horrible.

However, Cisco is not exactly a dynamic, forward-thinking security firm like Sourcefire was.  They are a milker and they are going to milk the life out of Sourcefire.  Some of the things you love about Sourcefire will disappear once the Cisco monster fully consumes them.  I would wait for the Ciscoized version of Sourcefire before I invest much more in Sourcefire.  And if you are thinking of dumping Sourcefire, there is no time like the present. Now is a good time.  Besides, you should be investing in UTM/NGFW anyway.

Yet, there is much to be happy about as well. Cisco could definitively solve Sourcefire’s hardware problems, which have plagued them forever. Moreover, the prospect of Sourcefire infused into other Cisco products is promising.

As for Snort?  Kiss it goodbye.  Cisco is not going to give Snort much attention.  To their credit, they do not need to.  The Cult of Snort has pretty much died off.  Whatever is left of it has nowhere near the voice they did a decade ago.

Advice for Cisco Customers

Great, now the Cisco VAR has yet another thing to bug you about.  The real winner here is state government.  Every state in the country has some big, impenetrable Cisco contract where they can buy everything.  Having Sourcefire on that linecard will be a nice addition.

As for the rest of the Cisco customers – there is hope. This is another thing they can procure through their current Cisco channel, but will they even want to? In all honesty, neither Cisco nor Sourcefire is the way to go right now anyway. While Sourcefire makes an excellent IDS/IPS, the market is all UTM/NGFW and neither of these players is a leader in that market. You too need to push Cisco to make Sourcefire into something cool. Do not let Cisco just sell you another box; demand something better.

Advice to Cisco

We know you are going to do it, so just do it. Kill Snort and let it fork off to some other open source project.  Do not placate us with phony concern for the future of Snort. We know you are going to kill Snort and we all need to just pull up our big boy pants and get on with it.

Also, lock the ASA people and the Sourcefire people in a room with a Palo Alto Networks and a Fortinet box and do not let them come out until they produce a NGFW that is actually competitive. You have a GREAT detection engine now, arguably the best in the world. Now use it to make something cool. Give Palo Alto, Fortinet and Checkpoint a serious competitor.

Lastly, will you both go out and find some UI developers from this century? Seriously, Cisco’s GUI developers are all stuck in the ‘90s. They have never advanced beyond Windows 95 file trees and drop-downs with big ugly “SUBMIT” buttons. Sourcefire, you are no better. It is 2013, will you please go find an HTML5 developer who is not high on dope? You employ a hundred and fifty zillion people, surely there is one decent GUI developer out there?

Conclusion

This acquisition was inevitable. It is not that disruptive; however, it does bring to a close the dedicated IDS/IPS market. Hopefully, Cisco will Ironport Sourcefire to success.

12 thoughts on “Analysis of Cisco’s Acquisition of Sourcefire”

  1. Thelma

    Thanks for finally talking about > Analysis of Cisco’s Acquisition of Sourcefire | ANITIAN Blog < Loved it!

  2. Njr

    I know this discussion is a bit old, some points are very well said but I might disagree with others:

    First, Cisco has its Next Generation ASA5500-X for more than a year now. It has application visibility just like PAN, including IPS and dynamic url filtering provided by Cloud based Scansafe and botnet detection and ATP provided by ironport senderbase.

    Secondly, Cisco already had the biggest market chunk for IPS due to its huge Channel Partners and tremendous market penetration with its one single support contract. And essentially you can find Cisco IPS in all flavors (network switches, routers, firewalls and standalone appliances).

    Third, Cisco has opensource stuff in a lot of their products, where I will mention a few: anyconnect has portions of opensource and clamAV was part of the retired CSA software.

    If sourcefire will be plagued by the same old acquisitions Cisco made in the past? Well, that’s another story. Cisco, like any other major brand is all about numbers. I remember in 2009, MARS was in the Gartner’s leader quadrant and a year later Cisco retired it. CSA was a great product, but too hard to sell (simply too expensive).

    The IPS market is suffering a slow death due to the latest advanced hacking techniques. Some ppl are talking about NGIPS, so maybe acquiring Sourcefire and its big and incredible team of Security Engineers is Cisco’s next step for the next big thing. Or at least I hope so. Cisco providing hardware expertise and injecting tons of money, you don’t need to be an optimist to think what’s gonna happen.

  3. Mountain Biker

    I gave up on Chuckpoint before the failed SourceFire acquisition debacle and washed my hands of Cisco even earlier (and, companies like Axxent after $ymantec’s acquisition). History tends to repeat itself…

    Other vendors have successfully eaten Cisco’s lunch across the board for years. They’ve acquired, butchered, were slow to integrate or outright ignored so many products acquired over the years: firewall, content filter, SSL VPN, and wireless (super ugly in the early days) to name a few.

    Cisco gave away enough VOIP gear early on to gain a foothold/bulldoze and ironically has now moved into server box pushing (of all things! After two decades of value add this and we will steal your customers even though we say everything goes through the channel that…).

    They should look up Carly Fiorina and bring her in to sell printers and cameras to the masses.

  4. Eugene Johnson

    I’m surprised there was no mention of Cisco’s purchase of Meraki about a year ago that has doubled in size and has a very competitive UTM and they already were licensing sourcefire in their hardware.

    1. Andrew Plato Post author

      I know of a total of zero companies using Meraki. Their market penetration is still quite small. They are mostly known as a wireless company. Their UTM products, at least in my perception, are new. However, you are right, I should have mentioned them. I will give them credit for the “cloud managed” part of their product. This is an area I would say they lead in. None of the other UTM/NGFW makers have solid cloud management products yet. It will be interesting to see if Cisco merges ASA, Meraki, and Sourcefire into a cohesive product. Cisco does not have a real good track record of merging disparate technologies.

  5. Mike Crowe

    I wanted to add that there’s one more aspect of this you didn’t discuss – Sourcefire’s FireAMP product.

    After killing off CSA a while back, Cisco completely exited the host security market. This brings them back in a great way, and one that doesn’t overlap so heavily with incumbent players (McAfee, Symantec, etc). It also gives them a mobile security product, which could theoretically be merged with AnyConnect (no overlap). I’ll be interested to see what Cisco does with the Immunet client, which is a fundamental source of malware intelligence for Sourcefire.

    Also, I believe this is fundamentally a talent-based acquisition for Cisco. They’ve had a significant “brain drain” in security over the last several years. If they can keep them around, they just hired 400+ new people who have only been doing security, every day of the week, for quite a while.

  6. Mike Crowe

    Disclosure – I currently work for a large Sourcefire reseller/integrator. I do not, however, speak for my company in any way whatsoever. My stupid thoughts are mine alone.

    “As for Snort? Kiss it goodbye. Cisco is not going to give Snort much attention. To their credit, they do not need to.”

    Ideally, they’ll just let it continue on as it pretty much was with Sourcefire – as a side-project “labor of love” thing for the in-house super geeks. In fact, there’s no reason they shouldn’t do that – call it a concession, to help keep the talent around.

    “Lastly, will you both go out and find some UI developers from this century? … Sourcefire, you are no better.”

    Have you actually used the 5.x yet (ideally, 5.2.x)?? It’s one of the best native GUIs on the market now – even gives Palo Alto a run for their money on looks and usability. Cisco will benefit greatly from this – if they can keep those people around, rather than driving them away.

    “with a Palo Alto Networks and a Fortinet box and do not let them come out until they produce a NGFW that is actually competitive”

    Look – I’m probably a bigger Fortinet fanboy than almost anyone, but even I’ll admit that their GUI is still a steaming pile. It’s better than ASDM, sure – but it’s still not anywhere close to where it needs to be. As for PAN … they should probably spend some of that marketing money on getting the “firewall” part of “NGFW” to work worth a crap. Have you tried troubleshooting VPNs on that thing?? Ugh.

    I’m of the opinion that Sourcefire was well on their way to having one of the best NGFW products available, and were smart enough to downplay it for the time-being. They would’ve been fighting an uphill battle because they’re not seen as a FW vendor, and they were still missing a few key FW pieces. Things like VPN (tunnel or client/SSL), email security, and decent URL filtering – all missing or severely lacking. Cisco is in a position to help them close the loop on ALL of those, with a lot of that coming from their Ironport product line.

    I’d say the clock is ticking on the entire ASA product line, especially considering the reactions to the release of their CX edition. Night and day compared to the reviews of Sourcefire’s NGFWs.

    “Cisco has also demonstrated, lately, that they can handle security products maturely. ”

    Ummmm … no, not really. The Ironport acquisition was the one and only time they have completely destroyed whatever they gobbled up. The road is littered with bodies of their other victims (MARS/Protego, CSA, etc). And that’s solely because they did what everyone’s hoping they’ll do this time around – left them the hell alone. It appears they’re going to approach this in the same way IBM said they would handle Q1 Labs (and has thus far) – give the new guys anything and everything security-related, put the leadership from the new company in charge of it, and let them do what they do best. Then just bankroll the whole operation, and reap the rewards after the fact.

    I’d say there are a few more things to be concerned about for current Sourcefire customers and partners:

    1) Partners – Sourcefire significantly improved their channel partner programs, to the point that they’re one of the best out there. How the 800-pound gorilla of Cisco’s current channel program will change that is anyone’s guess.

    2) Customers – Sourcefire’s “open-ness” is probably their most fundamental, crucial philosophy along the way. Their willingness to open their door and show “how they do it” (read: their signatures), along with their open APIs, are truly unique. This is diametrically opposed to how Cisco has ALWAYS done business, and they’ve shown ZERO indication that’s changing – EVER.

    A quick look at Sourcefire’s technology partners page (read: integrating products) lists a few Cisco competitors, but not Cisco itself. Bradford Networks is for NAC – but Cisco ISE isn’t there. What a shock.

    This whole thing really could go either way. I’d say this is ripe for follow-up posts at 6, 12, and 18 months.

    1. Andrew Plato Post author

      Great comments, Mike. You raise a lot of good points and I have a few responses.

      Partners: I have direct experience being a Sourcefire partner. I agree their program got a lot better in the last few years. But, they are still a tough company to work with. They have minimal respect for smaller resellers and will take deals direct or hand them to a competitor on a whim. That reeks of desperation and it does not win you loyal partners. Cisco’s partner program is ridiculous for smaller players, but they are honest about it. As a smaller reseller, I know it’s utterly pointless to bid any Cisco work, ever. But Cisco does not hide that fact from anybody. They are brutally honest – the big guys will always dominate you, like it or lump it. I am more inclined to trust Cisco in an odd way because of that honesty. Sourcefire on the other hand acts like they care about their partners, but (in the past) was very deceptive.

      Cisco’s plans: It is important to remember that from a purely financial perspective, milking the life out of proven technologies makes more money than continuing to invest in them. So the real question is – how good will Cisco’s financials be for the next year or two? If Cisco maintains a strong financial position, then they will probably let Sourcefire be and may even let the Sourcefire people continue to contribute to Snort. But if Cisco’s numbers take a dive, then you can count on them squeezing Sourcefire to get every dime out of it they can. The more desperate Cisco gets, the more pressure there will be from their bean-counters to get maximum return on this acquisition.

      I am still of the opinion that this could be a really great union. But, you’re right there is plenty of concern for customers and partners alike.

  7. Kyrra

    It will be interesting to see what happens with Snort and ClamAV over the coming years. Seeing that Cisco does not do a lot of open source today, maybe they will try something different with Sourcefire (since the culture is already there). But we’ll have to wait and see what happens there.

    I’m interested to know what issues you have with the Sourcefire UI? Working with some of their older boxes, the colors/style were definitely… different. Looking at some of their new product offerings, they feel a little more up-to-date.

  8. Pingback: Log all the things | practically virtual

  9. sanitybit

    “Do not placate us with phony concern for the future of Snort. We know you are going to kill Snort and we all need to just pull up our big boy pants and get on with it.”

    Hopefully the “Snort community” will respond soon with a preemptive fork; if they sit around and wait for Cisco to slowly kill it, they likely won’t bounce back.

    “It is 2013, will you please go find an HTML5 developer who is not high on dope.”

    Wild goose chase.

  10. Señor Itchy

    Wow. This is one of the best pieces I have read in a long time. I love your blunt and direct style. There is so much truth in here.

    Bravo to you for saying what we all fear, that Cisco will kill off Snort. I think it’s pretty much a done deal now. Very sad, since Snort has been one of the few big success stories of the open source world. Cisco will probably go the Tenable route and close off the source and alienate all their users.

    Great work, Mr. Plato.
