Today Cisco announced they are acquiring Sourcefire in what can be seen as an inevitable event. What does this mean to the security industry? It means the party is over for Snort while Cisco becomes a honest player in the security market.
The Inevitable Acquisition of Sourcefire
Ever since Checkpoint’s failed acquisition of Sourcefire in 2005, it was clear to everybody who paid attention to these things that Sourcefire would be acquired. What is surprising is how long it took to get there. After the Checkpoint debacle, Sourcefire walked away looking a little like that weird kid that overbearing Uncle Sam will not let play on the playground. Checkpoint walked away with a huge Israeli flag in their hat as if to remind everybody “they ain’t from ‘round here.”
Sourcefire soldiered on, but it was merely a matter of time before somebody acquired them. Their technology has always been good and they have a very loyal following. However, it is that loyal following that has caused them troubles.
Rise of the Planet of the Pigs
Sourcefire rose out of the Snort open source intrusion detection system/intrusion prevention system (IDS/IPS). Snort has always been a widely respected IDS/IPS engine. Back in the early days of the IDS wars (circa 1998-2002), Snort had legions of devoted followers who would accept nothing short of the divine purity of Snort. In some ways, Snort was the first cult brand of the security industry, something others have attempted to emulate.
However, in Snort’s case, their IDS engine was a pretty remarkable technology (at the time.) Snort entered into a battle with the early commercial IDS engines from the likes of Mantrap, Network Flight Recorder, BlackICE and a bunch of other names that have long since disappeared. When Sourcefire emerged as a commercialized version of the beloved open-source technology in 2001, the ground shook for the Snort faithful. Would the wheels of capitalism corrupt the elegance of Snort?
Surprisingly, the opposite happened. Sourcefire taught the world how to successfully transition from open source to commercial without infuriating the zealots. Sourcefire, and their leader Martin Roesch, kept Snort alive and developed Sourcefire in tandem. Sourcefire consistently went to market with the message that Snort was Sourcefire and vice-versa. This was a daring move, but it paid massive dividends in earning trust with their client base.
However, not everything was unicorns and rainbows. Sourcefire’s early products were slow and buggy. Without a dedicated hardware supplier, they were highly dependent upon a shifting set of OEM suppliers, which lead to persistent quality problems with their early appliances. Their sales channel program has never been good. I speak from direct experience when I say that Sourcefire made some epic blunders in their attempts to engage the channel.
In turn, Sourcefire has struggled to be a big player in the IDS/IPS market. While they had strong sales in government, they were never able to break into the commercial market at the same level of TippingPoint, McAfee, Cisco and even old Internet Security Systems (ISS).
The Fall of the Snort Empire
Then in about 2009, the IDS/IPS market began to stagnate and implode. The rise of UTM and now NGFW began consuming the market. IPS makers shrunk and disappeared. IBM gobbled up ISS and left it to rot on the back porch. TippingPoint, once the darling of the industry became stale and outdated, with HP finally consuming it and treating it like an unwanted stray. Juniper left their IDS product to become a laughable mess. Cisco’s IDS/IPS has never been a serious contender. All of these players lost market share to the likes of Fortinet, Palo Alto and, oddly enough, Checkpoint.
Sourcefire too became a victim of the great UTM/NGFW migration. Sourcefire was the last man standing in a battle where the others had simply become too tired to fight any more. Although Sourcefire enjoyed near universal acclaim for their IDS/IPS products and routinely won NSS labs bake-offs, this was not enough. The great migration was happening. Sourcefire’s late entry into the NGFW market last year has been largely a failure, with virtually no marquee accounts to speak of.
I, For One, Welcome Our New Cisco Overlords
Now comes Cisco, finally, snapping up the Sourcefire product line in what was an inevitable purchase. Cisco really was the only place for Sourcefire to go. Juniper cannot afford their janitorial service, let alone Sourcefire. HP is has that TippingPoint albatross around their necks, so they were out of the question. McAfee already has too many IPS products. Fortinet did not need or want them. Dell was a possibility, but they are too busy going private.
The good thing about this acquisition is that Cisco may actually do something interesting with Sourcefire. The idea of a Sourcefire infused ASA appliance is intriguing. This puts Cisco back into the security market. Sourcefire is an excellent product and Cisco really does not need to do much to keep their quality alive.
Cisco has also demonstrated, lately, that they can handle security products maturely. Their consumption of Ironport a few years back was thought to be the end for that product. Surprisingly, Cisco managed to keep Ironport alive, and did not spoil it. Ironport is still a fairly competitive product in the email security market.
Advice to Sourcefire Customers
This is not good, but it is not all bad. There are much worse things that could have happened to Sourcefire. Do you see that BlueCoat/Tripwire/Solara/Thoma Bravo monster in the corner of the room? Be happy it did not eat Sourcefire. If it did, it would be horrible.
However, Cisco is not exactly a dynamic, forward-thinking security firm like Sourcefire was. They are a milker and they are going to milk the life out of Sourcefire. Some of the things you love about Sourcefire will disappear once the Cisco monster fully consumes them. I would wait for the Ciscoized version of Sourcefire before I invest much more in Sourcefire. And if you are thinking of dumping Sourcefire, there is no time like the present. Now is a good time. Besides, you should be investing in UTM/NGFW anyway.
Yet, there is much to be happy about as well. Cisco could definitively solve Sourcefire’s hardware problems which have plagued them forever. Moreover, the promise of Sourcefire infused into other Cisco products is promising.
As for Snort? Kiss it goodbye. Cisco is not going to give Snort much attention. To their credit, they do not need to. The Cult of Snort has pretty much died off. Whatever is left of it has nowhere near the voice they did a decade ago.
Advice for Cisco Customers
Great, now the Cisco VAR has yet another thing to bug you about. The real winner here is state government. Every state in the country has some big, impenetrable Cisco contract where they can buy everything. Having Sourcefire on that linecard will be a nice addition.
As for the rest of the Cisco customers – there is hope. This is another thing they can procure through their current Cisco channel but will they even want to? In all honesty, neither Cisco or Sourcefire are the way to go right now anyway. While Sourcefire makes an excellent IDS/IPS, the market is all UTM/NGFW and neither of these players are leaders in that market. You too need to push Cisco to make Sourcefire into something cool. Do not let Cisco just sell you another box, demand something better.
Advice to Cisco
We know you are going to do it, so just do it. Kill Snort and let it fork off to some other open source project. Do not placate us with phony concern for the future of Snort. We know you are going to kill Snort and we all need to just pull up our big boy pants and get on with it.
Also, lock the ASA people and the Sourcefire people in a room with a Palo Alto Networks and a Fortinet box and do not let them come out until they produce a NGFW that is actually competitive. You have a GREAT detection engine now, arguably the best in the world. Now use it to make something cool. Give Palo Alto, Fortinet and Checkpoint a serious competitor.
Lastly, will you both go out and find some UI developers from this century? Seriously, Cisco’s GUI developers are all stuck in the ‘90s. They have never advanced beyond Windows 95 file trees and drop-downs with big ugly “SUBMIT” buttons. Sourcefire, you are no better. It is 2013, will you please go find an HTML5 developer who is not high on dope. You employ a hundred and fifty zillion people, surely there is one decent GUI developer out there?
This acquisition was inevitable. It is not that disruptive, however it does bring to a close the dedicated IDS/IPS market. Hopefully, Cisco will Ironport Sourcefire to success.