Cisco-Sourcefire union raises many product overlap questions

Industry watchers are bullish about the $2.7 billion Cisco buyout of security company Sourcefire announced today, but they have plenty of questions about how these competitors in intrusion-detection and prevention (IDS/IPS) and next-generation firewalls (NGFW) will sort out significant product overlap.

According to IDC, Cisco can be counted as the market leader in network security in terms of sheer sales of firewalls and IPS. Sourcefire wins plaudits from industry analysts like Gartner for its IPS and remains the champion of the open-source IDS called Snort that was invented in 1998 by Sourcefire founder and CTO Martin Roesch.


Exactly how the companies' products will sync up remains largely a mystery though. Wall Street financial analysts and IT security analysts grilled Cisco today on whether there are either-or technology choices to be made, but the company is remaining officially mum on this topic until after the deal is finalized later this year.

In the near term at least, "product integration just isn't going to happen," said Gartner security analyst Greg Young about the areas where Cisco and Sourcefire directly compete: IPS and NGFW. Gartner believes that in the near term after the acquisition, Cisco will maintain the Cisco ASA firewall product line, where IPS is often a built-in function, and separately support the Sourcefire IPS product lines, which have grown to include an NGFW, network-discovery tools and its FireAMP anti-malware and cloud-based threat-detection service.

Gartner's view is that it remains a long-term goal to achieve product integration in this area, though a common management console might come earlier. One influential factor is that the IPS market is not showing growth as the technology is often becoming part of firewalls, Young says.


But Young says a big impetus for Cisco to buy Sourcefire is simply "security credibility," and adding technology and human resources to compete in a crowded IT security market. Cisco has been fighting to hold onto its lead against companies like Palo Alto Networks in NGFW, while FireEye and others make strides in anti-malware sandboxing technologies.

Chris Young, senior vice president in Cisco's security group, acknowledges that Cisco and Sourcefire compete in IDS/IPS, which Cisco often includes as part of its ASA firewalls. He says he is precluded at this time from discussing specific strategy in IDS/IPS and NGFW until after the acquisition is completed. Once the deal is finalized, Cisco plans to put forward a product road map that would include these product and service topics.

Cisco's Young did say that today the company wants to buy Sourcefire for its core technologies (including FireAMP) and threat-research expertise. Cisco is considering how to integrate FireAMP threat detection into security products such as Cisco ASA firewalls and Web security gateways, he says.

Young also says Cisco, which is growing more open in integrating third-party products into its products, was more than ready to take up the banner of open-source IDS. Sourcefire's Roesch is expected to be named vice president and chief architect for Cisco security, and he "will be driving a lot of the strategy around Cisco's portfolio," Young says.

For his part, Roesch in a conference call with Wall Street analysts said discussions between Sourcefire and Cisco leading up to today's announcement had convinced him there's "a great deal of synergy" and that the two companies share "similar cultural ideals." Sourcefire brings 2,500 business and government customers in 180 countries, and it has a strong presence in the Washington, D.C., area where it has federal government customers.

Analysts are buying in so far.

"It's a good acquisition for them because there were questions around Cisco security," says Zeus Kerravala, principal at ZK Research. "They can't win the security wars by being a better appliance vendor than all the others at every point in the network."

Sourcefire will help Cisco fill out pxGrid, a framework the company announced last month for allowing third-party developers of security applications to add capabilities to Cisco Identity Services Engine (ISE). ISE is designed to provide policy-based, context-aware security for Cisco networks.

Third parties will be able to add capabilities to ISE that allow the appliance to share network context information (user ID, type of device, access method, access media, privilege level) with other systems in the IT infrastructure and then allow those systems to instruct ISE on what remediation actions to take on Cisco network elements, if warranted. Cisco plans to submit pxGrid to the IETF and other standards organizations early next year as an industry-sanctioned framework for injecting context-aware security and remediation into networks.

PxGrid aggregates all security information and analytics, and provides a networkwide view, Kerravala says. "They get more IPS and security management analytics from Sourcefire, as well as a next-generation firewall. I wasn't expecting [an acquisition] that big but it does take care of a couple of things," he says.

IDC security analyst Phil Hochmuth says Sourcefire gives Cisco some cloud-based advanced threat technology in addition to firewall and IPS expertise. "They get cloud-based complex malware analysis and advanced, undetectable threat" detection technology, Hochmuth says. "It will be interesting to see how they tie it together with the Cognitive Security acquisition" announced back in January.

Cognitive Security specializes in real-time behavioral analysis to detect security threats. Cisco is looking to combine Cognitive's technology with its own global, cloud-based threat-intelligence system.

"Cisco needs to get more cloud-oriented with security," Hochmuth says. "They need to tie together cloud security with on-premises devices. They're moving towards that" with the Sourcefire, Cognitive and ScanSafe acquisitions. Cisco bought ScanSafe, a maker of software-as-a-service (SaaS) Web security services for enterprises and small-to-mid-sized businesses, in 2009.

Jon Oltsik, senior principal analyst at Enterprise Strategies Group, says the merger struck him favorably. "Cisco got a true leader," he says about Sourcefire. He also expressed optimism the merger would go well and help Cisco "compete against everyone."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.


Stories by Ellen Messmer and Jim Duffy
