Cisco-Sourcefire union raises many product overlap questions

Industry watchers are bullish about the $2.7 billion Cisco buyout of security company Sourcefire announced today, but they have plenty of questions about how these competitors in intrusion-detection and prevention (IDS/IPS) and next-generation firewalls (NGFW) will sort out significant product overlap.

According to IDC, Cisco can be counted as the market leader in network security in terms of sheer sales of firewalls and IPS. Sourcefire wins plaudits from industry analysts like Gartner for its IPS and remains the champion of the open-source IDS called Snort that was invented in 1998 by Sourcefire founder and CTO Martin Roesch.

Exactly how the companies' products will sync up remains largely a mystery though. Wall Street financial analysts and IT security analysts grilled Cisco today on whether there are either-or technology choices to be made, but the company is remaining officially mum on this topic until after the deal is finalized later this year.

In the near term at least, "product integration just isn't going to happen," said Gartner security analyst Greg Young about the areas where Cisco and Sourcefire directly compete: IPS and NGFW. Gartner believes that in the near term after the acquisition, Cisco will maintain the Cisco ASA firewall product line, in which IPS is often one function, and separately support the Sourcefire IPS product lines, which have grown to include an NGFW, network-discovery tools and its FireAMP anti-malware and cloud-based threat-detection service.

Gartner's view is that it remains a long-term goal to achieve product integration in this area, though a common management console might come earlier. One influential factor is that the IPS market is not showing growth as the technology is often becoming part of firewalls, Young says.

But Young says a big impetus for Cisco to buy Sourcefire is simply "security credibility," and adding technology and human resources to compete in a crowded IT security market. Cisco has been fighting to hold onto its lead against companies like Palo Alto Networks in NGFW, while FireEye and others make strides in anti-malware sandboxing technologies.

Chris Young, senior vice president in Cisco's security group, acknowledges that Cisco and Sourcefire compete in IDS/IPS, which Cisco often includes as part of its ASA firewalls. He says he is precluded at this time from discussing specific strategy in IDS/IPS and NGFW until after the acquisition is completed. Once the deal is finalized, Cisco plans to put forward a product road map that would include these product and service topics.

Cisco's Young did say that today the company wants to buy Sourcefire for its core technologies (including FireAMP) and threat-research expertise. Cisco is considering how to integrate FireAMP threat detection into security products such as Cisco ASA firewalls and Web security gateways, he says.

Young also says Cisco, which is growing more open in integrating third-party products into its products, was more than ready to take up the banner of open-source IDS. Sourcefire's Roesch is expected to be named vice president and chief architect for Cisco security, and he "will be driving a lot of the strategy around Cisco's portfolio," Young says.

For his part, Roesch in a conference call with Wall Street analysts said discussions between Sourcefire and Cisco leading up to today's announcement had convinced him there's "a great deal of synergy" and that the two companies share "similar cultural ideals." Sourcefire brings 2,500 business and government customers in 180 countries, and it has a strong presence in the Washington, D.C., area where it has federal government customers.

Analysts are buying in so far.

"It's a good acquisition for them because there were questions around Cisco security," says Zeus Kerravala, principal at ZK Research. "They can't win the security wars by being a better appliance vendor than all the others at every point in the network."

Sourcefire will help Cisco fill out pxGrid, a framework the company announced last month for allowing third-party developers of security applications to add capabilities to Cisco Identity Services Engine (ISE). ISE is designed to provide policy-based, context-aware security for Cisco networks.

Third parties will be able to add capabilities to ISE that allow the appliance to share network context information (user ID, type of device, access method, access media, privilege level) with other systems in the IT infrastructure and then allow those systems to instruct ISE on what remediation actions to take on Cisco network elements, if warranted. Cisco plans to submit pxGrid to the IETF and other standards organizations early next year as an industry-sanctioned framework for injecting context-aware security and remediation into networks.

PxGrid aggregates all security information and analytics, and provides a networkwide view, Kerravala says. "They get more IPS and security management analytics from Sourcefire, as well as a next-generation firewall. I wasn't expecting [an acquisition] that big but it does take care of a couple of things," he says.

IDC security analyst Phil Hochmuth says Sourcefire gives Cisco some cloud-based advanced threat technology in addition to firewall and IPS expertise. "They get cloud-based complex malware analysis and advanced, undetectable threat" detection technology, Hochmuth says. "It will be interesting to see how they tie it together with the Cognitive Security acquisition" announced back in January.

Cognitive Security specializes in real-time behavioral analysis to detect security threats. Cisco is looking to combine Cognitive's technology with its own global, cloud-based threat-intelligence system.

"Cisco needs to get more cloud-oriented with security," Hochmuth says. "They need to tie together cloud security with on-premises devices. They're moving towards that" with the Sourcefire, Cognitive and ScanSafe acquisitions. Cisco bought ScanSafe, a maker of software-as-a-service (SaaS) Web security services for enterprises and small-to-mid-sized businesses, in 2009.

Jon Oltsik, senior principal analyst at Enterprise Strategies Group, says the merger struck him favorably. "Cisco got a true leader," he says about Sourcefire. He also expressed optimism the merger would go well and help Cisco "compete against everyone."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

This story, "Cisco-Sourcefire union raises many product overlap questions" was originally published by NetworkWorld.
