Attacks/Breaches
7/23/2013
01:47 PM

Cisco Banks On Sourcefire And Snort For Its Security Future

Cisco's security save costs to the tune of $2.7 billion, and the Snort pig stays open source

Cisco's announcement today that it plans to purchase Sourcefire in a $2.7 billion deal signals a major effort to resuscitate the networking giant's increasingly shaky standing in the network security market.

Christopher Young, senior vice president of Cisco's Security Group, said during a shareholder call today that the definitive agreement to buy Sourcefire fits Cisco's goal of becoming the "No. 1" security vendor for customers. "By bringing the innovation that Sourcefire brings in IPS, advance malware prevention, content-awareness ... the combination of the two companies is really going to have a big imprint on the industry overall," Young said.

Under the deal, which is expected to close in the second half of this year, Cisco will pay $76 per share in cash in exchange for each Sourcefire share. Martin Roesch, the renowned founder and chief technology officer of Sourcefire, as well as the creator of the open-source Snort intrusion detection and prevention technology, will become vice president and chief architect of Cisco's Security Group and report directly to Young.

Cisco executives emphasized that the acquisition would pave the way for Cisco to provide a comprehensive and integrated family of security solutions. "[Sourcefire has] done very unique things in thinking about IPS, IDS, advanced malware [detection], threat awareness, and leveraging cloud-based intelligence ... to see malware infections before, during and after an attack," Cisco's Young said, pointing to Cisco's firewall, Web, and email security businesses rounding out the newly combined portfolio. "It all maps very well with our strategy: A path to an integrated solution set that combines the best of both portfolios is achievable in near-term fashion."

While Young wouldn't specify just yet what all of this means for existing Cisco and Sourcefire products, the big question was what happens to Cisco's IDS/IPS products now, since there's a glaring duplication with the newly acquired Sourcefire IDS/IPS line. "Next-generation IPS and advanced malware protection will be integrated with our firewall and part of our overall Cisco footprint," he said.

But it's likely the end of the road for Cisco's IDS/IPS line now that Snort is in the house, security experts say. "Dead," says Mike Rothman, president of Securosis and author of The Pragmatic CSO. "The question is when and what is the migration path," and the sooner, the better for Cisco's IDS/IPS customers, he says.

"The big problem is Cisco had underperforming network security products. They had to fix those if they wanted to stay in the business, and this was a way to fix that problem," Rothman says. "Cisco had a problem it had to solve."

For Sourcefire, it's an entree into the firewall space as well as a greenfield of enterprise business where Cisco switches and routers have been network staples for so long. "Cisco has hundreds of thousands of customers and a breadth of distribution. There are only a handful of tech companies that can match" that scale, Rothman says.

John Pescatore, director of emerging security trends at SANS, also sees the Sourcefire deal as a possible game-changer for Cisco's security business -- namely, if Cisco successfully takes Sourcefire's industry-leading IPS products and continues to enhance them. "Cisco had the switchover from PIX firewalls to ASA, and a bunch of stumbles to ASA, especially on the intrusion detection and intrusion prevention side," Pescatore says.

The catch will be in how Cisco orchestrates the acquisition when it comes to the software side of things, he says. While the networking giant has done well in network appliance-type buys, Cisco's desktop software company acquisitions haven't gone so well, he says. "If Cisco is going to [attempt] to be a big player in desktop AV, [that's] going to be a disaster," he says. "If they use the Immunet threat research guys, they will better be able to compete with Palo Alto Networks and FireEye."

Another possible red flag is if Cisco emphasizes building security into the network fabric, Pescatore says. "As a market, we don't really trust infrastructure vendors to secure themselves. That's why Microsoft hasn't been successful in AV," he says.

Sourcefire will also give Cisco a foray into the network forensics space, with monitoring and storing of network traffic information, he says. Sourcefire, meanwhile, had struggled to gain a foothold in the firewall business, so Cisco's ASA firewall family fills that gap, he says.

Then there's that pig -- open-source Snort, that is -- in the room. While Cisco has not traditionally been associated with the open-source community, Snort will change all of that. "Snort brings a vibrant, open-source community to Cisco," Cisco's Young says. "That was an important attribute that attracted us to Sourcefire ... Together we will have a continued partnership with the open-source community."

Sourcefire's Roesch echoed the promise that Snort would remain open. "Snort will always be free. We will continue that tradition," he says.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...