Earlier this month, when
Sourcefire announced the release of its new open source
Daemonlogger, we speculated that it was driven by a desire to help
Real-time Network Awareness (RNA) lock down a more central role in
the security operations of its customers. Today, Sourcefire
announced its Enterprise Threat Management (ETM) strategy.
Sourcefire says its ETM combines intrusion-prevention system (IPS),
network behaviour anomaly detection (NBAD), vulnerability
assessment (VA) and
network access control (NAC).
Impact assessment
The message
Enterprises are not willing to sacrifice connectivity for security. They must therefore take a holistic look at security, and take steps before, during and after an attack by setting network usage policies and being capable of enforcing them.
Competitive landscape
This move puts Sourcefire in direct competition with several classes of vendor, both large and small. Few of these spaces are Sourcefire's to lose. With ETM it goes head-to-head with the likes of IBM/ISS for threat assessment and IPS; Symantec for assessment and (with partner Mazu) NBAD; and in NAC, it goes against Cisco, Microsoft and scores of other NAC vendors – some of whom also began life as IPS vendors.
Assessment
Sourcefire has taken a ride since its March IPO, reaping the rewards of investor enthusiasm until suffering punishment after announcing flaccid earnings projections. Just before its stock fell nearly 30% on April 9, we said it was enjoying an open source premium – investors less than accurately saw it as an open-source security company. We believe Sourcefire has useful products, good marketing and sales and a smart, aggressive roadmap. It effectively leverages its open source credibility – including the popularity of Snort, its commitment to support its open source community, and the celebrity of Marty Roesch – to its advantage. Now it must give investors an accurate picture of how it makes its money, avoiding buzz terms and hype. And, it needs to earn some money.
Context
Sourcefire shares opened at $15 when trading started March 12.
The stock went as high as $18.83 before nose-diving April 9 to
$12.23, down $5.12, or 29.5%, on that day. Since then, movement has
been sideways. We would note that even at today's anemic level (the
stock opened at $11.49 this morning, down 36% from its highs), it
still has a market capitalization of $266m at the time of this
writing – $41m higher than the $225m offered by Check Point
Software Technologies in October 2005 to acquire Sourcefire. We
also note that while it's never good form to go public and then
announce crappy numbers, Sourcefire does quite a bit of its
business in the second half of the year.
Strategy
This strategy effectively rolls up, under enhanced centralized
management, the four main areas Sourcefire feels are at the core
of its appeal. The phrase 'Enterprise Threat Management' is of
course not particularly original, but Sourcefire lets the press and
analysts know that it's not trademarked. Sourcefire is arguably
already doing VA, NBAD, IPS and NAC within its customer
installations, and its dashboards already provide some level of
event correlation and unified views. By adding products that
enhance these features, Sourcefire hopes to leverage its real
estate and move into a field that it is arguably well positioned to
exploit: post-admission network access control. The 451 Group is in
the midst of a total reassessment of where we think the NAC market
is going in 2007, but it has long seemed to us that monitoring user
activity after admission to the network is an essential piece of
the NAC puzzle.
Products
The announcement of the strategy coincides with a single piece
of product news: the release of the Master Defense Center (MDC), a
$39,495 appliance that correlates events across multiple RNA
Defense Centers (DCs). Sourcefire says the MDC and Defense Centers
can now make intelligent gathering/forwarding decisions; for
example, Sourcefire RNA installations in Germany might not do full
packet capture due to privacy regulations in that country, but
German DCs would still bubble up alerts back to the MDC for
correlation.
All this talk about widely distributed event correlation paired
with the release of a logging agent does bring to mind expansion
possibilities in the related areas of security event management.
This is something Sourcefire won't comment on, but would be, we
feel, a logical extension of functionality and a sensible
leveraging of more Sourcefire enterprise real estate and extant
functionality. We note, though, that there are no announcements
about Daemonlogger since the launch of the
open source project earlier this month.
Sourcefire's 3D System's Intrusion Sensors gather information,
which is then processed by the open source Snort IDS engine.
Sourcefire's inline IPS takes Snort information, provides
additional proprietary analysis and is capable of blocking traffic.
Sourcefire's Defense Center is a management console that provides
policy and reporting interfaces, sensor health monitoring and event
correlation. The RNA discovery tool gathers information about hosts
and correlates this data with vulnerabilities.
Competition
The main competition comes from giants such as IBM/ISS, Cisco,
Microsoft and the like, offering wide-ranging product lines that
take up the same kind of real estate within customer networks as
does Sourcefire; any of the above could make a compelling marketing
case that they're already doing this.
Startups such as Mirage Networks, Insightix and ForeScout
Technologies already offer post-admission NAC. To an extent, so do
NBAD vendors such as Arbor Networks, Lancope and Mazu Networks,
through their little-used auto mitigation features, which have been
available for at least a year. We would note, however, that NBAD
seems to be the weakest of Sourcefire's claims in the potpourri of
features that comprise ETM. Arbor, Lancope and Mazu, troubled NBAD
player GraniteEdge Networks, and even enterprise security
management vendor Q1 Labs can make claims of technical superiority.
However, we also point out that Cisco has sold a whole lot of its
NBAD/Security Event Management hybrid, Cisco Monitoring, Analysis
and Response System (MARS), and its NBAD functionality is blobby at
best. But back to NAC: Cisco's NAC program lists dozens of vendors
who make anti-spyware, patch management and other related products,
that Cisco hopes to tie into its overall NAC picture, which is part
of the reason for our aforementioned review of just what we think
of all this. Juniper Networks' Infranet Controller policy engine
uses the company's firewalls as enforcement points; Lockdown
Networks can employ multiple vendors' managed switches as policy
enforcement points, and other appliance producers include Vernier
Networks and ConSentry Networks. Post-admission behavior is also
monitored by troubled policy management vendor Elemental Security
(perhaps equally troubled vendor FireEye moved away from the NAC
market this spring and has repurposed its technology toward malware
detection); other policy management comes from BindView, iPolicy
Networks, Pedestal Software, Polivec and Tripwire. Endpoint policy
enforcement comes from 3Com (TippingPoint Technologies), eEye
Digital Security, BigFix, Check Point Software Technologies, McAfee
and Symantec.
Vulnerability assessment -- as we wrote when
PatchLink bought Harris in March 2007 -- is
increasingly becoming commoditized. Companies like PatchLink,
nCircle, McAfee (Foundstone), Tripwire and others are moving
away from that as a core functionality and more toward building
analysis and intelligence atop that commodity functionality.
SWOT analysis
Strengths
The real estate it commands within the network of its customers makes the strategy a powerful one that, managed well, can get Sourcefire a significant new growth engine at incremental extra expense to its customers.
Weaknesses
Now that it's public, Sourcefire has to manage not just hype but also expectations, or risk further punishment at the hands of investors.
Opportunities
Sourcefire can still spin a compelling, believable story of a security company that uses open source to leverage its strengths and mitigate weakness.
Threats
Now it's messing with the big boys: IBM/ISS, McAfee, Cisco and Microsoft, and also pretty large fellas in PatchLink, nCircle, McAfee, Symantec, Tripwire, etc.
Nick Selby is a Boston-based analyst covering enterprise
security for The 451 Group.