Sourcefire expands security strategy

Sourcefire has announced plans to expand its overall product strategy to span network access control, intrusion prevention, network behavior anomaly detection

Earlier this month, when Sourcefire announced the release of its new open source Daemonlogger, we speculated that it was driven by a desire to help Real-time Network Awareness (RNA) lock down a more central role in the security operations of its customers. Today, Sourcefire announced its Enterprise Threat Management (ETM) strategy. Sourcefire says its ETM combines intrusion-prevention system (IPS), network behaviour anomaly detection (NBAD), vulnerability assessment (VA) and network access control (NAC).

Impact assessment

The message
Enterprises are not willing to sacrifice connectivity for security. They must therefore take a holistic look at security, and take steps before, during and after an attack by setting network usage policies and being capable of enforcing them.

Competitive landscape
This move puts Sourcefire in direct competition with several classes of vendor, both large and small. Few of these spaces are Sourcefire's to lose. With ETM it goes head-to-head with the likes of IBM/ISS for threat assessment and IPS; Symantec for assessment and (with partner Mazu) NBAD; and in NAC, it goes against Cisco, Microsoft and scores of other NAC vendors – some of whom also began life as IPS vendors.
Sourcefire has taken a ride since its March IPO, reaping the rewards of investor enthusiasm until suffering punishment after announcing flaccid earnings projections. Just before its stock fell nearly 30% on April 9, we said it was enjoying an open source premium – investors less than accurately saw it as an open-source security company. We believe Sourcefire has useful products, good marketing and sales and a smart, aggressive roadmap. It effectively leverages its open source credibility – including the popularity of Snort, its commitment to support its open source community, and the celebrity of Marty Roesch – to its advantage. Now it must give investors an accurate picture of how it makes its money, avoiding buzz terms and hype. And it needs to earn some money.


Sourcefire shares opened at $15 when trading started March 12. The stock went as high as $18.83 before nose-diving April 9 to $12.23, down $5.12, or 29.5%, on that day. Since then, movement has been sideways. We would note that even at today's anemic level (the stock opened at $11.49 this morning, down 36% from its highs), it still has a market capitalization of $266m at the time of this writing – $41m higher than the $225m offered by Check Point Software Technologies in October 2005 to acquire Sourcefire. We also note that while it's never good form to go public and then announce crappy numbers, Sourcefire does quite a bit of its business in the second half of the year.


This strategy effectively rolls up with enhanced centralized management in the four main areas Sourcefire feels are at the core of its appeal. The phrase 'Enterprise Threat Management' is of course not particularly original, but Sourcefire lets the press and analysts know that it's not trademarked. Sourcefire is arguably already doing VA, NBAD, IPS and NAC within its customer installations, and its dashboards already provide some level of event correlation and unified views. By adding products that enhance these features, Sourcefire hopes to leverage its real estate and move into a field that it is arguably well positioned to exploit: post-admission network access control. The 451 Group is in the midst of a total reassessment of where we think the NAC market is going in 2007, but it has long seemed to us that monitoring user activity after admission to the network is an essential piece of the NAC puzzle.


The announcement of the strategy coincides with a single piece of product news: the release of the Master Defense Center (MDC), a $39,495 appliance that correlates events across multiple RNA Defense Centers (DCs). Sourcefire says the MDC and Defense Centers can now make intelligent gathering/forwarding decisions; for example, Sourcefire RNA installations in Germany might not do full packet capture due to privacy regulations in that country, but German DCs would still bubble up alerts back to the MDC for correlation.


All this talk about widely distributed event correlation paired with the release of a logging agent does bring to mind expansion possibilities in the related areas of security event management. This is something Sourcefire won't comment on, but would be, we feel, a logical extension of functionality and a sensible leveraging of more Sourcefire enterprise real estate and extant functionality. We note, though, that there are no announcements about Daemonlogger since the launch of the open source project earlier this month.

Sourcefire's 3D System's Intrusion Sensors gather information, which is then processed by the open source Snort IDS engine. Sourcefire's inline IPS takes Snort information, provides additional proprietary analysis and is capable of blocking traffic. Sourcefire's Defense Center is a management console that provides policy and reporting interfaces, sensor health monitoring and event correlation. The RNA discovery tool gathers information about hosts and correlates this data with vulnerabilities.


The main competition comes from giants such as IBM/ISS, Cisco, Microsoft and the like, offering wide-ranging product lines that take up the same kind of real estate within customer networks as does Sourcefire; any of the above could make a compelling marketing case that they're already doing this.

Startups such as Mirage Networks, Insightix and ForeScout Technologies already offer post-admission NAC. To an extent, so do NBAD vendors such as Arbor Networks, Lancope and Mazu Networks, through their little-used auto-mitigation features, which have been available for at least a year. We would note, however, that NBAD seems to be the weakest of Sourcefire's claims in the potpourri of features that comprise ETM. Arbor, Lancope and Mazu, troubled NBAD player GraniteEdge Networks, and even enterprise security management vendor Q1 Labs can make claims of technical superiority. However, we also point out that Cisco has sold a whole lot of its NBAD/Security Event Management hybrid, Cisco Monitoring, Analysis and Response System (MARS), and its NBAD functionality is blobby at best.

But back to NAC: Cisco's NAC program lists dozens of vendors who make anti-spyware, patch management and other related products that Cisco hopes to tie into its overall NAC picture, which is part of the reason for our aforementioned review of just what we think of all this. Juniper Networks' Infranet Controller policy engine uses the company's firewalls as enforcement points; Lockdown Networks can employ multiple vendors' managed switches as policy enforcement points; and other appliance producers include Vernier Networks and ConSentry Networks. Post-admission behavior is also monitored by troubled policy management vendor Elemental Security (perhaps equally troubled vendor FireEye moved away from the NAC market this spring and has repurposed its technology toward malware detection); other policy management comes from BindView, iPolicy Networks, Pedestal Software, Polivec and Tripwire. Endpoint policy enforcement comes from 3Com (TippingPoint Technologies), eEye Digital Security, BigFix, Check Point Software Technologies, McAfee and Symantec.

Vulnerability assessment -- as we wrote when PatchLink bought Harris in March 2007 -- is increasingly becoming commoditized. Companies like PatchLink, nCircle, McAfee (Foundstone), Tripwire and others are moving away from that as a core functionality and more toward building analysis and intelligence atop that commodity functionality.

SWOT analysis

Strengths: The real estate it commands within the network of its customers makes the strategy a powerful one that, managed well, can get Sourcefire a significant new growth engine at incremental extra expense to its customers.
Weaknesses: Now that it's public, Sourcefire has to manage not just hype but also expectations, or risk further punishment at the hands of investors.
Opportunities: Sourcefire can still spin a compelling, believable story of a security company that uses open source to leverage its strengths and mitigate weakness.
Threats: Now it's messing with the big boys: IBM/ISS, McAfee, Cisco and Microsoft, and also pretty large fellas in PatchLink, nCircle, McAfee, Symantec, Tripwire, etc.

Nick Selby is a Boston-based analyst covering enterprise security for The 451 Group.
