Cisco’s Sourcefire Buy Will Let It Monitor Users Instead of Packets

Cisco plans on acquiring Sourcefire for $2.7 billion.

Sourcefire’s founder invented and open-sourced the Snort intrusion detection system, then helped make open-source security acceptable by popularizing a commercial version of the product.

Though Cisco executives made a point of saying acquisitions are a normal part of Cisco’s strategy to advance its own technology, the Sourcefire deal and the February acquisition of Cognitive Security reflect a radical shift in what network security actually means.

Rather than protecting the perimeter of the network on the assumption that it’s possible to keep malware, spear-phishers and other threats outside, the focus has shifted to monitoring activity that could indicate a breach quickly enough to prevent much damage.

“No matter how high or thick you build a castle wall, if someone leaves a door open, you’re stuck,” according to William Murphy, the CTO and managing director of Blackstone Financial Services in a June interview on data security.

“It has become easier and easier for adversaries to essentially target people individually. So, when there is a breach, it has to be contained extremely quickly, to limit the damage,” Murphy said. “That only happens if you add a couple of layers of security around the crown jewels so they’re protected even if someone breaks into the castle.”

Perimeter security was still the goal in 1998, so there wasn’t much uproar when Sourcefire founder and chief technology officer Martin Roesch developed and published the open-source intrusion-detection system Snort. Roesch formed Sourcefire in 2001 to sell Snort pre-configured on a series of appliances, which vastly simplified the complex installation and configuration of the IDS.

Rather than just identifying intruders from outside, Snort developed into an activity monitor that could not only identify intruders but also spot “if Bob in Accounts is suddenly sending stuff to China,” Roesch told ZDNet in 2008. Newer versions include intrusion prevention, network behavior analysis, access control, vulnerability assessments and the ClamAV open-source anti-malware gateway product.

The next big security threat isn’t perimeter penetration, according to the 2013 Cisco Annual Security Report (PDF). Not only will the number of access points into a corporate network multiply as smartphones, tablets and other devices become more common as primary corporate computing devices, the “Internet of Everything” will increase the number of connected devices to three billion, multiplying potential security threats by at least as much.

That multiplication of threats will cause global sales of intrusion prevention systems (IPS) to double, from $1.21 billion in 2012 to $2.4 billion in 2017, according to a May report from Frost & Sullivan.

Cisco confirmed this morning that it’s paying $76 per share for Sourcefire. For that price, Cisco will get what it calls substantial additions to Cisco’s own IPS products as well as the addition of artificial-intelligence-driven activity analysis and anomaly detection from Cognitive Security.

A SeekingAlpha report noted that, in Sourcefire, Cisco has acquired the leader among IPS vendors—one whose revenues are likely to grow 25 percent in 2013. But more important to Cisco is the addition of mature security analysis products able to track and interpret user activity within the context of specific applications, and apply security based on that behavior on other applications and services rather than simply the flow of packets through networks.
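The shift the article describes, from inspecting packet flows to judging each user's activity against their own history (the "Bob in Accounts is suddenly sending stuff to China" case above), can be sketched as a small baseline-and-deviation detector. The following is an added illustration, not Snort, Sourcefire or Cognitive Security code; the flow summaries, user names, country codes and thresholds are all constructed for the example.

```python
"""
Per-user behavioural anomaly detection over daily outbound flow summaries.

Added example (hypothetical): each user gets a baseline of which destination
countries they normally send to and how much; a new destination with large
volume, or a volume well above the user's usual level, raises an alert.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical summaries: (day, user, dest_country, bytes_out).
BASELINE = [
    (1, "bob", "US", 20_000_000), (2, "bob", "US", 22_000_000),
    (3, "bob", "US", 19_000_000), (4, "bob", "US", 21_000_000),
    (5, "bob", "US", 20_500_000),
    (1, "alice", "US", 5_000_000), (1, "alice", "CN", 4_000_000),
    (2, "alice", "US", 5_500_000), (2, "alice", "CN", 4_500_000),
    (3, "alice", "US", 4_800_000), (3, "alice", "CN", 4_200_000),
]

# Constructed summaries for the day being scored.
TODAY = [
    (6, "bob", "US", 21_000_000),
    (6, "bob", "CN", 900_000_000),   # destination bob has never used, large volume
    (6, "alice", "US", 5_200_000),
    (6, "alice", "CN", 4_300_000),   # routine for alice, who sends to CN daily
    (6, "carol", "DE", 1_000_000),   # user with no history yet
]


def build_profiles(records):
    """Per user: the set of countries seen and the daily byte samples per country."""
    profiles = defaultdict(lambda: {"countries": set(), "samples": defaultdict(list)})
    for _day, user, country, nbytes in records:
        prof = profiles[user]
        prof["countries"].add(country)
        prof["samples"][country].append(nbytes)
    return profiles


def detect(profiles, records, new_dest_min_bytes=100_000_000, sigma=3.0):
    """Score records against profiles.

    Returns {"alerts": [(user, country, reason), ...], "unscored": [user, ...]}.
    Users without a baseline are reported separately rather than alerted on,
    so the detector does not fire on every new hire.
    """
    alerts, unscored = [], []
    for _day, user, country, nbytes in records:
        prof = profiles.get(user)
        if prof is None:
            unscored.append(user)
            continue
        if country not in prof["countries"]:
            # Unfamiliar destination: only worth an alert above a volume floor.
            if nbytes >= new_dest_min_bytes:
                alerts.append((user, country, f"new destination, {nbytes} bytes"))
            continue
        samples = prof["samples"][country]
        mu, sd = mean(samples), pstdev(samples)
        # Familiar destination: alert only on a volume far above the user's norm.
        if sd > 0 and nbytes > mu + sigma * sd:
            alerts.append((user, country, f"volume {nbytes} > {mu + sigma * sd:.0f}"))
    return {"alerts": alerts, "unscored": unscored}


if __name__ == "__main__":
    result = detect(build_profiles(BASELINE), TODAY)
    for user, country, reason in result["alerts"]:
        print(f"ALERT {user} -> {country}: {reason}")
    print("unscored:", result["unscored"])
```

With the constructed data only Bob's transfer to CN is flagged, while Alice's routine CN traffic and Carol (no baseline yet) are not. The two thresholds are the tuning knobs a real deployment would set from observed false-positive rates; the point is that the decision is made per user and per destination, not per packet.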
