
Sourcefire expands strategy in effort to leverage its network real estate

By Nick Selby
16 Apr 2007 | SearchSecurity.com


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


The 451 Group
Earlier this month, when Sourcefire announced the release of its new open source Daemonlogger, we speculated that it was driven by a desire to help Real-time Network Awareness (RNA) lock down a more central role in the security operations of its customers. Today, Sourcefire announced its Enterprise Threat Management (ETM) strategy. Sourcefire says its ETM combines intrusion-prevention system (IPS), network behavior anomaly detection (NBAD), vulnerability assessment (VA) and network access control (NAC).

Impact assessment
The message
Enterprises are not willing to sacrifice connectivity for security. They must therefore take a holistic look at security, and take steps before, during and after an attack by setting network usage policies and being capable of enforcing them.
Competitive landscape
This move puts Sourcefire in direct competition with several classes of vendor, both large and small. Few of these spaces are Sourcefire's to lose. With ETM it goes head-to-head with the likes of IBM/ISS for threat assessment and IPS; Symantec for assessment and (with partner Mazu) NBAD; and in NAC, it goes against Cisco, Microsoft and scores of other NAC vendors – some of whom also began life as IPS vendors.
The 451 assessment
Sourcefire has taken a ride since its March IPO, reaping the rewards of investor enthusiasm until suffering punishment after announcing flaccid earnings projections. Just before its stock fell nearly 30% on April 9, we said it was enjoying an open source premium – investors less than accurately saw it as an open-source security company. We believe Sourcefire has useful products, good marketing and sales and a smart, aggressive roadmap. It effectively leverages its open source credibility – including the popularity of Snort, its commitment to support its open source community, and the celebrity of Marty Roesch – to its advantage. Now it must give investors an accurate picture of how it makes its money, avoiding buzz terms and hype. And, it needs to earn some money.

Context

Sourcefire shares opened at $15 when trading started March 12. The stock went as high as $18.83 before nose-diving April 9 to $12.23, down $5.12, or 29.5%, on that day. Since then, movement has been sideways. We would note that even at today's anemic level (the stock opened at $11.49 this morning, down 36% from its highs), it still has a market capitalization of $266m at the time of this writing – $41m higher than the $225m offered by Check Point Software Technologies in October 2005 to acquire Sourcefire. We also note that while it's never good form to go public and then announce crappy numbers, Sourcefire does quite a bit of its business in the second half of the year.

Strategy

This strategy effectively rolls up, with enhanced centralized management, the four main areas Sourcefire feels are at the core of its appeal. The phrase 'Enterprise Threat Management' is of course not particularly original, but Sourcefire lets the press and analysts know that it's not trademarked. Sourcefire is arguably already doing VA, NBAD, IPS and NAC within its customer installations, and its dashboards already provide some level of event correlation and unified views. By adding products that enhance these features, Sourcefire hopes to leverage its real estate and move into a field that it is arguably well positioned to exploit: post-admission network access control. The 451 Group is in the midst of a total reassessment of where we think the NAC market is going in 2007, but it has long seemed to us that monitoring user activity after admission to the network is an essential piece of the NAC puzzle.

Products

The announcement of the strategy coincides with a single piece of product news: the release of the Master Defense Center (MDC), a $39,495 appliance that correlates events across multiple RNA Defense Centers (DCs). Sourcefire says the MDC and Defense Centers can now make intelligent gathering/forwarding decisions; for example, Sourcefire RNA installations in Germany might not do full packet capture due to privacy regulations in that country, but German DCs would still bubble up alerts back to the MDC for correlation.

About The 451 Group:
The 451 Group is an independent technology industry analyst company focused on the business of enterprise IT innovation.

All this talk about widely distributed event correlation paired with the release of a logging agent does bring to mind expansion possibilities in the related areas of security event management. This is something Sourcefire won't comment on, but would be, we feel, a logical extension of functionality and a sensible leveraging of more Sourcefire enterprise real estate and extant functionality. We note, though, that there are no announcements about Daemonlogger since the launch of the open source project earlier this month.

Sourcefire's 3D System's Intrusion Sensors gather information, which is then processed by the open source Snort IDS engine. Sourcefire's inline IPS takes Snort information, provides additional proprietary analysis and is capable of blocking traffic. Sourcefire's Defense Center is a management console that provides policy and reporting interfaces, sensor health monitoring and event correlation. The RNA discovery tool gathers information about hosts and correlates this data with vulnerabilities.
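The two design points above, regional DCs that forward alerts upstream without payload where local rules forbid full packet capture, and a central console that rates each alert against what the discovery tool knows about the target host, can be sketched in a few dozen lines. The following is an added example written for this column, not Sourcefire code and not a description of how RNA or the MDC actually rate events: the four-level impact scale, the per-DC policy table, the host inventory and the alerts are all constructed here for illustration.

```python
import dataclasses
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """An IDS alert as a sensor would raise it (constructed sample shape)."""
    dc: str                          # Defense Center that owns the sensor
    sid: int                         # rule id that fired
    src: str
    dst: str
    dst_port: int
    targets_vuln: Optional[str]      # vulnerability id the rule was written for, if known
    payload: Optional[bytes] = None  # captured packet data, if the sensor kept it


@dataclass
class Host:
    """Host facts a passive discovery tool would accumulate (constructed)."""
    ip: str
    open_ports: Set[int]
    vulns: Set[str]


# Constructed inventory standing in for the discovery tool's host table.
# Vulnerability ids are placeholders, not real advisories.
INVENTORY: Dict[str, Host] = {
    "10.1.1.5": Host("10.1.1.5", {80, 443}, {"CONSTRUCTED-VULN-1"}),
    "10.2.2.7": Host("10.2.2.7", {22}, set()),
}

# Hypothetical per-DC forwarding policy: the German site keeps no payload.
DC_POLICY: Dict[str, Dict[str, bool]] = {
    "dc-boston": {"forward_payload": True},
    "dc-frankfurt": {"forward_payload": False},
}


def dc_forward(alert: Alert) -> Alert:
    """What a DC sends upstream: always the alert, the payload only if policy allows."""
    if DC_POLICY[alert.dc]["forward_payload"]:
        return alert
    return dataclasses.replace(alert, payload=None)


def impact(alert: Alert, inventory: Dict[str, Host]) -> int:
    """Simplified four-level impact rating (1 = most urgent); an assumption, not a vendor scale."""
    host = inventory.get(alert.dst)
    if host is None:
        return 4  # target not in inventory: cannot judge, and a discovery gap to close
    if alert.targets_vuln and alert.targets_vuln in host.vulns:
        return 1  # rule fired against a host known to carry that vulnerability
    if alert.dst_port in host.open_ports:
        return 2  # the service really listens; vulnerability state unknown
    return 3      # host known, port closed: likely noise or a blocked probe


class MasterCenter:
    """Central correlation point fed by several DCs."""

    def __init__(self, inventory: Dict[str, Host]) -> None:
        self.inventory = inventory
        self.events: List[Tuple[int, Alert]] = []

    def ingest(self, alert: Alert) -> int:
        level = impact(alert, self.inventory)
        self.events.append((level, alert))
        return level

    def multi_site_sources(self) -> Set[str]:
        """Source addresses that tripped sensors under more than one DC."""
        seen: Dict[str, Set[str]] = {}
        for _, a in self.events:
            seen.setdefault(a.src, set()).add(a.dc)
        return {src for src, dcs in seen.items() if len(dcs) > 1}

    def queue(self) -> List[Tuple[int, Alert]]:
        """Analyst work queue, most urgent first."""
        return sorted(self.events, key=lambda e: e[0])


def demo() -> dict:
    """Run four constructed alerts through two DCs and the central console."""
    raw = [
        Alert("dc-boston", 1001, "203.0.113.9", "10.1.1.5", 80, "CONSTRUCTED-VULN-1", b"GET /.. HTTP"),
        Alert("dc-frankfurt", 1001, "203.0.113.9", "10.2.2.7", 80, "CONSTRUCTED-VULN-1", b"GET /.. HTTP"),
        Alert("dc-frankfurt", 2002, "198.51.100.4", "10.2.2.7", 22, None, b"SSH-2.0-x"),
        Alert("dc-boston", 3003, "198.51.100.77", "10.9.9.9", 445, None, b"\x00"),
    ]
    mdc = MasterCenter(INVENTORY)
    forwarded = [dc_forward(a) for a in raw]
    levels = [mdc.ingest(a) for a in forwarded]
    return {
        "levels": levels,
        "payload_kept": [a.payload is not None for a in forwarded],
        "multi_site": mdc.multi_site_sources(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the privacy-sensitive part (packet payload) is decided at the regional DC, while the central console still gets enough to rate the alert and to notice that one source address has been seen at both sites, something no single DC could see on its own.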

Competition

The main competition comes from giants such as IBM/ISS, Cisco, Microsoft and the like, offering wide-ranging product lines that take up the same kind of real estate within customer networks as does Sourcefire; any of the above could make a compelling marketing case that they're already doing this.

Startups such as Mirage Networks, Insightix and ForeScout Technologies already offer post-admission NAC. To an extent, so do NBAD vendors such as Arbor Networks, Lancope and Mazu Networks, through their little-used auto-mitigation features, which have been available for at least a year. We would note, however, that NBAD seems to be the weakest of Sourcefire's claims in the potpourri of features that comprise ETM. Arbor, Lancope and Mazu, troubled NBAD player GraniteEdge Networks, and even enterprise security management vendor Q1 Labs can make claims of technical superiority. However, we also point out that Cisco has sold a whole lot of its NBAD/Security Event Management hybrid, Cisco Monitoring, Analysis and Response System (MARS), and its NBAD functionality is blobby at best.

But back to NAC: Cisco's NAC program lists dozens of vendors who make anti-spyware, patch management and other related products that Cisco hopes to tie into its overall NAC picture, which is part of the reason for our aforementioned review of just what we think of all this. Juniper Networks' Infranet Controller policy engine uses the company's firewalls as enforcement points; Lockdown Networks can employ multiple vendors' managed switches as policy enforcement points, and other appliance producers include Vernier Networks and ConSentry Networks. Post-admission behavior is also monitored by troubled policy management vendor Elemental Security (perhaps equally troubled vendor FireEye moved away from the NAC market this spring and has repurposed its technology toward malware detection); other policy management comes from BindView, iPolicy Networks, Pedestal Software, Polivec and Tripwire. Endpoint policy enforcement comes from 3Com (TippingPoint Technologies), eEye Digital Security, BigFix, Check Point Software Technologies, McAfee and Symantec.

Vulnerability assessment -- as we wrote when PatchLink bought Harris in March 2007 -- is increasingly becoming commoditized. Companies like PatchLink, nCircle, McAfee (Foundstone), Tripwire and others are moving away from that as a core functionality and more toward building analysis and intelligence atop that commodity functionality.

SWOT analysis
Strengths
The real estate it commands within the network of its customers makes the strategy a powerful one that, managed well, can get Sourcefire a significant new growth engine at incremental extra expense to its customers.
Weaknesses
Now that it's public, Sourcefire has to manage not just hype but also expectations, or risk further punishment at the hands of investors.
Opportunities
Sourcefire can still spin a compelling, believable story of a security company that uses open source to leverage its strengths and mitigate weakness.
Threats
Now it's messing with the big boys: IBM/ISS, McAfee, Cisco and Microsoft, and also pretty large fellas in PatchLink, nCircle, McAfee, Symantec, Tripwire, etc.

Nick Selby is a Boston-based analyst covering enterprise security for The 451 Group.
