This content is part of the Essential Guide: RSA 2014: News, analysis and video from RSA Conference 2014
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What's next for Cisco security products after Cisco's Sourcefire buy?

Following Cisco Systems Inc.'s acquisition of Sourcefire last year, many may have wondered if the networking giant would simply absorb Sourcefire's network security products, or if the Sourcefire team would be given the opportunity to reshape Cisco's security product portfolio.

According to Martin Roesch, Sourcefire's founder and former CTO and now vice president and chief architect of Cisco's security group, the market will be impressed with where the combined organization is headed.

"The Sourcefire guys in a lot of ways are like kids in a candy store right now," Roesch said. "We have the opportunity to build fundamentally better security, and I think it's going to surprise a lot of people … especially in the next 12 months."

In an interview with SearchSecurity at the 2014 RSA Conference, Roesch discussed the vendor's plans to combine Cisco's policy-centric security technology with Sourcefire's threat-focused products, including the effort underway now to integrate Sourcefire's Advanced Malware Protection with Cisco's Content Security Gateway products, and extend its DefenseCenter management technology across complimentary Cisco products.

The long-term objective, he said, is to give customers a set of integrated, best-of-breed products that allow them to centralize and correlate security events and choose how to respond.

Roesch also discussed Cisco's commitment to open source security technology, not only sustaining open source products such as Snort and ClamAV, but also fostering its own Open Daylight Project and the recently announced OpenAppID open source next-generation firewall plugin for Snort.

Read the transcript below.

Hi. I’m Eric Parizo, from It’s great to have you with us. Joining me today is Martin Roesch. Marty is the vice president and chief architect of the Security Business Group at Cisco. Marty, thanks so much for joining us today.

Roesch: Thank you.

Let’s talk about the Cisco Sourcefire product strategy for a few minutes. For all intents and purposes now, Marty, you are in charge of developing and executing Cisco security products strategy. Until very recently, you were an outsider looking in. Now that you’re on the inside, what hasn’t worked at Cisco and what are you going to do differently?

Roesch: Going in the door at Cisco, Cisco had a set of well-developed tools that were specially-developed around policy-centric security, which is things like firewalls, VPNs, and the identity services engine, or identity and access management technology, and things of that nature. They also had some threat-focused technology, such as their intrusion prevention engine, and their email and web security gateways.

Going in, we saw opportunities to bring our threat-centric viewpoint to the table, which is something Cisco is very interested in, and also opportunities to do things like leverage the central management technology that we developed for Sourcefire, called our Defense Center, to bring more value to the existing Cisco properties as well as getting data from Cisco technologies to Sourcefire technologies, and really leveraging this additional visibility that we’ve got. There’s been a number of good things right out of the gate that we’ve seen. For example, we announced the Amp Everywhere initiative this week, with putting our advanced malware protection technologies on our content security gateways, which works really great.

I think the thing that is probably taking longer than maybe it would have otherwise, or not would have otherwise, but is taking surprisingly longer is coming up with a combined firewall; ASA firewall plus Sourcefire IDS/IPS technologies, or even a combined next generation firewall story. It’s … we both have products around all of these things, so bringing them together is actually something that’s taking some time.

Unlike amp, which is … this is just new goodness that hadn’t existed before, and Cisco had nothing like it. All the network traffic-facing things, they’ve got technologies, we have technologies; we have to find the right ways to merge them together that’s going to maintain the performance and efficacy that we’re known for at the level of scalability that Cisco is known for. It’s taking a little bit longer than you might think it would otherwise because otherwise it’s just packets. At the end of the day, it’s actually … we want to do it right, and sometimes, like the Apple guys say, ‘Take the time to do it right.’ Sometimes doing it right takes more time than people would like. We’re going to have things to talk about as we go down the road with this technology.

What can you tell me about the rest of the product integration roadmap, specifically what’s happening with Sourcefire’s IPS and Firepower product lines?

Roesch: The Firepower products, we just announced the new 8300 Series of Firepower chassis, basically. These are new platforms with upgraded horsepower, essentially; more horsepower on your Firepower. They’re about 50% faster than our previous 8200 Series line. Firepower’s still out there.

Just curious; was that technology you were already working on or was it combined with some technology Cisco had?

Roesch: That was something we were already working on. This is natural evolutionary path for the technologies taking advantage of faster CPUs, faster memory access buses, and things like that. We’re making natural leaps. For the Sourcefire side, our Firepower plan is always designed to have a lot of head room on it so that we can bring more functionality to it later, which is something that we’ve notably have continued to do. We keep bringing more functionality to this platform, not just features, but whole new products along the same chassis. That’s been going on.

The amp integration we’ve talked about and we’ve seen. We’re actually … we’ve open-sourced our application control components from the Sourcefire next generation firewall. We expect to see that adopted in more places inside Cisco as time marches on. We are working on ways of centralizing both of our management capabilities and using something like Defense Center, or extending Defense Center, to be able to bring that together as time marches on. The other piece of the puzzle, the Firewall NGFW, our next gen IPS set of technologies, that’s still under wraps. We’re not ready to announce that yet, but we will have a story there down the road.

Marty, many industry observers, frankly, would say that Cisco’s product security strategy has been adrift for some time. For enterprises that are considering new security technology, make the case for the upcoming technology from the combined Cisco and Sourcefire. Why is it worth the wait?

Roesch: That’s a great question, and I think people are going to be surprised at how much we’re going to be able to do and how much we’re going to be able to leverage each other’s capabilities over the coming months and years. Something has really occurred to me since I got onboard Cisco; when you’re at your own startup and you’ve got the technologies, you’ve the footprint than you’ve got that’s growing organically, relatively at a high rate but you’re still in a relatively small number of customer sites. Then you come to a place like Cisco where it’s not a question of, ‘Is this company a customer of Cisco?’ The answer 99 times out of 100 is, yes. Maybe they’re just using Switch Route or maybe they’re using Cloud Racing Tools, or whatever, but they are our customer already.

You go in there and you look at what they’ve got for security, and Sourcefire lived and breathed with the best-of-bread security story; that’s a great concept and it’s served us well. The flip-side of that is the kind of integration that you can get, and not necessarily just best-of-breed but by having a large footprint of technologies that you can use like we have at Cisco.

Coming in the door, I looked at … I’ve been talking to customers over the last few days, and I keep hearing the same things over and over again, which is, ‘I’ve got a bunch of best-of-breed technologies, they don’t actually work together or communicate with each other very well, at all. We centralize the events that they produce on backend and correlate them, and then respond when something gets through.’ This shouldn’t be an odd story to anybody listening to this presentation or listening to this video. The interesting thing about it is that I look at what we’ve got now at Cisco, the combination of Cisco and Sourcefire, the combination of our intelligence-driven security technologies; we use a technology called Firesight that we developed specifically to start bringing automation to our next-gen intrusion prevention engines and providing frontline analysis and contextualization of the event streams. What that can do for the rest of the technology that Cisco already has, how we can built, essentially, decision support engines that can drive changes to our security posture in real time. Our technology is very rapidly adopting methods so that they can interoperate with each other, that they can share the visibility that they have in their environment with each other.

If I’ve got Amp agents that are running on an endpoint and they see something about a device that makes me want to change my network security posture, I actually have the ability to transport that information around to the places that it needs to go and make decisions that aren’t just the old-school, ‘I saw a security event so I’m going to change the firewall config,’ but are actually meaningful things: ‘I saw this indicator of compromise fire on this machine only. Tell you what; I’m going to tell the identity service engine to de-authorize this user in the environment and just shut off his network access while we go investigate what happened.’ Being able to do things like that in a highly-accurate manner, a highly-automated manner, can actually change the game.

This isn’t just, ‘I got a bunch of technologies that don’t speak the same language that I’ll dump their events into a bucket and then we’ll see what happens,’ to, ‘I’ve got a bunch of technologies that share what they can see in the network environment that can influence each other’s configuration based on that, that’s backed by a decision engine that’s actually accurate and that will make relevant changes that will be small changes but valuable changes on the fly in order to alert the operators, ‘You need to do something.’’ This really can change the game.

It’s actually pretty excited because it’s … I’ve never had ability because I’ve never had the footprint, I never had the points of presents, I never had access to the technologies, now all of a sudden, they’re all in front of us. The Sourcefire guys in a lot of ways are like kids in a candy store right now because we’re in Cisco now and the level of data that they’ve got, the amount of data that they’ve got, are built in … and the data mining engines that we’ve built at Sourcefire is allowing us to do things that we just couldn’t do before. I think that we have the opportunity to build fundamentally better security. I think it’s going to surprise a lot of people at what we’re able to do, especially in the next 12 months. It should be pretty interesting.

Finally, you had a very interesting Snort-related announcement with Open App ID this week at RAS Conference 2014. Tell me about that. What developments are on the horizon for your open source products?

Roesch: Open App ID is probably the most notable thing that we’ve got going on right now. Open App ID is actually a plug-in for Snort that allows us to do, essentially, application control in an open source engine. This is a little bit like when I first released Snort back in the late ‘90s, when prior to that, there had been a few other intrusion detection engines that were out there, but they didn’t really gain mass adoption. Most people, if they wanted to do intrusion detection, they ended up having to go buy something, because you really couldn’t get a good example of how to do it from most of the open source engines that were out there. Then Snort appeared, and very rapidly, people could run intrusion detection just like they run with commercial products. Maybe it didn’t have all of the supporting tools but the basic function could be done.

Fast forward to 2014, the mid-2010s, and we’ve got next generation firewalls. The only way to experiment with one of the primary features of the next-gen firewall, which is application control, is to go buy one. Now we’re bringing this capability to the open source world and letting people use it, and letting it augment how our intrusion prevention engines work, and things like that, but really, also giving people the opportunity to build their own open source next-gen firewalls.

This is … when we got to Cisco, we got pushed back from the open source community, which was essentially, Cisco’s not an open source-friendly company, what’s going to happen to Snort and [inaudible: 11:48]? Cisco said, “We are an open source-friendly company, especially with the development of the open daylight technologies that we’ve got. We really are dedicated to open source. We understand the power that it can have.” We discussed it once we got into Cisco, and it was, ‘We’re going to continue Snort and [inaudible: 12:08], and keep the content rolling and all of that stuff, of course. Is there anything else we can do?’ We said, “How about we open source the App ID engine that we’re using that lets us do app control inside our NTFW.” We thought this is a great idea; a new open source product that people can use and leverage that will really give them meaningful capabilities. This isn’t a new plug-in for Snort that brings a new option to the rule language, this is a whole new language that allows us to really bring very modern functionality to an open source packet processing pipeline, and just allows people to do things they couldn’t before. Really, it really demonstrates Cisco’s resolve to be an open source company, supportive of open source, and also supportive of the existing open source that we’ve got.

Snork’s not going anywhere. It’s going to continue to be developed. As I have said for 15 years now, Snork is and always will be open source and free.

Marty Roesch, of Cisco. Thanks so much for spending some time with us, today. We appreciate it.

Roesch: Thank you.

Thank you, as well. Remember, for more information security videos, you can always visit Until next time, I’m Eric Pairzo. Stay safe out there.

View All Videos

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.