Last week while I was on vacation, Cisco was hard at work when it announced that it was buying Sourcefire for $2.7 billion. Now that I’m back, I’ve got to blog about this deal.
Before I get into the details, I have to give Cisco a lot of credit on this one. By grabbing Sourcefire, Cisco management was in effect admitting that information security needed to be a much bigger part of its overall strategy and that it couldn’t achieve this goal in a timely manner with its existing portfolio of security products. During CiscoLive (i.e., Cisco’s customer conference held in June), John Chambers confessed, “we are not our customer’s primary security vendor and that’s got to change.” This acquisition proves that Chambers is willing to put Cisco’s money where his mouth is. For a network hardware company, this decision took a lot of guts.
So what does Cisco get for its money? Plenty! With this acquisition, Cisco just jumped back into a position of network security leadership in a big way. Cisco gets:
- An established network security architecture. Sourcefire’s next-generation IPS strategy is well ahead of the market and a clear alternative to all the NGFW hoopla. Cisco will merge Sourcefire’s architecture with the grand vision it outlined at CiscoLive adding instant substance to its plan for security policy enforcement throughout the network.
- An anti-malware play. Sourcefire FireAMP and FirePOWER network security appliances combine for advanced malware protection (and forensic data capture) on networks and endpoints. This is a rather unique combination as most vendors offer one or the other (i.e., network and endpoint protection) but not both. For the most part, Cisco has been absent from this market, watching Damballa, FireEye, and Trend Micro grab the lead. Now it can use its massive distribution channel to push Sourcefire broadly as a competitive alternative and a key component of its overall architecture.
- Additional security intelligence. Cisco is betting on a distributed architecture that combines network-based policy enforcement with constant security intelligence updates like IP and URL reputation lists from Cisco Security Intelligence Operations (SIO). With Sourcefire, Cisco adds security intelligence about advanced malware to its cloud and its customers’ policy enforcement decisions. Additionally, Sourcefire endpoint forensic data collection can help Cisco align CIO with specific information and intelligence that can be customized for individual customers.
In aggregate, Sourcefire contributes market leading network security products and services to strong Cisco assets like TrustSec and ISE. Cisco can now pivot in any business or technology direction from a cybersecurity and networking perspective.
Yup, Cisco should be able to combine Sourcefire assets, its massive installed base, and global distribution engine into a positive outcome. To maximize success, Cisco should also:
- Use Sourcefire as an engine to accelerate its security architecture. As previously mentioned, Cisco announced a security architecture at CiscoLive which was long on vision but a bit vague on execution. Since Sourcefire is well ahead in the integrated architecture game, Cisco should make sure that it becomes the tip of the sphere for enterprise security deals in order to compete with HP, IBM, McAfee, and Symantec security architectures.
- Embrace open source. One of Sourcefire’s keys to success was its strong leadership and management of the SNORT community but these folks will likely be a bit nervous about Cisco’s commitment to SNORT moving forward. Cisco must nip this in the bud with appropriate announcements, enhanced support across its product line, and further investment in SNORT development and support.
- Push on open standards. As Cisco merges its own products and intelligence with those of Sourcefire, it would be well served to glue everything together using open standards. For example, all intelligence descriptions and feeds could be based upon the Structured Threat Information Expression (STIX) and the Trusted Automated Exchange of Indicator Information (TAXII) developed by DHS and Mitre. Cisco’s commitment to open standards could set a precedent for the security industry while streamlining enterprise architecture integration. A true win/win for customers.