Friday, March 09, 2007

Sourcefire Is Now FIRE

With the appearance of Sourcefire as FIRE on the NASDAQ, I'd like to congratulate Marty Roesch and friends for bringing their company to the public market. I can't think of another company where one can chat with the CTO and founder in IRC.

Several of you have asked for my thoughts on this development. I posted Thoughts on Sourcefire IPO in October and I don't see anything that changes those opinions. Since then, I've been working with several customers, including one who brought me to a Sourcefire sales demo. At that demo, and in meetings with other customers, the ability for a detection product to act like a Security Event Management / Security Information-Incident Management (SEM/SIM) solution repeatedly arose. Sourcefire's products can feed a SEM/SIM but their Defense Center is not a SEM/SIM.

This is a big hurdle for Sourcefire. I don't see customers buying a Sourcefire intrusion sensor, and RNA, and a Defense Center, and then paying more money for a SEM/SIM. Instead I see customers adding an IDS module to their router or switch and feeding everything into MARS. (You know how much I love MARS, so this is not something I want to see happen. It's just what is happening.)

I think Q1 Labs has the right idea, even though I don't have hands-on time with their gear (yet). Products which are a SEM/SIM and a network management platform are going to be one of the few network-centric security products to not be collapsed into switches. (Network forensic appliances, due to their storage requirements, will also not collapse into switches.) If Sourcefire moves up the food chain into the Q1 Labs model, then I think they have a future as an independent security vendor. If they concentrate on their IDS/IPS solution they will eventually be purchased by a bigger security company like Cisco or a competitor.

2 comments:

Dennis Cox said...

Richard,

An IDS/IPS Engine is constantly moving to handle new threats. They are too complicated and the resources needed are tough to predict. That is the reason those that have been integrated into routers/switches haven't taken hold. Someday the technology may meet the threat perhaps, but I doubt it is within the next 3-4 years. A really good IDS/IPS won't fit on a router blade. Cisco has an IDS in a switch - they aren't close to the IDS market leader, and that product is simply inferior. 3Com has one - the product was end of life'd after only a year on the market.

This is one of those issues like "flying cars" - just because we can build an airplane and get to the moon doesn't mean the technology curve will allow "flying cars".

Dennis Cox
dcox@bpointsys.com

Richard Bejtlich said...

Hi Dennis,

It doesn't matter what is technically superior or truly better for customers from a detection or defense point of view. Cisco is winning for all of the other reasons that businesses win, not because of the strength of their security products. I didn't say I necessarily want this to happen; I'm saying it is happening.