With the appearance of Sourcefire as FIRE on the NASDAQ, I'd like to congratulate Marty Roesch and friends for bringing their company to the public market. I can't think of another company where one can chat with the CTO and founder in IRC.
Several of you have asked for my thoughts on this development. I posted Thoughts on Sourcefire IPO in October and I don't see anything that changes those opinions. Since then, I've been working with several customers, including one who brought me to a Sourcefire sales demo. At that demo, and in meetings with other customers, the ability for a detection product to act like a Security Event Management / Security Information-Incident Management (SEM/SIM) solution repeatedly arose. Sourcefire's products can feed a SEM/SIM but their Defense Center is not a SEM/SIM.
This is a big hurdle for Sourcefire. I don't see customers buying a Sourcefire intrusion sensor, and RNA, and a Defense Center, and then paying more money for a SEM/SIM. Instead I see customers adding an IDS module to their router or switch and feeding everything into MARS. (You know how much I love MARS, so this is not something I want to see happen. It's just what is happening.)
I think Q1 Labs has the right idea, even though I don't have hands-on time with their gear (yet). Products which are a SEM/SIM and a network management platform are going to be one of the few network-centric security products to not be collapsed into switches. (Network forensic appliances, due to their storage requirements, will also not collapse into switches.) If Sourcefire moves up the food chain into the Q1 Labs model, then I think they have a future as an independent security vendor. If they concentrate on their IDS/IPS solution they will eventually be purchased by a bigger security company like Cisco or a competitor.