Cisco FIREs up a Network Security Strategy

By Mike Rothman

This morning Cisco made its first decisive move in the network security space in years, acquiring Sourcefire for $2.7 billion. That represents a 30% premium over Sourcefire’s closing price yesterday. But much more importantly it is a clear signal that Cisco hasn’t given up on security and intends to compete as organizations rebuild their network security around the poorly named next generation application awareness technology.

This was a move Cisco had to make. Pure and simple. We suspect there were other bidders to drive the 30% premium on an already rich valuation. But Cisco couldn’t lose out, mostly because there really isn’t anything else to buy for as reasonable a price. If you think $2.7 BILLION is reasonable, at least.

The trends are clear. Enterprises are rearchitecting their perimeter security. They want application-aware technology for both firewall and IPS to enforce policies on web-based applications. They want the option to consolidate numerous devices and capabilities onto a common platform enforcing a common policy – what we call a perimeter security gateway. This common platform will also have other capabilities, such as advanced malware protection and web filtering. Cisco had none of the above. So they had no choice.

I had joked that Chris Young (Cisco’s GM of Security) had a blank check, but it was only good for Starbucks cards. But I was wrong to joke. With one decisive move Cisco is back in the network security game – in concept, at least. Now they can tell their customers a story about how they haven’t abandoned the ASA platform, and can move forward with innovative and competitive technology from Sourcefire. Cisco can leverage their tremendous distribution reach to drive Sourcefire products well beyond what Sourcefire could do themselves, or likely with any other partner.

Of course all this unicorn dust is on paper. Now the work begins to figure out how to wedge Sourcefire’s Agile Security strategy onto the latest Cisco marketecture. You couldn’t take more diametrically opposed paths to market. Cisco relied on marketecture to obscure product issues. Sourcefire focused on product and historically didn’t do a good job of painting a broad and compelling picture, although they have improved over the past 18 months.

After the deal closes they need to figure out how to migrate the ASA base onto FirePOWER ASAP. They need to communicate a strong message based on product rather than PowerPoint. Job #1 is to protect what’s left of their installed base and ensure Sourcefire maintains their IPS share in a very competitive market. Of course Palo Alto and Check Point will step up their Cisco displacement efforts bigtime, grabbing all they can in the shortening window until Cisco has a competitive product.

Big IT (IBM and HP) have IPS platforms. They will maintain that there is still a market for standalone IPS, and for a while they will be right. But that plays right into Cisco’s hands. Now they both get to compete with Cisco, instead of fighting Sourcefire for the chance to rip out existing Cisco IPS devices.

On the firewall front Sourcefire is still playing at a disadvantage. They got into the market late and have been building the technology internally, and it takes time to reach feature parity with companies in the firewall market for a decade. But this deal buys Sourcefire time. Most of the folks still buying Cisco network security gear aren’t innovators. They are the late majority, don’t have overly rigorous requirements, and can wait for the integration story.

Check Point, Palo Alto, and Fortinet will continue to fight mano a mano for the NGFW business. Due to the vagaries of Finnish public company trading rules, McAfee will actually be starting their true integration efforts with the acquired Stonesoft technology after Cisco completes the Sourcefire deal (expected in late Q3/early Q4).

So what’s in it for Sourcefire? Besides $2.7B? They needed to find a partner at some point. They probably could have waited a bit to prove the viability of their NGFW/NGIPS integrated platform story. But there is a definite advantage to getting paid a high multiple on potential rather than on results. As the wise investor says, you never lose money when you take a profit. And Sourcefire investors are taking lots of profit from this deal. So the timing works well for Sourcefire.

For this deal to pay off Cisco needs to hand the network security reins to Marty Roesch and his team. The group will report to Chris Young, but if Marty isn’t driving the security strategy for all Cisco they are missing a huge opportunity. And if they can’t keep Marty visible and engaged beyond his contractual commitment there will be a mass exodus, as we saw with all the other big security deals – with the exception of IBM/Q1 Labs.

This is not a slam dunk for Cisco – they still need to do the work and regain their network security mojo, which has been long gone. But they really didn’t have a choice. They wrote a big check to solve a big problem. And it is not much more complicated than that.

No Related Posts

I couldn’t agree more with Chort. I was on the Ironport Customer Advisory Board and have known Tom Gillis for many years.

Once the engineers realise they are on a Cisco realise cycle and they lose that, this is my product and it turns into a Cisco product. They will leave and go to another nimble start up. It will then slowly limp along.

A company that still wants you to install Java to manage your security appliance (ASA) must be on the wrong track. I am still on the Cisco CAB and they have some very clever engineers, but it seems to be the foundation they’re trying to put this technology on won’t work.

We bought AnyConnect Essentials as we needed more licenses than our AnyConnect Premium. Turn it on, AnyConnect Premium was disabled. I have never seen a cheap product turn off the expensive product. The ASA can’t work out how a user has connected to allow them both to work together. Spoke to product manager. It has been on the roadmap for years!

Before they add more features, they need to work on their SKUs. They complex, resellers don’t understand them. Cisco should go out and do some secret shopping and see how hard it is to buy their stuff. I reckon if you ask 3 resellers for a quote and don’t tell them what you want, you would get 3 different answers.

By Michael Curtis

+1 chort.  This is the kind of quality you can expect from the Sourcefire product in the future:

“IOS that can unexpectedly halt all processes/services when signature update S639 or greater is applied”

I don’t think this was strategic in the sense that they planned it as a way to acquire new capabilities. They JUST released their new IDPS lineup and tout all those features you mention in spades. Personally, I think it’s more of the same flailing Cisco has been doing for years in this space.  For Snort’s sake, I hope that is not the case, but I have near zero faith in Cisco’s ability to deliver in the security space.  They simply can’t move fast enough.

By Matt

As a current Sourcefire IDS customer, this is incredibly disheartening.

Cisco will neglect and squander this technology like every other security acquisition they’ve ever done. Cisco’s idea of delivering “value” is cramming a bunch of obsolete, bug-ridden technologies in a single appliance and calling it “unified.” That’s like putting all your horse crap, cow crap, and pig crap in one pile and calling it “unified crap delivery.” It’s still crap.

I don’t care if Cisco will throw in a Sourcefire appliance when we buy 30 Cisco switches. We don’t like Cisco switches, we don’t like Cisco routers, so the grand vision doesn’t mean squat to us. What does mean squat is continuing to innovate that the speed of attackers, which is not something Cisco (or any other massive, bloated company) has been, or ever will be good at.

If you want to know what Sourcefire will look like in 5 years, look at IronPort.

By chort

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.