
Cisco To Acquire Sourcefire For $2.7 Billion

timothy posted about 9 months ago | from the billions-with-a-b dept.

Businesses 38

Orome1 writes "Cisco will acquire Sourcefire, a provider of intelligent cybersecurity solutions. Under the terms of the agreement, Cisco will pay $76 per share in cash in exchange for each share of Sourcefire and assume outstanding equity awards for an aggregate purchase price of approximately $2.7 billion, including retention-based incentives. The acquisition has been approved by the board of directors of each company. Once the transaction closes, Cisco will include Sourcefire into its guidance going forward. Prior to the close, Cisco and Sourcefire will continue to operate as separate companies."


38 comments

Time to fork Snort (2)

sl4shd0rk (755837) | about 9 months ago | (#44360565)

Hope most of it is under GPL.

Re:Time to fork Snort (0)

Anonymous Coward | about 9 months ago | (#44360987)

I don't think this is necessary. You have almost all features available and more advanced ones in Suricata: http://www.suricata-ids.org/

What Sourcefire Currently Does (3, Informative)

billstewart (78916) | about 9 months ago | (#44362175)

Disclaimer: At $DAYJOB, I work on managed security services using Sourcefire, but this is my own personal commentary, not that of my employer.

Sourcefire's primary product line takes Snort, wraps it in hardware appliances, and adds a lot of management tools that you can use in an enterprise or managed services environment. This past year, they've added a firewall capability to compete with Palo Alto* and the UTM vendors like Fortinet - in addition to basic firewall support they've got application identification, so you can do things like allow users to read Facebook but block Facebook games, and you can also do things like URL censorship and known-bad-site blacklisting. They've also been buying up other companies like ClamAV and Immunet, so they've got feeds of malware site identification, and are starting to integrate that with the firewall/IDS as well as continuing the host-based versions.

Cisco's IDS/IPS offers have been pretty lame the past few years, but they've got decent firewalls, so we'll see how those product lines play against each other. (I don't know what Cisco's doing in Anti-virus and cloud malware detection these days.)

Sourcefire's hardware at the low end is basically Linux box appliances, and at the high end they're doing a bunch of hardware acceleration. Their largest single box will handle 10 Gbps of inspection, and they can cluster up to four of those to support 40 Gbps. There's not much competition up at the high end - McAfee may have come out with a 10 Gbps follower to their previous 5 Gbps box, and Juniper has some boxes that are bigger but are mainly firewalls with some limited IPS capability. If you've got existing Snort on Linux, Sourcefire does also sell connection tools to integrate with their management systems.

*The term "Next Generation Firewall" means "whatever Palo Alto's marketing says it means", but is at least firewall plus application identification. I've heard that Cisco tried to buy Palo Alto last year.

"provider of intelligent cybersecurity solutions" (1)

Joining Yet Again (2992179) | about 9 months ago | (#44360605)

Obviously this is a press release for Sourcefire, so... what are people's real-world experience with Snort? Have you used it successfully to block attacks?

Re:"provider of intelligent cybersecurity solution (0)

Anonymous Coward | about 9 months ago | (#44360643)

yes, it works as well as the rules you give it.

Re:"provider of intelligent cybersecurity solution (2)

afidel (530433) | about 9 months ago | (#44360667)

Snort is an IDS, not an IPS; in the role of an IDS it is VERY good (probably the best out there), though with the Sourcefire modules it can be a bit annoying because it's hard to tell what exactly might be a false positive (with the community modules you can tell exactly what the rule is doing so you can tell if it's tripping on legitimate traffic). It does take some care and feeding; luckily we outsource that job to a local group that does nothing but security monitoring and management, so we didn't have to develop the expertise in-house.

Re:"provider of intelligent cybersecurity solution (0)

Anonymous Coward | about 9 months ago | (#44360743)

Snort quickly becomes an IPS with the addition of SNORTSAM.

Re:"provider of intelligent cybersecurity solution (0)

Anonymous Coward | about 9 months ago | (#44363277)

Or simply make the rules drop instead of alert.

Re:"provider of intelligent cybersecurity solution (2)

Notabadguy (961343) | about 9 months ago | (#44360809)

Yes...Snort is an IDS, not an IPS.

Log Snort through Ethereal, or another network protocol analyzer of your choice, and you've just created a free version of what all these companies want to sell you.

Re:"provider of intelligent cybersecurity solution (1)

Anonymous Coward | about 9 months ago | (#44361421)

Snort can be used as an IPS, and Sourcefire IS an IPS. Also, to the guy below saying "Log snort, do some analysis, and you get what companies charge you for", you are completely ignorant. Sourcefire has a proprietary and useful GUI to manage multiple sites and tons of sensors. Sensors that can handle 40Gb/s of traffic. No biggie.

I'm running Snort as an IPS through pfSense at my home.

Re:"provider of intelligent cybersecurity solution (2)

Drakonblayde (871676) | about 9 months ago | (#44360695)

There are a number of security companies, including one of Dell's acquired business units, that sell security appliances that are basically snort boxes. So yes, Snort is pretty widely used and deployed and not just messed around with by open source enthusiasts.

Personally, given Cisco's (mis)management of acquired companies in the past, and the inability of their business units to actually work together, I just lost all interest in Snort, unless someone forks it and manages to keep it up to the snuff that Sourcefire has. In the meantime, I'll be giving Bro IDS a very strong look.

Re:"provider of intelligent cybersecurity solution (0)

Anonymous Coward | about 9 months ago | (#44361509)

Take a look at Suricata. Built from the ground up, fully supports Snort rules and alerts, barnyard, pulledpork, etc. But it has a TON of cool features (like file carving, Lua support, certificate logging, etc).

In fact I would suggest looking at the Security Onion distro since it has bro, snort, suricata, ELSA, and a bunch of other stuff all combined. VERY cool.

Re:"provider of intelligent cybersecurity solution (1)

aztracker1 (702135) | about 9 months ago | (#44362357)

It's very difficult to take an AC's software suggestion seriously. This is the second mention of Suricata by an AC in the comments so far, and pretty high up. It does look interesting though.

Re:"provider of intelligent cybersecurity solution (1)

Anonymous Coward | about 9 months ago | (#44361063)

Snort is a great piece of technology considering its origin and when used in the right environment. That said, and having years of first hand experience with it, there are definite "cons".

First, and as others have pointed out, Snort is an IDS not an IPS. This isn't necessarily a negative, but it's an important distinction. Snort tells you that something bad has happened. It doesn't prevent bad things from happening.

Snort is a giant PITA in a large enterprise environment. It will scale, but it takes a LOT of work to do so and it is still somewhat limited.

Snort rules are cool. Everyone knows how to write them and they are a de facto standard in the industry. Even the big players generally let you write Snort rules on their boxes. That said, Snort is VERY rules-heavy. A good for instance: we have two IDS vendors in one of our larger (60K+ users) installations. One of those is Snort, the other is McAfee. I'd say a good average in terms of rules to catch is 25:1. I see similar circumstances at other locations with other vendors vs. Snort. Snort just requires a hell of a lot of rules to do its job and EVERY DAMN TIME the slightest thing changes with the exploit or vuln...new rule. Snort doesn't do analytics, but simply watches for rule matches. 10 years ago this was great, but it's past its prime.

This last bit is what really puzzles me about the Cisco acquisition. Snort is strong in the SMB market and certainly has ubiquity, but it's on the downward trend unless SourceFire does something quick in order to play catch-up in terms of their technology. Writing and maintaining 40K rules is just stupid and takes a crapload of operations and sustainment staff. Along with those massive rule sets comes a massive increase in false positives unless your guys writing the rules are just unbelievably good (and therefore very costly).

Anyway, my two cents. I use Snort at home, but detest having to use it in an enterprise environment, especially in cases where it is provided as a service (fixed cost) as opposed to t&m (bill per hour).

Re:"provider of intelligent cybersecurity solution (0)

Anonymous Coward | about 8 months ago | (#44364853)

I work in a small vendor supplying, among other things, middlebox deep inspection solutions.

To put it nicely, the IPS market is in a sad state. The whole business of most major players is based on FUD and marketing geared towards CEOs, CFOs and CIOs. Also, it would appear that relatively few security researchers are even interested or knowledgeable enough to torture these products in ways that high-profile criminals probably do. Often the under-the-hood engineering appears to be woefully inadequate if you actually try to fool specifically the middlebox. Products just don't do what they are advertised to do, unless you present them with a bit-perfect attack. Sometimes so bit-perfect that they demand it to have various version strings inserted by security analyst companies to be present. This is advertised as protection! At worst, these products don't even record the fact that a connection has been established, at all.

Another sad part of this story is that Snort is not an extraordinarily soundly engineered IPS, although it's above average. If you don't twist its arm, it's an OK IDS, though. It's definitely better than what Cisco has to offer, which, of course, doesn't say much.

I am aware of only one vendor that seems to have engineered IPS products in the possible scenario of attacker fooling around middleboxes, not just endpoints in order to cover his tracks. This is pretty sad; it wouldn't hurt to have healthy competition of products that truly deliver what marketing materials claim.

I know at some point, PRC used stateless Cisco inspection devices to implement some parts of their great firewall. They were, at least back then, surprisingly easy to fool. But then again, that wasn't actually a security-critical setting.

What is a bit more worrying is that I've seen one nation-level security-critical entity with a huge Snort ruleset of their own, and I know it gives them only some protection, not all that they would hope. The saddest part is that what they have at the moment is probably the best they can get, after over a decade of "mature" market of inspection middleboxes, especially if they need to use Snort signatures. It's also sad that they effectively need to live relying on security through obscurity; if a well-equipped nation knew what to attack inside their network or what signatures they use, their IPS solution could probably be worked around without even leaving a log trace.

There are some signs more engineering, instead of marketing material and poor benchmarking driven products are getting prominence. Snort is not really the worst of them, but high hopes as part of Cisco? I'm quite suspicious of it.

I'm happy about one thing (0)

Anonymous Coward | about 9 months ago | (#44360755)

http://www.sourcefire.com/content/securing-cloud
They secure the cloud! I'm always interested in anything relating to the word cloud. I'm a cloud cowboy! Once I connect to the cloud, I backup all my personal files to the magical cloud. There, my files float around safely and all fluffy like. Who needs personal storage these days when you can give your sensitive data to ....... someone else!
Oh, yea!

Re:I'm happy about one thing (2)

TTL0 (546351) | about 9 months ago | (#44361227)

Plus they provide "Agile Security". Ever get the feeling that Cisco is buying buzzwords and not a working product?

Re:I'm happy about one thing (0)

Anonymous Coward | about 9 months ago | (#44361517)

Marketing doesn't necessarily reflect engineering quality.

just in time (1)

slashmydots (2189826) | about 9 months ago | (#44360797)

Wow, that's just in time to still get crushed on price and service level by Fortinet.

Re:just in time (0)

Anonymous Coward | about 9 months ago | (#44361313)

My experience with Fortinet (which we had a very large installation of and ended up replacing) is that it doesn't even begin to live up to its advertised performance numbers outside of a very controlled environment. I'm not a huge fan of SourceFire, but I don't think Fortinet is really much in the way of competition.

Re:just in time (0)

Anonymous Coward | about 9 months ago | (#44369877)

Is AC a troll from a competing vendor or an actual customer?
I'll go ahead and disclaim right away that I am a Fortinet employee.

Fortinet UTM specifications are on a per-feature basis usually, and because of stateful firewall hardware acceleration, there is an observable discrepancy between the base firewall specs. Wrap it however you want, FPGAs/ASICs are not available today to fully accelerate the much more complex analysis required for antivirus engines, but are quite adequate for the simple task of caching firewall stateful decision entries, or streaming symmetric cryptography protocols like those used for IPSEC. Thus the much different specs for pure firewalling and IPSEC capabilities.

That said, Fortinet does offer substantial performance for FW+IPS capabilities, to the tune of about 8Gbps of real world throughput on a 3240C (a roughly 60k list unit). I will venture that the matching Sourcefire box, an 8140 model, sits in the vicinity of 120k and is very much a pure play IPS product.

As stated above, AV is one of the more complex analyses to be doing on traffic. Competing vendors that offer very high speed AV haven't done so because of the incorporation of quantum computing capabilities in their platforms, last I heard. They simply perform a much weaker malware inspection which consists of matching the file's hash. This can typically be implemented by an IPS engine with traffic flowing through the unit, will typically run at the advertised IPS performance AND will be prone to being fooled the moment the file's "hash" no longer matches the inspection engine's signatures. With the number of new malware variants out on a daily basis along with code polymorphism, this is probably the worst possible method of malware inspection available today, but it's fast and doesn't hurt your datasheet as much as a full out, secure AV engine.
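The hash-matching limitation described in the comment above, as an added example that is not part of the original thread: a whole-file hash blocklist is compared with a simple byte-pattern scan over constructed, harmless sample data. The sample bytes, the marker and the signature name `Demo.Marker` are assumptions made up for this illustration.

```python
import hashlib

# Constructed, harmless stand-in for a "known-bad" file (not real malware).
MARKER = b"DEMO_MARKER_7f3a"
KNOWN_SAMPLE = b"MZ\x90\x00" + b"constructed-demo-body:" + MARKER + b"\x00" * 32


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Inspection style 1: blocklist of whole-file hashes.
HASH_BLOCKLIST = {sha256_hex(KNOWN_SAMPLE)}

# Inspection style 2: byte patterns searched inside the content
# (hypothetical signature name, constructed pattern).
BYTE_SIGNATURES = {"Demo.Marker": MARKER}


def hash_verdict(data: bytes) -> bool:
    """True only if the file is byte-for-byte identical to a listed sample."""
    return sha256_hex(data) in HASH_BLOCKLIST


def content_verdict(data: bytes) -> list:
    """Names of all byte signatures found anywhere in the content."""
    return sorted(name for name, pat in BYTE_SIGNATURES.items() if pat in data)


def make_variants(sample: bytes, count: int) -> list:
    """Constructed variants: same body, one differing trailing byte each."""
    return [sample + bytes([i]) for i in range(1, count + 1)]


def detection_rates(files: list) -> dict:
    """Fraction of files flagged by each inspection style."""
    total = len(files)
    return {
        "hash": sum(hash_verdict(f) for f in files) / total,
        "content": sum(bool(content_verdict(f)) for f in files) / total,
    }


if __name__ == "__main__":
    variants = make_variants(KNOWN_SAMPLE, 5)
    print("original:", hash_verdict(KNOWN_SAMPLE), content_verdict(KNOWN_SAMPLE))
    print("variants:", detection_rates(variants))
```

The byte-pattern scan here is itself only a simple check; it stands in for any inspection that looks at content rather than at the file's identity.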

Fork ClamAV...PLEASE! (0)

Anonymous Coward | about 9 months ago | (#44360933)

Fork ClamAV...PLEASE!

Re:Fork ClamAV...PLEASE! (1)

Ilgaz (86384) | about 9 months ago | (#44361053)

Fork ClamAV...PLEASE!

I bet everyone hopes ClamAV will become what it deserves to be, a superior and unbeatable security solution with the financial/professional support of Cisco.

Oh, SourceFIRE (1)

SailorSpork (1080153) | about 9 months ago | (#44361233)

Did anyone else read "Sourceforge" and start to worry about everyone's (1st/2nd/3rd) favorite code repository?

Re:Oh, SourceFIRE (0)

Anonymous Coward | about 9 months ago | (#44366997)

No. Moron.

so lemme get this straight... (1)

Anonymous Coward | about 9 months ago | (#44361417)

Martin Roesch becomes a billionaire, cisco pays him what he is worth, snort gets forked, sourcefire becomes an evil tool with vendor lockin, and open source alternatives to the sourcefire tools go into serious development. cisco gets the less tech savvy enterprises that were trashing their products for sourcefire to keep paying cisco, and the rest just save money by using snort with the new tools to compete with the proprietary/commercial tools at cisco. sounds good to me.

Martin, you would have made more money if you stayed in the game, but somewhere between a million and a billion or so money is meaningless. you inspire us all.

Re:so lemme get this straight... (1)

xmas2003 (739875) | about 8 months ago | (#44366327)

I used Snort quite a few years ago when Marty was just starting to commercialize it. Great product back then (I'm sure now) and Marty put a TON of time into it ... so I say he deserves every penny for all the hard work that he has done.

Bad news for SourceFire customers (0)

Anonymous Coward | about 9 months ago | (#44361691)

SourceFire has amazing customer support and products. Both the SourceFire IPS (yes, actual inline Intrusion Prevention) and the FireAMP endpoint agents have helped us identify and contain several 0day outbreaks. However, as a present customer of both SourceFire and Cisco, I am deeply troubled by this news and what it means for customer support, product innovation, and costs.

NETBSD? (0)

Anonymous Coward | about 9 months ago | (#44361761)

Horndog: cat $ grep "puss" >psy.txt
Sic Grep | LPT1
Feinstein: ...---... detel ym reason /.: agentd Microsoft advapapalopasnipper.exe P40M key
Tra La La La La La La Tra La La La La La La

7 SECONDS UNIX BBS

2nd or is it 3rd time lucky? Good luck! (0)

Anonymous Coward | about 9 months ago | (#44362121)

In 1998 Cisco entered the "hot" intrusion detection market by buying WheelGroup and their NetSonar product. Seemingly unable or unwilling to understand/develop the product, it was finally killed in 2003, by which time Cisco had put some (not very good) IDS technology into their own core products.

Largely an irrelevance in the IDS world up until today.... they just decided to have another go at it..

"Cisco Systems Inc. said today it will acquire IDS, IPS and anti-malware specialist Sourcefire Inc. for $2.7 billion."

Cisco are NOT going to merge with Sourcefire, but this time around say they will leave it as a separate business unit, perhaps it will work better for them than NetSonar in 1998, perhaps it won't wither and die.

Incredible that Cisco could not successfully grow such capability in-house. Just goes to show that large companies can't achieve much!

Re:2nd or is it 3rd time lucky? Good luck! (1)

Lord Kestrel (91395) | about 9 months ago | (#44363265)

In 1998 Cisco entered the "hot" intrusion detection market by buying WheelGroup and their NetSonar product. Seemingly unable or unwilling to understand/develop the product, it was finally killed in 2003, by which time Cisco had put some (not very good) IDS technology into their own core products.

Largely an irrelevance in the IDS world up until today.... they just decided to have another go at it..

"Cisco Systems Inc. said today it will acquire IDS, IPS and anti-malware specialist Sourcefire Inc. for $2.7 billion."

Cisco are NOT going to merge with Sourcefire, but this time around say they will leave it as a separate business unit, perhaps it will work better for them than NetSonar in 1998, perhaps it won't wither and die.

Incredible that Cisco could not successfully grow such capability in-house. Just goes to show that large companies can't achieve much!

It's pretty simple, Cisco is notorious for writing spectacularly shitty software, especially anything security related. They make decent enough hardware, but their software is atrocious.

So, they just periodically buy up vendors who have fairly good software in the market they want, and use it. Generally after a few revisions it turns into the same Cisco shitpile as their own home-grown stuff, but that's when they decide to go buy someone else.

Wave goodbye to the Sourcefire you knew until now (1)

John Saffran (1763678) | about 9 months ago | (#44367749)

It seems that specialised IDS/IPS vendors that get bought up by generalised players dramatically drop off in quality soon after. The generalised players just don't look after their new acquisitions as well as they ran themselves when they were independent.

It happened with ISS when IBM bought them and happened with Tipping Point when HP bought them.

Given Cisco's track record I have little faith that Sourcefire will be as good as it was.