About two years ago the world of network security changed in a big way as hackers learned how to launch mutating attacks. In effect, every new mutation became an evasion, because network security was architected around the recognition of known exploits based on their signatures. Unknown exploits look like innocent traffic.
Sourcefire was founded on a stroke of genius: the idea that a growing community of users and experts could develop signatures for new attacks. That open source security research model spread like wildfire and gave Sourcefire a strategic research and customer acquisition advantage over other network security firms who were burdened with sponsoring global networks of paid researchers.
Sourcefire then focused on developing new product capabilities that helped complement its core open source signature detection capabilities. Yet eventually those capabilities were not enough as the company was stuck between increasingly sophisticated hackers and (increasingly sophisticated) competitors.
As Sourcefire played out its advantage with open source signatures and a growing community of members/customers, competitors started focusing more resources on application layer intrusion detection and prevention, developing more sophisticated means of identifying and blocking attacks. As these companies became more fluent in protocols and vulnerabilities (and the market shifted from deep packet pattern match technology) they eroded Sourcefire’s strategic open source research advantages in signature development.
Oh yeah, the market was also moving away from signature-based detection like a bad habit.
While the larger players still have a long way to go when it comes to having comprehensive fluency and knowledge of data center software vulnerabilities, they had enough to dampen the FIRE. And now FIRE gets taunted with a fishy bid from Barracuda Networks, which I think Rothman was right in denouncing as a PR stunt.
The real story is that Sourcefire has had its competitive advantage eroded by innovation. It now risks becoming a poster child for a simpler era in network security, when hackers were living at home and attacking computers for fame. Those days have passed.
Blue Lane was up against Sourcefire a few months ago, and our customer reported the same old intrusion detection challenges of noise, false alarms, tuning and training. As soon as hackers developed mutating attacks, exploit signatures went from being strategic to tactical, from proactive to reactive and from effective to troublesome. As I blogged last year in "Where’s Waldo Goes Polymorphic" and "Attack of the Mutant Bots", signatures have run their course as an effective means of proactive protection from exploits. Sourcefire has lost its competitive advantage to more innovative hackers and competitors.
Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004. My recently launched personal blog is www.archimedius.net. These are all my opinions, and do not represent the opinions of employers, spouses, kids, etc.