Cisco Integrates Sourcefire Advanced Malware Protection Into Web, Email Gateways

Cisco Systems has begun integrating its $2.7 billion Sourcefire acquisition, starting with its S-Series Ironport appliance and also adding advanced threat protection capabilities to its Web, email gateways and its cloud security service. The networking giant also released an update to the Snort intrusion-detection and intrusion-prevention system, pledging continued support for the open-source project.

Cisco, San Jose, Calif., unveiled the integration and the introduction of some new Sourcefire appliances at the RSA Conference 2014 in San Francisco. Sourcefire's advanced malware protection uses file reputation and file sandboxing capabilities to detect malware. The technology can analyze payloads inline as they traverse the network and inspect files using behavioral analysis in a sandbox. It also uses a cloud-based system of connected users to attempt to identify and address attacks before they can spread.

Adding advanced malware protection to Cisco's ASA line is part of the company's strategy to build in an endpoint security component to its broad networking security appliances, said Marty Roesch, founder and CTO of Sourcefire and now vice president and chief architect of Cisco's Security Business Group. Sourcefire has more visibility into files introduced to the environment and Ironport gets better data-mining engines to create an integrated defensive architectures for enterprise environment, Roesch said.

[Related: Sourcefire Partners Pleased, But Cautious On Cisco Acquisition ]

"It builds us a broader footprint and brings advanced malware features into Ironport that they didn't have," Roesch said. "People relying on Ironport to provide antimalware capabilities got a huge boost."

Cisco also rolled out four Sourcefire FirePower appliances that have a 50 percent improved throughput performance over previous models, Roesch said. The 8300 appliance line can be stacked to get up to 120-Gbps throughput, Roesch said.

Cisco added Cognitive Threat Analytics as well, a technology it received from its Cognitive Security acquisition. It uses behavioral modeling and anomaly detection to identify potential malicious activity. The technology is being added on as an option for Cisco Cloud Web Security customers.

Both products will be sold to Cisco customers as an optional license.

Sourcefire and Cisco partners have been watching the two companies come together following the acquisition last July. They told CRN that they were watching how the company deals with some overlapping technologies. Cisco continues to maintain both its Cisco ASA firewalls, which include an IPS, and plans to provide continued support for Sourcefire IPS, which has next-generation firewall capabilities. Roesch said that while both platforms have an intrusion-prevention system, ASA emphasizes next-generation firewall policy rules while Sourcefire focuses more heavily on threat prevention tactics.

Michael Goldstein, president and CEO of LAN Infotech, a Fort Lauderdale, Fla.-based Cisco partner, said the acquisition could reinvigorate Cisco's overall security offerings. Cisco initially was selling to customers because of its brand name and reputation, but another group of customers have recognized that there is perfectly capable networking gear available from competitors that is less expensive, Goldstein said.

"Many people thought Cisco had lost its way, but I thought the Sourcefire acquisition was good, and this looks like the company is executing on its integration strategy in a cool way to improve detection capabilities," Goldstein said.

Questions also remained over whether Sourcefire's active open-source community would continue to be supported. Cisco also unveiled additional support for its Snort open-source intrusion-detection and intrusion-prevention system, adding open-source application identification capabilities that could give users additional application control and the ability to create a next-generation firewall. Open-source application detection and control is enabled by Cisco’s new OpenAppID application-focused detection language. Users can use the language to create, share and implement custom application detection capabilities to thwart threats, Roesch said.

OpenAppID provides detection and reporting capabilities. It uses detectors to identify applications and report on application use.

"Cisco is interested in open source and looking for us to provide some leadership internally to talk about good ways to do open source effectively," Roesch said. "The AppID technology opens a whole new phase of open-source security that hasn't been previously available."

PUBLISHED FEB. 25, 2014