Sourcefire 101 Overview

For those not following recent technology news, Cisco just acquired Sourcefire for 2.7 billion dollars. This has generated a ton of interest in Sourcefire and something I’ve been hammered on the last few weeks being a Cisco engineer responsible for security. As a result, I’m posting a summary of what Sourcefire is all about.

NOTE: Expect changes as Cisco and Sourcefire merge. Also assume I may be off on some areas as I’m still learning the technology. 

 Sourcefire from a high-level focuses on three stages of a cyber attack. Those stages are BEFORE, DURING and AFTER. Before means defending against common attacks such as compromised websites hosting malware, outsiders attempting to breach your network and so on. Typically this falls into the network based defense category such as Firewalls and IDS/IPS.

The DURING stage is identifying and stopping real time attacks meaning scanning for signatures, malicious behavior and other triggers to catch and stop a attack in progress. This stage falls between network and host as attacks can hit both areas.

The AFTER stage is focusing on what to do once systems are compromised. This includes identifying who is compromised and what to do to remediate those systems. This typically is addressed by endpoint vendors however some network products can look for phone-home communication from endpoints to identify which systems are compromised post attack.

To address these three stages, Sourcefire offers a physical or virtual appliance known as firePOWER with various additional features that can be purchased, an host based product called fireAMP sold as subscription license per host and network intelligence feed mixed with centralized management known as fireSIGHT to bring everything together.

Sourcefire’s history started with free open source IPS and now is a multi-feature security offering as shown above. There are three major open source projects known as Snort (IPS), Clam AV (anti-virus) and Razerback (Anti-malware).  The value of these projects is tons of security data that is used with other research sources that make up the Collective Security Intelligence included with Sourcefire’s commercial grade products.

firePOWER is Sourcefire’s virtual or physical appliance that can be licensed to act as a next generation firewall, IPS and Malware protection solution. The licensing works by purchasing the core appliance as a next generation IPS. For an additional license cost, Firewall features are included. To add URL context and malware protection, annual subscription licenses are purchased.  A fully licensed firePOWER appliance can provide user level application and traffic visibility, identify and stop advanced threats both from a network and user view and work with fireAMP to remediate compromised systems.

fireAMP has a network appliance and endpoint application. For the network component, fireAMP can be an existing firePOWER appliance or a separate dedicated fireAMP appliance. Host licenses are purchased in bundles. Today, most forms of Windows and Android mobile platforms are supported. fireAMP offers the ability to check and remediate end-users systems for threats. This includes how end user devices communicate when compromised,  how malware hides in systems and methods to not only remove compromised files but also identify who “patient zero” is meaning where the infection started. Basically, fireAMP provides continuous host file forensics with remediation. Combine this with firePOWER and you have tools to prevent identify and remediate advanced cyber threats.

In summary, Sourcefire is the combination of threat intelligence from research and open source products, virtual and physical next generation Firewall, IPS and malware features paired with a host security product to give protect during the entire lifecycle of a cyber attack. Sourcefire is NOT the silver bullet green blinky light solution to solve all security issues however this approach can reduce your risk of compromise. It should be very interesting to see how Cisco and Sourcefire blend their approaches of security into future generations of security products.