[ISN] Sourcefire Turns Failed Deal Into an Opportunity

From: InfoSec News (isn@private)
Date: Mon May 29 2006 - 22:07:25 PDT


By Dina ElBoghdady
Washington Post Staff Writer
May 30, 2006

Network security firm Sourcefire Inc. enthusiastically agreed to sell
itself for $225 million in October, watched the deal crumble in March,
then immediately began searching for new investors -- and found them.

Not many companies bounce back after an attention-grabbing deal fails.  
But Columbia-based Sourcefire has secured $20 million in late-stage
funding, announced its first-ever cash-flow positive quarter and
started preparing to go public since its proposed sale to Check Point
Software Technologies Ltd. fell through.

Check Point, of Ramat Gan, Israel, and Sourcefire agreed to withdraw
the deal after a federal panel, the Committee on Foreign Investment in
the United States, expressed concerns about the transaction's national
security implications. Sourcefire makes software that protects against
hackers and sells it to U.S. intelligence agencies and some of the
country's largest companies, such as Lockheed Martin Corp. The
companies and the federal panel declined to discuss details of the
investigation or why the deal was scuttled.

While the deal's collapse was disappointing, it may turn out to be
fortuitous, said Wayne Jackson, Sourcefire's chief executive. As the
investigation into the sale dragged on, Sourcefire's revenue kept
increasing, and presumably so did its value.

"By the end of it, we felt we were leaving quite a bit of money on the
table," said Jackson, who joined Sourcefire in 2002, about two years
after selling his firm Riverbed Technologies Inc. to Aether Systems
Inc. for $1 billion. "The company's value changed quite a bit during
that time, and we started to see a lot of additional potential in the
company as a stand-alone entity."

Sourcefire does not disclose its revenue or income, except to say that
the company is profitable and that its sales in 2005 rose 68 percent
from the previous year. Analysts estimate that the company had $35
million in revenue in 2005 and that its list of customers keeps

For all those reasons, Meritech Capital Partners of Palo Alto, Calif.,
led the most recent round of financing, which injected the largest
one-time infusion of capital into Sourcefire since it was founded in

"We've looked at dozens of security companies out there, and this is
one of two or three that we've decided to invest in," said Mike
Gordon, Meritech's managing director. "In this sector, it's very hard
to get beyond a few initial customers and develop momentum, and
Sourcefire has developed that momentum."

The company has raised $53.7 million and still has about half of that
in cash, Jackson said.

Sourcefire is the creation of Martin Roesch, who invented the coding
program Snort in 1998 in his home in Eldersburg, Md., while juggling a
day job as a software engineer. Roesch posted Snort, which "sniffs"  
packets of data to detect signs of network intrusion, on the Internet.

Snort is an open-source program, meaning anyone can download it free,
modify it, copy it or resell it.

While allowing anyone to inspect and manipulate network security
software may sound counterintuitive, it's not, said Scott Crawford, a
senior analyst at Enterprise Management Associates, an
information-industry research firm in Boulder, Colo.

"One of the security virtues of open source is it's open to
everybody's scrutiny," Crawford said. "You can look at every line of
code, and in that sense, it's inherently more trustworthy. If there's
a weakness that exists, it's more probable that someone will catch it
because so many eyes are looking at it."

Anyone who uses Snort for commercial purposes must publish changes
made to the software or to any software they create that links to
Snort, said Roesch, who is Sourcefire's chief technology officer.

It's an honor system, he said, but ignoring the rules "results in the
technology equivalent of accounting fraud. Someone figures it out and
blows the whistle on you and everyone who writes open-source software
basically blacklists you."

So how does a firm that offers its wares free make money?

By enhancing its offering.

The free Snort basically inspects traffic for potential threats to a
network, but the money-making Snort adds to the technology by enabling
it to make decisions about the flow of traffic and block attacks in
networks on a global scale. Those added features, particularly the
prevention aspects, are what companies and intelligence agencies find

"It's one thing to give away the engine for free, and it's another
thing to build the car," Jackson said. "We make the whole car and make
it robust and fail-proof."

Most of the company's money comes from ready-to-use hardware loaded
with Snort programs that sell for $6,000 to $125,000, depending on the
rate of traffic it is capable of inspecting. The equipment fits
directly into the customers' network. More money comes from
distributing updates of Snort's detection rules in advance of their
release on the Internet.

Greg Young, an analyst at information-technology research firm Gartner
Inc., said the real value of open-source Snort is that it gives
Sourcefire greater foot-in-the door recognition for selling the
souped-up commercial product.

"There's a mistaken perception that Check Point was buying Sourcefire
for open-source Snort," Young said. But they were really buying them
for the intellectual property they have around the commercial product,
he said.

 2006 The Washington Post Company

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Mon May 29 2006 - 22:26:37 PDT