What is most valuable?
Having experienced the frustrations of poorly designed/executed interfaces first-hand, one of the most valuable features for me is the graceful, responsive, and compatible web-UI. It works well across all browsers that I’ve tried, and even on mobile browsers. The snort engine, which is the muscle behind the Sourcefire IPS technology, has always been a joy for me to work with. I have almost 10 years of experience with snort and the power, customization, and ease-of-use has yet to be replicated. Lastly, I find great value in the context-sharing behavior across technologies with Sourcefire. Each active technology on the sensor enjoys access to the context of the others, and this has the great benefit of increasing accuracy and efficacy of automated response functions.
How has it helped my organization?
The network host/user/application visibility gained by leveraging FireSIGHT have produced collateral benefits that are time/money saving. The helpdesk uses this information often to troubleshoot issues rather than having to set up and configure WireShark or configuring an access-list to log specific traffic. The system gleans so much information from network traffic that it can simultaneously act as an organization’s SIEM and IPAM while performing role its purposed role of comprehensive threat defense.
What needs improvement?
I’d personally like to see some additional customization capabilities in the reporting section. This is already extremely customizable, more so than most other technologies, but specifically regarding formatting I think there is opportunity for improvement.
For how long have I used the solution?
I started using Sourcefire technologies in early 2013 – upon the change in ownership my focus on this technology group was increased significantly. I’ve worked with Sourcefire products and technologies both before and after they were acquired by Cisco Systems. When I first started working with FirePOWER it was on version 5.2, and the earliest version of FireAMP for Endpoints for me was v4.4. Sourcefire has had many options regarding platform/chassis. I’ve personally deployed all defense center variations except for the DC4500, all 3D sensor variations as well as all AMP sensor variations. Additionally, I’ve deployed the virtual defense center and 3D sensor appliances.
What was my experience with deployment of the solution?
I’ve deployed a lot of these products, and I’ve come across just one technology-related complication; if the sensor is not shut down gracefully there is a chance that the ‘sftunnel’ function, which secures communications between the sensor and the defense center, may become corrupt and require expert-user intervention/support. This has happened to me just twice across in over 80 deployments. I suppose I could take better care to gracefully shut down the sensor each time to alleviate the condition entirely. Any other complications have been the result of my configuration and/or typographical error.
What do I think about the stability of the solution?
I have never encountered any stability issues, I do always ensure that my sensors’ inline-pairs have configurable bypass modules – this ensures that if the sensor were to fail entirely my traffic will still flow through the inline appliance.
What do I think about the scalability of the solution?
How are customer service and technical support?
Unless you work with Cisco directly, it all depends on the Cisco partner you’re working with. My experiences have been great thus far. Technical Support
Old-school Sourcefire technical support was unbelievably excellent – an absolute pleasure to work with them every time. The technical support has since moved to Cisco TAC, which is hit or miss regarding the proficiency of the engineer you get – with taking advantage of the available case escalation in those instances I would rate the current technical support as 7/10.
Which solution did I use previously and why did I switch?
I’ve previously worked with and deployed Checkpoint, Juniper, and Palo Alto security technologies. The switch was due to the empirical track record. Sourcefire has a much lower security-incident rate than the others, especially Palo Alto which has been the primary security technology in many of the recent high-profile breaches.
How was the initial setup?
It was very straight-forward, though my level of focus on security technologies affords me the time necessary for sufficient preparation.
What about the implementation team?
The deployments I’ve completed have been both in-house and as the vendor team for our clients. My level of expertise would have to be rated by those clients.
What was our ROI?
ROI is extremely difficult to estimate in the network security world – you can see that your security posture is preventing threats from succeeding but what you cannot see is what the threat’s end-game is if it were to succeed in the initial intrusion/exploit. So for any given successful threat defense, I could have prevented defacement of my web-interface or I could’ve prevented the large-scale loss of digital property. Given the collateral benefits that Sourcefire provides, such as being a very efficient tool for our helpdesk as previously mentioned, the ROI is often much better than originally anticipated.
What's my experience with pricing, setup cost, and licensing?
Difficult to answer due to the large number of deployments.
Which other solutions did I evaluate?
Certainly, I’ve evaluated
- Palo Alto firewalls
I've also looked at the follow NG solutions (FW, IPS, AVC, URL, Malware Protection).
What other advice do I have?
Start with the end in mind – prepare for your implementation and have a plan for reacting to complications or failure. Also, position your sensors strategically to get the most comprehensive visibility in your environment; if you cannot see it you cannot defend it.