Barracuda CTO dives into cyber depths with strategic defence

Image courtesy of Barracuda Networks.

In the fight against malicious actors, nothing can be left to chance. Enterprises can’t afford to be caught off-guard.

However, not every business can afford to adopt numerous products to solve every gap in their cyber defence. How then to address evolving cyberthreats and rising operational costs? 

Fleming Shi, Chief Technology Officer of Barracuda Networks, shared with Frontier Enterprise their company’s playbook for an effective security design amid growing complexities.

With threats like HTML attacks and SQL injections still in the picture, and artificial intelligence coming into play, how do medium and large enterprises deal with this increasing cybersecurity complexity?

The complexity is getting much more than what people can handle. When I started at Barracuda in 2003-2004, it was very straightforward. It was either a virus or not a virus. In today’s world, attackers don’t necessarily want to hurt you on first contact. They aim to get you to, unfortunately, spill out the credentials. From there, they escalate their privilege and identify other data they can steal, then come back to you, causing much deeper wounds. It’s like a knife that cuts deeper when scraping through. You’re absolutely right; HTML, PDF, and any document types that people frequently use are their weapons.

There are two points I want to touch on. One is that we’re embracing a common language. There’s an organisation called Open Cybersecurity Schema Framework, or OCSF. Industry leaders like Palo Alto Networks, CrowdStrike, Barracuda, Amazon are involved, allowing us to speak the same language, mapping the activities. Remember the MITRE ATT&CK framework? All those activities can emit information about every step of the attackers’ way. We capture the signals, put them in the same format, and publish them into an environment where basic tools can operate. That’s the first thing: speaking the same language.

The second thing is using tools like XDR. The type of XDR we operate on is called Open XDR, which integrates more than just Barracuda products, but also other vendors including Palo Alto and our competitors, like Mimecast. The point is, we can then help a customer who might already have a lot of existing tools. Using the same language and format of the data, we can do correlation and AI on the data we’re getting. And that’s not generative AI. That’s machine learning, deep learning, using tools like Databricks to build the models that allow us to make inferences quickly.

Generative AI comes in as augmentation, helping tell the story of the data. But behind the scenes, if we speak the same language and use the right tool, which is SOC as a service, the way we sell our XDR is not just selling a tool, because if we sell that tool, someone has to hire people to run it. We run the SOC for the customer through MSP. If you are integrated with Barracuda’s XDR tool, we’re picking the signals, putting them into a data lake, and analysing the data constantly, 24/7, 365. If there’s a signal that shows attacks are happening on the very left of the MITRE ATT&CK framework, we can take action, reducing the chance of a more damaging attack. That’s our SOC as a service with XDR underneath. We sell the service.

Are these MSPs usually telcos or system integrators?

The type of MSPs we work best with are those managing laptops and Microsoft 365 accounts. For instance, if I’m a manufacturer of something, like a robot, or if I’m a dentist or a lawyer, I don’t have the cybersecurity or IT expertise. What I do is get an MSP to help me. Then, Barracuda supports the MSP with SOC as a service with XDR. Therefore, the MSP can translate that benefit to the customer.

While it’s not a good idea to pay criminals after a ransomware attack, we repeatedly see many businesses making the payments. What is your perspective on this dilemma?

In the depths of cyberspace, Fleming Shi, CTO of Barracuda Networks, likens paying ransom to “feeding the beast” of threats. Image created by DALL·E 3.

If it’s a life-threatening environment, like a hospital, you might have to save lives. You can’t just sit there and be stubborn. It’s important to think about what it will take you to do that, but it’s also important to consider that when you pay the ransom, you’re feeding the beast. The beast is going to get bigger and stronger. So, my thinking is, we have to completely change our mindset. We’re in a post-data breach era. Our data is already out there. We have to change the mindset, like the COVID virus is already out there. We need to think about how to recover from a situation like that; instead of constantly blocking and putting a mask on, we have to think about injecting vaccines.

What does that mean? It means you have to have a plan for recovery—a business continuity plan that includes the RTO (recovery time objective) and RPO (recovery point objective). You have to be able to say, “If I put my social security number on my car, I’m not worried.” You have to feel that way, which means you will change your behaviour. This is about your ability to recover, and this is where multi-factor authentication, biometrics, and passwordless technology come in. All that stuff will become part of day-to-day operations. When that happens, we’ll never have to worry about paying ransom, because our mindset has already changed.

There are a lot of companies that don’t cooperate. If the bad guys just need one entry point into the good side, and if the good side is disorganised, how can that be fixed?

To some degree, this happens all the time, like developers wanting to move fast. Meanwhile, CISOs want you to be secure so they’re always blocking developers, always saying no. My point is that you have to get the right tools into developers’ hands and make that regular practice. For example, there are tools out there that utilise the TPM chip on your devices. The Trusted Platform Module is like the DNA of your device. You can marry that together with zero trust, in a sense. If I’m writing code, and that code needs to be checked in from the pull request, I need to sign it with the TPM chip on my device, whether it be on my laptop or desktop.

What that means is the developer can move very quickly, because as long as you’re signing it, the security guys are not in your face. What happens is if something goes wrong, they can trace back to the user, the developer, and the device that was used to write that code. What does that mean? It means you will have not only visibility but also some integrity related to the developer. If we constantly make security mistakes, you don’t have to keep that developer anymore, you get a better one. That credibility and also the ability to visualise what’s happening for the security guys, it’s a game-changer. It reduces friction because he doesn’t have to be in front of the developer and say, “Hey, you can’t get access to this box, and you have to file a ticket for two weeks.” Let them do what they need to do. But again, you’re tracking, you’re auditing, and you have your other components. It’s a way to make zero trust run much smoother. One of the biggest problems with zero trust is MFA constantly popping up like, “Hey, you have to sign in again,” but if you do it with an enclave on a TPM chip, you can do it passwordless.

With what’s currently cooking in your R&D labs, what excites you the most?

One important development is our SecureEdge product, which protects manufacturers. This is partly because of Barracuda’s extensive experience with distributed networks. We’ve combined several products under a single umbrella and interface. We aim to offer the best OT security using our next-gen firewall, now encompassing SD-WAN, firewall as a service, zero-trust network access (ZTNA), secure web gateway (SWG), and adaptive session balancing (ASB). This integration is exciting. Though ASB products exist, our approach is different. We’ve partnered with Microsoft, integrating the SD-WAN component into the Azure backbone. The Barracuda protocol is natively implemented in Azure. When you spin up Virtual1 in Azure using Barracuda protocol, the system automatically configures without needing a separate firewall virtual machine. This approach, which offers improved performance at a lower cost, is an aspect I’m very excited about.

The other thing is related to generative AI and XDR. Natural language queries will make analysts’ jobs so much easier. For instance, I can simply ask, “Give me all the logging entries for Fleming from last week,” and, no matter where I am in Singapore, the data will be delivered to me within a matter of seconds.

One important thing: Generative AI is a deflationary technology, which means it drives prices down. However, many startups are trying to sell you everything like snake oil, saying things like, “Hey, I got generative AI, but guess what, it costs you like a million dollars.” You have to be very careful.

We have worked with Microsoft and OpenAI to make training like this possible. Otherwise, how could I afford training 500,000 times if I’m being charged US$1 for each resolution per call? Many companies use this pricing model. That would cost us US$500,000 per day, which is not doable. We have found a way to achieve this for literally pennies.