
CTO reflects on 20 years of innovation and change at Barracuda
Last month, I joined our colleagues, partners, and friends in a global celebration of Barracuda’s 20-year anniversary. It’s been so refreshing to see the collective pride in the journey that’s behind us and the remarkable enthusiasm for what lies ahead. We started protecting customers with our Barracuda Spam Firewall, which was an appliance designed to operate in a client’s ‘back room’ or datacenter. Today we defend customers with a complete cybersecurity platform and the most comprehensive protection in the industry. We’ve moved from product to portfolio, on-premises to cloud-first.
Barracuda is certainly not the only tech vendor that has changed. In the early 2000s, Cisco only had four revenue groups, and two of them were routers and switches. Microsoft was phasing out BackOffice Server and launching Active Directory. Google started selling ads, and Amazon started selling more than just books. Barracuda isn’t the only one that looks different today than it did in 2003. But in an industry full of disruption and transformation, it’s comforting to reflect on those things that have stayed the same.
Solving problems
When Barracuda Spam Firewall hit the market, email spam had already become an epidemic. Without firewalls and filtering, spam messages easily outnumbered legitimate emails. And although these spam messages weren’t very sophisticated, they certainly weren’t harmless. Many were phishing attacks like we see today, designed to steal user credentials and business data. But many others were flooding communications with sales pitches for sketchy merchandise or offensive messages like ethnic slurs. Spam was also a big problem for Internet service providers (ISPs), which had to process and route digital junk to millions of recipients.
Opportunities for malicious spam and other types of cybercrime have exploded over the last 20 years. Ransomware, nation-state attacks, cybercrime-as-a-service, advanced persistent threats (APTs), AI-enabled phishing … all of these came of age after we launched the Barracuda Spam Firewall. Our email security evolved with these attacks, meeting them head-on wherever they appear. We’ve done this by focusing on customer needs and staying close to the threat landscape and attack vectors. Barracuda supports the customer’s business mission by protecting productivity, bandwidth, users, and data. We solve our customers’ problems, just like we did 20 years ago. Our commitment to the customer has never changed.
Identity is everything
Digital identity is said to have been born at the Massachusetts Institute of Technology (MIT) in the mid-1960s when researchers started password-protecting files. These MIT researchers were among the first to say that their system had its flaws, yet this type of credentialing grew exponentially over the following decades. Password-based credentials are still the most common type of identity verification in use today.
Identity is a cornerstone of cybersecurity, whether you’re dealing with one password-protected file or a perimeterless network protected by zero trust access and multi-factor authentication. Identity is truly everything, so much so that it spawned its own multi-billion-dollar industry. A recent analysis predicts the Identity Access Management (IAM) market will grow from $17.14 billion in 2022 to almost $40.87 billion by 2029.
We can illustrate the importance of identity this way – our first Barracuda Spam Firewall verified the identities of email senders, recipients, and account holders. Where the message went and who could read it depended on identity, which was usually proven with a username and password combination. Our current cybersecurity platform performs continuous verification on every network request and may combine login credentials with contextual data like user location, user device, and time of day. These identity verification systems are advanced enough that we no longer need to protect our resources behind a network firewall. Users can access cloud workloads, SaaS applications, remote Operational Technology (OT) devices, and more, without a firewall to process security policies. Edge computing is made possible by the advancements in identity.
Using the enemy’s arrows
There is great wisdom in martial arts and tales of ancient warfare. One of the most enduring lessons comes from the story of General Zhuge Liang, who tricked his enemy into firing thousands of arrows into dummy soldiers made of palm leaves. These arrows were retrieved by the general and used against his enemy in the following battle. It’s a brilliant illustration of using your enemy’s strength against him.
Cybercriminals interfere with public safety, hold our critical assets for ransom, steal our research, and spy on our military. It isn’t hyperbole to say we are at war against an enemy that never sleeps. Threat actors are agile and motivated, and they’re always developing new weapons. The tale of General Zhuge Liang teaches us to understand our adversary, be proactive, and use our enemy's tactics to our advantage. For example:
- Our security awareness training uses samples from real attacks that we’ve caught in our systems. With consistent input of these attacks into our threat intelligence systems, we’re able to train customers to defend themselves against the most current attacks.
- Our Security Operations Center (SOC) uses the data collected from forensic observation to build models that help us predict, identify, and respond to threats we haven’t seen yet. With these models we can also respond to known threats more quickly because the model helps us catch the attack earlier in the process.
- Attacks like Heartbleed and Log4J have shown that developers have to integrate security into the entire software development lifecycle. The growth of application security solutions is a direct result of attackers looking for vulnerabilities in every piece of an application. Everything from the user interface to the smallest building block is under attack. What we learn from these attacks is used to improve our own solutions and increase the knowledge and effectiveness of the entire cybersecurity industry.
Observable attack behavior allows us to build a resilient defense and turn their strengths into our own.
Be like water
It’s an understatement to say that Bruce Lee has profoundly impacted my life. His Jeet Kune Do martial arts philosophy is based largely on his principles around strength, formlessness, and detachment. This is best articulated by his famous quote:
"Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot, it becomes the teapot. Now, water can flow or it can crash. Be water, my friend."
People can interpret this differently, but what I take from this is that you cannot be trapped in a certain mindset. Water is formless and adaptable, and it cannot be harmed by the strike of a hand or foot. Lee wanted to become like the nature of water, and he felt this was possible through the art of detachment. In short, he trained himself to reject the limitations of rigid thoughts and discard practices that were of no use.
While this has been important to me personally, it’s also a ‘north star’ when it comes to being a successful security provider. For example, look to Barracuda’s journey from portfolio to platform, or from datacenter appliances to SaaS and cloud-native solutions. Cybersecurity is no longer just a defensive process. Effective security requires both a defense and an offense that employs active threat hunting and rapid incident response. Resiliency is baked into our solutions because we know that attacks are no longer a matter of ‘if’ but ‘when.’ All this transformation was possible because we view ourselves as formless. We stay close to the threat. If the threat is in the cloud, we become the cloud.
Another example of the ‘be like water’ principle can be found in the signal sharing throughout the broader security community. Signal sharing is the practice of publishing threat intelligence found through research, incident investigations, surveillance, and so on. Barracuda and other security vendors participate in signal sharing because this elevates everyone’s ability to defend against threats. The benefit of collective intelligence is greater than the business risk of sharing data with potential competitors.
Vendors are also increasing their interoperability with other solutions. The security vendors are working together to create solutions that speak the same language so that mixed environments can better produce actionable signals and cover the entire MITRE framework. This is a significant shift for security vendors, but again we can look to the nature of water. If a community is needed, we become the community.
Bruce Lee’s Jeet Kune Do is also known as “The Way of the Intercepting Fist.” Lee’s style was based on delivering maximum power at lightning-fast speed. The martial artist should be able to intercept attacks with an effective defense and quick retaliation. Barracuda teams strive to deliver solutions that operate this way within the realm of security and data protection.
The Barracuda story started 20 years ago, and we’re still in our early chapters. I’m proud to be part of this story, and I hope you’ll follow along as we continue our journey of innovation and growth.
