Automated threat response for firewalls: By the time you spot the threat, you’re already protected

In the last 12 months, Barracuda Managed XDR’s automated threat response (ATR) for firewalls prevented thousands of potentially serious attacks against customers.  

It does this by correlating advanced threat intelligence and other tools, such as AI and machine learning to automatically detect, analyze and respond to cybersecurity threats targeting customers firewall infrastructure — in real-time, 24/7/365 with no human input needed. 

Fast and evasive threats

It can take just minutes for attackers to break in and try to establish a foothold in the network, but it can take hours or even days for security teams to detect and respond to an incident, especially if the attackers are using IP links or malware that defenders haven’t encountered before or that isn’t flagged as suspicious. 

Security professionals can’t work round the clock every day, and they may not always have the tools or skills to understand what they’re seeing. At the same time, attackers are investing ever more energy and resources into evading security and hiding among normal, legitimate activity and network traffic.

Automated threat response (ATR) can help organizations to address such challenges.

The guardian at the gate

Barracuda’s firewall ATR detects and captures all inbound and outbound traffic that involves external IPs. It then deduplicates data, checks whether the firewall has already blocked the detected traffic and identifies whether the traffic is inbound or outbound. 

Drawing on an unrivaled threat intelligence database of over 10 billion indicators of compromise, as well as AI and machine learning, Barracuda’s ATR determines the risk scores and threat reputations of the external IPs detected in a customer’s traffic. 

If the reputation and risk score exceed a predefined threshold, ATR immediately blocks the IP on the firewall and notifies the customer within 30 seconds. It’s also possible for Barracuda Managed XDR customers or their service providers to manually block IPs.

Threats countered by Barracuda’s firewall ATR

The common types of security incidents detected through firewall ATR include:

• Remote execution tools and activity, including tools such as PsExec and Mimikatz designed for unauthorized lateral movement or credential theft 

• Suspicious login and access patterns, which flag potentially unauthorized access attempts from IPs with dubious reputations or unusual geographic locations

• Traffic to high-risk destinations, highlighting communication with blocklisted countries or regions known for cybersecurity threats

• High-volume data transfers, which could potentially indicate data exfiltration

• Threat signature and intelligence matches involving the detection of known malicious signatures or interactions with previously identified malicious IPs, as this can signal an ongoing or attempted attack 

The benefits of ATR

ATR delivers a wide range of benefits for customers and their managed service providers.  For example:

• ATR saves time. There is no need for security professionals or their managed service providers to get involved in detecting and blocking suspicious or malicious IPs. This helps streamline the threat response process.

• It shortens the time to response (TTR) by up to 99%. Threats are blocked as they appear, and other response activities are initiated within minutes. 

• It strengthens overall security posture. ATR means that malicious traffic is blocked at the gate, fortifying the first line of defense against potential breaches, significantly reducing the attack surface and creating a safer digital environment. 

Barracuda Managed XDR Network Security supports a wide range of firewall-based detections for automated blocking, seamlessly integrating data from many other vendor products, as well as Barracuda’s own IDS spam-based (port mirroring) detection for high-security signatures.

Conclusion

In a threat landscape characterized by growing complexity, constant evolution and the discovery and exploitation of new vulnerabilities, critical assets like firewalls and applications remain prime targets for malicious actors.  

ATR offers organizations and their managed service providers a proactive approach to reducing the attack surface by swiftly eliminating and blocking threats as soon as they try to attack. 

This protects organizations from the risk of an escalating attack, where a small initial breach could quickly turn into a devastating ransomware incident.  ATR can intercept attacks at the outset, freeing up time for security teams to focus on core business operations. 

Barracuda Managed XDR Cloud Security offers ATR capabilities across Microsoft 365, immediately disabling compromised user accounts. There are also ATR capabilities in place for Barracuda XDR Managed Endpoint Security, which includes quarantining devices that have been infected with ransomware or malware.