Operationalizing raw threat data
How an AI-assisted team pulls confidence from chaos
Takeaways
- Barracuda’s AI-assisted XDR platform processes massive volumes of real-time, global threat data and transforms it into actionable insights for rapid cyber incident response.
- The platform ingests over 12 million indicators, constantly updating its data lake with new and relevant threat intelligence to ensure up-to-date protection.
- Threat detection leverages advanced indicator match rules, comparing customer event logs against an extensive index of IOCs to identify suspicious activity efficiently.
Barracuda’s AI-powered XDR platform, managed by Barracuda SOC staff, ingests large amounts of real-time, global threat data and turns that data into actionable, operational insights that drive rapid, highly effective responses to cyber incidents.
We spoke to Eric Russo, Barracuda’s Director of SOC Defensive Security, to learn more about how that process of operationalizing threat data takes place, and why it’s central to how Barracuda Managed XDR reduces cyber risk while also reducing IT overhead through automation.
Insights from Barracuda’s Director of SOC Defensive Security
What is the source of the vast amount of threat intelligence, or threat data, that comes into the Barracuda SOC and Barracuda Managed XDR? Can you give us a metric of just how much data is coming in?
The data that is being ingested into Barracuda XDR comes from enterprise-grade threat intelligence streams. Currently we have over 12 million indicators in our data lake. Indicators are constantly being added as new intelligence is gathered and published as well as removed as outdated indicators become stale.
How does that vast flood of data get turned into usable insights and intelligence?
Our XDR platform monitors event logs from customers’ data sources in order to detect potential threats. One approach to this is indicator match rules. For example, we can compare IP addresses in firewall logs against an index of IOCs [indicators of compromise] from our threat intel streams as a way of detecting potentially malicious traffic/connections.
Threat intelligence is also an excellent mechanism for alert enrichment, across all rules/detections. We can look up the IP addresses, hash values and domains against multiple threat intelligence sources including licensed subscriptions, open-source tools and even Barracuda proprietary threat intelligence. Checking against multiple intelligence sources allows us to establish a degree of confidence which aids in our risk classification and alerting decisions.
How does the process of operationalizing threat data benefit MSPs who incorporate Barracuda Managed XDR into their service offerings?
One of the biggest benefits of our robust threat intelligence platform is that it has enabled us to take automated threat response (ATR) actions on our MSP partners’ behalf, no human intervention needed. If communication with a malicious IP address is observed on a customer’s firewall, Barracuda XDR can automatically block that IP address on the customer’s firewall, preventing further communication.
This automated response action happens when there is a high degree of confidence that the IP is malicious based on reputational data from multiple threat intelligence sources.
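As an added illustration (not Barracuda's code, and not a description of how Barracuda XDR is implemented), the following Python sketch shows the indicator-match and enrichment pattern described in the two answers above: destination IPs parsed from constructed firewall log lines are looked up in three constructed intel sources, and the number of sources that agree sets the confidence level that decides between an automated block and analyst review. The feed contents, log lines and the two-source threshold are all assumptions.

```python
import re

# Constructed indicator sources (stand-ins for licensed, open-source and
# proprietary feeds); each value is the set of IPs that source lists as bad.
INTEL_SOURCES = {
    "licensed_feed": {"203.0.113.7", "198.51.100.23"},
    "open_source_feed": {"203.0.113.7", "192.0.2.44"},
    "proprietary_feed": {"203.0.113.7"},
}

# Constructed firewall log lines using RFC 5737 documentation addresses.
FIREWALL_LOGS = [
    "2025-03-01T10:00:01Z action=allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2025-03-01T10:00:02Z action=allow src=10.0.0.9 dst=192.0.2.44 dport=80",
    "2025-03-01T10:00:03Z action=allow src=10.0.0.9 dst=198.51.100.200 dport=443",
]

# Hypothetical policy: auto-block only when at least this many independent
# sources agree, so a single noisy feed cannot trigger a response by itself.
AUTO_BLOCK_MIN_SOURCES = 2
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_dst(line):
    """Extract the destination IP from one firewall log line, or None."""
    m = DST_RE.search(line)
    return m.group(1) if m else None


def enrich(ip):
    """Look the IP up in every intel source; return the names that list it."""
    return sorted(name for name, iocs in INTEL_SOURCES.items() if ip in iocs)


def match_firewall_logs(lines):
    """Indicator-match rule: alert on connections to listed IPs with confidence."""
    alerts = []
    for line in lines:
        ip = parse_dst(line)
        sources = enrich(ip) if ip else []
        if not sources:
            continue  # no indicator match, so no alert for this line
        high = len(sources) >= AUTO_BLOCK_MIN_SOURCES
        alerts.append({
            "dst": ip,
            "sources": sources,
            "confidence": "high" if high else "medium",
            "action": "auto_block" if high else "analyst_review",
        })
    return alerts
```

Running `match_firewall_logs(FIREWALL_LOGS)` yields two alerts: the first destination is listed by all three sources and is marked for automatic blocking, the second is listed by one source and is routed to analyst review; the third line matches nothing and produces no alert.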
How does it benefit end users?
This buys back significant time/resources for both partners and end users who no longer need to have a technician go through this process manually, which gives their team more capacity to focus on their business. They can rest assured knowing that Barracuda XDR's ATR functionality has this covered for them.
Additionally, some security services require end users to purchase their own threat intelligence licenses and integrate them with the platform. Barracuda XDR takes that financial burden off the end users by directly supplying and managing the threat intel streams on behalf of all our customers.