Interview: Fleming Shi On The Global Investment In Cyber Resilience And How Businesses Can Improve Their Own Security Without Breaking The Bank

Fleming Shi of Barracuda Networks discusses what more the U.S. should be doing to invest in cyber resilience at a global scale, and how organizations can improve their own resilience without breaking the bank.


On March 2nd 2023, the Biden-Harris Administration released an updated National Cybersecurity Strategy that calls for stronger cybersecurity regulations, more counter-hacking from law enforcement, and more collaboration between the government and private sector regarding security threats, vulnerabilities, and risks. The Strategy was released in response to the increasingly sophisticated and targeted attacks that organizations are seeing globally. 

“We’re in a post-data breach era, where close to probably 20 billion pieces of information have been lost, a lot of which is personal information,” says Fleming Shi, Chief Technology Officer at Barracuda Networks. “Those data leaks lead to very sophisticated, socially engineered attacks that are much harder [to detect], compared to 20 years ago, or even 10 years ago.”

“Unfortunately, without sophisticated capabilities that can correlate these signals, it is very hard for someone to […] solve the problem. So, to that degree, the landscape is at a point where it’s kind of similar to COVID; we need to find a vaccine, we’re not in a situation where you can just put a mask on and wash your hands.”

Fleming joined Barracuda Networks in 2004 as Director of Engineering, and has since played an important part in the evolution of the company’s security offerings. In his current role, Fleming is responsible for delivering transformative technologies, from inception to launch, to support Barracuda Networks’ data protection portfolio.

In an exclusive interview with Expert Insights at RSAC 2023, Fleming discusses the benefits and drawbacks of the Biden-Harris Administration’s National Cybersecurity Strategy, what more the U.S. should be doing to invest in cyber resilience at a global scale, and how organizations can improve their own resilience without breaking the bank. He also shares his predictions on how the threat landscape will evolve as we move further into 2023 and beyond.

You can listen to our full conversation with Fleming on the Expert Insights Podcast.

Cyber Resilience Starts With The Developers

Earlier this year, the Biden-Harris Administration released a National Cybersecurity Strategy to try and create a secure digital ecosystem for all Americans. While this is a great start, some security experts say that the U.S. should be doing more to invest in cyber resilience at a global scale, in order to push back against some of the most sophisticated attacks that organizations are facing worldwide. 

“Recent attacks […] involve bad guys taking the email—not just the email address, but the actual conversation—and what they’re able to do is modify those conversations and come back and impersonate one of the parties in that conversation,” says Fleming. “This means they’re able to get ahead of us in terms of designing the threat.”

“So, I think it’s important, with the Biden Administration, to be thinking about the future, where security needs to be built into applications.”

Most businesses today rely on SaaS applications to run their operations, improve collaboration, accessibility, and productivity, and reduce running costs. But because of the shared ownership model operated by most SaaS apps, the data that businesses store in SaaS applications often doesn’t reside with them; it resides with the vendor. Because of this, it’s critical for application vendors to build security features into their applications from the start, and for businesses to be able to monitor the security of their SaaS apps.

“There’s a new category [of security] called SaaS Security Posture Management, which is related to providing continuous monitoring and observability of your environment,” says Fleming. “Now your data lives in someone else’s SaaS application, we want to make sure there are no policy drifts, and that the user is doing the right thing, in a secure way, […] wherever they are.”

“But how we provide investment into the future is not only by putting money in people’s hands, but also encouraging developers of SaaS applications to start to evolve and put a standard together, so they can produce those security features.”

“What I mean is, you have APIs for vendors like Barracuda to interact with, to examine the configuration or the state of the security posture for the users of that SaaS application.”

Educating The Next Generation

As well as encouraging developers to build security into the application lifecycle, we need to do a better job at educating the next generation of technology users, says Fleming. And this education should start much earlier than it does currently.  

“Instead of someone starting a new job in a new place after they graduate, with a diploma in their hands, and the first thing they do is a security awareness training, they should be educated while they’re in K-12 and in college. They should be aware already, because it’s a lot of responsibility to handle customer data in the digital world, especially when you’re starting a new job.” 

“So, I think it should be a part of the criteria before you get into the workplace to have cybersecurity awareness in place. For public sector education, we need to start early. That means the first time [students] touch a digital device, they should be starting to build some security awareness.”

“That takes investment.”

Investing In Resilience Without Breaking The Bank

While it’s important to look at the bigger picture when it comes to the future of cybersecurity, in terms of how the industry needs to evolve, it’s also important for businesses to know what they should be doing to improve their cyber resilience. That can be especially difficult for small and mid-sized businesses that may not have the in-house resource—in terms of both budget and technical expertise—to invest in and manage multiple advanced security tools.

One way of solving that problem is by outsourcing security to a Managed Security Service Provider (MSSP). MSSPs take care of the deployment and ongoing management of cybersecurity tools for you—from email security to endpoint protection, backup and recovery to identity and access management. And some MSPs also provide a SOC team as a managed service, in which they—or the security vendor they’re partnered with—identify and respond to incidents for you. 

“If you just build a tool and then say, ‘go and buy it and you should be good’, [the company] probably has to hire two or three people to run it,” explains Fleming. “What Barracuda did is provide a SOC service through MSPs, which means we are the ones that do the analytics and run the 24/7 SOC.” 

“This provides access to these tools.”

Moving Forward With AI 

One of the biggest topics currently sweeping the cybersecurity industry is AI. With the rapid development of generative AI tools like ChatGPT, many security experts are concerned with how threat actors may begin using it. It’s likely that generative AI will make it easier for cybercriminals to carry out sophisticated attacks more efficiently, for example by reducing the time it takes to write malicious code, or by scraping social media pages for information that can be used in a phishing attack.

But modern email security solutions that are already using machine learning should still be able to stop these attacks, says Fleming. 

“We have to find a way to responsibly use [AI] in product so we can actually stay on par with the bad guys using phishing attacks, for example,” says Fleming. “Bad grammar will be gone. But the good news is, most of the ML models that we have in our email security protection solutions go way beyond just language itself—natural language—we look at other signals related to that email and how it’s transmitted.”

“So, just pure natural language processing is probably going to get some challenges, but otherwise I think we do see… that what we do is more than enough to capture those.”

At the same time, generative AI may help the cybersecurity industry to fill its talent gap by helping increase the efficiency of threat hunting teams. Using AI, threat teams may be able to identify and prioritize threats sooner, reducing the mean time to respond so that they can more effectively intercept an attack and stop it from spreading.

“Those are the things that I think it’s worth moving forward with,” says Fleming, “and we’re not shy; Barracuda is already working very closely with Microsoft and finding ways to utilize the technology correctly.”

About Expert Insights

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.