How Barracuda’s security operations center (SOC) engineering team turns real-world ransomware tradecraft into proactive detections and earlier, automated containment
Takeaways
- Ransomware often moves faster than out-of-the-box EDR can detect. Many attacks reach encryption quickly, leaving little time to respond if detection happens too late.
- Custom STAR rules detect ransomware earlier in the attack chain. Barracuda's SOC builds STAR detections from real-world ransomware tradecraft to surface pre-encryption activity.
- Early detection enables faster containment and disruption. High-confidence detections can trigger automated containment to stop attacker progress while the SOC responds.
Why “good endpoint protection” isn’t enough against modern ransomware
Ransomware gangs don’t win because defenders have no tools. They win because they compress time. Initial access, privilege escalation, defense evasion, credential harvesting, lateral movement, backup sabotage, and encryption can unfold in hours – sometimes less. If your endpoint security solution only alerts when the payload begins encrypting, you’re already behind and headed for trouble.
The practical solution is earlier detection. That sounds great, but it’s easier said than done.
One key differentiator that sets Managed XDR Endpoint Security apart is bespoke STAR rules engineered by our SOC
Barracuda Managed XDR Endpoint Security is a SOC-managed endpoint security offering that leverages SentinelOne Complete, a best-of-breed endpoint detection and response platform. As a result, customers get the strong baseline protection of a leading endpoint detection and response (EDR) solution. And that’s just the beginning. Customers also get a Barracuda-managed service layer that brings continuous detection engineering, automated threat response workflows, threat intelligence, and telemetry from our broader XDR operations.
The service layer is a big deal because it turns the raw capabilities of the EDR into outcomes. This is where Barracuda’s SOC and its endpoint security engineers work together to kick protection up a notch with earlier, higher-confidence detections and faster disruption of ransomware activity, so your organization can contain the threat sooner and avoid a painful, expensive incident.
A big part of that advantage comes from combining SentinelOne’s Storyline Active Response (STAR) capability with Barracuda SOC expertise. STAR lets teams turn deep visibility queries into custom rules that evaluate endpoint telemetry as it’s collected, triggering alerts and, when configured, automated response actions.
Our SOC’s Endpoint Security Engineering Team continuously develops, tunes and expands custom STAR detections for ransomware and other high-impact malware. These bespoke detections are engineered from real-world techniques the SOC has directly observed, including methods used by some of the most notorious threat groups, and are reinforced by ongoing threat research. The team then proactively delivers these new and meaningful STAR detections to help protect Managed XDR Endpoint Security customers against emerging threats and evolving attacker tactics as they appear in the wild.
Practically, this means the Barracuda SOC hunts for the repeatable pre-impact steps ransomware operators tend to take. These signals show up during staging, defense impairment, lateral movement, and backup disruption. The SOC then translates those patterns into detections that can fire early and trigger containment ahead of any out-of-the-box EDR detections.
Examples of Barracuda custom STAR rules (and what they’re looking for)
Custom STAR rules are where Managed XDR Endpoint Security sets itself apart from EDR-only deployments. These are SOC-engineered detections that Barracuda builds on top of SentinelOne to spot pre-impact, ransomware-related behavior earlier and, when warranted, trigger automated containment. Here is a representative set of examples.
- Akira Ransomware Early Detection Rule
  Targets specific behavioral patterns and early-stage artifacts associated with Akira-style intrusions, enabling preemptive action, including network containment before encryption. Examples of Akira-style threats include DLL sideloading, bring your own vulnerable driver (BYOVD) activity and attempts to compromise VMware ESXi hosts.
- Cephalus Ransomware Early Detection Rule
  Detects execution chains consistent with ransomware loaders that use DLL sideloading, where a legitimate executable is used to load a malicious DLL. Designed to raise signals earlier in the attack lifecycle and trigger automated network containment when confidence is high.
- ConnectWise ScreenConnect DNS query for suspicious TLD
  Flags suspicious ScreenConnect-related DNS activity that can indicate malicious remote access and early-stage footholds often used ahead of ransomware deployment.
- Krueger EDR Evasion Rule
  Detects attempts to manipulate endpoint application control policies, including observed abuse of Windows Defender Application Control (WDAC), to bypass endpoint defenses. Triggers automated network containment when critical signals are detected.
- Play Ransomware Early Detection Rule
  Focuses on early preparation steps seen in Play-style attacks, including attempts to suppress EDR solutions, firewall tampering and privilege escalation vectors.
- Ransomware Indicator Rule
  Serves as an early warning signal of ransomware-like behavior, including fileless attacks launched from a remote device. Designed to reduce dwell time, limit lateral movement and buy time for containment and remediation.
From detection to disruption: automated containment at the organizational level
Early detection only pays off if you can act quickly to overcome the threat. When a high-confidence custom STAR rule triggers, Managed XDR Endpoint Security can execute automated threat response, most notably network containment of the affected endpoint(s), to immediately slow or stop attacker progress.
Bottom line
Out-of-the-box EDR is a good first step, but threat actors routinely operate in the gap between “suspicious” and “confirmed malicious.” Barracuda Managed XDR Endpoint Security closes that gap by continuously translating frontline ransomware and other malware-related investigations into custom STAR rules, then pairing those detections with real-time Automated Threat Response and 24/7 SOC-led triage, investigation, containment, and remediation guidance.
If you’re evaluating EDR, MDR or XDR options and SentinelOne is already on your shortlist, two questions you need to ask yourself are:
- Do I have the cybersecurity expertise in place to properly manage endpoint security day to day, respond to threats and handle incidents?
- Who is going to do the continuous detection engineering above and beyond out-of-the-box protection to keep pace as threat actor ransomware tools and tactics evolve?
With Barracuda Managed XDR Endpoint Security, you don’t just get SentinelOne’s best-of-breed endpoint protection. You also get Barracuda’s SOC-powered cybersecurity experts to manage the platform, investigate and respond to alerts and build, tune and operationalize STAR detections that can identify ransomware earlier and help stop it prior to encryption.
Further reading
- SentinelOne: Storyline Active Response (STAR) solution brief / datasheet
- CISA: #StopRansomware: Play Ransomware (AA23-352A, revised June 4, 2025)
- CISA: #StopRansomware: Akira Ransomware (AA24-109A, last revised Nov 13, 2025)
