Active Remediation is an annual subscription product that can be purchased as an add-on for Red Canary Managed Detection & Response (MDR) for Endpoint subscriptions. Active Remediation provides hands-on-keyboard remediation support for Red Canary-managed endpoints.
When Red Canary confirms and publishes a medium or high-severity threat occurring on a Red Canary-managed endpoint, Active Remediation’s Threat Response Engineers (TRE) perform remediation tasks utilizing a combination of Security Orchestration, Automation, & Response (SOAR) technology as well as Endpoint Detection & Response (EDR) provided remote response capabilities.
Understand Threats in Red Canary covers Red Canary’s philosophy on Threats and their classification. TREs respond to medium- or high-severity Threats, which are composed of the Malicious Software and Suspicious Activity classifications.
Can I customize automations and response actions taken?
Unique, user-specific environmental scenarios are supported on a best-effort basis and require discussion with, and approval from, the Threat Response Engineering team.
Given our operational processes and workflows, some modifications to our automations and/or our response may not be supported.
How does Active Remediation Work?
Active Remediation utilizes endpoint sensor groups to perform remediation on Red Canary managed endpoints for supported EDRs based on the subscription details outlined above. Please see Active Remediation: Administration for more information on how Active Remediation is set up.
When Red Canary MDR publishes a Threat occurring on a Red Canary managed endpoint tagged within a designated remediation group, the Active Remediation TRE team is notified to begin working through remediation based on the subscription details outlined above (example: threat classification and time zones if applicable).
Simultaneously, SOAR capabilities take immediate action to return the endpoint to a known-good state, including commands to isolate the host and to remove artifacts identified as indicators of compromise (IOCs).
Upon notification of the Threat, the team Acknowledges it, indicating in your portal that a Threat Response engineer has begun working on it. If a Threat is marked as remediated by your team while a Threat Response Engineer is actively investigating or remediating the Threat, we will conclude our investigation and response at that time.
Following our investigation and completion of remediation tasks, a Remediation Summary is documented that includes the Threat details and a log of all actions taken on the endpoint through the TRE team. These details are shared directly on the Threat timeline.
If the Threat cannot be fully remediated through the EDR remote response capabilities, then the following will occur:
The Threat Response Engineers’ actions will be included in the Remediation Summary, along with additional recommended actions.
The Threat will be left open for review and closed appropriately after the recommendations are considered and/or complete.
Is Active Remediation 24/7?
Active Remediation will be performed 24/7 with a combination of SOAR and EDR-provided remote response capabilities. Threats are prioritized based on severity and are acted on accordingly.
High-severity Threats are contained with automation and are then reviewed, with additional actions taken as necessary by the TRE team.
Medium-severity Threats are contained with automation during non-business hours and are then reviewed. Additional actions are taken as necessary during business hours by the TRE team.
Business hours are 6AM MT to 6PM MT, Monday through Friday, excluding holidays. Red Canary holidays are in line with US Federal holidays; for additional information, contact your CSM.
How long does it take to respond/is there an SLA?
Red Canary Active Remediation has no publicly shareable Service Level Agreements (SLAs) or Service Level Objectives (SLOs), because threats differ widely in severity and complexity. This approach enables Red Canary Active Remediation to continuously deliver high-quality services at scale.
What EDR Sensors does Active Remediation support?
Carbon Black Response
Carbon Black Cloud
Microsoft Defender for Endpoint
Palo Alto Cortex XDR
What Operating Systems does Active Remediation support?
What Operating Systems does Active Remediation not support?
Active Remediation does not support Linux due to the following:
Wide variety of Linux distributions
Response complexity and impact of 24/7 hands-on remediation without in-depth knowledge of the environment
Operational importance of most Linux endpoints (for example, servers)
What is the Request Remediation button in my portal?
All Red Canary portals include a “Request Remediation” button that is only unlocked for full Active Remediation users.
The Request Remediation button allows for on-demand requests for remediation on a published High or Medium severity Threat. The purpose of this feature is to provide users with a mechanism for requesting additional support in instances where:
Endpoints were previously not tagged within a designated remediation group but now are, and the user would like support addressing the Threat
Threats were acknowledged by the user, who then prompted remediation efforts for a variety of reasons, but now would like to re-engage a TRE for support
Threats we were unable to remediate because the host was offline; the Remediation Summary will ask you to use the Request Remediation button to notify the team when the host is back online
What happens when the Request Remediation button is pushed?
The Active Remediation team will begin remediation efforts on the affected endpoint, adhering to the standard remediation practices outlined earlier in this document.
I have a pentest or Red Team engagement coming up. What should I do?
If you would like the TRE team to respond to all threats during your engagement as if they are true threats, you do not need to notify us. Red Canary will treat these threats as legitimate threats and take the necessary remediation actions.
If you would like the TRE team to be aware of the engagement and respond differently to threats that are associated with the engagement, click Contact Us before the engagement begins and we can work with you to customize our response.