Active Remediation is an annual subscription product that can be purchased as an add-on for Red Canary Managed Detection & Response (MDR) for Endpoint subscriptions. Active Remediation provides hands-on-keyboard remediation support for Red Canary-managed endpoints.
When Red Canary confirms and publishes a medium or high-severity threat occurring on a Red Canary-managed endpoint, Active Remediation’s Threat Response Engineers (TRE) perform remediation tasks utilizing a combination of Security Orchestration, Automation, & Response (SOAR) technology as well as Endpoint Detection & Response (EDR) provided remote response capabilities.
How does Active Remediation Work?
Active Remediation performs remediation on Red Canary-managed endpoints for supported EDRs using endpoint tagging groups based on the subscription details outlined above. Please see Active Remediation: Administration for more information on how Active Remediation is set up.
When Red Canary MDR publishes a Threat occurring on a Red Canary managed endpoint tagged within a designated remediation group, the Active Remediation TRE team is notified to begin working through remediation based on the subscription details outlined above (example: threat classification and time zones if applicable).
Simultaneously, SOAR capabilities take immediate action to return the endpoint to a standard state, including commands to isolate the host and to remove artifacts identified as indicators of compromise (IOCs).
Upon completing remediation tasks, a Remediation Summary is created that includes the Threat details and a log of all actions taken on the endpoint by the TRE team. These details are shared directly on the Threat timeline.
If the Threat cannot be fully remediated through the EDR remote response capabilities, then the following will occur:
The Threat Response Engineers’ actions will be included in the Remediation Summary, along with additional recommended actions.
The Threat will be left open for review and closed appropriately after the recommendations are considered and/or complete.
Is Active Remediation 24/7?
Active Remediation will be performed 24/7 with a combination of SOAR and EDR-provided remote response capabilities. Threats are prioritized based on severity and are acted on accordingly.
High-severity Threats are contained with automation and are then reviewed, with additional actions taken as necessary by the TRE team.
Medium-severity Threats are contained with automation during non-business hours and are then reviewed. Additional actions are taken as necessary during business hours by the TRE team.
How long does it take to respond/is there an SLA?
Red Canary Active Remediation has no publicly shareable Service Level Agreements (SLAs) or Objectives (SLOs), because threats differ in severity and complexity. This approach enables Red Canary Active Remediation to continuously deliver high-quality services at scale.
What EDR Sensors does Active Remediation support?
Carbon Black Response
Carbon Black Cloud
Microsoft Defender for Endpoint
Palo Alto Cortex XDR
What Operating Systems does Active Remediation support?
Note: Microsoft Defender for Endpoint for MacOS is still in Public Preview and will be supported by Active Remediation upon full release from Microsoft.
What Operating Systems does Active Remediation not support?
Active Remediation does not support Linux due to the following:
Wide variety of Linux distributions
Response complexity and impact of 24/7 hands-on remediation without in-depth knowledge of the environment
Operational importance of most Linux endpoints
What is the Request Remediation button in my portal?
All Red Canary portals include a “Request Remediation” button that is only unlocked for full Active Remediation users.
The Request Remediation button allows for on-demand requests for remediation on a published High or Medium severity Threat. The purpose of this feature is to provide users with a mechanism for requesting additional support in instances where:
Endpoints were previously not tagged within a designated remediation group but now are, and the user would like support addressing the threat
Threats were acknowledged by the user, who then prompted remediation efforts for a variety of reasons but now would like to re-engage a TRE for support
What happens when the Request Remediation button is pushed?
The Active Remediation team will begin remediation efforts on the affected endpoint, adhering to the standard remediation practices outlined earlier in this document.
I have a pentest or Red Team engagement coming up. What should I do?
If you would like the TRE team to respond to all threats during your engagement as if they are true threats, you do not need to notify us. Red Canary will treat these threats as legitimate threats and take the necessary remediation actions.
If you would like the TRE team to be aware of the engagement and respond differently to threats that are associated with the engagement, click Contact Us before the engagement begins and we can work with you to customize our response.