What is the Red Canary architecture?
Red Canary is a security operations platform and service that proactively monitors for malicious and suspicious behaviors and responds to stop them from becoming serious security incidents. The service consists of several key components:
- Endpoint and cloud workload sensors/agents
- Alert collectors and integrations with your alert-generating security products
- Cloud-hosted collection, detection, and response platform
- Our Cyber Incident Response Team (CIRT)
- Our incident handling team
The endpoint/cloud workload sensors run on the endpoints and cloud workloads that make up your corporate and production environments, collecting detailed telemetry about what is happening in those systems.
That telemetry and alerts from your other security products are both sent to our cloud-hosted platform. This allows our CIRT to perform analysis of that data to identify and confirm suspicious activity and security incidents. The included security orchestration and response capabilities execute playbooks for response and remediation.
Your Red Canary incident handler assists and coaches your team about ways to improve your security program and reduce your risk through reporting, prevention recommendations, and deeper integrations between your other security products.
Collecting endpoint telemetry
Getting started with Red Canary typically takes less than one hour, depending on how your organization deploys software to your endpoints. Once deployed, your organization is immediately protected by a highly advanced security operations team.
To get started, visit the installing a sensor guide.
Collecting external alerts
Integrating Red Canary with your other security products that generate alerts is a straightforward process of instructing those products to send alerts to Red Canary. Most integrations take less than five minutes per product.
To get started, visit the collecting alerts from security products guide.
Detecting potential threats
Red Canary’s detection process uses two primary classes of analytics:
- Every piece of telemetry is tested to determine if it matches an indicator of compromise (IOC) that we’ve seen or heard adversaries use. These are brittle and often short-lived analytics, but if an adversary is foolish enough to reuse infrastructure or tools, they are easy to catch.
- Behavioral detectors identify sequences of system activity that match techniques used by adversaries. These could be as simple as running PowerShell with an encoded command line, or a highly complex chain of behavior over a long period of time. We map every detector to MITRE ATT&CK® techniques so you can quantify your detection coverage.
Unlike other security products, you do not need to define your own detection rules and indicators of compromise to get extremely effective results. From day one, you get the benefits of years of Red Canary detection engineering.
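The two analytic classes above, worked through as an added example (not Red Canary's code): an exact-match IOC check and a behavioral detector for encoded PowerShell, run over a few constructed process-start events, with the behavioral hit mapped to its ATT&CK technique and the decoded script fed back into the IOC check. The IOC values, hostnames and event shape are constructed placeholders.

```python
# Added example modelled on the two analytic classes described above: brittle IOC
# matching and a behavioral detector for encoded PowerShell. Not Red Canary code;
# the IOC values, events and detector names are constructed placeholders.
import base64
import re
from collections import namedtuple

IOC_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}  # constructed placeholder MD5
IOC_DOMAINS = {"c2.example.invalid"}                # constructed placeholder domain

def _enc(script):
    """PowerShell -EncodedCommand takes the base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed process-start events, shaped loosely like EDR telemetry.
EVENTS = [
    {"host": "ws01", "process": "powershell.exe", "md5": "0cc175b9c0f1b6a831c399e269772661",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + _enc("ping c2.example.invalid")},
    {"host": "ws02", "process": "notepad.exe", "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws03", "process": "powershell.exe", "md5": "92eb5ffee6ae2fec3ad71c777531578f",
     "cmdline": "powershell.exe -File build.ps1"},
]

# technique = MITRE ATT&CK ID where the detector is mapped, None for bare IOC hits
Hit = namedtuple("Hit", "host analytic technique detail")

def ioc_match(event, text):
    """Class 1: exact-match the process hash and any text against the IOC sets."""
    hits = [Hit(event["host"], "ioc:hash", None, event["md5"])] if event["md5"] in IOC_HASHES else []
    return hits + [Hit(event["host"], "ioc:domain", None, d) for d in IOC_DOMAINS if d in text]

# -e/-ec/-enc/-EncodedCommand (PowerShell accepts prefixes) followed by a base64 blob
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def encoded_powershell(event):
    """Class 2: behavioral detector; returns (hits, decoded script or '')."""
    m = ENC_FLAG.search(event["cmdline"]) if "powershell" in event["process"].lower() else None
    if not m:
        return [], ""
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        decoded = "<undecodable>"
    # T1059.001 is the ATT&CK ID for Command and Scripting Interpreter: PowerShell
    return [Hit(event["host"], "behavior:encoded_powershell", "T1059.001", decoded)], decoded

def analyze(events):
    """Run both classes; the decoded script is fed back into the IOC check."""
    hits = []
    for ev in events:
        beh, decoded = encoded_powershell(ev)
        hits += beh + ioc_match(ev, ev["cmdline"] + " " + decoded)
    return hits
```

Note that the domain IOC only fires on ws01 because the behavioral detector decoded the command line first; on the raw base64 it would have been missed, which is the brittleness the text describes.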
The Analyzed Events dashboard gives you an immediate view into the potential threats Red Canary is identifying in your organization using our threat intelligence and analytics. This page is where you’ll pivot into events if you want to learn more or check our work.
Learn more about how Red Canary detects threats.
Investigating potential threats
Threat investigation is performed by the Red Canary CIRT to eliminate the false positives you’re used to from other security products and services. Instead of the legacy approach of simply triaging alerts and forwarding them to you to deal with, Red Canary handles everything up to the point of incident response (some teams call this “tier 1” and “tier 2”).
Threats confirmed by Red Canary are called detections and are classified as Unwanted Software, Suspicious Activity, or Malicious Software. Each detection contains the detail your team needs to assess the risk of the threat, which people and systems are affected, and the details of what happened.
Learn more about how Red Canary investigates and confirms threats.
Responding to detections
Reducing your time to response is one of our chief goals. Your time to respond is dependent on three activities:
- How long it takes to detect and confirm a threat (Red Canary does this for you).
- How long it takes you to receive the detection and decide how you want to respond.
- How long it takes you to respond.
When you start with Red Canary, the first automation you’ll enable is notifications about confirmed threats via email, phone, SMS, Slack, PagerDuty, etc.
After a few days or weeks, most teams establish their decision-making and response processes (steps 2 and 3) in playbooks that are triggered automatically. Approval steps require manual intervention so you can check and approve each action before it is performed.
The peak of automation maturity is removing the approval safeties and allowing playbooks to run without intervention. This enables high-quality response and remediation to take place regardless of where an affected system is located or what time of day it is for your security team.
Learn more about responding to detections with automation.
Reporting on your performance
Every great security program continually improves over time, and Red Canary is focused on helping you understand how you’re doing.
Unlike the typical pie-chart-filled dashboards, Red Canary’s reporting library contains pre-built reports that are designed with help from your peers for inclusion in your executive and board presentations.
Learn more about how to get started with reporting.
Your ally in the fight
When an incident occurs, it is not always obvious what to do. The Red Canary incident handling team is on-call when you need help and provides proactive security architecture and engineering guidance. Most teams engage with incident handling in three primary ways:
- Periodic sync: Your incident handler joins a regularly scheduled meeting with your team to review recent detections, discuss security architecture, help with automation, and provide any other security guidance you need.
- Immediate assistance: Incident handling is on-call 24/7/365 for investigation support and remediation guidance.
- Proactive outreach: Incident handling will proactively communicate with your team if the Red Canary CIRT identifies a critical threat requiring immediate action.
Learn more about ways your incident handler can serve your team.