What is Red Canary?

Red Canary provides a security operations platform that proactively monitors for malicious and suspicious behaviors and responds to stop them from becoming serious security incidents. The platform works via several key components:

• Endpoint and cloud workload sensors/agents
• Alert collectors and integrations with your alert-generating security products
• Cloud-hosted collection, detection, and response platform
• Our Cyber Incident Response Team (CIRT)
• Our Incident Handling team

The endpoint/cloud workload sensors run on the endpoints and cloud workloads that make up your corporate and production environments, collecting detailed telemetry about what is happening in those systems. 

That telemetry and alerts from your other security products are both sent to our cloud-hosted platform. This allows our CIRT to perform analysis of that data to identify and confirm suspicious activity and security incidents. The included security orchestration and response capabilities can execute automations using playbooks on endpoints for response and remediation.

Your Red Canary incident handler assists and coaches your team about ways to improve your security program and reduce your risk through reporting, prevention recommendations, and deeper integrations between your other security products.

Collecting endpoint telemetry

Getting started with the Red Canary platform typically takes less than one hour, depending on how your organization deploys software to your endpoints. Once deployed, your organization is immediately protected by a highly advanced security operations team.

To get started, visit the Collect endpoint telemetry article. Note that for the Red Canary platform to work, you must do one of the following:

• Purchase supported endpoint detection and response (EDR) software from a third party
• Purchase supported third-party EDR software from Red Canary
• Subscribe to the Red Canary Linux EDR component of the platform

Collecting external alerts

Integrating the Red Canary platform with your other alert-generating security products is a straightforward process of instructing those products to send alerts to the platform. Most integrations take less than five minutes per product.

To get started, visit the Collect external alerts article. Note that this functionality is only available if you subscribe to the Alerts component of the Red Canary platform.

Detecting potential threats

Red Canary’s detection process uses two primary classes of analytics:

• Every piece of telemetry is tested to determine if it matches an indicator of compromise (IOC) that we’ve seen or heard adversaries use. These are brittle and often short-lived analytics, but if an adversary is foolish enough to reuse infrastructure or tools, they are easy to catch.
• Behavioral detectors identify sequences of system activity that match techniques used by adversaries. These could be as simple as running PowerShell with an encoded command line or a highly complex chain of behavior over a long period of time. We map every detector to MITRE ATT&CK® techniques so you can quantify your detection coverage.

Unlike other security products, you do not need to define your own detection rules and indicators of compromise to get extremely effective results. From day one, you get the benefits of years of Red Canary detection engineering.

The Analyzed Events dashboard gives you an immediate view into the potential threats Red Canary is identifying in your organization using our threat intelligence and analytics. This page is where you’ll pivot into events if you want to learn more or check our work.

Learn more about how Red Canary detects threats.

Investigating potential threats

Threat investigation is performed by the Red Canary CIRT to exclude the false positives you’re used to from other security products and services. Instead of the legacy approach of simply triaging alerts and forwarding them to you to deal with, Red Canary handles everything up to the point of incident response (some teams call this “tier 1” and “tier 2”).

Threats in the Red Canary platform are classified as Unwanted Software, Suspicious Activity, or Malicious Software. Each threat contains the detail your team needs to assess the risk, which people and systems are affected, and the details of what happened.

Learn more about how Red Canary investigates and confirms threats.

Responding to threats

Reducing your time to response is one of our chief goals. Your time to respond is dependent on three activities:

1. How long it takes to detect and confirm a threat (Red Canary does this for you).
2. How long it takes you to receive the threat and decide how you want to respond.
3. How long it takes you to respond.

When you start with the Red Canary platform, the first automation you’ll enable is notifications about confirmed threats via email, phone, SMS, Slack, PagerDuty, etc.

After a few days or weeks, most teams establish their decision-making and response processes (steps 2 and 3) in configurable playbooks that are triggered automatically. Approval steps require manual intervention so you can check and approve each action before it is performed.

The peak of automation maturity is removing the approval safeties and allowing playbooks on endpoints to run without intervention. This enables high-quality response and remediation to take place regardless of where an affected system is located or what time of day it is for your security team.

Learn more about taking action on threats with automations.

Active Remediation

If you subscribe to the Red Canary Active Remediation add-on to the Red Canary platform, Red Canary will respond to high- and medium-severity threats identified by the Red Canary platform by taking remedial action on your covered endpoints via the tools available in your supported EDR software.

After subscribing, the Red Canary team will work with you to organize your covered endpoints into groups with your instructions as to how each endpoint should be handled in the event of a threat.

Investigating threats beyond the endpoint

With the Threat Investigation add-on, the Red Canary platform ingests alerts from non-endpoints, such as network, email, and identity tools, and applies investigation and remediation techniques to threats identified via these sources, similar to those identified on your endpoints. These threats are reviewed by a Red Canary incident handler who can provide additional context about the attack.

Reporting on your performance

Every great security program continually improves over time, and Red Canary is focused on helping you understand how you’re doing. 

Unlike the typical pie-chart-filled dashboards, Red Canary’s reporting library contains pre-built reports that are designed with help from your peers for inclusion in your executive and board presentations.

Learn more about how to get started with reporting.

Your ally in the fight

When an incident occurs, it is not always obvious what to do. The Red Canary team is on-call when you need help and provides proactive security architecture and engineering guidance. Most teams engage with incident handling in three primary ways:

• Periodic sync: Your incident handler joins a regularly scheduled meeting with your team to review recent detections, discuss security architecture, help with automation, and provide any other security guidance you need.
• Immediate assistance: Incident Handling is on-call 24/7/365 for investigation support and remediation guidance.
• Proactive outreach: Incident Handling will proactively communicate with your team if the Red Canary CIRT identifies a critical threat requiring immediate action.