Red Canary strives to deliver the highest quality security operations in the industry. This is coupled with our commitment to being completely transparent in communicating how Red Canary and your other security products are performing in comparison to expectations.
While few information security companies post even a basic status page for their cloud-delivered security applications, Red Canary has set an entirely different standard:
- The Red Canary Status page reports the overall status of our operations, including an aggregation of statuses from Endpoint Detection & Response (EDR) or Endpoint Protection Platform (EPP) platforms we retrieve data from.
- We check the status of various EDR/EPP configurations and the performance of those platforms to ensure they are working as expected.
These status checks are an important way we identify misconfigurations that might result in threats not being detected in your environment. They are also used to guide your configurations toward best practices.
Examples of status checks include verifying that...
- The EDR/EPP platform is configured to collect as much telemetry as possible.
- The EDR/EPP platform has tamper checking / identification features enabled to identify adversaries who are tampering with the sensor.
- The EDR/EPP platform is not configured to send sensitive information to third parties (a frequent and unwelcome surprise with cloud security products).
- The EDR/EPP platform is configured to handle sensor upgrades in an orderly and predictable fashion, rather than automatically upgrading sensors to the latest version whenever it is released.
- The EDR/EPP platform is collecting telemetry from endpoints and sending it to Red Canary in a timely fashion.
Many of these status checks are performed at the sensor group or deployment group level and will be reported under that group. Click on any sensor group to get more detail.
Viewing overall Red Canary system status
The overall system status of Red Canary combines the status of the Red Canary platform; underlying cloud services such as Amazon Web Services (AWS); infrastructure channels including Twilio and Sendgrid for voice, SMS, and email; and your EDR/EPP platform.
You can view the overall status of Red Canary any time at either status.redcanary.com or from within Red Canary.
- Click the ICON_BELL icon near your profile.
- The overall system status is listed there.
Reviewing status checks
You can review the results of each status check we perform against your environment. Many status checks are executed at the sensor / deployment group level.
Note: To view your instance's Status Check page, you'll need the Admin role assigned to your user.
- Click the ICON_BELL icon near your profile.
- Review the number of configuration checks that passed vs. the total.
- Click the title of any status check to review what it checks, how to remediate any failures, and whether it passed or failed.
What happens when a status check fails?
When a status check fails, an email is sent to all users who have set status check notifications in their profile. You will not be flooded with notifications because this notification is only issued the first time a previously passing check fails.
You can learn more about enabling and disabling these notifications.
What happens when a status check is remedied?
In a similar fashion, when a failing status check recovers, an email notification is triggered to all of your users who have enabled status check recovery notifications via their profile.
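The two notification rules above (notify on the first failure of a previously passing check, stay silent while it keeps failing, notify again when it recovers) are an edge-triggered pattern: the notifier has to remember the last result of each check and act only on transitions. The following is an added illustration of that pattern, not Red Canary's own code; the check names, user preference fields and run sequence are constructed for the example, and a check seen for the first time is assumed to count as previously passing so that a failure on its first run is reported.

```python
"""Edge-triggered status-check notifications (added example, not Red Canary code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CheckResult:
    """Result of one status check from a single scheduled run (constructed type)."""
    name: str
    passed: bool


@dataclass(frozen=True)
class User:
    """A user and the two opt-in preferences described on this page (constructed type)."""
    email: str
    notify_on_failure: bool
    notify_on_recovery: bool


@dataclass
class StatusCheckNotifier:
    """Remembers the last result per check and emits events only on state changes."""
    last_passed: dict = field(default_factory=dict)

    def process_run(self, results):
        """Process one scheduled run and return the (check, event) pairs it produced.

        A check that fails again after already failing produces nothing, which is
        what keeps repeated runs from flooding inboxes.
        """
        events = []
        for result in results:
            # Assumption: an unseen check is treated as previously passing.
            previously_passed = self.last_passed.get(result.name, True)
            if previously_passed and not result.passed:
                events.append((result.name, "failed"))
            elif not previously_passed and result.passed:
                events.append((result.name, "recovered"))
            self.last_passed[result.name] = result.passed
        return events


def recipients(users, event):
    """Return the e-mail addresses opted in to the given event type."""
    if event == "failed":
        return [u.email for u in users if u.notify_on_failure]
    if event == "recovered":
        return [u.email for u in users if u.notify_on_recovery]
    raise ValueError(f"unknown event: {event}")


def simulate(runs):
    """Feed successive runs through a fresh notifier; return the events per run."""
    notifier = StatusCheckNotifier()
    return [notifier.process_run(run) for run in runs]


# Constructed sample: four consecutive runs of two checks. The first check
# fails on run 2, is still failing on run 3, and recovers on run 4.
SAMPLE_RUNS = [
    [CheckResult("telemetry-collection", True), CheckResult("tamper-protection", True)],
    [CheckResult("telemetry-collection", False), CheckResult("tamper-protection", True)],
    [CheckResult("telemetry-collection", False), CheckResult("tamper-protection", True)],
    [CheckResult("telemetry-collection", True), CheckResult("tamper-protection", True)],
]

# Constructed sample users with different opt-in settings.
SAMPLE_USERS = [
    User("alice@example.com", notify_on_failure=True, notify_on_recovery=True),
    User("bob@example.com", notify_on_failure=True, notify_on_recovery=False),
    User("carol@example.com", notify_on_failure=False, notify_on_recovery=False),
]

if __name__ == "__main__":
    for run_number, events in enumerate(simulate(SAMPLE_RUNS), start=1):
        if not events:
            print(f"run {run_number}: no notifications")
        for check, event in events:
            print(f"run {run_number}: {check} {event} -> {recipients(SAMPLE_USERS, event)}")
```

Running the block shows exactly two notifications across the four runs: one failure e-mail on run 2 and one recovery e-mail on run 4, with the repeated failure on run 3 producing nothing.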
What status checks are available?
The status checks active for your organization are specific to your underlying EDR/EPP platforms. You can find a list of those active for your organization by clicking the ICON_BELL icon near your profile.
How often are status checks executed?
Status checks are executed every four hours.
What if I intentionally configure a setting against Red Canary’s guidance?
While certain status checks verify crucial configuration settings required for Red Canary to defend your company, others are better defined as best practices or strong recommendations.
Your organization may choose to deviate from those recommendations and accept the risk associated with that deviation. If you do, you will receive a notification that the relevant status check failed, but no more alerts will be sent to your inbox.
Examples of the risks you’re accepting by deviating from common status checks include the following:
| Status check | Risk accepted when failing |
| --- | --- |
| The EDR/EPP platform is configured to collect as much telemetry as possible. | Both Red Canary and your team will be limited in detecting and investigating threats due to less data being available. |
| The EDR/EPP platform has tamper checking / identification features enabled to identify adversaries who are tampering with the sensor. | Adversaries can tamper with your EDR/EPP sensor without your or Red Canary's knowledge. |
| The EDR/EPP platform is not configured to send sensitive information to third parties (a frequent and unwelcome surprise with cloud security products). | You may unintentionally share sensitive corporate information such as usernames, endpoint hostnames, and binaries with unknown or unvetted third parties. |
| The EDR/EPP platform is configured to handle sensor upgrades in an orderly and predictable fashion, rather than automatically upgrading sensors to the latest version whenever it is released. | New sensor versions will be installed across your fleet at any time, potentially causing system conflicts, instability, or performance impacts. |