Skip to main content
Red Canary help

Understanding status checks

  • Updated .

Red Canary strives to deliver the highest quality security operations in the industry. This is accompanied by our obsession with transparency in communicating exactly how Red Canary and your other security products are delivering against expectations.

Estimated reading time: 5 minutes

While few information security companies post even a basic status page for their cloud-delivered security applications, Red Canary has set an entirely different standard:

  • The Red Canary Status page reports the overall status of Red Canary operations, including an aggregation of statuses from EPP/EDR platforms we retrieve data from.
  • We check the status of various EDR/EPP configurations and the performance of those platforms to ensure they are working as expected.

These status checks are an important way we identify misconfigurations that might result in threats not being detected in your environment. They are also used to guide your configurations toward best practices. Example of status checks include verifying that:

  • The EDR/EPP platform is configured to collect as much telemetry as possible.
  • The EDR/EPP platform has tamper checking / identification features enabled to identify adversaries who are tampering with the sensor.
  • The EDR/EPP platform is not configured to send sensitive information to third parties (a frequent unexpected surprise of cloud security products).
  • The EDR/EPP platform is configured to handle sensor upgrades in an orderly and predictable fashion, rather than automatically upgrading sensors to the latest version whenever it is released.
  • The EDR/EPP platform is collecting telemetry from endpoints and sending it to Red Canary in a timely fashion.

Many of these status checks are performed at the sensor group or deployment group level and will be reported under that group.

mceclip0.png

Viewing overall Red Canary system status 

The overall system status of Red Canary combines the status of the Red Canary platform; underlying cloud services such as Amazon Web Services; infrastructure channels including Twilio and Sendgrid for voice, SMS, and email; and your EDR/EPP platform.

You can view the overall status of Red Canary anytime at either status.redcanary.com or from within Red Canary.

To view the status of Red Canary:

  1. Click the ICON_BELL icon near your profile.
  2. You will find the overall system status listed:
    mceclip1.png

Reviewing status checks

You can review the results of each status check we perform against your environment. Many status checks are executed at the sensor / deployment group level.

Note: To view your instance's Status Check page, you'll need the Admin role assigned to your user.

  1. Click the ICON_BELL icon near your profile.
  2. Review the number of configuration checks that passed vs. the total.
    mceclip3.png
  3. Click the title of any status check to review what it checks, how to remediate any failures, and whether it passed or failed.

What happens when a status check fails?

When a status check fails, an email notification is triggered to all of your users who have enabled status check notifications via their profile. This notification is only sent the first time a previously passing check fails, so you will not be inundated with notifications.

You can learn more about enabling and disabling these notifications.

What happens when a status check is remedied?

In a similar fashion, when a failing status check recovers, an email notification is triggered to all of your users who have enabled status check recovery notifications via their profile.

What status checks are available?

The status checks active for your organization are specific to your underlying EDR/EPP platforms. You can find a list of those active for your organization by clicking the () icon near your profile.

How often are status checks executed?

Status checks are executed every four hours.

What if I intentionally configure a setting against Red Canary’s guidance?

While several status checks verify essential configuration settings that are critical to Red Canary defending your organization, some are better described as best practices or strong recommendations. 

Your organization may choose to deviate from those recommendations and accept the risk associated with that deviation. If you do, you will receive a notification that the associated status check failed, but you will receive no further notifications that crowd your inbox.

Examples of the risks you’re accepting by deviating from common status checks include:

Status check Risk accepted when failing

The EDR/EPP platform is configured to collect as much telemetry as possible.

Both Red Canary and your team will be limited in detecting and investigating threats due to less data being available.

The EDR/EPP platform has tamper checking / identification features enabled to identify adversaries who are tampering with the sensor.

Adversaries can stealthily tamper with your EDR/EPP sensor unknown to you or Red Canary.

The EDR/EPP platform is not configured to send sensitive information to third parties (a frequent unexpected surprise of cloud security products).

You may unintentionally share sensitive corporate information such as usernames, endpoint hostnames, and binaries with unexpected third parties that you have not vetted.

The EDR/EPP platform is configured to handle sensor upgrades in an orderly and predictable fashion, rather than automatically upgrading sensors to the latest version whenever it is released.

New sensor versions will be installed across your fleet at any time, potentially causing system conflicts, instability, or performance impacts.

 

Comments

0 comments

Please sign in to leave a comment.