This article is part of an overview of getting started with Red Canary:
- Collect endpoint telemetry
- Collect external alerts
- Monitor endpoints
- Detect potential threats (performed by Red Canary)
- Review potential threats that have been investigated by Red Canary
- Respond to threats using automation
The role of automation in security operations
Use automation in Red Canary to take fast and consistent action when security-related events happen in your organization. Automation is essential to every security program, and Red Canary designed automation to be easy and safe to configure and implement.
Automation consists of the following:
- Actions by the automation, such as sending an email, calling a phone number, isolating an endpoint, or sending an alert to your SIEM.
- Playbooks, which are groups of actions you want to take to achieve a goal. Playbooks can range from the simple (“Email my security mailing list”) to the complex (“Notify an on-call phone tree, network isolate any affected endpoints, and begin remediation”).
- Triggers, which dictate when automation should begin. Triggers begin with an event (such as When a threat is published or When an Endpoint status changes) and can be limited by conditions such as the threat’s severity level is high.
You can manage everything related to automation in the Automation view, which displays a list of your triggers and their corresponding playbooks.
Configure a notification playbook
When starting with Red Canary, your initial automation using Red Canary’s default playbooks will be highly notification-based. For example, these playbooks are set up to notify incident response teams or call 24x7 phone trees.
Begin by creating a trigger for threats that are published and, optionally, limited by specific severities.
Once the trigger is created, associate a playbook that emails or sends an SMS to your InfoSec or Incident Response team. The name and description for the playbook should be concise and easy to understand at a glance. A typical naming structure would be: [Class]: [Activity], for example: Alert Notification: Email Malware.
When the playbook has been created, return to the Trigger page and connect the new playbook to the associated trigger.
Configure a remediation playbook
As your response capability matures, more comprehensive automations help you reduce your time to remediation. Many teams aren’t comfortable diving into fully automated response and remediation when threats are detected. We designed an action called approvals for these situations.
Get started with this next level of remediation by creating a trigger for malicious software detections being published on workstations. Then associate a playbook that bans binaries marked as Indicators of Compromise (IOC) and isolate those endpoints.
When configuring the playbook actions, enable approvals so that you receive a notification requesting your approval before the action executes.
Report on time to remediate threats
Your timely response is critical whenever Red Canary identifies a threat in your environment. Your median time to remediation is an important measure of your program’s effectiveness. This measure is so important that we present the median time to remediation in our platform report Detected Threats: How timely were we at remediating them?
That’s our brief overview of Red Canary! There are many more features throughout the platform that are designed to educate you and improve your security operations.
The Red Canary Help Center has other guides, feature descriptions, and how-to articles covering additional features and functionality. Enjoy your time getting to know Red Canary, and reach out anytime if you need help or deeper explanations.