This article is part of a walkthrough of getting started with Red Canary:
- Collecting endpoint telemetry
- Collecting external alerts
- Detecting potential threats (performed by Red Canary)
- Investigating potential threats (performed by Red Canary)
- Responding to confirmed threats
Timely response is critical whenever Red Canary confirms a threat in your environment. Your median time to remediation is an important measure of your program's effectiveness, so important that we present that performance in one of the Red Canary platform reports.
The role of automation in security operations
Automation is essential to taking fast and consistent action when events happen in your organization. Red Canary’s automation capabilities are designed to enable you to complete specific security tasks, as opposed to infinitely customizable SOAR products that require weeks of configuration.
Automation comprises:
- Actions, which are the individual steps the automation takes, whether that is sending an email, calling a phone number, changing a firewall rule, or sending an alert to your SIEM.
- Playbooks, which are groups of actions you want to take to achieve a goal. Playbooks can range from the simple ("Email my security mailing list") to the complex ("Notify an on-call phone tree, network isolate any affected endpoints, and begin remediation").
- Triggers, which dictate when automation should begin. Triggers start with an event (such as "When a detection is published" or "When an endpoint's status changes") and can be limited by conditions such as "The detection's severity is high".
Automation is essential to every security program. Red Canary is designed to make it incredibly easy and safe to implement.
The Automations view lists your automation triggers and their associated playbooks, and is the place to manage all things automation.
Configuring a notification playbook
When getting started with Red Canary, your initial automation will be highly notification-based. Your playbooks will notify incident response teams, call 24x7 phone trees, etc.
Get started by creating a trigger for detections being published (optionally limited by specific severities). Then associate a playbook that emails or sends an SMS to your infosec or incident response team.
Configuring a remediation playbook
As your response capability matures, more comprehensive automation is essential to reducing your time to remediation. Many teams aren’t comfortable diving into fully automated response and remediation when threats are detected. We designed action approvals for these very situations. Allowing certain actions to require approval by your team is a smart way to begin using automation.
Get started with this next level of remediation by creating a trigger for malicious software detections being published on workstations. Then associate a playbook that bans binaries marked as indicators of compromise (IOCs) and isolates those endpoints.
When configuring the playbook actions, enable approvals so that you receive a notification requesting your approval before the action executes.
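The trigger, condition, playbook and approval flow described above, as an added example in plain Python. This is illustrative code written for this article, not Red Canary's API; the Detection, Trigger, Playbook and Action names and the sample detections are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of trigger -> conditions -> playbook -> actions.
# Names are illustrative and do not correspond to Red Canary's API.
@dataclass
class Detection:
    event: str            # e.g. "detection_published"
    severity: str         # "high", "medium" or "low"
    classification: str   # e.g. "malicious_software"
    endpoint_type: str    # "workstation" or "server"
    hostname: str

@dataclass
class Action:
    name: str
    requires_approval: bool = False   # queue for human approval instead of executing

@dataclass
class Playbook:
    name: str
    actions: list

@dataclass
class Trigger:
    event: str         # event that starts the automation
    conditions: list   # predicates over a Detection; all must hold
    playbook: Playbook

def run_automation(triggers, detection):
    """Evaluate one detection against every trigger.
    Returns (executed, pending): pending holds approval-gated actions."""
    executed, pending = [], []
    for t in triggers:
        if t.event != detection.event or not all(c(detection) for c in t.conditions):
            continue
        for a in t.playbook.actions:
            entry = f"{t.playbook.name}:{a.name}:{detection.hostname}"
            (pending if a.requires_approval else executed).append(entry)
    return executed, pending

# The two playbooks from this walkthrough, expressed as constructed configuration.
notify = Trigger("detection_published",
                 [lambda d: d.severity == "high"],
                 Playbook("notify", [Action("email_ir_team"), Action("sms_oncall")]))
remediate = Trigger("detection_published",
                    [lambda d: d.classification == "malicious_software",
                     lambda d: d.endpoint_type == "workstation"],
                    Playbook("remediate", [Action("ban_ioc_binaries", requires_approval=True),
                                           Action("isolate_endpoint", requires_approval=True)]))
TRIGGERS = [notify, remediate]
```

Notification actions run immediately, while the ban and isolate actions land in the pending list until someone approves them, which mirrors the approval setting described above.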
That’s it! You’ve completed your initial walkthrough of Red Canary. There are significantly more features throughout the platform, designed to educate you and improve your security operations.
This Help Center has other guides, feature descriptions, and how-to articles teaching you about other features and functionality. Enjoy your time getting to know the Red Canary platform, and reach out anytime if you need help or deeper explanations.