Background

Red Canary Cloud Workload Protection (CWP) does not currently support Prevention or Response capabilities. This article outlines how our CWP offering is different than your usual Endpoint Detection & Response (EDR) or Endpoint Protection Platform (EPP) product, why these capabilities are not supported (yet), and what to expect in the future.

CWP vs. EDR/EPP

Common customer pain points with EDR/EPP products for Linux are

1. Limited Linux distribution and version support

2. Limited Cloud support and integrations

3. Limited telemetry collection

4. Limited detection capabilities

1. Due to (3. Limited telemetry collection)

2. Due to a lack of investment in threat research and detection writing for Linux

5. Limited visibility and guarantees into sensor safety, performance and reliability

These issues are the largest reason why many businesses do not deploy traditional EDR or EPP products into their Linux Datacenter or Cloud environments. For these businesses, detection expectations are low, and the risk of things going wrong are perceived as high.

Red Canary Cloud Workload Protection is different and addresses these pain points head on:

• Provides the broadest support for Linux distributions and versions

• Written in a safe, performant language (Rust) and does not require the installation of a kernel module

• Supports AWS, Azure and Google Cloud

• Provides sensor performance reporting in the Portal, giving you, your team and your internal stakeholders confidence that the sensor is performant and not causing system degradation. This includes CPU and memory utilization, with p50, p90 and p99 percentiles.

• 100% focused on Linux and has dedicated engineers, consistently delivering on fixes and new capabilities

• Dedicated threat researchers and detection engineering, consistently tuning and delivering on Linux threat detection

Prevention Capabilities

Red Canary Cloud Workload Protection does not provide Prevention/AV/NGAV capabilities yet.

Why:

• Prevention capabilities are limited in their value for traditional EDR/EPP products because of points (3) and (4) - there are few or zero threats to block due to the vendors lack of investment in Linux capabilities and detection. We're changing this.

• Traditional EDR/EPP prevention capabilities require the use of low-level code that halts execution until the product gives a "yes/no", "is this safe" answer, which introduces performance degradation and quickly violates (5). This tends to be a deal breaker for many businesses, as Linux systems by design have workloads to perform, and slowing them down can result in resource exhaustion and therefore cause customer facing impact (internal, or external). The stakes of impacting a server are often higher than impacting an employee's laptop.

• Most vendors do not support Prevention for Linux, and for those that do, very few customers enable it due to perceived risk (see above)

• Prevention capabilities will be considered only after we have absolutely delivered on detection outcomes for our customers.

Response (Containment/Eradication) Capabilities 

Red Canary Cloud Workload Protection does not provide endpoint containment/eradication capabilities yet.

Why:

• Response capabilities are limited in their value for traditional EDR/EPP products because of points (3) and (4) - there are few or zero threats to respond to due to the vendors lack of investment in Linux capabilities and detection. We're changing this.

• Even if a threat is identified, most containment and eradication actions need to be carefully thought out for Datacenter and Cloud environments, otherwise production outages and revenue impact could occur.

• Many vendors do not provide Response capabilities for Linux (or offer limited capabilities), and for those that do, very few customers enable it due to perceived risk (see above) or compliance concerns (access and auditing).

• Response capabilities will be considered only after we have absolutely delivered on detection outcomes for our customers.