Automation is essential to taking fast and consistent action when events happen in your organization. Red Canary’s automation capabilities are designed to enable you to complete specific security tasks, as opposed to infinitely customizable SOAR products that require weeks of configuration.
There are several key elements that comprise automation:
An action is the specific action taken by the automation, whether it be sending an email, calling a phone, changing a firewall rule, or sending an alert to your SIEM. The actions supported by Red Canary continually expand as we enable new integrations; you can see a few of them here.
Playbooks are a group of actions you want to take to achieve a goal. Playbooks can range from the simple (“Email my security mailing list”) to the complex (“Notify an on-call phone tree, network isolate any affected endpoints, and begin remediation”).
Triggers describe when automation should begin. Triggers start with an event (such as When a detection is published or When an Endpoint status changes) and can be limited by conditions such as the Detection’s severity is high. Each trigger can be bound to one or more playbooks, which allows both triggers and playbooks to be highly reusable.
Automation is essential to every security program. Red Canary is designed to make it incredibly easy and safe to implement.
How should I get started with automation?
The first automation you’ll enable is how you want to be notified when Red Canary confirms a threat in your environment. This might involve actions of sending emails, calling phone numbers, or triggering a system like PagerDuty.
The next automation should be describing the incident response plan that you will follow whenever Red Canary confirms a threat. This should involve some form of endpoint containment and remediation, and may involve additional triggers that customize which playbooks are executed on different types or groups of endpoints.
What if I’m not comfortable with automation?
Many teams aren’t comfortable diving into fully automated response and remediation when threats are detected. That’s not surprising—most security products have a high false positive rate that makes it impossible to allow an aggressive response.
Red Canary’s accuracy rates are much higher, but it still can take you weeks or months to get comfortable. There are also situations in which any action taken on specific endpoints (domain controllers, for example) would be impactful for your business to be allowed.
We designed action approvals for these very situations. Allowing certain actions to require approval by your team before executing is a smart way to begin using automation.
Learn more about easing into automation with human approvals.