Getting Started

Red Canary provides a security operations platform that proactively monitors for malicious and suspicious behaviors and responds to stop them from becoming serious security incidents. The platform works using several key components:

• Endpoint and cloud workload sensors/agents

• Alert collectors and integrations with your alert-generating security products

• Integrations with your cloud service providers, identity platforms, and SaaS applications

• Cloud-hosted collection, detection, and response platforms

• Our Cyber Incident Response Team (CIRT)

• Our Threat Hunting team

The endpoint and cloud workload sensors run on the endpoints and cloud workloads that make up your corporate and production environments, collecting detailed telemetry about what is happening in those systems.

The telemetry and alerts from your cloud service provider, identity platforms, SaaS applications, and other security products are both sent to our cloud-hosted platform. This allows our CIRT to perform analysis of that data to identify and confirm suspicious activity and security incidents. The security orchestration and response capabilities can execute automations using playbooks on endpoints for response and remediation.

Detecting potential threats

Red Canary’s detection process uses two primary classes of analytics:

• Every piece of telemetry is tested to determine if it matches an indicator of compromise (IOC) that we’ve seen or heard adversaries use.

• Behavioral detectors identify sequences of system activity that match techniques used by adversaries. These could be as simple as running PowerShell with an encoded command line or a highly complex chain of behavior over a long period of time. We map detectors to MITRE ATT&CK® techniques so you can quantify your detection coverage.

Unlike other security products, you do not need to define your own detection rules and indicators of compromise to get extremely effective results. From day one, you get the benefits of years of Red Canary detection engineering.

The Analyzed Events dashboard gives you an immediate view into the potential threats Red Canary is identifying in your organization using our threat intelligence and analytics. This page is where you’ll pivot into events if you want to learn more or check our work.

Investigating potential threats

Threat hunting is performed by the Red Canary CIRT to exclude the false positives you’re used to from other security products and services. Instead of the legacy approach of triaging alerts and forwarding them to you to deal with, Red Canary handles everything up to the point of incident response (some teams call this “tier 1” and “tier 2”).

Threats in the Red Canary platform are classified as Unwanted Software, Suspicious Activity, or Malicious Software. Each threat contains the detail your team needs to assess the risk, which people and systems are affected, and the details of what happened.

Responding to threats

Reducing your time to response is one of our chief goals. Your time to respond is dependent on three activities:

1. How long it takes to detect and confirm a threat (Red Canary does this for you).

2. How long it takes you to receive the threat and decide how you want to respond.

3. How long it takes you to respond.

When you start with the Red Canary platform, the first automation you’ll enable is notifications about confirmed threats via email, phone, SMS, Slack, PagerDuty, etc.

After a few days or weeks, most teams establish their decision-making and response processes (steps 2 and 3) in configurable playbooks that are triggered automatically. Approval steps require manual intervention so you can check and approve each action before it is performed.

The peak of automation maturity is removing the approval safeties and allowing playbooks on endpoints to run without intervention. This enables high-quality response and remediation to take place regardless of where an affected system is located or what time of day it is for your security team.

Linux EDR is a Linux based EDR sensor which is deployed to physical, virtual, or cloud-based systems. Linux EDR monitors these systems and returns telemetry to Red Canary. Telemetry from Linux EDR is then analyzed and investigated for threats through the normal process. Within the platform, users can search their Linux EDR telemetry, and manage deployed sensors.

Here's how Linux EDR strengthens your security posture:

• Unmatched Visibility: Gain real-time insights into endpoint activity, user behavior, and system changes. Unmask hidden threats that may be lurking within your Linux infrastructure.

• Advanced Threat Detection: Move beyond outdated signatures. Linux EDR utilizes behavioral analysis to identify suspicious activities, even novel malware that hasn't been seen before.

Active Remediation is an annual subscription product that can be purchased as an add-on for Red Canary Managed Detection & Response (MDR) for Endpoint subscriptions. Active Remediation provides hands-on-keyboard remediation support for Red Canary-managed endpoints.

How does Active Remediation Work?

Active Remediation utilizes endpoint sensor groups to perform remediation on Red Canary managed endpoints for supported EDRs based on the subscription details outlined above. Please see Getting Started with Active Remediation for more information on how Active Remediation is configured.

Every great security program continually improves over time, and Red Canary is focused on helping you understand how you’re doing.

Unlike the typical pie-chart-filled dashboards, Red Canary’s reporting library contains pre-built reports that are designed with help from your peers for inclusion in your executive and board presentations.

Red Canary is a part of your security team. We're here ensure your organization can achieve its goals without disruption or distraction.

When an incident occurs, it is not always obvious what to do. Your Red Canary team is on-call when you need help and provides proactive security architecture and engineering guidance. Most teams engage with threat hunting in three primary ways:

• Periodic sync: Your threat hunter joins a regularly scheduled meeting with your team to review recent detections, discuss security architecture, help with automation, and provide any other security guidance you need.

• Immediate assistance: Threat Hunting is on-call 24/7/365 for investigation support and remediation guidance.

• Proactive outreach: Our team will proactively communicate with your team if the Red Canary CIRT identifies a critical threat requiring immediate action.

Your company profile is where you define your security protocols to enable Red Canary Threat Hunters to know your escalation contacts. This allows Threat Hunters to reach out to your team in extreme circumstances or regarding active threats identified in your environment.

1. Click your user icon at the top right of your Red Canary, and then click Company Profile.

   

2. Edit any of the profile fields.

3. Click Save changes.

Invite new users to your Red Canary account and manage their access. Onboard your team quickly and efficiently to start leveraging the full capabilities of this comprehensive security platform.

1. Click your user icon at the top right of the navigation menu, and then click Users & Roles.

2. Enter the email address of the user that you want to invite.

3. Click Invite.

4. Assign one or more roles to the user by clicking the boxes next to each role. What if the user accepts the invite but receives a message that the invitation has expired?

Invitations expire after 48 hours. If the invited user does not accept the invitation during that window, the link will no longer be valid and you will need to resend the invitation. 

Set up your team with the roles they’ll need in Red Canary. Roles grant users access to features and functionality in Red Canary.

1. Click your user icon at the top right of your Red Canary, and then click Users & Roles.

2. Assign one or more roles to the user by checking the boxes next to each role.

Using a single sign-on (SSO) provider is one of the best ways to improve the security of your Red Canary users. Red Canary supports Security Assertion Markup Language (SAML) identity providers for single sign-on.

1. Click your user icon at the top right of your Red Canary, and then click Single Sign-On.

2. Follow the setup instructions for your identity provider.

3. Click Save.

For users with a Red Canary MDR subscription, your service includes Managed Detection and Response (MDR), which applies to many security products and expands investigation capabilities of the supported alerts integrated with Red Canary.

Determine which products you’d like to integrate with Red Canary, and which ingest methods work best for your environment by reviewing the supported integrations.

Deploy endpoint agents and sensors to start collecting telemetry from your devices to allow Red Canary Managed Detection and Response to continuously monitor and protect your endpoints against ransomware, malware, and other threats.

1. In your EDR/EPP console, deploy agents/sensors to your endpoints.

2. Ensure all endpoints are checking in and sending telemetry to your console.

3. Work with your Technical Implementation Manager to integrate the EDR/EPP with Red Canary using our comprehensive guides:

   • Crowdstrike Falcon

   • Microsoft Defender for Endpoint

   • Palo Alto Networks Cortex XDR

   • Red Canary Linux EDR

   • SentinelOne

   • VMware Carbon Black Cloud (ThreatHunter/Defense)

   • VMware Carbon Black EDR (Response)

Red Canary has got you covered, all across the cloud. Work with your Technical Implementation Manager to configure your cloud control planes to send telemetry to Red Canary to provide that extra layer of protection across your environments.

• Amazon Web Services (AWS)

• Microsoft Azure

• Google Cloud Platform (GCP)

See how Red Canary’s 24×7 email, SaaS app, and identity threat detection and response helps you secure critical business data.

• Google Workspace

• Office365 (for Email)

• Okta Workforce Identity

Red Canary ingests security data from multiple third-party security platforms spanning Endpoints, Networks, Identity, Cloud, and more. Adding supported security data sources to Red Canary ensures that you’re getting the most out of your security products and Red Canary.

Adding supported alert sources to Red Canary is essential for getting the most out of your Red Canary experience and your security products. For more information, see Add Third-Party Alert Sources to Red Canary.

Once you’ve integrated your EDR/EPP platform, you can manage endpoints in Red Canary.

Endpoints are the computing devices that are used throughout your organization. Software sensors deployed to those endpoints collect detailed telemetry about what is happening on those systems at the operating system level and transmit it to Red Canary for analysis.

• Your endpoints are the most critical assets to protect from adversaries because:

• For most organizations, they are where important data resides or is accessed.

• They are the systems that vulnerable users use every day.

Red Canary’s endpoints page allows you to filter your endpoints by many attributes, including several pre-built filters for common use cases, such as recently enrolled endpoints, isolated endpoints, and endpoints running end-of-life operating systems. Just click on the filter

Red Canary gives you detailed breakdowns of threats in your security environment. Reviewing this information, and how it affects your alert sources, is a key step in securing your environment.

An event is an indicator of potentially threatening activity. Other security products can refer to events as alerts. 

When Red Canary detects a threat, we receive and log a variety of information, such as the following:

• The endpoints and identities that were involved

• Any MITRE ATT&CK® techniques that were used

• Analytics, threat intelligence, and alerts that led to the identification of the threat

• An annotated timeline highlighting key endpoint activities involving the threat

Learn about and create automations to streamline and expedite threat response. Automation is essential to taking fast and consistent action when events occur in your organization. Red Canary’s automation capabilities are designed to enable you to complete specific security tasks.

Triggers

Triggers describe when automation should begin. Triggers start with an event (such as When a threat is published or When an Endpoint status changes) and can be limited by conditions such as and Threat Severity is.... Each trigger can be linked to one or more playbooks, making both triggers and playbooks highly reusable.

Playbooks

Playbooks are a group of actions you want to take to achieve a goal. Playbooks can range from the simple (“Email my security mailing list”) to the complex (“Notify an on-call phone tree, network isolate any affected endpoints, and begin remediation.”)

Action

An action is the specific action taken by the automation, whether sending an email, calling a phone, changing a firewall rule, or sending an alert to your Security information and event management  (SIEM). Red Canary’s supported actions are constantly expanding as we enable new integrations.

Reporting is an essential part of every security program, for the following reasons:

• Security leaders need great reporting to understand whether their people, investments, and programs are delivering outcomes that properly improve their program.

• Security leaders also need to be able to communicate the value of their investments and performance to their executive leadership.

• Incident responders need to understand how quickly they are responding to and remediating threats affecting their environment.

• The teams responsible for purchasing Red Canary need to understand how much value is being provided and how Red Canary us performing vs. expectations.

Red Canary’s Report Library is focused on giving you actionable information that you can use as quickly as possible. 

Since most security teams provide reporting via slide decks, Red Canary’s reports use the same format. Some teams will paste screenshots of these reports directly into their internal slide decks; others will use snippets of each report.

View various reports by clicking Reports in the navigation menu. Here, you have access to a report library where you can see summarized activities and statistics in graphical form that are ready to be added to any presentation or report.

Red Canary’s Intelligence Team researches and publishes Intelligence Insights to provide you with timely information about trending security threats and cybersecurity news.

Read about emerging trends and threats in cybersecurity by clicking Intelligence and then Insights in the navigation menu. 

There are two types of Intelligence Insights:

• Monthly insights provide a retrospective look at top threats over the past month and any trends.

• Ad hoc insights provide time-sensitive intelligence about threats on a specific topic.

You can filter for intelligence insights by an intelligence insight’s name or text found within the intelligence insight. The most recent threats will display along with the most important information from the note.

Red Canary provides powerful tools to specify which potentially unwanted programs (PUPs) you’d like monitor. You can configure Red Canary to only observe the execution of an unwanted software product instead of producing Unwanted Software threats.

There are three ways to customize detection.

• Disable all threats for a product by adding Justification Notes that describe why the product is acceptable in your environment.

• Choose to disable threats for a product under specific circumstances by using the Endpoint Tag, Hostname, or Username fields to specify situations where the product is acceptable in your environment.

• Identify which applications should not trigger threats.