Getting Started
- Updated on 21 Aug 2024
- 13 Minutes to read
This guide will serve as a roadmap for getting started with Red Canary. It outlines the essential steps and focus areas to prioritize in your first month, ensuring a seamless deployment and implementation of Red Canary's security capabilities.
In this article, we'll cover the following:
Get to know Red Canary—Learn about your Red Canary platform, the tools, and people supporting you as a Red Canary user.
Configure access to Red Canary—Get your team set up with the right roles and access.
Integrate your Security Stack—Start ingesting data from multiple sources to cover your environment.
Take action with Red Canary—Get the most out of Red Canary by creating automations, monitoring your environment, and responding to threats.
Optimize your Red Canary experience—Enhance your Red Canary experience by engaging in essential actions to stay ahead of emerging threats.
Get to know Red Canary
Before digging in deeper, let’s go over the Red Canary Security Operations Platform. Explore each section below to learn more:
What is Red Canary Managed Detection & Response?
Red Canary provides a security operations platform that proactively monitors for malicious and suspicious behaviors and responds to stop them from becoming serious security incidents. The platform works using several key components:
Endpoint and cloud workload sensors/agents
Alert collectors and integrations with your alert-generating security products
Integrations with your cloud service providers, identity platforms, and SaaS applications
Cloud-hosted collection, detection, and response platforms
Our Cyber Incident Response Team (CIRT)
Our Threat Hunting team
The endpoint and cloud workload sensors run on the endpoints and cloud workloads that make up your corporate and production environments, collecting detailed telemetry about what is happening in those systems.
The telemetry and alerts from your cloud service provider, identity platforms, SaaS applications, and other security products are all sent to our cloud-hosted platform. This allows our CIRT to analyze that data to identify and confirm suspicious activity and security incidents. The security orchestration and response capabilities can execute automations using playbooks on endpoints for response and remediation.
Threat detection & response actions
Detecting potential threats
Red Canary’s detection process uses two primary classes of analytics:
Every piece of telemetry is tested to determine if it matches an indicator of compromise (IOC) that we’ve seen or heard adversaries use.
Behavioral detectors identify sequences of system activity that match techniques used by adversaries. These could be as simple as running PowerShell with an encoded command line or a highly complex chain of behavior over a long period of time. We map detectors to MITRE ATT&CK® techniques so you can quantify your detection coverage.
Unlike other security products, you do not need to define your own detection rules and indicators of compromise to get extremely effective results. From day one, you get the benefits of years of Red Canary detection engineering.
The Analyzed Events dashboard gives you an immediate view into the potential threats Red Canary is identifying in your organization using our threat intelligence and analytics. This page is where you’ll pivot into events if you want to learn more or check our work.
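To make the two analytic classes concrete, here is an added example that is not Red Canary's code or detection content: a hash-based IOC check and a behavioral detector for PowerShell encoded command lines, run over a few constructed process-start events and summarized by ATT&CK technique. The telemetry records, the IOC list, the detector names and the technique mapping (T1059.001 for PowerShell, T1204.002 for execution of a known-bad file) are assumptions chosen for the illustration; a real sensor reports far more fields and a real platform carries many more detectors.

```python
import base64
import re
from dataclasses import dataclass

# Constructed process-start telemetry (not real Red Canary data). A real
# sensor reports many more fields; these are enough for the two analytics.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode("ascii")

TELEMETRY = [
    {"host": "ws-01", "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt", "sha256": "a" * 64},
    {"host": "ws-02", "user": "bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + ENCODED,
     "sha256": "b" * 64},
    {"host": "ws-03", "user": "carol",
     "image": r"C:\Users\carol\AppData\Local\Temp\updater.exe",
     "cmdline": "updater.exe", "sha256": "c" * 64},
]

# Constructed IOC list: file hashes previously tied to adversary tooling.
KNOWN_BAD_HASHES = {"c" * 64}


@dataclass
class Finding:
    host: str
    analytic: str    # "ioc" or "behavioral"
    name: str
    technique: str   # MITRE ATT&CK technique ID (illustrative mapping)
    evidence: str


def ioc_match(event):
    """Class 1: does any atomic indicator in the event match known-bad intel?"""
    if event["sha256"] in KNOWN_BAD_HASHES:
        return Finding(event["host"], "ioc", "known-bad file hash",
                       "T1204.002", event["sha256"])
    return None


# PowerShell accepts abbreviated switch names; these are the common spellings
# of -EncodedCommand (assumption: enough for the example, not exhaustive).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+(\S+)")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries a valid
    base64/UTF-16LE encoded command, else None (malformed input is not a hit)."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:   # binascii.Error and UnicodeDecodeError both subclass it
        return None


def behavioral_encoded_powershell(event):
    """Class 2: a behavior (PowerShell launched with an encoded command line),
    independent of any hash or filename."""
    if not event["image"].lower().endswith("powershell.exe"):
        return None
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is None:
        return None
    return Finding(event["host"], "behavioral",
                   "PowerShell encoded command line", "T1059.001", decoded)


DETECTORS = [ioc_match, behavioral_encoded_powershell]


def analyze(events):
    """Run every detector over every event; findings are what an analyst
    would then review to confirm or dismiss."""
    findings = []
    for ev in events:
        for detector in DETECTORS:
            hit = detector(ev)
            if hit:
                findings.append(hit)
    return findings


def techniques_observed(findings):
    """The coverage view: which ATT&CK techniques the findings map to."""
    return sorted({f.technique for f in findings})


if __name__ == "__main__":
    for f in analyze(TELEMETRY):
        print(f"{f.host:6} {f.analytic:10} {f.technique:10} {f.name}: {f.evidence}")
```

The behavioral detector decodes the payload rather than only flagging the switch, so an analyst sees what the script actually does; the IOC check stays a plain set lookup, which is why it scales to every event while the behavioral rule is deliberately narrow.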
Investigating potential threats
Threat hunting is performed by the Red Canary CIRT to exclude the false positives you’re used to from other security products and services. Instead of the legacy approach of triaging alerts and forwarding them to you to deal with, Red Canary handles everything up to the point of incident response (some teams call this “tier 1” and “tier 2”).
Threats in the Red Canary platform are classified as Unwanted Software, Suspicious Activity, or Malicious Software. Each threat contains the detail your team needs to assess the risk, which people and systems are affected, and the details of what happened.
Responding to threats
Reducing your time to response is one of our chief goals. Your time to respond is dependent on three activities:
How long it takes to detect and confirm a threat (Red Canary does this for you).
How long it takes you to receive the threat and decide how you want to respond.
How long it takes you to respond.
When you start with the Red Canary platform, the first automation you’ll enable is notifications about confirmed threats via email, phone, SMS, Slack, PagerDuty, etc.
After a few days or weeks, most teams establish their decision-making and response processes (steps 2 and 3) in configurable playbooks that are triggered automatically. Approval steps require manual intervention so you can check and approve each action before it is performed.
The peak of automation maturity is removing the approval safeties and allowing playbooks on endpoints to run without intervention. This enables high-quality response and remediation to take place regardless of where an affected system is located or what time of day it is for your security team.
Linux EDR
Linux EDR is a Linux-based EDR sensor which is deployed to physical, virtual, or cloud-based systems. Linux EDR monitors these systems and returns telemetry to Red Canary. Telemetry from Linux EDR is then analyzed and investigated for threats through the normal process. Within the platform, users can search their Linux EDR telemetry and manage deployed sensors.
Here's how Linux EDR strengthens your security posture:
Unmatched Visibility: Gain real-time insights into endpoint activity, user behavior, and system changes. Unmask hidden threats that may be lurking within your Linux infrastructure.
Advanced Threat Detection: Move beyond outdated signatures. Linux EDR utilizes behavioral analysis to identify suspicious activities, even novel malware that hasn't been seen before.
Active Remediation
Active Remediation is an annual subscription product that can be purchased as an add-on for Red Canary Managed Detection & Response (MDR) for Endpoint subscriptions. Active Remediation provides hands-on-keyboard remediation support for Red Canary-managed endpoints.
How does Active Remediation Work?
Active Remediation utilizes endpoint sensor groups to perform remediation on Red Canary-managed endpoints for supported EDRs based on the subscription details outlined above. Please see Getting Started with Active Remediation for more information on how Active Remediation is configured.
Reporting on your performance
Every great security program continually improves over time, and Red Canary is focused on helping you understand how you’re doing.
Unlike the typical pie-chart-filled dashboards, Red Canary’s reporting library contains pre-built reports that are designed with help from your peers for inclusion in your executive and board presentations.
Your team at Red Canary
Red Canary is a part of your security team. We're here to ensure your organization can achieve its goals without disruption or distraction.
When an incident occurs, it is not always obvious what to do. Your Red Canary team is on-call when you need help and provides proactive security architecture and engineering guidance. Most teams engage with threat hunting in three primary ways:
Periodic sync: Your threat hunter joins a regularly scheduled meeting with your team to review recent detections, discuss security architecture, help with automation, and provide any other security guidance you need.
Immediate assistance: Threat Hunting is on-call 24/7/365 for investigation support and remediation guidance.
Proactive outreach: Our team will proactively communicate with your team if the Red Canary CIRT identifies a critical threat requiring immediate action.
Configure access to Red Canary
Configuring access to Red Canary is a straightforward process. Explore the following sections for detailed insights into setting up your access controls effectively.
Complete your Company Profile
Your company profile is where you define your security protocols to enable Red Canary Threat Hunters to know your escalation contacts. This allows Threat Hunters to reach out to your team in extreme circumstances or regarding active threats identified in your environment.
Click your user icon at the top right of your Red Canary, and then click Company Profile.
Edit any of the profile fields.
Click Save changes.
Invite Users to Red Canary
Invite new users to your Red Canary account and manage their access. Onboard your team quickly and efficiently to start leveraging the full capabilities of this comprehensive security platform.
Click your user icon at the top right of the navigation menu, and then click Users & Roles.
Enter the email address of the user that you want to invite.
Click Invite.
Assign one or more roles to the user by clicking the boxes next to each role.
What if the user accepts the invite but receives a message that the invitation has expired?
Invitations expire after 48 hours. If the invited user does not accept the invitation during that window, the link will no longer be valid and you will need to resend the invitation.
Understand & assign roles
Set up your team with the roles they’ll need in Red Canary. Roles grant users access to features and functionality in Red Canary.
Click your user icon at the top right of your Red Canary, and then click Users & Roles.
Assign one or more roles to the user by checking the boxes next to each role.
Set up single sign-on
Using a single sign-on (SSO) provider is one of the best ways to improve the security of your Red Canary users. Red Canary supports Security Assertion Markup Language (SAML) identity providers for single sign-on.
Click your user icon at the top right of your Red Canary, and then click Single Sign-On.
Follow the setup instructions for your identity provider.
Click Save.
Integrate with Red Canary
Get the tools your team uses talking to Red Canary.
Review supported integrations
If you have a Red Canary MDR subscription, your service includes Managed Detection and Response (MDR) for many third-party security products, which expands the investigation of supported alerts integrated with Red Canary.
Determine which products you’d like to integrate with Red Canary, and which ingest methods work best for your environment by reviewing the supported integrations.
Integrate your EDR/EPP to Red Canary
Deploy endpoint agents and sensors to start collecting telemetry from your devices to allow Red Canary Managed Detection and Response to continuously monitor and protect your endpoints against ransomware, malware, and other threats.
In your EDR/EPP console, deploy agents/sensors to your endpoints.
Ensure all endpoints are checking in and sending telemetry to your console.
Work with your Technical Implementation Manager to integrate the EDR/EPP with Red Canary using our comprehensive guides:
Integrate your Cloud Control Plane
Red Canary has got you covered, all across the cloud. Work with your Technical Implementation Manager to configure your cloud control planes to send telemetry to Red Canary to provide that extra layer of protection across your environments.
Integrate your Identities
See how Red Canary’s 24×7 email, SaaS app, and identity threat detection and response helps you secure critical business data.
Add third-party alert sources to Red Canary
Red Canary ingests security data from multiple third-party security platforms spanning Endpoints, Networks, Identity, Cloud, and more. Adding supported security data sources to Red Canary ensures that you’re getting the most out of your security products and Red Canary.
Adding supported alert sources to Red Canary is essential for getting the most out of your Red Canary experience and your security products. For more information, see Add Third-Party Alert Sources to Red Canary.
Take action with Red Canary
Red Canary streamlines cybersecurity, empowering you to defend against evolving threats. Get insights, review threats, and automate workflows for quick and efficient responses.
Understand endpoints
Once you’ve integrated your EDR/EPP platform, you can manage endpoints in Red Canary.
Endpoints are the computing devices that are used throughout your organization. Software sensors deployed to those endpoints collect detailed telemetry about what is happening on those systems at the operating system level and transmit it to Red Canary for analysis.
Your endpoints are the most critical assets to protect from adversaries because:
For most organizations, they are where important data resides or is accessed.
They are the systems that vulnerable users use every day.
Red Canary’s endpoints page allows you to filter your endpoints by many attributes, including several pre-built filters for common use cases, such as recently enrolled endpoints, isolated endpoints, and endpoints running end-of-life operating systems. Just click on the filter
Review threats
Red Canary gives you detailed breakdowns of threats in your security environment. Reviewing this information, and how it affects your alert sources, is a key step in securing your environment.
An event is an indicator of potentially threatening activity. Other security products can refer to events as alerts.
When Red Canary detects a threat, we receive and log a variety of information, such as the following:
The endpoints and identities that were involved
Any MITRE ATT&CK® techniques that were used
Analytics, threat intelligence, and alerts that led to the identification of the threat
An annotated timeline highlighting key endpoint activities involving the threat
Set up automations
Learn about and create automations to streamline and expedite threat response. Automation is essential to taking fast and consistent action when events occur in your organization. Red Canary’s automation capabilities are designed to enable you to complete specific security tasks.
Triggers
Triggers describe when automation should begin. Triggers start with an event (such as When a threat is published or When an Endpoint status changes) and can be narrowed by conditions (for example, “and Threat Severity is…”). Each trigger can be linked to one or more playbooks, making both triggers and playbooks highly reusable.
Playbooks
Playbooks are a group of actions you want to take to achieve a goal. Playbooks can range from the simple (“Email my security mailing list”) to the complex (“Notify an on-call phone tree, network isolate any affected endpoints, and begin remediation.”).
Action
An action is the specific step taken by the automation, whether sending an email, calling a phone, changing a firewall rule, or sending an alert to your security information and event management (SIEM) system. Red Canary’s supported actions are constantly expanding as we enable new integrations.
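The trigger, playbook and action model above, together with the approval steps described under Responding to threats, as an added example that is not part of this article or of the Red Canary platform: a small Python engine in which a trigger fires on a published threat, a condition on severity gates a containment playbook, and an approval-gated action holds the rest of its playbook until an analyst approves it. The class and playbook names, the Threat fields, the two scenarios and the rule that an unapproved action pauses the remaining actions of its playbook are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Threat:
    id: str
    severity: str    # "low" | "medium" | "high" (constructed values)
    endpoint: str


@dataclass
class Action:
    name: str
    requires_approval: bool = False   # the "approval safety" on a step


@dataclass
class Playbook:
    name: str
    actions: List[Action]


@dataclass
class Trigger:
    event: str                          # e.g. "threat_published"
    condition: Callable[[Threat], bool] # narrows when the trigger fires
    playbooks: List[Playbook]           # one trigger can run several playbooks


@dataclass
class AutomationEngine:
    triggers: List[Trigger]
    # Called for every approval-gated action; returns True if an analyst
    # (or, once approvals are removed, policy) lets the action proceed.
    approve: Callable[[Action, Threat], bool]
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def publish(self, event, threat):
        """Deliver an event; every trigger whose event and condition match
        runs each of its playbooks for the threat."""
        for trig in self.triggers:
            if trig.event != event or not trig.condition(threat):
                continue
            for pb in trig.playbooks:
                self.run_playbook(pb, threat)
        return self.log

    def run_playbook(self, pb, threat):
        for act in pb.actions:
            if act.requires_approval and not self.approve(act, threat):
                # Assumption for this example: an unapproved step parks the
                # remaining steps of the playbook until an analyst decides.
                self.log.append((pb.name, act.name, threat.id, "awaiting approval"))
                return
            self.log.append((pb.name, act.name, threat.id, "executed"))


def build_engine(auto_approve):
    """Notification playbook runs for every published threat; containment
    runs only for high-severity threats and has an approval-gated step."""
    notify = Playbook("Notify on-call", [
        Action("email security list"),
        Action("page on-call phone tree"),
    ])
    contain = Playbook("Contain endpoint", [
        Action("network isolate endpoint", requires_approval=True),
        Action("open remediation ticket"),
    ])
    triggers = [
        Trigger("threat_published", lambda t: True, [notify]),
        Trigger("threat_published", lambda t: t.severity == "high", [contain]),
    ]
    # auto_approve=False models the early stage (an analyst must approve);
    # auto_approve=True models the mature stage with the safety removed.
    return AutomationEngine(triggers, approve=lambda act, thr: auto_approve)


def run_scenario(auto_approve):
    """Publish one high and one low severity threat (constructed) and
    return the engine's action log."""
    engine = build_engine(auto_approve)
    engine.publish("threat_published", Threat("THR-1", "high", "ws-02"))
    engine.publish("threat_published", Threat("THR-2", "low", "ws-05"))
    return engine.log


if __name__ == "__main__":
    for stage, flag in (("manual approvals", False), ("approvals removed", True)):
        print(f"--- {stage}")
        for entry in run_scenario(flag):
            print("  ", entry)
```

Keeping the approval decision as an injected callable is what lets the same triggers and playbooks serve both maturity stages: nothing about the playbook changes when the safety is removed, only who answers the approval question.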
Optimize your Red Canary experience
Enhance your Red Canary experience to its full potential by actively engaging in essential actions: View reports to gain insights into your security landscape, set up file integrity monitoring, leverage intelligence insights to stay ahead of emerging threats, customize detection of unwanted applications, and disable threats.
View reports
Reporting is an essential part of every security program, for the following reasons:
Security leaders need great reporting to understand whether their people, investments, and programs are delivering outcomes that properly improve their program.
Security leaders also need to be able to communicate the value of their investments and performance to their executive leadership.
Incident responders need to understand how quickly they are responding to and remediating threats affecting their environment.
The teams responsible for purchasing Red Canary need to understand how much value is being provided and how Red Canary is performing vs. expectations.
Red Canary’s Report Library is focused on giving you actionable information that you can use as quickly as possible.
Since most security teams provide reporting via slide decks, Red Canary’s reports use the same format. Some teams will paste screenshots of these reports directly into their internal slide decks; others will use snippets of each report.
View various reports by clicking Reports in the navigation menu. Here, you have access to a report library where you can see summarized activities and statistics in graphical form that are ready to be added to any presentation or report.
Set up file integrity monitoring
Activity monitors provide a key advantage to security programs by identifying modifications to specific files or paths. These may be critical system files, paths containing valuable intellectual property, or files that must be tracked for regulatory or compliance purposes.
You can use activity monitors to observe file modifications and leverage detection engines that can pull double duty by identifying file modifications of interest.
This feature is not currently supported with Linux EDR.
Create a file modification activity monitor
You can create an activity monitor that identifies the creation, modification, or deletion of specific files on your endpoints. These monitors are dependent on the fidelity of file telemetry collected by your EDR/EPP sensor (not all sensors record file activity for all files).
From the navigation menu, click the Analytics dropdown, and then click File Activity Monitors.
Click New file activity monitor.
Configure your monitor by completing the form.
Note: You can specify either whole directories or individual files for each activity monitor.
Click Save.
Understand Intelligence Insights
Red Canary’s Intelligence Team researches and publishes Intelligence Insights to provide you with timely information about trending security threats and cybersecurity news.
Read about emerging trends and threats in cybersecurity by clicking Intelligence and then Insights in the navigation menu.
There are two types of Intelligence Insights:
Monthly insights provide a retrospective look at top threats over the past month and any trends.
Ad hoc insights provide time-sensitive intelligence about threats on a specific topic.
You can filter for intelligence insights by an intelligence insight’s name or text found within the intelligence insight. The most recent threats will display along with the most important information from the note.
Customize Handling of Potentially Unwanted Programs (PUPs)
Red Canary provides powerful tools to specify which potentially unwanted programs (PUPs) you’d like to monitor. You can configure Red Canary to only observe the execution of an unwanted software product instead of producing Unwanted Software threats.
There are three ways to customize detection.
Disable all threats for a product by adding Justification Notes that describe why the product is acceptable in your environment.
Choose to disable threats for a product under specific circumstances by using the Endpoint Tag, Hostname, or Username fields to specify situations where the product is acceptable in your environment.
Identify which applications should not trigger threats.