Paul Asadoorian of Security Weekly recently talked with Brian Beyer, Red Canary CEO, to learn about the company’s mission of bringing world-class threat detection and response to every business. Read the highlights below or watch the full 35-minute video.
SW: Tell us about Red Canary.
Brian: Myself and the co-founders, Keith McCammon and Chris Rothe, all had this idea while we were working at Kyrus: This new endpoint security world is focused on looking at what happens on our systems and then helping you do a faster investigation. We said, that’s just broken. What we need to do is look at everything as it happens and identify the threat before it turns into a giant breach that you need to call Mandiant for. We realized very early on that almost no one had the ability to build the team of people to do that themselves, hiring everything from computer scientists to security engineers to security analysts. Because of that, there’s this massive number of companies who have no chance of actually detecting threats before they turn into a breach. So we founded Red Canary, spun it out of Kyrus, and built it into what is today—monitoring over 150,000 endpoints around the world and identifying those attacks.
Learn more about the types of threats Red Canary detects by reading our three-part blog series, What Red Canary Detects.
SW: Is your product focused on detecting the exploit, detecting how the payload injects into the system, detecting payload behavior, or a combination of all three?
Brian: We’re primarily focused on a threat from the time it gets onto the system, and then the attacker’s movement throughout their kill chain. So what we want to look at is how did it get onto a system, how is the attacker gaining persistence, and what are they actually doing on the system. We care less about if it’s a payload or a piece of malware, and much more about broad coverage, about if it’s an insider threat or someone who has compromised your users’ credentials.
SW: Does your solution do this analysis all on the endpoint system or does it rely on sending something up to the cloud for an analysis, or a combination of both?
Brian: The latter. All very detailed endpoint activity comes back to us in the cloud; that’s where our very creatively named “Threat Detection Engine” detects a potential threat.
View a sample of a Red Canary monthly impact report to see how the solution analyzes endpoint activity to detect potential threats.
SW: Are you finding that there is resistance from people around the cloud?
Brian: That was an initial assumption we had where we were completely wrong. We built Red Canary to not have to run in a cloud like AWS. We built it so that if you had to run parts of it on-premise, everything except the Security Operations Center could do that, because we expected there’d be a lot of pushback. As we started to bring the solution to our customers, they were all in the middle of moving all of their infrastructure to the cloud. After two-and-a-half years of doing this and going to market, I can count on one hand the number of times we’ve had really hard pushback where people said, “I just can’t have this data go to the cloud.”
I give a lot of credit to the fact that this founding team, especially Keith McCammon and Chris Rothe, care so tremendously about security and are so paranoid in how our own security works and what we invest in. That makes it possible to go to those customers and say, “We run this up in the cloud, but here are the security measures we have in place, and here’s what we do so that you can have confidence that your data is safer with us than it is with you.”
SW: You’re in a fairly crowded space in information security today. How do you differentiate yourself?
Brian: The interesting thing about Red Canary is that we aren’t a pure endpoint detection and response product. We’re also not an MSSP. Those two markets are very busy and crowded, and it’s hard to differentiate. We sit in the middle as that hybrid of the best endpoint technology you need but also the Security Operations Center you want to build yourself but can’t. It’s actually a much less crowded space. A lot of what we do is work with our customers to say, this is the EDR product you’re likely going to buy anyway, and this is what you should do afterward. Red Canary is going to manage that detection and response, because we want to help our customers be able to respond to more events. We want to increase their response bandwidth.
Learn why assessing response bandwidth is crucial to improving detection and response.
SW: Many security companies are targeting the enterprise. You seem to have a different take on that. Who is your target market and why?
Brian: Everybody wants to target the Fortune 100 — thinking, “they have big security budgets, they’ll buy two or three of everything.” That’s not where we felt we could make the biggest difference. The whole point of Red Canary is to make your security better. The people who need help with that more than anything are what we call the mid-enterprise. They have 250 people or maybe up to 10,000, and they have small security teams. They can’t build a Security Operations Center themselves. They can’t hire endpoint security experts. That’s where we can make the biggest difference.
Read more: Forbes Talks to Brian Beyer About Capturing the Mid-Market
About Brian Beyer: Brian leads Red Canary to deliver its mission of bringing world-class threat detection and response to every business. Prior to co-founding Red Canary, Brian incubated cybersecurity products at Kyrus, innovated big data processing solutions for the intelligence community at Northrop Grumman and started his career in cybersecurity in ManTech’s Computer Forensics & Intrusion Analysis group.