Red Canary at RSA

Join Red Canary at RSA for Real Security Conversations With Real Security People

Suzanne Moore


If you’ve been to RSA, you know the expo hall can be full of flashy product pushes. Join Red Canary at RSA Booth #2225 for real security conversations with real security people. We’ll have a combination of founders, security operations, researchers, technical account managers, and customer success managers on-site. (And of course, everyone’s favorite: free t-shirts and stickers.)

Are you a blog subscriber? Come by early to score a special limited edition Canaries of War shirt!

Check out these popular posts and stop by to talk to the authors.

Threat Hunting vs Threat Mining

Red Canary at RSA: Joe Moles, Red Canary, Director of Detection Operations

By Joe Moles, Director of Detection Operations

As Red Canary’s director of detection operations, I get a lot of questions about how our analysts use threat hunting to find threats on behalf of our customers. My team eats, sleeps, and breathes process telemetry data. We spend our days digging into what is happening on our customers’ endpoints. I want to emphasize the term “digging” because the way we work through data and raise alerts to our customers is more akin to mining than it is to hunting. You could say we perform threat mining as a service (because, hey, if the security industry needs anything, it is a new buzzword or marketing term). Read more >>

Stop by to talk to Joe about:

  • How Red Canary uses threat hunting and finds threats on behalf of our customers
  • Operationalizing threat hunting and driving efficiencies through automation
  • Blue team strategies, team structure, and processes

Testing Detection and Prevention Tools With Atomic Red Team

Red Canary at RSA: Casey Smith, Director of Applied Research

By Casey Smith, Director of Applied Research

The very nature of Atomic Red Team is to allow for customization of different testing units to determine coverage, prevention, or detection within your environment. Chain reactions are a concept we developed to enable security teams to combine multiple MITRE ATT&CK™ techniques and execute them simultaneously. This article walks through how to build a chain reaction by utilizing multiple ATT&CK tactics and techniques, then shows how to identify whether the solutions you have in place prevented and/or detected the behaviors. Read now >>

Stop by to talk to Casey about:

  • Using Atomic Red Team to identify gaps across your detection and ATT&CK coverage
  • New adversary techniques and how to test against them
  • Becoming part of the Atomic community

Operationalizing Data With Carbon Black and Splunk (3-Part Series)

Red Canary at RSA: Michael Haag, Red Canary Director of Advanced Threat Detection & Research

By Michael Haag, Director of Advanced Threat Detection & Research

Data analysis at any scale can be cumbersome and overwhelming. However, Splunk has the ability to greatly reduce this complexity. It is known for the speed at which it can search for data, the reliability of its architecture, and the ability to spin up multiple indexers and ingest terabytes of information—all while swiftly combing through piles of information. The only thing more awesome than Splunk? Combining Splunk and Carbon Black Response. To help organizations leverage the power of these two critically powerful tools, I’ve been working with the team at Carbon Black to roll out a collection of educational materials. Explore the series >>

Stop by to talk to Michael about:

  • Analyzing data using Carbon Black Response, Splunk, Surveyor, and other tools
  • Testing your security stack and evaluating EDR products
  • Techniques for measuring risk and driving continuous improvement

Common Security Mistakes (3-Part Series)

Red Canary at RSA: Phil Hagen, DFIR Strategist

By Phil Hagen, DFIR Strategist

Even mature security teams sometimes make mistakes. Part of my role at Red Canary is to educate organizations about ways to solve problems and improve their security posture. This three-part series addresses common mistakes based on real-world engagements with teams of all sizes and maturity levels. Read the series >>

Stop by to talk to Phil about:

  • Why gaining visibility is a critical first step
  • Threat prevention vs detection
  • Endpoint security vs network security

How to Detect and Defend Against the EggShell Surveillance Tool for MacOS

Red Canary at RSA: Adam Mathis, Red Canary Technical Account Manager

By Adam Mathis, Technical Account Manager

As macOS and Linux systems have become more commonplace in enterprises, so has the tooling to compromise them and facilitate post-exploit hijinks. For those charged with defending macOS and Linux systems, knowing how to detect and defend against this activity is critical. Even unsophisticated attackers can use these tools to infiltrate a system, perform reconnaissance, escalate privilege, and move laterally throughout a network. In this blog I’ll provide practical methods to detect and prevent EggShell, a post-exploitation framework focusing on surveillance on macOS and iOS devices. Read Now >>

Stop by to talk to Adam about:

  • Testing your defenses on macOS and Linux
  • Commonly seen post-exploitation frameworks
  • How to build a defense-in-depth approach that combines layers of detection and prevention

Red Canary ATT&CKs: Mapping Our Detectors to ATT&CK Techniques

Red Canary at RSA: Kyle Rainey, Red Canary Detection Engineering & Analysis

By Kyle Rainey, Detection Engineering & Analysis

Earlier this year, Red Canary decided to adopt the MITRE ATT&CK framework across every part of Red Canary’s operations and platform. This would give us a common framework to effectively share information amongst our internal teams, our customers, and the community at large. This post walks through the process of mapping our 800+ behavioral detectors to the ATT&CK framework and shares key lessons we learned along the way. Read Now >>

Stop by to talk to Kyle about:

  • How we use ATT&CK to identify gaps and prioritize detection research
  • Collaborating with the ATT&CK team to create new techniques and expand on existing ones
  • Strategies for developing effective incident response plans and tabletop simulations

Microsoft DDE Exploit Arriving in Email Accounts

Red Canary at RSA: Keya Horiuchi, Security Analyst

By Keya Horiuchi, Security Analyst

Red Canary detected a Dynamic Data Exchange (DDE) attack in which an unsuspecting user received an email with a weaponized document. DDE exploits commonly masquerade as an attached invoice and leverage a Microsoft internal usability feature that allows one application to share data with another. It’s important for defenders to take note of this type of attack because the traditional method of filtering for embedded macros will not be effective. This post walks through the threat detection timeline, showing telemetry from the attack. Read Now >>

Stop by to talk to Keya about:

  • Exploits observed in real-world environments
  • Why it’s critical to monitor endpoint processes and behaviors
  • How Red Canary’s security operations team analyzes data to quickly detect threats

Talk to Our Founders

Red Canary at RSA: Red Canary Co-Founders
Keith McCammon, Chief Security Officer; Chris Rothe, Chief Product Officer; Brian Beyer, Chief Executive Officer

Come by and talk to our founders about:

  • Building one of the most trusted security companies
  • Why we’re using ATT&CK across Red Canary
  • Analyzing massive amounts of data without drowning your security team
  • Which party to go to that night (Keith gets all the invites)

Share Ideas for Our Blog

Red Canary at RSA: Suzanne Moore, Content Marketing Manager

Suzanne Moore, Content Marketing & Editor-in-Chief

We’re always looking to build our team of talented contributors. I’ll be at RSA and would love to talk. Whether you want to share an idea for an article or throw your hat in the ring to be an author or webinar speaker, let’s connect. We rely on real-world security professionals to build our content and educational resources.

See you in San Francisco!