To our surprise, we’ve found that even the most seasoned security teams often lack a detailed incident management process. Sometimes they even have internal debates about what incident management should be, what it should involve, and who’s responsible for it. Having spoken with hundreds of companies in this situation and worked through solutions with them, we’d like to share what we’ve found works.
Many managed detection and response services emphasize automation—and that’s smart. Automation is great, as long as you’re clear on what you’re automating, and you have the human side of the automation ready to support, sort, and respond appropriately to various levels of threat. How does this balance work? Let’s look.
The Red Canary difference
At Red Canary, we start by collecting rich telemetry and alerts from the endpoints and workloads that make up your corporate and production environments. But that’s just the start.
Red Canary also ingests data from your non-endpoint security products (network, identity, email) into our cloud-hosted platform. This is where the human side needs to come in, and where, in most solutions, it doesn’t.
Our cyber incident response team (CIRT) acts as your quarterback, guiding you through detection and response more quickly and with more confidence than an internal team working alone. The CIRT analyzes the telemetry and alert data to identify and confirm suspicious activity and security incidents that warrant additional attention. It also has security orchestration and response capabilities that let it execute playbooks on endpoints for fast, targeted response and remediation.
As a Red Canary client, you have access to the incident handling team, which assists and coaches your team through reporting, prevention recommendations, and active response actions. This reduces your risk in several ways:
Improved security outcomes
As soon as you become a Red Canary client, you gain the expertise you need for next-level security, from strategic support and program development to tactical advice and actionable threat intelligence. Right away, you add a Red Canary team—an instant security operations center (SOC).
Expert security support 24/7
Whether it’s Tuesday afternoon at 3:00 or Sunday morning at 7:45, you have a team of on-call seasoned security experts monitoring your environment. So if you need help analyzing suspicious activity, your Red Canary incident handler is ready to quickly help you identify and neutralize the threat.
Instantly scalable security
Say a major new threat bursts on the scene, as the HAFNIUM exploitation of Microsoft Exchange Server or the Kaseya VSA supply-chain attack did. Now you need to understand what the threat is and pivot your defense in response. Red Canary gives you the additional security staff on hand and ready to investigate and fend off the attack in very short order. No hiring. No training. Just security.
When an incident occurs, your process should be clear end to end, from the systems that first detect anomalies to the people who help you remediate them. The Red Canary team is always on call and provides proactive security guidance. Most teams engage with incident handling in three primary ways:
- Periodic sync: Your incident handler joins a regularly scheduled meeting with your team to review recent detections, discuss security architecture, help with automation, and provide any other security guidance you need.
- Immediate assistance: Red Canary monitors your environment 24/7/365 and is always on call for investigation support and remediation guidance.
- Proactive outreach: Incident handling will proactively communicate with your team if the Red Canary CIRT identifies a critical threat requiring immediate action.
Find out more about how Red Canary imposes order, automation, and human expertise on the unpredictable world of cyber threats.