Several years ago, when we were still very much a start-up, we sent three of our team (of five) to conduct an incident response for a much larger company. Two of the team members had done incident response before; the third was more the kind of guy who caused incidents rather than responded to them.
Three weeks later, after delivering our final report to the customer, we did an internal after-action review. Our offense-minded colleague pointed out that a lot of the work associated with ‘generally accepted IR principles’ was unnecessary if you had the ability to record execution on a host. This was not a novel idea – others had toyed with it around the same time – but as recent events have illustrated, we were the most successful of those who were considering such an approach.
That idea — a surveillance camera on a CPU — is on hosts all around the world, but wherever it is operating the refrain from system owners is the same: “This is the best threat data I have ever seen, but I don’t have the resources to deal with it all.” Turning the old proverb on its head: we provided people with a boatload of fish when what they really needed was an order of sushi. The idea of changing incident-response-as-usual was never going to come to fruition if we could not provide people with some way to control the power we had given them.
Thus Red Canary was born.
Red Canary provides awareness of threats before they become intractable. Because we are always watching what goes on at the very lowest levels of an enterprise, we have unparalleled insight into what happens, when it happens, and where it happens. Our algorithms and expert human analysts quickly triage these events so that the greatest threats to the enterprise are addressed at speeds that are orders-of-magnitude faster than traditional response methodology.
Why is speed important? Consider the Verizon Data Breach Investigation Report, which every year tells the same story: most organizations go for months without realizing they’ve been hacked. When they do find out they’ve been hacked its because someone else tells them. At that point it doesn’t matter how good the response team is because everything of value is long gone. The future of the industry belongs to those who can accelerate from detection to remediation faster than today’s approaches. IR will become a game of minutes not months, and as with everything related to computer security, once consumers catch on they will realize the futility of any other approach.
We are actively looking to work with those who recognize that it is time for a change in this business, and who want to be at the vanguard of that change. Members of the Red Canary team will be at RSA this week. Drop us a line if you would like to set up a date/time to meet.