
A+ coverage: Red Canary MDR fills in security gaps at a higher education institute

With the right MDR partner, a security team of one can reduce risk, extend capacity, and stop overnight attacks.

Executive Summary

  • 2 overnight attacks stopped in minutes
  • 3-4x team capacity
  • Faster MTTR through automation
  • 24/7 detection and response

A nonprofit organization in Canada provides higher education and career development for thousands of students and professionals. The organization’s technology is managed by a small, centralized IT department with just one administrator managing security.

The security administrator is responsible for maintaining the organization’s overall security architecture; ensuring that employees can do their jobs safely; and safeguarding customer data, private student information, and intellectual property. He also ensures compliance with privacy laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA).

At a glance:

  • 130 employees
  • 400 endpoints
  • 35,000+ students and members

Like many higher education organizations, the institution battled significant resource constraints. Its IT environment is highly complex and serves tens of thousands of end customers, yet the security team had minimal headcount and a tight budget that made it difficult to keep up with all the demands. The organization had no endpoint tooling beyond antivirus and no way of knowing whether someone had breached the network.

Eager to step up its security program, the organization conducted a third-party risk assessment and identified a number of critical gaps in endpoint visibility, threat detection, and incident response. Instead of adding headcount, the IT leader decided to outsource detection and response. Building the skill set internally would have been extremely challenging, and hiring a team of specialists with deep expertise in the ever-changing threat landscape would be too costly to maintain.

The team started looking for a unified SIEM solution that would offer both Managed Detection and Response (MDR) and network detection and response. When they were unable to find a vendor that could satisfy both those needs, MDR rose to the top as a potential “big win” for monitoring and containment. The organization could implement the solution relatively quickly and see a big impact.

After looking at a number of MDR vendors, the team was won over by Red Canary MDR with Carbon Black. One of the key deciding factors was Red Canary’s extensive hands-on support. Throughout the proof of concept, they noted a level of attentiveness, knowledge, and genuine partnership they didn’t find with other vendors.

Deployment was fast and easy. Within minutes of installing the agent on a new machine, the machine appeared in the console. From there, the team could view its information and manage the device, all while knowing that Red Canary was monitoring endpoints for potential threats and enabling rapid response.

Instead of relying on just one person for security, the organization now has a full team of experts at their disposal. In addition to Red Canary’s security analysts and an account manager, they also have a dedicated incident handler with deep knowledge about their environment. The team meets regularly to stay aware of the organization’s ongoing initiatives.

The security administrator notes, “We’ve had several instances where we relied on our incident handler’s analysis to help us put the pieces together. They always provide good advice—not only when we have an issue, but anytime we want to talk through a security question. They provide insight based on what they’re seeing with other customers to help guide our direction. That kind of intelligence gathering is extremely helpful.”

Red Canary’s automation capabilities are yet another way to extend the team’s capacity, reduce risk, and cut response time. The team can create playbooks that automate response workflows and can apply different rules to specific groups of machines. This gives them the flexibility to tailor response actions for high-priority assets.

The IT leader says the improvement in their response time is even greater than what they’d see with 3-4x their internal resources. “Even if we hired three more security administrators, they wouldn’t be able to monitor endpoint activity all the time. Instead, we can use Red Canary’s automated capabilities to alert our customers to potentially threatening behaviors and lock down a computer or take it offline. It really cuts down how long it takes to remediate threats.”

The team has also discovered unexpected benefits of the platform. During a forensics exercise after an attack, the team was able to pull all the relevant information from Red Canary and pass it to forensic investigators, speeding up the investigation. Red Canary also acts as a stand-in for an asset management solution by helping the team get a better handle on their assets across the board.

Red Canary stopped two attacks that could have had a serious impact, including one that occurred in the middle of the night. The team would have had no way to know about the threat if not for Red Canary.

The IT leader recalls, “Within 30 minutes, Red Canary spotted the activity and started looking at it, and within 90 minutes, we were able to totally stop the attack. From my perspective, that alone is invaluable. I don’t have to build a case for the solution anymore; it’s already proven its value.”

The security administrator adds, “By stopping those attacks, Red Canary met a mission-critical goal of protecting our customer data. In that sense, it has protected the priorities of the organization by securing a customer and protecting member privacy.”

The platform has added value at every stage of the incident response lifecycle: identification, containment, response, and remediation, as well as continuous improvement. After each incident the team receives a report that helps them identify improvements so they can avoid similar situations in the future.

The solution has saved time and eased workload. The administrator says: “It definitely adds a lot of value to my workload. I can’t recall ever having an issue where I struggled to use the tool or doubted its value. It’s proven on multiple occasions to be invaluable to the organization, and it’s a great partnership for us.”