Executive Summary:
- $3M saved annually in incident response
- Gained 4 analysts' worth of work
- 10x more valid detections
- 0 false positives
A Canadian medical standards body, serving more than 50,000 clients across over 15 universities, hosts many tools and servers to support its higher education program delivery. Its security team consists of two people who are responsible for keeping endpoints secure, protecting intellectual property and the personal information of their clients, and ensuring compliance with Canada-specific regulations like PIPEDA and CASL, as well as common requirements like the PCI DSS.
BUSINESS SNAPSHOT
400 Windows laptops
60 Windows servers
60 Linux servers
CHALLENGES
The organization had a lean information security program reliant on traditional signature-based antivirus. An audit uncovered several issues common to most growing organizations, forcing the decision to build a more robust program. The new approach included hiring an information security program manager to lead the charge.
A gap assessment identified that traditional antivirus could not provide the level of defense the organization needed. Across a large attack surface, the organization suffered repeated infections and ransomware attacks. About twice a year, heavy system compromises resulted in significant time loss. The team's confidence was low because it lacked visibility into its own environment.
Their antivirus would notify that something was wrong but with no context to aid in the response. The team would struggle to answer questions about what else was seen on the machine, if the threat had been seen elsewhere, and what else was running at the time the event happened. The alerts and information from their antivirus were not enough.
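The three questions above (what else ran on the machine, whether the same threat appeared elsewhere, and what the process tree looked like at the time) are exactly what endpoint process telemetry exists to answer. The block below is an added illustration, not code from Red Canary or Carbon Black, of the enrichment an EDR detection carries: given one flagged process, it reconstructs the process ancestry, lists the other processes started on that host around the alert time, and finds any other hosts where the same binary hash executed. The host names, timestamps, hash labels and the two-minute window are all constructed for the example.

```python
# Added illustration, not Red Canary or Carbon Black code: turning raw process
# telemetry into the context an analyst needs to act on an alert.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record as an EDR sensor would report it."""
    host: str
    ts: datetime
    pid: int
    ppid: int
    image: str
    sha256: str   # placeholder labels below, not real hashes
    cmdline: str


T0 = datetime(2020, 10, 5, 9, 0, 0)
WINDOW = timedelta(minutes=2)  # how far around the alert to look for related activity


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed telemetry for three hosts. On LAPTOP-17 a macro document spawns
# PowerShell, which drops "updater.exe", which then deletes shadow copies.
# The same dropped binary had already run on LAPTOP-42 about twenty minutes earlier.
EVENTS = [
    ProcEvent("LAPTOP-17", _at(-300), 900, 1, "explorer.exe", "H-EXPLORER", "explorer.exe"),
    ProcEvent("LAPTOP-17", _at(0), 4100, 900, "WINWORD.EXE", "H-WINWORD", 'WINWORD.EXE /n "invoice.docm"'),
    ProcEvent("LAPTOP-17", _at(12), 4188, 4100, "powershell.exe", "H-PS", "powershell.exe -nop -w hidden -enc ..."),
    ProcEvent("LAPTOP-17", _at(40), 4203, 4188, "updater.exe", "H-PAYLOAD", r"C:\Users\Public\updater.exe"),
    ProcEvent("LAPTOP-17", _at(65), 4210, 4203, "vssadmin.exe", "H-VSSADMIN", "vssadmin delete shadows /all /quiet"),
    ProcEvent("LAPTOP-17", _at(1800), 4400, 900, "chrome.exe", "H-CHROME", "chrome.exe"),
    ProcEvent("LAPTOP-42", _at(-1200), 2200, 1, "explorer.exe", "H-EXPLORER", "explorer.exe"),
    ProcEvent("LAPTOP-42", _at(-1140), 2310, 2200, "updater.exe", "H-PAYLOAD", r"C:\Users\Public\updater.exe"),
    ProcEvent("SRV-FILE-01", _at(30), 1500, 4, "svchost.exe", "H-SVCHOST", "svchost.exe -k netsvcs"),
]

# The event a signature engine would have reported as a bare "updater.exe blocked".
ALERT = EVENTS[3]


def ancestry(events, host, pid):
    """Walk ppid links on one host back to the root: the process tree above the alert."""
    by_pid = {(e.host, e.pid): e for e in events}
    chain, seen = [], set()
    cur = by_pid.get((host, pid))
    while cur is not None and cur.pid not in seen:   # seen-set guards against pid-reuse loops
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get((host, cur.ppid))
    return list(reversed(chain))


def what_else_ran(events, host, at, window=WINDOW):
    """Everything that started on the same host within +/- window of the alert."""
    lo, hi = at - window, at + window
    return sorted((e for e in events if e.host == host and lo <= e.ts <= hi), key=lambda e: e.ts)


def seen_elsewhere(events, sha256, exclude_host):
    """Other hosts where the same binary hash executed: the scoping question."""
    return sorted({e.host for e in events if e.sha256 == sha256 and e.host != exclude_host})


def triage(events, alert):
    """Bundle the three answers into the kind of context a detection should carry."""
    tree = ancestry(events, alert.host, alert.pid)
    timeline = what_else_ran(events, alert.host, alert.ts)
    return {
        "host": alert.host,
        "process_tree": " > ".join(e.image for e in tree),
        "timeline": [(e.ts.strftime("%H:%M:%S"), e.image, e.cmdline) for e in timeline],
        "other_hosts": seen_elsewhere(events, alert.sha256, alert.host),
    }


if __name__ == "__main__":
    ctx = triage(EVENTS, ALERT)
    print(f"{ctx['host']}: {ctx['process_tree']}")
    for ts, image, cmd in ctx["timeline"]:
        print(f"  {ts}  {image:<16} {cmd}")
    print("same hash also ran on:", ", ".join(ctx["other_hosts"]) or "no other host")
```

Run stand-alone, the script prints the Office-to-PowerShell-to-dropper chain, the shadow-copy deletion that followed within a minute, and the second laptop where the dropper had already executed. That last answer is the one a per-host antivirus verdict cannot give, and it is what turns "wipe this machine" into "isolate these two and check the file server". The `seen` set in `ancestry` is there because pids are reused on Windows and a naive ppid walk can loop.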
Solution
Information Security Program Manager Serge believed endpoint detection and response (EDR) would provide the visibility they needed. “Being a cautious organization, we had taken a fairly traditional approach with our security up until then,” he remembers. “EDR had advanced dramatically over the last five or six years and I knew that it would help us move toward a multi-layered defense.”
Serge spent several months researching and evaluating vendors. He was impressed by the Carbon Black agent and the deep visibility it could provide for their laptops. However, they still needed a solution for their servers, as well as more resources for 24/7 monitoring and data review. They quickly saw that Red Canary could fill those gaps.
Serge says, “Carbon Black alone would have given us great visibility, but we wouldn’t have had SOC analysts in-house that we could call on for support. Red Canary provided so much extra benefit that it was worth it for us to get both.”
The team rolled out Red Canary with Carbon Black and replaced its traditional antivirus with a next-generation anti-malware solution. This multi-layered approach armed the team with best-of-breed antivirus as a first line of defense, backed by a layer of advanced detection and full incident response through Red Canary.
Serge worked with the institution’s network administrators to conduct a phased, two-week rollout and install the agents across the Windows laptops and servers. Everything went smoothly and standing up the portal required no effort or configuration.
Results
The team saw and felt the difference right away. Instead of alerts with no context, Red Canary sent in-depth threat detections notifying of any suspicious activity. Each detection contained full context and a timeline so the team could better understand the threat and how to respond.
Serge says, “Our confidence level immediately improved because of the detections Red Canary sent. Not only could we see a higher volume of detections, we could actually see what was going on behind each one. That visibility is key. With it comes the confidence to make critical decisions like whether you need to take a simple action, wipe and rebuild a machine, or rebuild an entire environment.”
Prior to Red Canary, the team spent a lot of time repairing the damage caused by infections. Now they are able to stop threats before they reach that point. Serge estimates that they are catching 10 times as many threats as before, and that the remediation work avoided has grown in proportion.
“We used to get ransomware on individual endpoints about twice a year. These were heavy system compromises that took significant time and effort to resolve. Since Red Canary, we’ve been able to stop these events before they escalate. We quarantine and wipe maybe 20 machines a year instead of two. We’re catching the grease fires rather than just the house fires.”
The team has also seen an improvement in the time spent chasing false positives. Serge says, “When Red Canary flags something, we know it’s serious. We never ignore Red Canary alerts because they’re 100% accurate every single time. We’ve had zero false positives.”
ROI
Serge estimates annual savings of $3 million in incident response costs alone. He believes they are stopping at least 10 additional incidents a year, and Verizon reports the average cost of an incident as $300,000, which puts the avoided cost at roughly $3 million. He sees further savings in being able to keep the organization's internal security team lean.
Serge explains, “Red Canary is online 24/7, which is easily the equivalent of four people’s worth of work. If we were to have analysts on staff, just looking at logs and nothing else, we’d need a team of five for that alone. When I compare all that with what we’re actually paying for Red Canary, it’s peanuts.”
Serge also notes that he’d need to invest in a plethora of services to receive the same level of defense he gets from Red Canary. “Red Canary is a critical piece of our overall security solution. If we didn’t have Red Canary, I would need to patch that hole with a couple other services. I’d have to invest in a breach coach, a SOC or an MSSP, and a bunch of expensive solutions instead.”
A growing partnership over time
The institution has been a Red Canary customer for almost two-and-a-half years. As time has passed, their trust in the partnership has deepened and they’ve added more Red Canary solutions to their stack.
Serge says, “The relationship has changed and matured quite a bit over the years. We’ve built up enough trust in Red Canary that we’ve enabled automation so they can now quarantine machines on our behalf. I like that we can jump in and modify the playbooks anytime. It was all very easy to set up and super intuitive.”
In October 2020, the team rolled out Red Canary’s new Cloud Workload Protection (CWP) to its Linux servers.
Serge says, “We were thrilled to see that Red Canary built a package that works on a variety of machines. It’s hard to find great solutions for Linux platforms that integrate with the rest of our tools, and these are business-critical systems we need to cover. We installed it on some test and development machines first, then rolled it out on the rest of our production environment.”
Allies in the fight
As a team of two, Serge and his colleague Chris believe that any assistance they can get from the outside is fantastic. In fact, when asked to pick a “favorite feature,” they both heartily agreed: it’s the people at Red Canary that make the biggest difference.
Chris says, “I’ve never had a relationship with a vendor as good as ours is with Red Canary. It really does feel like an extension of our team. We do regular meetings with our threat hunters and customer success managers. They understand our business and our cycles, and any time we have the slightest security problem, we just call them and review things together.”
Serge adds, “Just last weekend, Chris and I called with a question and were able to have an analyst join us on a call in very short order. He walked us through the issue based on similar threats he’d seen before, then told us what to look for and what to do next. He even offered for us to call him if we needed help again. Having an hour’s worth of an expert analyst’s time at that moment was invaluable.”
Being able to rely on an extra set of eyes doesn’t just provide additional coverage; it provides peace of mind.
Chris says, “It lets me sleep at night. We not only have the tools to be able to see things ourselves, but we also have experts looking at it for us. The fact that our threat hunter is available for everything from major incidents to minor things makes the world of difference in my confidence to do my job. I know that I don’t have to be perfect. I don’t have to understand all the intricacies of Windows telemetry, because Paul and Red Canary are there.”