Already a customer of Red Canary MDR for Carbon Black for three years, this popular fast-food chain had been waiting for the day when Red Canary would offer something for threat detection in cloud environments. An early adopter of Red Canary’s new Cloud Workload Protection (CWP) offering, the team has now been using it for the better part of 2020 on some of their most critical Amazon Web Services (AWS) accounts.
While the initial plan was to deploy the lightweight Red Canary sensor on everything the company had residing in AWS, the global pandemic did change that timeline. With the visibility and automation benefits realized so far, the company is eager to implement CWP on everything it can in 2021.
BUSINESS SNAPSHOT
- 5K employees
- 180+ AWS accounts
- 2600 endpoints
CHALLENGES
With a large number of Linux-based systems in their primary public cloud, AWS, the corporate headquarters of this popular, quick-service restaurant chain needed visibility into its cloud workloads. The problem was that every existing cloud endpoint security tool for that space was “just kind of lackluster,” as Eric T., Incident Response and Security Operations Manager for the company, said. The sensors weren’t able to provide sufficient context alongside security alerts, nor were they able to tie into an Amazon account and pull information about all instances.
He needed a solution capable of providing alerts with context that enabled him to act swiftly and confidently to protect the organization.
As an existing customer, the company had long trusted Red Canary, Eric said. He spent much time talking with Joren McReynolds, GM of CWP, and his team to get a better understanding of what Red Canary was trying to build. Through these early conversations, it became clear that Red Canary was building what Eric had wished every other Linux agent would do: an effective but lightweight solution for gaining visibility into cloud workloads.
EVALUATION
Because it was important to Eric’s team to have a Linux agent that had native support for containers and would be able to see what Docker containers on an EC2 instance were doing (and, of course, out of due diligence), they did evaluate competing offerings. The products themselves mostly did well during evaluations, but fell short from a price perspective.
Ultimately, to gain the necessary visibility to detect threats on cloud workloads, Eric selected Red Canary’s new Cloud Workload Protection (CWP) offering and got in as an early customer, well before the product launched to the market.
“And while they had some of the AWS-specific capabilities that I mentioned, they did not have the more important one that I viewed—the agent being aware that it’s on an EC2 instance and bringing back that data automatically. [Those offerings], at least at the time, weren’t doing that.”
IMPLEMENTATION
Because the company got in on the ground floor as part of an early access program, Eric and team were especially excited about being able to provide feedback that could help Red Canary refine the product with new and valuable features.
“As usual with Red Canary, you guys are very receptive to feedback and try to make those little tweaks and enhancements, if they’re feasible. And so there are things that [Red Canary’s] agent and console are doing that I don’t think any others on the market would be doing in the same way.”
While implementation is still ongoing in the grander scheme of the team’s plans, they are working to make the rollout as “unattended” as possible. For example, they have a process that uses AWS Systems Manager to deploy the CWP agent to instances automatically when they are created.
“The way I’m doing deployment, I don’t have to coordinate with individual teams. My custom implementation of Systems Manager just does it all for me. Imagine that I had 180 different people that I had to give the Cloud Workload Protection agent installation instructions to and walk them through how to do it… and then reconcile if they’re actually doing it. It doesn’t sound like very much fun.”
KEY RESULTS
While it’s still early days, Eric expects Red Canary Cloud Workload Protection is going to save the company money and save him and his team time and energy. The time saved is largely due to features like the ability to tie into an Amazon account and pull information about all instances, which eliminates much of the manual work of finding data by bringing it straight to them.
“We’re usually at a deficit for time, so you’re digging me out of the hole.”
Once CWP gives Eric a surplus of time, he intends to look more toward monitoring and detection for classes of data and systems that require more specialized context. Specifically, Eric would start looking more closely at logs from AWS accounts, such as CloudTrail logs, and work on improving detection of potential abuse or fraud on customer-facing sites.
FUTURE PLANS
Eric and his team are now working on deploying the Red Canary CWP sensor in their traditional data center as well to ensure optimal impact and consistent server performance.
“[Red Canary’s] agent being as lightweight as it is, is a tremendous boon.”