Already a customer of Red Canary MDR for Carbon Black for three years, this popular fast-food chain had been waiting for the day when Red Canary would offer something for threat detection in cloud environments. An early adopter of Red Canary’s new Linux EDR offering, the team has now been using it for several years on some of their most critical Amazon Web Services (AWS) accounts.
BUSINESS SNAPSHOT
5K employees
180+ AWS accounts
2600 endpoints
CHALLENGES
With a large number of Linux-based systems in their primary public cloud, AWS, the corporate headquarters of this popular quick-service restaurant chain needed visibility into its cloud workloads. The problem was that every existing endpoint security tool for that space was “just kind of lackluster,” as Eric T., Incident Response and Security Operations Manager for the company, said. The sensors weren’t able to provide sufficient context alongside security alerts, nor were they able to tie into an Amazon account and pull information about all instances.
He needed a solution capable of providing alerts with context that enabled him to act swiftly and confidently to protect the organization.
Red Canary had long ago earned their trust, Eric said. He spent much time talking with Red Canary’s product team to get a better understanding of what Red Canary was trying to build. Through these early conversations, it became clear that Red Canary was building what Eric had wished every other Linux agent would do—an effective but lightweight solution for gaining visibility into cloud workloads.
EVALUATION
Because it was important to Eric’s team to have a Linux agent that had native support for containers and would be able to see what Docker containers on an EC2 instance were doing (and, of course, out of due diligence), they did evaluate competing offerings. The products themselves mostly did well during evaluations, but fell short from a price perspective.
Ultimately, to gain the necessary visibility to detect threats on cloud workloads, Eric selected Red Canary’s Linux EDR offering.
“And while they had some of the AWS-specific capabilities that I mentioned, they did not have the more important one that I viewed—the agent being aware that it’s on an EC2 instance and bringing back that data automatically. [Those offerings], at least at the time, weren’t doing that.”
IMPLEMENTATION
Because the company got in on the ground floor as part of an early access program, Eric and team were especially excited about being able to provide feedback that could help Red Canary refine the product with new and valuable features.
“As usual with Red Canary, you guys are very receptive to feedback and try to make those little tweaks and enhancements, if they’re feasible. And so there are things that [Red Canary’s] agent and console are doing that I don’t think any others on the market would be doing in the same way.”
They have worked to make things as “unattended” as possible. For example, they have a process that uses Amazon’s Systems Manager to deploy the Linux EDR agent out to instances when they are created.
“The way I’m doing deployment, I don’t have to coordinate with individual teams. My custom implementation of Systems Manager just does it all for me. Imagine that I had 180 different people that I had to give the Linux EDR agent installation instructions to and walk them through how to do it… and then reconcile if they’re actually doing it. It doesn’t sound like very much fun.”
FUTURE PLANS
Eric and his team are now working on deploying the Red Canary Linux EDR sensor in their traditional data center as well to ensure optimal impact and consistent server performance.