A rapidly growing technology company that worked with much of the Fortune 500 appointed a Chief Information Security Officer to build out its security program. The company regularly faced advanced and malwareless attacks and needed to safeguard critical customer data and valuable IP against threats that slipped past antivirus.
The company not only needed coverage against external attackers, but also insider threats who might have access to sensitive customer information or source code. Having the ability to detect suspicious activity based on behavioral analysis rather than signature-based detection was crucial.
Business snapshot
5
employees on the security team
650
endpoints
$100M+
annual recurring revenue
Evaluating EDR solutions
The security team is comprised of several different teams that report to the CISO. The infrastructure security team evaluated EDR and next-generation antivirus solutions, comparing critical functionalities and technology components.
The lead infrastructure security engineer (we’ll call him Bryan) determined that EDR would provide the layer of defense the organization needed. Not only would the solution stop advanced threats that antivirus didn’t catch, but it would also record all endpoint activity.
EDR has become the most critical security tool for endpoints because you are capturing everything that is happening. Anything that executes, you’re tracing it, tracking it, and doing analytics on it. If someone manages to do something bad on an endpoint, EDR will see it. Without it, you’re missing a critical component of defense. —Bryan, Lead Infrastructure Security Engineer
The team selected Carbon Black Response based on the sensor’s depth of visibility and data, but they knew it would be a full-time job to look at all the data, write rules and logic, and investigate alerts. They would either need heavy automation and additional staff or a very technical managed provider.
Bryan strongly believed that partnership was the better route. “It is my firm belief that in any security program, you cannot solve it with automation alone,” he explained. “You still need to have human eyes, reasoning, and logic. Without it, you might catch 95% of things—but what about the other 5%? A solid security program requires a two-pronged approach of automation and people.”
Extending the security team
Partnering with Red Canary provided Bryan and his team with multiple benefits: an extended team of focused experts, resources, scalability, and a high quality of detections without the burden of chasing false positives.
Bryan commented: “My best advice for other security teams is to make sure you understand the value EDR provides. Once you see why it’s important, you can decide whether to bring in people and have analysts hunting through those events, or partner with a managed provider. For us, the choice to use Red Canary was obvious. We get a team of analysts to make sure nothing is missed, and we still get access to the endpoint data so we can look at everything we need or want to review. It’s a win-win.”
Key results
Bryan and his team saw a number of improvements after partnering with Red Canary.
Immediate value
Bryan deployed the sensor to his endpoints and Red Canary took care of the rest. With 24/7/365 monitoring and investigation, he didn’t need to worry about advanced attacks going undetected.
Time saved
Red Canary catches the threats antivirus misses and eliminates false positives. This saves Bryan and his team the time and effort of analyzing thousands of events per hour.
Deep visibility
Bryan and his team can dig into the endpoint data at anytime to see what’s happening.
Defense against insider threats
Relying on behavioral analysis rather than signature-based detection improves the company’s protection against malwareless attacks and insider threats.