Red Canary - Improving Threat Detection

Several years ago, when we were still very much a start-up, we sent three of our team (of five) to conduct an incident response for a much larger company. Two of the team members had done incident response before; the third was more the kind of guy who caused incidents rather than responded to them. When we did an internal after-action report of the IR, our offense-minded colleague pointed out that a lot of the work associated with 'generally accepted IR principles' was unnecessary if you had the ability to log execution on a host. This was not a novel discovery - others had toyed with the idea around the same time - but as recent events have illustrated, we were the most successful of the bunch.

That idea - Carbon Black - is now installed on hosts all around the world, but wherever Cb is operating the refrain from system owners is the same: "Carbon Black produces the best data I have ever seen, but I don't have the resources to deal with it all." The idea that Cb would disrupt incident-response-as-usual was not going to come to fruition if we could not provide a governor to the power we had developed. Turning the old proverb on its head: we provided people with a boatload of fish when what they really needed was an order of sushi.

On a more granular level, the problem is not just being able to know that something bad has happened faster and with more fidelity than ever before, but to accelerate from threat detection to remediation. You've read the Verizon Data Breach Investigations Report. You know that year after year the conclusion is the same: most people go for months without realizing they've been hacked. When they find out, it's usually because someone else tells them.

Red Canary is our answer to these problems.