By Chris Rothe, Red Canary
At Red Canary, we’re always looking to simplify our customers’ security operations. We designed our portal to present information in a simple, understandable and actionable way. Our newest feature continues this effort and shortens the time from incident to remediation so intuitively that your grandmother could do it.
The release of Carbon Black 5.0 introduced several new capabilities including endpoint isolation and “live response” (read all about it over on the Bit9 + Carbon Black blog). With this power to affect the endpoint, we thought: “Why couldn’t we give responders the
responseability to take action straight from a Red Canary detection?” So we did.
Responding to the confirmed threats you receive from Red Canary is simple: isolate the endpoint, craft a response plan, and execute. Ready? Start the clock.
Your Red Canary detections now include two new buttons: “Isolate Endpoint” and “Respond.”
Isolating the endpoint disables all network communication from the endpoint to anywhere except the Carbon Black server. Fair warning: with great power comes great responsibility to isolate your domain controller, so be careful. Once you’ve clicked Isolate, you have instantaneously quarantined an endpoint and stopped the bleeding whether you and the endpoint are five feet or 5,000 miles apart.
Now we need to respond to the threat by clicking the Respond button.
For every relevant bit of endpoint activity or indicator of compromise in the timeline, you have associated actions to assist your response. Kill a process. Delete a file. Even capture a binary for later analysis.
Once you have selected the actions that you would like included in your response plan, review and reorder the elements as necessary (you should probably capture a file for further analysis before you delete it) and then execute the plan.
At this point, Red Canary connects to the endpoint, executes the actions, and reports back to tell you which elements of your response plan succeeded and which failed. The results of the response plan are recorded so you can avoid cleaning things multiple times and audit who has executed response activities on your endpoints.
Responding to threats in your organization doesn’t need to be overly complex. We understand the battle security teams are in against attackers and insider threats and how every improvement in threat detection and response can be the difference between a successful attack and a foiled breach.