Red Canary Managed Detection and Response

My main use case for Red Canary is that a Red Canary analyst monitors our logs, and if they see any abnormality, they create a ticket that we use to analyze the situation. We assign that ticket and analyze it to ensure we have all the details needed. We use other tools to investigate, but we mainly rely on the evidence from Red Canary, and we can also use the isolate feature from Red Canary. There are threat reports and agents, and in our environment, we have endpoints and identity as well.

A recent situation where I used Red Canary to analyze a ticket involved an employee from the US who logged in from the UK, a country he had never visited before. Red Canary's analyst assumed that account was compromised, but after analyzing using our other tools, it seemed the login was legitimate. The user confirmed he had traveled to the UK and used one of our company phones to log into the account to check emails, so the alert triggered was a true positive but a legitimate anomaly.

The best features Red Canary offers are that they monitor our logs and have their own use cases, providing us with these tickets. If we miss anything, we treat Red Canary as a secondary triggering tool, so we use it as a secondary detection tool.

The most valuable feature in my day-to-day work is that those logs are monitored by actual experienced analysts from Red Canary. Although we have tools from our end with use cases, those can miss some events and incidents, but since Red Canary uses active, live agents to monitor and detect these anomalies, we rely on that feature for our security operation center.

Red Canary has impacted my organization positively because we treat any ticket triggered by them as high priority due to the fact that 99 percent of the time it is a true positive. They can isolate machines, which is a feature I really appreciate because if something happens on a weekend when we are not available, they can isolate it and contain the situation.

I wish Red Canary could have a graph that shows the endpoint, user, and how it spreads, providing a visual representation to easily identify what happened.

I have been using Red Canary for one year.

I have not experienced any stability or reliability issues with Red Canary so far.

Red Canary's scalability is good in my experience, and we have not had any problems with scalability.

The customer support has been really good from what I have seen. If I need more details about any incident, there is a contact us option to reach an agent, or another agent can substitute if the previous one is not available, allowing us to get additional details and opinions.

I cannot speak to using a different solution before Red Canary because I started working here, and it has always been Red Canary.

I cannot speak to the process to purchase Red Canary with certainty because I am an end user. Perhaps our managers or directors have a better answer regarding the purchasing process, but I do not know those details.

I lack insight into pricing, setup cost, and licensing because I am an end user.

I believe we have seen a return on investment because we utilize Red Canary effectively. Any missed detection will definitely be triggered by Red Canary. I think it is a good investment since it provides accurate details.

I have no idea if my organization evaluated other options before choosing Red Canary, as that was perhaps another person's or another team's decision. Our role is to utilize this application without involvement in purchasing or decision-making.

We use Red Canary as a secondary monitoring service so if our main tools miss any detection, Red Canary will detect it. We critically treat any alert from Red Canary as a high-priority ticket because it is most probably a true positive, but it can also be a legitimate anomaly, so we will treat it as a priority one case.

Red Canary serves as a secondary triggering tool, and we do not really use any kind of SLA or anything. They monitor and create threat tickets they believe are threats, and we use it as a secondary monitoring tool.

My advice to others looking into using Red Canary is to consider it as a good secondary detection tool, and they have good customer support. I would rate this product an 8 out of 10.

My main use case for Red Canary is to ensure I can sleep at night by getting 24/7 coverage by a capable team to investigate any alerts for the systems that we have in place to ensure we don't have any security or suspicious activity.

I can give you a specific example of a situation where Red Canary helped me out and made a difference: we've had more than a few instances where a user clicked on a phishing link, invoking connections to hostile sites. Through alerts in Defender, the Red Canary team identified, confirmed, and investigated the threat before they reset the user's credentials and contacted us to work with the user to resolve the situation.

I have at least one other instance where Red Canary investigated an alert and continued doing additional investigations of logging and activity from that user and their systems around that proximity to confirm that there was no further suspicious activity.

In my experience, the best features Red Canary offers are their team, their monitoring team, their expertise at incident investigation, and a focus on suspicious or actual indicators of compromise to ensure that we're not spending time just reviewing logs, but that we're actually looking at things that may indicate we have broader issues.

The Red Canary team's expertise stands out compared to others I've worked with because their team is organized into smaller pods that support a given number of clients, so they're not just a bevy of operators going around the clock. The teams themselves have coordination and cohesion, and they get to know us. Their integrations into the different platforms and systems that we use all line up with our needs, whereas a number of other platforms offered a different variety of integrations that did not line up with our requirements.

Red Canary has positively impacted my organization because I don't have to spend and hire resources to look at logs, which has enabled us to do much more in terms of improving security across the organization. With the freed-up resources, we've been able to implement CSPM, SAST, software testing tooling, and engage much more closely with our developers and engineers to focus on secure architecture and design.

Red Canary can be improved by continuing to add new features and capabilities to what they are looking at, including the types of data they're looking at and the types of systems that they're integrating with.

I have been using Red Canary for three and a half years.

Red Canary is stable.

Red Canary's scalability has been a non-issue for us; we've been able to connect and throw all of the data that we have access to over to their systems to parse, process, and monitor without issue. There have been no issues or challenges in scaling, so I have not noticed any pain points when trying to scale up.

Their customer support is excellent, with monthly calls with our CSA, who takes care of us.

I previously used a different solution called Blue something, but I cannot recall the exact name. I decided to switch from that solution to Red Canary because they were a managed SOC provider and they were not good; they were very cheap, with very poor service.

My experience with pricing, setup cost, and licensing is that everything went very smooth. Pricing was straightforward, and we were done with setup during our POC, not having any additional work or rework that we had to do when we moved to production.

I think that we have probably spent maybe 15% of the time that we were spending on incident investigation and system monitoring, demonstrating a return on investment.

Before choosing Red Canary, I evaluated other options, specifically Expel and Cydrus.

My advice for others looking into using Red Canary is that as long as your system integrations line up with their support, I think you'll be happy.