Continuous Monitoring

Why the Philosophy of Continuous Monitoring Is Powerful

Phil Hagen

Continuous Monitoring is a methodology by which evidence collection is “baked into” the network. Critical observations are made and recorded continuously and quickly available when needed. The idea is to pre-collect evidence that will support your investigative processes. The power of continuous monitoring is significant, and I encourage all businesses and organizations to adopt the notion of an investigable network—one that … Read More

Threat Investigation 5207

Shutting Down a Hands-on Keyboard Attack: Two Joes vs One Threat Actor

Suzanne Moore

It was a Friday afternoon when the alert came in. One of Red Canary’s customers had experienced a breach. The compromise occurred on an unsecured endpoint—an isolation development box that was used for testing. The customer had deployed Red Canary Managed Endpoint Detection & Response (MEDR) across its most critical endpoints: domain controllers, front-facing web server, executive endpoints, databases, and … Read More

Incident Response Retainers

An Analyst’s Tale of Incident Response Retainers: “It’s All About the Benjamins”

Frank McClain

Once upon a time there lived a boy named Benjamin. Benjamin was very smart, and grew up with a passion for Information Security. As an adult he became part of the InfoSec team at “WidgetCo,” whose highly-prized widgets made their network and computing infrastructure a constant target. Benjamin was constantly making recommendations to help the organization defend against a barrage … Read More

Lack of visibility

Common Security Mistake #1: Lack of Visibility

Phil Hagen

Even mature security teams sometimes make mistakes. This series of blog posts will address common mistakes based on real-world engagements with teams of all sizes and maturity levels. The author, Phil Hagen, is a long-time information security strategist, digital forensics practitioner, and SANS Certified Instructor. Part of Phil’s role at Red Canary is to educate organizations about ways to solve problems … Read More

Passive DNS Unsung Hero

Passive DNS Monitoring – Why It’s Important for Your IR Team

Phil Hagen

DNS is an unsung hero among protocols during a network investigation. It’s almost universally used by other protocols such as HTTP, SMTP, and the like. It’s also a plaintext protocol, which can benefit an incident responder who cannot otherwise examine the contents of an encrypted connection. However, passive DNS monitoring (also known as DNS logging) is still somewhat rare in … Read More

Top 6 Questions & Answers: How to Take Control of Your Response Operations

Keith McCammon, Chief Security Officer

I recently had the pleasure of moderating a webinar on response operations with a panel of security leaders who shared their insights and expertise. It was a lively discussion that addressed everything from prioritizing alerts across your toolset to identifying which key metrics to track in order to demonstrate efficacy. Whether you have an IR program in place and want … Read More

Financial firms information security strategy

3 Essential Components to Build into Your Incident Response Program in 2017

Michael Haag

In my previous role as a network security architect at a Fortune 500 company, I worked on a team of two. This required us to wear a number of hats. One of our core operating functions was performing incident response across 70,000 endpoints globally. Initially, our program was very reactive. Over the course of a year, we began maturing the program … Read More