Respond to an Endpoint Threat in 90 Seconds

Chris Rothe


At Red Canary, we’re always looking to simplify our customers’ security operations. We designed our portal to present information in a simple, understandable, and actionable way. Our newest feature continues this effort and shortens the time from incident to remediation so intuitively that your grandmother could do it.

The release of Carbon Black 5.0 introduced several new capabilities including endpoint isolation and “live response” (read all about it over on the Bit9+Carbon Black blog). With this power to affect the endpoint, we thought, why couldn’t we give responders the ability to take action straight from a Red Canary detection?

So we did.

Responding to the confirmed threats you receive from Red Canary is simple: isolate the endpoint, craft a response plan, and execute. Ready? Start the clock.

Your Red Canary detections now include two new buttons: “Isolate Endpoint” and “Respond”.

Isolate Endpoint Button

Isolating the endpoint disables all network communication from the endpoint to anywhere except the Carbon Black server. Fair warning: with great power comes great response-ability to isolate your domain controller, so be careful. Once you’ve clicked Isolate, you have instantaneously quarantined an endpoint and stopped the bleeding whether you and the endpoint are 5 feet or 5,000 miles apart.

Now we need to respond to the threat by clicking the big ‘ol Respond button.

The respond functionality allows users to

For every relevant bit of endpoint activity or indicator of compromise in the timeline, you have associated actions to assist your response. Kill a process. Delete a file. Even capture a binary for later analysis.


Once you have selected the actions that you would like included in your response plan, review and reorder the elements as necessary (you should probably capture a file for further analysis before you delete it) and then execute the plan.

An overview of the response plan that the user selected

At this point, Red Canary connects to the endpoint, executes the actions, and reports back to tell you which actions in your response plan succeeded and which failed. The results of the response plan are recorded so you can avoid cleaning things multiple times and audit who has executed response activities on your endpoints.
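The select, review/reorder, execute and record flow described above, as an added Python example that is not Red Canary's or Carbon Black's code: it moves a capture ahead of the delete of the same file, runs the plan against a constructed stand-in endpoint, skips actions the audit history already shows as succeeded, and records operator and outcome per action. `FakeEndpoint`, the action names, the operator string and the sample dropper path are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Action:
    kind: str    # "capture_binary" | "delete_file" | "kill_process"
    target: str  # file path, or a PID as a string

@dataclass
class FakeEndpoint:  # constructed stand-in for a live-response session, not Carbon Black's API
    files: dict = field(default_factory=dict)     # path -> contents
    pids: set = field(default_factory=set)        # running process ids
    captured: dict = field(default_factory=dict)  # path -> contents saved for analysis

    def run(self, a: Action) -> None:
        if a.kind == "capture_binary":
            self.captured[a.target] = self.files[a.target]  # KeyError if file already gone
        elif a.kind == "delete_file":
            del self.files[a.target]
        elif a.kind == "kill_process":
            self.pids.remove(int(a.target))                 # KeyError if not running
        else:
            raise ValueError(f"unknown action kind: {a.kind}")

def order_plan(plan: list) -> list:
    """Review/reorder step: capture any file the plan also deletes before anything else runs."""
    doomed = {a.target for a in plan if a.kind == "delete_file"}
    first = [a for a in plan if a.kind == "capture_binary" and a.target in doomed]
    return first + [a for a in plan if a not in first]

def execute_plan(endpoint: FakeEndpoint, plan: list, operator: str, history: set) -> list:
    """Execute step: run each action once, skip what history shows as done, record operator and outcome."""
    results = []
    for a in order_plan(plan):
        status = "skipped"  # already succeeded earlier: don't clean the same thing twice
        if a not in history:
            try:
                endpoint.run(a)
                history.add(a)
                status = "ok"
            except (KeyError, ValueError) as e:
                status = f"failed: {e!r}"
        results.append({"operator": operator, "action": a, "status": status})
    return results

# Constructed sample: a dropper on disk, its process running as PID 4242, plus a stale PID.
DROPPER = r"C:\Users\alice\AppData\Local\Temp\dropper.exe"
PLAN = [Action("delete_file", DROPPER), Action("kill_process", "4242"),
        Action("capture_binary", DROPPER), Action("kill_process", "9999")]
ENDPOINT = FakeEndpoint(files={DROPPER: b"MZ..."}, pids={4242})
RESULTS = execute_plan(ENDPOINT, PLAN, "analyst@example.com", set())
```

Re-running the same plan with the same history set reports the three completed actions as skipped and retries only the kill that failed.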

Details around results of the response plan

As you can see, responding to threats in your organization doesn’t need to be overly complex. We understand the battle security teams are in against attackers and insider threats and how every improvement in threat detection and response can be the difference between a successful attack and a foiled breach. We hope you’ll join us and let Red Canary help you defend your endpoints.
