Adding human experts to IT security with Red Canary

Because machines, despite what you might have read, will never entirely replace humans

News this morning from cybersecurity company Red Canary, which has just raised $6.1 million by way of a Series A funding round.

Red Canary is part of a growing trend in the security world: that of adding real live humans into a security product. The particular space that Red Canary is involved in—managed detection and response—has a few players (SecureWorks and eSentire, to name a couple), all of whom try to subvert the orthodox thinking around cybersecurity with the addition of a human touch.

Instead of simply trying to productize security response with a monolithic endpoint product, these players take a "best of both worlds" approach, combining human experts with powerful machine learning security software. All of these companies contend that cyber threats are bypassing existing tools. As such, simply installing a tool and expecting it will protect the organization is naive.

At the same time, however, all but the largest of organizations lack the resources to be able to effectively detect and respond to threats. Organizations need a multi-layered approach that covers monitoring and investigation of suspected threats and response to those threats. Covering all of those basics requires multiple tools, but—and this is the important thing—those tools are generally better with a degree of human decision making and expertise alongside them. Red Canary's raison d'être is to assemble these different tools into a single, cohesive offering.

Research suggests that this is a very real problem to resolve. Gartner found that the average time it takes an organization to detect a breach is 205 days. At the same time, research firm Frost & Sullivan estimates the shortfall in the global information security workforce will reach 1.5 million by 2020. And the load on security solutions and professionals isn't decreasing—the AV-TEST Institute registers over 550,000 new malicious programs every day.

Details of Red Canary's offering

What is the Red Canary offering all about? The product covers the security lifecycle of data collection, detection of risks, investigation and response. Some details on the specific product offerings:

  • Collection: Red Canary uses the EDR sensor Carbon Black to collect event information from every endpoint across a customer’s environment. An average endpoint produces about 150,000 events/day. That means for a typical Red Canary customer with 1,000 endpoints, Red Canary collects 150,000,000 events per day.
  • Detection: Red Canary uses multiple detection technologies to analyze every endpoint event: application behavioral analysis, user behavior analytics, threat intelligence, binary analysis and intelligence customers provide about their organizational policies. In the past 10 months, Red Canary claims to have detected 969,565 potentially threatening events.
  • Investigation: Because Red Canary does not want to burden customers with false positives, its solution includes analyst investigations of potentially threatening events. Red Canary analysts have investigated each of the 969,565 potentially threatening events. Around 7.5 percent of them converted into confirmed threats (72,592 confirmed to be part of malicious activity).
  • Response: Red Canary sends customers a detection that includes the intelligence they need to understand what is happening and the tooling to address the threat. Red Canary has detected and confirmed 7,914 threats in the past 10 months.

And just in case you thought Red Canary's approach of using human beings ignored the very real potential that machine learning can bring to these types of solutions, the company feeds its human analysts' findings back into the solution, which over time should mean fewer false positive findings.

This idea of applying a human element to a security tool may be somewhat unsexy, but it is an accurate reflection of the best way to deal with these issues. As Brian Beyer, CEO and co-founder of Red Canary, put it:

“What most organizations are realizing is that these tools miss threats, and they still require dedicated security professionals. Organizations don’t need silver bullet products; they need security solutions that solve their technology, process and expertise problems.”

Red Canary clearly isn't alone in this space, but the good thing about a product plus service company is that it doesn't need to be. As long as the company can continue to deliver good results for its customers, Red Canary should have a positive future.

Copyright © 2016 IDG Communications, Inc.