Traditionally, security information and event management (SIEM) solutions have been the primary tool for security teams to collect, manage and analyze log data. However, many of these solutions were not built with cloud-scale data volumes in mind, resulting in high costs, poor performance and excessive operational overhead. Additionally, you typically have to extract, transform, and load (ETL) your AWS data into your SIEM platform, which introduces further cost and operational burden.
The founder of Panther Labs, Jack Naglieri, experienced these challenges first-hand while working as a security analyst at companies like Airbnb and Yahoo. He realized that the technologies available for security monitoring were painfully difficult to manage at cloud scale and ineffective as a result. Rather than accepting that reality, he decided to build the solution he knew modern security teams needed.
Panther Labs offers a security monitoring solution capable of analyzing terabytes of data per day in real time, delivering a fast, flexible and scalable platform for threat detection and incident response with zero operational overhead.
The serverless architecture stores normalized log data in a security data lake to support future reporting and investigation needs, with the ability to query months of data in minutes. Panther takes a software-development-oriented approach to detections, or “detection-as-code”, so users can write detections in Python, which offers far more flexibility than the proprietary query languages required by most traditional SIEM platforms. Panther also analyzes log data as it is ingested rather than waiting for it to come to rest, providing the fastest possible time to detection.
Because AWS and other cloud applications generate large quantities of log data, security teams need a solution that can ingest, normalize and analyze massive amounts of data per day. “Panther is built based on cloud-native technologies like Snowflake, Lambda, and AWS, and it’s completely serverless, so it can scale to whatever data volume a customer throws at it,” states Erik Goldman, VP of Product and Design at Panther.
It’s not just about ingesting that data, either. Security teams need to analyze and correlate data across different log sources and be alerted when signs of a potential threat are discovered. Panther provides 200+ pre-built detections for AWS and other platforms to help security teams get a head start on threat detection. These detections can be used as-is or customized as needed for the customer’s environment.
In addition to providing pre-built detections, Panther also supports standard CI/CD workflows for creating, testing and hardening detections, similar to the process many software development teams use to manage code. Customers find this aspect of Panther especially valuable. “They can now create a detection, submit it as a pull request, collaborate on that pull request, make remarks on it, verify it, and have a secure development lifecycle for something that won’t get into Panther until it’s authorized. This alleviates a lot of complexity for security teams and helps them operate more efficiently,” states Erik.
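As an added illustration of the detection-as-code workflow described above (not Panther’s own code or one of its pre-built rules): a CloudTrail detection written as a plain Python `rule(event)` function, together with the unit tests a CI job would run before the pull request is merged. The `rule()`/`title()` entry points, the `deep_get` helper and the sample events are assumptions constructed for this example.

```python
from typing import Any

# Constructed sample CloudTrail events for this example (not real account data).
ROOT_LOGIN_NO_MFA = {
    "eventName": "ConsoleLogin",
    "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
    "additionalEventData": {"MFAUsed": "No"},
    "responseElements": {"ConsoleLogin": "Success"},
    "sourceIPAddress": "198.51.100.7",
}
ROOT_LOGIN_MFA = {**ROOT_LOGIN_NO_MFA, "additionalEventData": {"MFAUsed": "Yes"}}
IAM_USER_LOGIN = {**ROOT_LOGIN_NO_MFA, "userIdentity": {"type": "IAMUser"}}
FAILED_ROOT_LOGIN = {**ROOT_LOGIN_NO_MFA, "responseElements": {"ConsoleLogin": "Failure"}}

def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    """Walk nested keys; a missing or malformed path returns default instead of raising."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def rule(event: dict) -> bool:
    """Detection logic: True for a successful root console login that did not use MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if deep_get(event, "userIdentity", "type") != "Root":
        return False
    if deep_get(event, "responseElements", "ConsoleLogin") != "Success":
        return False
    # Treat an absent MFAUsed field as "No" so a stripped event cannot silence the rule.
    return deep_get(event, "additionalEventData", "MFAUsed", default="No") != "Yes"

def title(event: dict) -> str:
    """Alert title built from the triggering event."""
    return f"Root console login without MFA from {event.get('sourceIPAddress', 'unknown')}"

def run_tests() -> dict:
    """Unit tests of the kind a CI job runs before a detection is merged."""
    return {
        "root_no_mfa": rule(ROOT_LOGIN_NO_MFA),
        "root_mfa": rule(ROOT_LOGIN_MFA),
        "iam_user": rule(IAM_USER_LOGIN),
        "failed_root": rule(FAILED_ROOT_LOGIN),
        "malformed": rule({"eventName": "ConsoleLogin", "userIdentity": "garbage"}),
    }

if __name__ == "__main__":
    print(run_tests())
```

Only the first case should fire; the malformed case shows why the helper must tolerate unexpected shapes rather than crash the detection pipeline.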
“Security is ultimately a data problem, and the tools and techniques of data scientists and software engineers should be the tools and techniques of security analysts,” states Erik. “After all, it’s not about having the most data, but finding a repeatable, scalable way to make sense of that data so you can make adjustments to improve your overall security program.”