A lot of tools and capabilities fall under the heading of SIEM (Security Information and Event Management). But at the conceptual core of SIEM is the ability to cut through noise and alert on suspicious activity in one or more security data feeds: in other words, threat detection and response.
Among the greatest wins for any threat mitigation program is the ability to proactively monitor the entire security environment in near real time, not a fingers-crossed subset of the data you would ideally want, and to act on threats before they do damage. Better still is getting there fast and affordably, while realizing more value from your security data than ever.
Panther Labs has positioned its “cloud-scale security analytics” solution squarely on that possibility. Jack Naglieri, Founder and CEO at Panther, spoke with host John Verry on a recent episode of The Virtual CISO Podcast about “the state of SIEM,” including deployment time and total cost vectors.
What Panther does best
Jack explains Panther’s threat detection and response use case and why it’s so valuable for cloud service providers (CSPs), managed security service providers (MSSPs), or any org needing to move towards proactive security and/or continuous compliance requirements:
“So that’s corroborating all the data together—from anywhere. When I say, ‘any breach anywhere,’ what I’m referring to is taking your cloud data, your endpoint data, your network data, your application data and pulling it all together into a unified format that’s searchable, pivotable, correlative, all of these things that even individually are a very hard problem to solve.”
“And then on top of that, now you can look for certain types of behaviors. So, I’d say the primary use case is true incident response and proactive detection. And the secondary use case is compliance. It’s helping your Ops team out with certain things. It’s understanding those patterns and being able to relay that to other internal stakeholders, which is common for security.”
Cutting SIEM costs up to 70%
Among users and maintainers, SIEM has a reputation for driving hard-to-control costs. Panther disrupts the traditional cost model with its serverless architecture and on-demand scaling across independent storage and compute dimensions.
Making it more affordable to analyze more security data, faster and more meaningfully, adds potentially gargantuan business value on top of the direct cost savings. Think of the benefit of thwarting even one significant breach.
“The economic reasons why people hate SIEMs are they’re expensive, they’re slow and they’re impractical, right?” asserts Jack. “Expensive and slow get fixed at the same time when you have cloud-native, because you’re becoming more efficient with processing, and you’re outsourcing certain things because it’s very expensive to just run servers. It becomes consumption based and that’s just more economical and more efficient.”
Jack continues: “And there’s a byproduct where by designing things in an efficient way, we naturally have a lower overhead and we pass that down to our customers. We come in at a 50% to 70% discount over a typical SIEM at that same scale—actually at a much higher scale than was even viable before.”
“So that’s a huge benefit of a platform like Panther. And it’s a huge reason why we wanted to build something cloud native. When you get those scale benefits, you get the lower cost benefits, too,” adds Jack.
Savings compare across the board
The savings with Panther hold up against conventional on-prem SIEM, cloud-based SIEM and everything in between. This is reflected in Panther Labs’ “State of SIEM” report, which surveyed over 400 security professionals who actively use a SIEM.
“It’s across the board, in my opinion,” Jack relates. “I don’t think there’s a huge difference. Even if we compared like Elastic, Sumo, Splunk… you’re still paying to get true production scale. You’re going to pay millions and millions of dollars for that to work. And then you probably still won’t get what you want out of it. That’s the most frustrating part.”
Comparing SIEM deployment times
Another “State of SIEM” finding that stood out to John Verry was that approximately 20% of companies said it took 12 months or more to deploy their SIEM.
“I think there’s always going to be a very long tail on deployment [with traditional SIEM],” Jack qualifies. “And I’d be really curious on why teams would answer a certain way. What is ‘done’ to them? Is done, like, ‘I got my critical data sources in and now we’re good?’ It literally took that long to just get it viable, is my assumption.”
Both with customers and from his direct experience, Jack sees how grueling SIEM deployments can be: “I can see why [long SIEM deployments] happen in certain companies, especially when the infrastructures are so complex and you have to get a lot of sign-offs and approvals to deploy SIEMs. In the world where I was racking servers or spinning up all the necessary components, that could certainly take months. It would not surprise me whatsoever.”
Often the gatekeeper on approvals is the Ops team: “When I made these changes at companies like Yahoo and Airbnb, it was getting the blessing from the Ops team. Because if you think about what you’re doing, it’s deploying tools that are going to collect a lot of data and push it to a single place. I need to make sure there’s not going to be a bad performance hit on those servers that support the business. Because if that goes down because of security, then you have caused a lot of problems, right?”
Panther rollout times
In comparison, how long does it take to stand up a representative Panther implementation?
“You could get into the tool today, onboard data [which includes some “normalization” of the data], and then start getting alerts on the built-in detections that we’ve created,” says Jack. “It’s pretty much immediate. Because it’s a serverless architecture, you just need us to stand up your account for you.”
Then you’re ready to start crafting your own analytics (detection rules) in Python. The more monitoring experience your team brings, the faster you scale up the value you get out of the platform.
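To make “crafting your own analytics in Python” concrete, here is an added example of what a Panther-style detection rule looks like and how it behaves on a handful of events. It is not code from the podcast, from Panther or from Jack: it assumes Panther’s convention that a detection is a Python module with a `rule(event)` function that returns `True` to alert, plus optional `title(event)` and `severity(event)` helpers (treat that interface as an assumption), and the CloudTrail-shaped events, placeholder account ID and local `run()` harness are constructed here so the whole thing runs offline.

```python
"""Panther-style detection rule, runnable offline.

Added example, not code from the podcast page, from Panther or from its author.
Assumptions: a detection is a module exposing rule(event) -> bool plus optional
title(event) and severity(event) helpers; run() below stands in for Panther's
own event pipeline; the sample events are constructed, not real logs.
"""
from typing import Any, Dict, List

# Sessions created via AssumeRole prove MFA at AssumeRole time, so a console
# login from such a session is not a useful signal (assumption for this demo).
MFA_EXEMPT_IDENTITY_TYPES = {"AssumedRole"}


def _section(event: Dict[str, Any], key: str) -> Dict[str, Any]:
    """CloudTrail emits null for absent sub-objects; treat None as empty."""
    return event.get(key) or {}


def rule(event: Dict[str, Any]) -> bool:
    """Alert on a successful AWS console login that did not use MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if _section(event, "responseElements").get("ConsoleLogin") != "Success":
        return False  # failed logins belong to a separate brute-force rule
    if _section(event, "userIdentity").get("type") in MFA_EXEMPT_IDENTITY_TYPES:
        return False
    return _section(event, "additionalEventData").get("MFAUsed") == "No"


def title(event: Dict[str, Any]) -> str:
    """Alert title; the ARN lets a responder pivot straight to the principal."""
    arn = _section(event, "userIdentity").get("arn", "<unknown principal>")
    return f"AWS console login without MFA by {arn}"


def severity(event: Dict[str, Any]) -> str:
    """Root without MFA is the worst case; everything else is HIGH."""
    is_root = _section(event, "userIdentity").get("type") == "Root"
    return "CRITICAL" if is_root else "HIGH"


# Constructed sample events (account ID and user names are placeholders).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # IAM user signs in without MFA -> alert, HIGH
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # IAM user signs in with MFA -> no alert
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # Root signs in without MFA -> alert, CRITICAL
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # Failed login -> not this rule's concern
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # Unrelated API call with null sub-objects -> no alert, and no crash
        "eventName": "GetSessionToken",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dave"},
        "responseElements": None,
        "additionalEventData": None,
    },
]


def run(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Stand-in for the detection engine: evaluate rule() over each event and
    collect the alerts it would raise, with title and severity attached."""
    return [{"title": title(e), "severity": severity(e)} for e in events if rule(e)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['title']}")
```

Two design points worth noting. The `_section()` helper exists because CloudTrail really does emit `null` for absent sub-objects, and a rule that does `event["responseElements"]["ConsoleLogin"]` will throw on the first such record and silently stop alerting; a detection that crashes on malformed input is a detection gap. And the failed-login case is deliberately excluded rather than folded in, so that the signal stays precise and a brute-force rule can own that pattern with its own threshold.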
Here’s a link to the show with Jack Naglieri, Panther Founder/CEO.
All SIEM tools are not created equal. Here’s a podcast with John Verry on the well-regarded AlienVault solution, now part of AT&T Cybersecurity: EP#9 – Danielle Russell – When an SMB Should Implement a SIEM