Security practitioners have a tough job, often because the tools at their disposal are hard to use and don’t work very well in the real world. Traditional Security Information and Event Management (SIEM) is a perfect example: it can be costly, slow, error-prone, difficult to query and a bear to manage. No wonder it doesn’t always deliver on the promise of detecting threats or accelerating incident response.
Motivated by the daily “SIEM struggle” they experienced at major companies like Verisign, Yahoo and Airbnb, some Silicon Valley security practitioners have charted a new course: cloud-scale security analytics made orders of magnitude faster, easier and cheaper with “serverless SIEM.”
To discuss the reinvention of SIEM and how it can “detect any breach, anywhere,” a recent episode of The Virtual CISO Podcast features Jack Naglieri, Founder and CEO at Panther Labs. Hosting the show as usual is John Verry, Pivot Point Security CISO and Managing Partner.
Challenges with traditional SIEM
Jack relates the two major challenges he faced as a security practitioner trying to use SIEM: operational overhead and lack of scalability.
“It just wasn’t viable to get the data that I needed into a single place, which required that we severely limit the data that we were collecting,” recalls Jack. “We’d only maintain the last two to four weeks of data, or whatever we could afford from an ops or licensing perspective—and that really put us in a horrible place. You don’t want to be in a position where a breach occurs but we only have 30 days of data because of those limitations, and we can’t answer key questions about what an attacker did in our environment.”
Even in companies with a lot of big data chops, the data science teams aren’t tapped into security needs. They’re focused on the core business, not “How do we get this endpoint data into that Hadoop cluster?”
This leaves security practitioners on the outside of the big data infrastructure, looking in.
Connecting cloud-based services
As cloud computing matured, forward-looking security teams like Jack’s began to leverage public cloud services like AWS Lambda and SQS to “go serverless” with these complicated big data systems. An early win was an open-source project released at Airbnb called StreamAlert, which morphed into Panther.
“StreamAlert was this idea of how we take cloud-based services like Kinesis, Lambda, etc. and connect them together to build effectively a serverless SIEM that allowed us to process any volume of data, get a response that’s really fast because it’s stream processing, and operate at a very high scale with basically no Ops overhead. It also allowed us to be even more flexible about how we do our analysis with things like Python, and eventually the concept of a data lake was also introduced.”
The end result is a sophisticated data warehouse designed to support security, but with all the scale, speed and query flexibility advantages of the serverless, all-cloud architecture.
“As a security team, we’re not caring about the underlying operational components,” Jack observes. “We don’t have to patch servers. We don’t have to care about load balancing. We just think about how efficient our system is at processing the security data. You completely remove all the unnecessary components that don’t play into security whatsoever.”
Even comparatively modern SIEM tools like Splunk and Elastic require considerable care and feeding that is unrelated to security.
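To make the “serverless SIEM” pattern described above concrete, here is an added illustration (not StreamAlert’s or Panther’s own code) of the core idea: a Lambda-style handler consumes a batch of log records from a Kinesis stream, parses each one, and runs a set of detection rules written as plain Python functions. The event shape is the one Lambda receives from Kinesis and the field names follow AWS CloudTrail; the rule names and the sample events are constructed for this example.

```python
import base64
import json

# Detection rules are plain Python functions over one parsed log event. Field names
# follow AWS CloudTrail; the rule names themselves are made up for this example.
def root_console_login(event: dict) -> bool:
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("userIdentity", {}).get("type") == "Root")

def console_login_without_mfa(event: dict) -> bool:
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")

RULES = {
    "aws.root_console_login": root_console_login,
    "aws.console_login_without_mfa": console_login_without_mfa,
}

def handler(kinesis_event: dict, context=None) -> list:
    """Lambda-style entry point: decode each Kinesis record, parse it, run every rule."""
    alerts = []
    for record in kinesis_event["Records"]:
        raw = base64.b64decode(record["kinesis"]["data"])
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # malformed record: skip it rather than fail the whole batch
        if not isinstance(event, dict):
            continue  # rules expect an object, not a bare list or scalar
        for name, rule in RULES.items():
            if rule(event):
                alerts.append({"rule": name, "eventTime": event.get("eventTime"),
                               "sourceIPAddress": event.get("sourceIPAddress")})
    return alerts

def kinesis_batch(payloads: list) -> dict:
    """Wrap constructed payloads (dicts or raw bytes) in the shape Lambda receives from Kinesis."""
    data = [p if isinstance(p, bytes) else json.dumps(p).encode() for p in payloads]
    return {"Records": [{"kinesis": {"data": base64.b64encode(d).decode()}} for d in data]}

# Constructed sample events, not real logs: a root login without MFA, a normal IAM user
# login with MFA, and an unrelated API call.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2021-01-01T00:00:00Z",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2021-01-01T00:01:00Z",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}},
]
```

Calling `handler(kinesis_batch(SAMPLE_EVENTS))` returns two alerts, both for the root login; scaling is a matter of Lambda concurrency against the stream rather than of servers to patch.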
Security is a data problem
A big part of security, especially around threat detection, involves correlating huge amounts of data to answer security questions. But you need good data as an input.
“The thesis of our company is that security is a data problem,” says Jack. “We want teams to be able to bring that data to life. It’s been sitting dormant and disparate and spread everywhere in all these different formats, and it has to come together.”
Panther’s cloud-native SaaS architecture abstracts away those operational roadblocks so security teams can more easily aggregate and query their data at scale.