Last Updated on March 16, 2023
Being able to proactively detect and block attacks before they breach your systems is one of the Holy Grails of cybersecurity. But with so much security data to analyze, so much operational hassle to gather it and so much time spent waiting on queries, the real-time analysis capability needed for proactive threat detection still seems far out of reach.
Until it isn’t… Panther Labs “cloud-scale security analytics” delivers near real-time analysis and automation today against your full security data store.
On a recent episode of The Virtual CISO Podcast, Jack Naglieri, Panther Labs Founder and CEO, talked with host John Verry about the potential for proactive incident detection and response.
The need for speed
A core complaint with many security information event management (SIEM) solutions, including cloud-based offerings like Splunk, is that it takes too long to get answers back from your queries. Panther has focused on speed from the outset for this reason.
Jack explains: “When you think about traditional security monitoring, let’s say you have certain TTPs that you’re modeling from MITRE ATT&CK across the kill chain. You would run this as a scheduled search. So going back to the coupling of storage and compute, when you have a lot of data, it just takes a lot longer to process and it’s much less efficient in those systems. The reason that we built the real-time element in Panther is to completely wipe that away to where, if you have very simplistic sort of point-in-time things, it becomes very easy to find that right away. The beauty with Panther also is that because we’re effectively doing stream processing, and we’re using Python, we can get really creative and really clever with how we do analysis.”
Because Panther is using Python and streaming the data, query speed and flexibility are unrivaled. For example, Panther can cache data elements like counters or other event data in very high-speed storage like DynamoDB. A built-in detection example is so-called improbable logins. Say Jack logged in from San Francisco, and then five minutes later he logged in from Rome. Panther can pick that up as it happens.
Changing the detection game
Real-time, stream level processing of security data will change your perspective on what is possible with threat detection.
“We have this ability to also query your data lake periodically,” Jack describes. “You can say that you want that to become a source in your event stream. So, you can say, in the last hour, show me all the logins that happened. And then when filter those. There’s a lot of ways [to filter] because we’ve created this powerful streaming engine plus rules engine. It creates a huge amount of flexibility in how we do this detection, which allows Panther to be more proactive.”
The analytics come down to number crunching, not AI “magic.” But it’s still early days and the possibilities are obviously huge.
“I think there’s certain applications of statistical analysis and machine learning that play a lot into useful security, but largely I would say 80% of those things are expressible by behaviors because every single environment is different,” Jack states. “And really good attackers look like normal humans. So, it’s very typical to just throw machine learning and AI into the problem and be like, ‘Okay, you go solve it.’ It’s a little bit harder than that.”
The power of Python
Being able to model your queries in code gives a huge amount of flexibility. It also gets security practitioners into the data analytics game.
“Python’s a very approachable language,” Jack observes. “Most security practitioners have used Python for processing data because they had an incident.”
Maybe you’ve used Python in the past to process a bunch of log data relevant to an incident. With Panther, you can do that as the data is streaming in real-time.
“We give users that ability and that allows them also to sort of up-level their own skills in software development,” notes Jack. “And it doesn’t have to be very complicated. It’s actually quite basic: field equals value, field in list. There are these very basic patterns that emerge. But savvy developers can really go in and extract the power of third-party libraries, built-in libraries, using security tools that are very popular. Like Netflix has a number of open-source Python tools that are great.”
“Panther really does change the perspective of how we can do this analysis,” Jack adds. “That’s the part that’s been the most interesting for me. It’s a whole new capability that security teams haven’t really had yet.”
To listen to the full podcast with John Verry and Jack Naglieri, Panther CEO, click here.
Does your current SIEM tool monitor your cloud environments? If not, here’s what you’re missing: Why Your SIEM Tool Needs to Monitor Cloud Environments… or Else