How FloQast Transforms Security Ops with Detection-as-Code

FloQast is an accounting workflow automation software fully architected in the cloud. Their engineering team is already leveraging DevOps and CI/CD. The benefits of DevOps are clear, including testing, version control, rollback, code reuse, and automation. They aimed to apply these processes and advantages to the security engineering function, which led them to the concept of Detection-as-Code and Panther.

FloQast Security Challenges 

As FloQast continued to grow and expand its infrastructure footprint in AWS, their legacy SIEM became increasingly difficult to manage and scale. Traditional SIEM solutions were not flexible enough to accommodate the company’s evolving needs, and the proprietary coding languages used in legacy SIEMs made progress challenging for FloQast’s security team. As a result, the team realized that they needed to explore other solutions to improve their security practices. 

In response to these challenges, the FloQast team turned to Panther to optimize their detection and response tasks. Utilizing Panther’s platform, FloQast’s security team enhanced their detection capabilities by crafting custom detection rules with the widely-adopted Python language. Python provided FloQast the ability to create flexible and powerful detections, enabling specific adaptation to their environment. Another advantage of harnessing a versatile language like Python was the ease of recruiting and training staff due to the prevalence of Python experience across various fields and roles.

To learn more about how Panther helped FloQast, explore this customer case study.

Panther has enabled us to quickly detect and respond to security incidents with more efficiency and less effort.

Detecting More, Faster: The Benefits of Detection-as-Code for FloQast’s Security Operations 

Detection-as-code represents a powerful approach to managing detection alerts through code. This approach involves managing detections and associated tasks using code rather than manually through a console or GUI. The FloQast team successfully implemented Detection-as-Code with Panther, allowing them to seamlessly manage and automate the editing, testing, and deployment of detection logic. This adaptation has enabled them to handle the ever-evolving and highly dynamic nature of their environment, resulting in more efficient threat detection and increased operational sustainability.

Consequently, despite the daily growth and changes in their AWS environment, the team is achieving more efficient threat detection and operating with greater sustainability.

Leveraging Panther’s modern, cloud-native architecture, FloQast was also able to ingest ten times more data from a broader range of sources and significantly reduce restrictions on data retention.

Caching Data for Detection

When it comes to handling exceptions, it’s important to have a plan in place and continuously tune out false positives during the development lifecycle. However, caching takes it to the next level. In Panther, caching is implemented to prevent alert fatigue and improve the detection of higher value alerts by using counters and string sets. 

With caching, you can surface alerts that are more complex or unique, and exclude ones that you don’t care about if there are only a few of them. But once there are several of a certain type, it’s worth taking a look. 

In the following example, Panther audit logs are used as they are readily available and provide quick feedback. Using these logs, you can easily test a new detection and see what triggers it.  

In the video below, we’ll dive a little deeper into how FloQast used caching to improve the speed and efficiency and enabled them to scale to handle larger amounts of data and more users by reducing the number of times it needed to query the original data source and preventing performance issues and system slowdowns.

Automating Response Tasks 

FloQast’s goal when it came to automating response tasks was to reduce manual toil for alerts. The team had been doing the same actions in different places, which was very inefficient. They were looking to tighten that up and make it so that an analyst only had to deal with one software for all their needs. 

When an alert triggered, it would populate three queues:  Slack, which was used as a notification queue;  JIRA, where everything was logged, triaged, and notes were written; and Panther, which would turn off the alert. After triaging alerts, analysts would have to set the status in Slack, log the ticket in JIRA, and resolve the ticket in Panther, which was very time-consuming. 

The team realized that their previous workflow for responding to alerts was inefficient and led to too much manual work. They set out to create a new workflow that would reduce the amount of manual toil required by analysts and streamline the process.

The new workflow involves populating three queues when an alert triggers: Slack, JIRA, and Panther. However, with the new system, an analyst only needs to assign the ticket to themselves in JIRA, which triggers a post request to an AWS load balancer. This request then authenticates and moves to a lambda function that uses a GQL query to assign the alert in both JIRA and Panther. When the analyst closes the ticket in JIRA, another workflow rule is triggered to pass the alert ID to a different lambda that executes an update alerts GQL query to close the corresponding alert in Panther. 

The team’s main goal was to reduce alert fatigue and allow analysts to focus on more important tasks. By aligning their sources of reference, they were able to streamline the process and reduce manual work. The team’s new workflow is described in more detail on their blog, along with the rest of their detection code series.

Conclusion 

FloQast’s implementation of Panther is a testament to the effectiveness of Detection-as-Code in improving security operations. By automating and managing their security practices more efficiently, they were able to enhance their detection and response capabilities and scale their operations quickly in AWS. Overall, Detection-as-Code is a powerful tool for any organization looking to streamline their security operations and enhance their security posture. 

Watch the full webinar to see how FloQast’s adoption of Panther drove innovation and efficiency within security engineering, with in-depth examples of their powerful detection and automation techniques.

Table of Contents

Recommended Resources

Escape Cloud Noise. Detect Security Signal.
Request a Demo