We recently held an ask-me-anything (AMA) session with Panther Founder and CEO Jack Naglieri in the Panther Slack Community. Here are Jack’s answers to 13 questions from the event, ranging from general security topics to Panther product-specific questions to the experience of becoming an entrepreneur and more.
Check them out, and don’t forget to sign up for the Panther Community! We’ll be holding more events there soon.
What made you realize you wanted to start your own company?
Jack: I’ve wanted to start a company ever since I was younger, and working on StreamAlert at Airbnb showed me the potential to create a SaaS version of that product where multiple teams could get the same benefits but way easier.
How did you decide on the name “Panther?”
Jack: Naming a company is so hard! But “Panther” perfectly captured the mantra of the product I wanted to create – sleek, fast, and protective.
Were there any alternatives considered when choosing Python as the detection language?
Jack: Never! Python was the most approachable/familiar language for security folks. It was also the first language I hacked on when I would write scripts, and I see Panther as modernizing that older style into a repeatable architecture.
What are some useful Security KPIs you’ve seen developed out of logs?
Jack: On the SecOps front, we’ve seen these baseline KPIs when gauging the usefulness of our monitoring program:
- Coverage across your threat model
- Efficacy – How many of your alerts are true positive?
- MTTR – How quickly can you resolve alerts, either through automation or otherwise?
- Cost – How expensive is our detection program?
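As an added illustration of the four KPIs above (not code from the Panther team or product), the following Python computes them from a constructed alert history and rule inventory. The threat model is a set of ATT&CK technique IDs, each rule declares which techniques it covers, and each alert records when it was created, when it was closed and whether triage judged it a true positive. The rule names, technique IDs and timings are invented for the example; cost is approximated here as analyst minutes spent closing false positives, which is one proxy among several.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data (not from the page): techniques the threat model
# cares about, the rule inventory, and a small alert history.
THREAT_MODEL = {"T1078", "T1110", "T1098", "T1190"}

RULES = {
    "AWS.ConsoleLogin.NoMFA": {"techniques": {"T1078"}, "enabled": True},
    "Okta.BruteForce":        {"techniques": {"T1110"}, "enabled": True},
    "GitHub.AdminKeyAdded":   {"techniques": {"T1098"}, "enabled": False},  # written, but switched off
}


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


ALERTS = [
    {"rule": "AWS.ConsoleLogin.NoMFA", "created": ts("2023-05-01T09:00:00"),
     "resolved": ts("2023-05-01T09:30:00"), "true_positive": True},
    {"rule": "AWS.ConsoleLogin.NoMFA", "created": ts("2023-05-01T10:00:00"),
     "resolved": ts("2023-05-01T10:10:00"), "true_positive": False},
    {"rule": "AWS.ConsoleLogin.NoMFA", "created": ts("2023-05-01T11:00:00"),
     "resolved": ts("2023-05-01T11:05:00"), "true_positive": False},
    {"rule": "Okta.BruteForce", "created": ts("2023-05-01T12:00:00"),
     "resolved": ts("2023-05-01T13:00:00"), "true_positive": True},
    {"rule": "Okta.BruteForce", "created": ts("2023-05-01T14:00:00"),
     "resolved": None, "true_positive": True},  # still open
]


def minutes(alert: dict) -> float:
    """Time an alert stayed open, in minutes (caller ensures it is resolved)."""
    return (alert["resolved"] - alert["created"]).total_seconds() / 60


def coverage(threat_model: set, rules: dict):
    """Share of threat-model techniques with at least one *enabled* rule, plus the gaps.

    Disabled rules do not count: a detection that is not running covers nothing.
    """
    covered = set().union(*(r["techniques"] for r in rules.values() if r["enabled"]))
    return len(threat_model & covered) / len(threat_model), threat_model - covered


def efficacy(alerts: list) -> dict:
    """True-positive rate per rule; low values point at rules to tune or retire."""
    totals, true_positives = {}, {}
    for alert in alerts:
        totals[alert["rule"]] = totals.get(alert["rule"], 0) + 1
        true_positives[alert["rule"]] = true_positives.get(alert["rule"], 0) + int(alert["true_positive"])
    return {rule: true_positives[rule] / totals[rule] for rule in totals}


def mttr_minutes(alerts: list):
    """Mean time to resolve over resolved alerts only; open alerts are still ticking."""
    durations = [minutes(a) for a in alerts if a["resolved"] is not None]
    return mean(durations) if durations else None


def false_positive_minutes(alerts: list) -> float:
    """Cost proxy: analyst minutes spent closing alerts that turned out to be noise."""
    return sum(minutes(a) for a in alerts if a["resolved"] is not None and not a["true_positive"])


if __name__ == "__main__":
    fraction, gaps = coverage(THREAT_MODEL, RULES)
    print(f"coverage: {fraction:.0%} (uncovered: {sorted(gaps)})")
    print(f"efficacy: {efficacy(ALERTS)}")
    print(f"MTTR: {mttr_minutes(ALERTS):.2f} min")
    print(f"false-positive cost: {false_positive_minutes(ALERTS):.0f} analyst-minutes")
```

On this data the program reports 50% coverage with T1098 and T1190 uncovered (the GitHub rule exists but is disabled, so it does not count), a 33% true-positive rate for the console-login rule against 100% for the Okta rule, an MTTR of 26.25 minutes over the four closed alerts, and 15 analyst-minutes burned on false positives.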
Do you get to do any hands-on Security Engineer work still, or do your founder and CEO responsibilities take up all your time?
Jack: Being a CEO is multiple full-time jobs, but I have my own Panther instance that I play around with to stay close to SecEng work! I’ve been aspiring to get back into open-sourcing detections on our GitHub.
Is Panther keen on improving the pattern_match function? This function is underrated and can make detection engineering a smooth process across various log sources.
Jack: Oh yeah, we are going to launch something soon that I think you’ll like. Ideally, we can cover all patterns common to detection writing into these functions to streamline the process.
What do you think makes detection-as-code (DaC) the future of threat detection?
Jack: I feel like DaC is evidence of a movement towards bringing automation and engineering to security, which is the future. Specifically, DaC brings structure, power, and reliability to security, and I love that. It removes the previous boundaries with DSLs like in Splunk, Elastic, etc.
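To make the two answers above concrete (the question about pattern_match across log sources, and the point that detection-as-code brings structure and testability), here is an added example of a Panther-style Python detection. It is not code from Panther or from panther_analysis: the pattern_match, pattern_match_list and deep_get helpers are defined locally so the example runs offline, and are assumed to mirror the fnmatch-based helpers of the same names that panther_analysis ships. The rule flags reads of secret-looking objects from two different log sources (AWS CloudTrail S3 GetObject and GCP audit log storage.objects.get) by any principal not on an allow-list; the object-name patterns, the allow-listed ARNs and service-account addresses, and all events are constructed for the example. The inline test cases are the detection-as-code part: every change to the rule is checked against them before it ships.

```python
from fnmatch import fnmatch
from typing import Any

# Local stand-ins (assumed to match the panther_analysis helpers of the same
# names); defined here so the example is self-contained.
def pattern_match(string_to_match: str, pattern: str) -> bool:
    """Shell-style wildcard match: '*' also crosses '/' in object keys."""
    return fnmatch(string_to_match, pattern)


def pattern_match_list(string_to_match: str, patterns: list) -> bool:
    return any(pattern_match(string_to_match, p) for p in patterns)


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


# Hypothetical policy: object names that should rarely be read interactively ...
SENSITIVE_OBJECT_PATTERNS = ["*.pem", "*.key", "*.env", "*/secrets/*", "*backup*.sql*"]
# ... and the only principals expected to touch them (hypothetical ARN/email).
ALLOWED_PRINCIPALS = [
    "arn:aws:sts::*:assumed-role/backup-svc/*",
    "backup-svc@*.iam.gserviceaccount.com",
]


def _actor_and_object(event: dict):
    """Normalise both log shapes to (actor, object name); None if not an object read."""
    log_type = event.get("p_log_type")
    if log_type == "AWS.CloudTrail":
        if event.get("eventName") != "GetObject":
            return None
        return (deep_get(event, "userIdentity", "arn", default=""),
                deep_get(event, "requestParameters", "key", default=""))
    if log_type == "GCP.AuditLog":
        if deep_get(event, "protoPayload", "methodName") != "storage.objects.get":
            return None
        return (deep_get(event, "protoPayload", "authenticationInfo", "principalEmail", default=""),
                deep_get(event, "protoPayload", "resourceName", default=""))
    return None


def rule(event: dict) -> bool:
    """Panther rule entry point: True means 'raise an alert' for this event."""
    extracted = _actor_and_object(event)
    if extracted is None:
        return False
    actor, obj = extracted
    if pattern_match_list(actor, ALLOWED_PRINCIPALS):
        return False  # the backup job is expected to read these
    return pattern_match_list(obj, SENSITIVE_OBJECT_PATTERNS)


def title(event: dict) -> str:
    """Alert title; only called by the platform when rule() returned True."""
    actor, obj = _actor_and_object(event)
    return f"Sensitive object read by {actor}: {obj}"


# Constructed test events (name, event, expected rule() result).
TEST_CASES = [
    ("cloudtrail secrets read by a human user", {
        "p_log_type": "AWS.CloudTrail", "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "app-config", "key": "prod/secrets/db.env"}}, True),
    ("cloudtrail benign asset read", {
        "p_log_type": "AWS.CloudTrail", "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "web-assets", "key": "static/logo.png"}}, False),
    ("cloudtrail backup role reading a dump", {
        "p_log_type": "AWS.CloudTrail", "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/backup-svc/nightly"},
        "requestParameters": {"bucketName": "dumps", "key": "dumps/backup-2023-05-01.sql.gz"}}, False),
    ("cloudtrail write, not read", {
        "p_log_type": "AWS.CloudTrail", "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "app-config", "key": "prod/secrets/db.env"}}, False),
    ("gcp audit log TLS key read", {
        "p_log_type": "GCP.AuditLog",
        "protoPayload": {"methodName": "storage.objects.get",
                         "authenticationInfo": {"principalEmail": "dev@example.com"},
                         "resourceName": "projects/_/buckets/app-config/objects/prod/tls/server.key"}}, True),
    ("unrelated log source", {"p_log_type": "Okta.SystemLog"}, False),
]


def run_tests() -> dict:
    """Map each test-case name to whether rule() returned the expected value."""
    return {name: rule(event) == expected for name, event, expected in TEST_CASES}


if __name__ == "__main__":
    for name, passed in run_tests().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Two things the page's answers hint at are visible here. First, the same pattern list serves both log sources once the per-source field extraction is pulled into one normalising helper, which is what makes wildcard matching convenient "across various log sources". Second, the rule and its expected outcomes live in one file under version control, so a tightened allow-list or a new pattern is reviewed and tested like any other code change rather than edited live in a search DSL.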
What is the biggest obstacle to getting security teams to come around on detection as code?
Jack: Teaching the basics and showing people that it’s not scary to write basic code. Anyone can learn! The system just needs to make it easy to do the right thing.
What is the biggest challenge facing the security industry right now?
Jack: I think every CISO would say, “not enough people to do the job.” It’s also a nuanced and nebulous practice, which doesn’t make it easier. And with the move to the cloud, detection teams also need to be developers, infra people, etc. It makes it even harder.
What’s one piece of advice that you would give to security engineers who are just starting in their careers?
Jack: Take the time to learn about your company’s production environment, core business model, frameworks like CIS/MITRE ATT&CK, and writing code! Also – study TTPs, keep a pulse on recent breaches, and test how you would have detected or responded to them.
Where’s your happy place?
Jack: The beach – 100%. I love warm weather and gladly claim California as my home. Close seconds – mountains, exploring new cities, the gym, and farmers’ markets.
What’s the hardest thing about founding a security company?
Jack: Getting your first customer. Security relies heavily on mutual trust, and it’s tough to convince someone to rely on you for a critical function early in the journey.
How do you stay current on the latest attacker trends and TTPs (tactics, techniques, and procedures)? If Twitter, are there any accounts you would recommend following?
Jack: Definitely Twitter! But also blogs from GROUP-IB, CISA, Threatpost, et cetera.