We recently held an ask-me-anything (AMA) session with Panther Founder and CEO Jack Naglieri in the Panther Slack Community. Here are Jack's answers to 13 questions from the event, ranging from general security topics to Panther product-specific questions to the experience of becoming an entrepreneur and more.
Check them out, and don't forget to sign up for the Panther Community! We'll be holding more events there soon.
What made you realize you wanted to start your own company?
Jack: I've wanted to start a company ever since I was younger, and working on StreamAlert at Airbnb showed me the potential to create a SaaS version of that product where multiple teams could get the same benefits but way easier.
How did you decide on the name Panther?
Jack: Naming a company is so hard! But Panther perfectly captured the mantra of the product I wanted to create: sleek, fast, and protective.
Were there any alternatives considered when choosing Python as the detection language?
Jack: Never! Python was the most approachable/familiar language for security folks. It was also the first language I hacked on when I would write scripts, and I see Panther as modernizing that older style into a repeatable architecture.
What are some useful Security KPIs you've seen developed out of logs?
Jack: On the SecOps front, we've seen these baseline KPIs when gauging the usefulness of our monitoring program:
Coverage across your threat model
Efficacy: How many of your alerts are true positives?
MTTR: How quickly can you resolve alerts, either through automation or otherwise?
Cost: How expensive is our detection program?
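The four KPIs above can be computed directly from exported alert records. The following is an added example, not code from the AMA or from Panther: it defines a minimal alert record (the field names are assumptions for this example, not any product's export format), a constructed set of alerts, and one function per KPI. Coverage is measured against an explicit threat model of ATT&CK technique IDs, efficacy is the true-positive rate over triaged alerts, MTTR is the mean resolution time over resolved alerts, and cost is the monthly program spend divided by the number of true positives it produced.

```python
"""Baseline SecOps KPIs computed from alert records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, Optional


@dataclass
class Alert:
    """One alert as exported from a detection pipeline. Field names are assumptions."""
    rule_id: str
    technique: str                  # MITRE ATT&CK technique the rule is mapped to
    created: datetime
    resolved: Optional[datetime]    # None while the alert is still open
    true_positive: Optional[bool]   # None while the alert is still under triage


# The team's in-scope techniques: the threat model coverage is measured against.
THREAT_MODEL = {"T1078", "T1110", "T1059", "T1566", "T1053"}

# Constructed sample alerts for a single day.
T0 = datetime(2023, 1, 1, 0, 0)
SAMPLE_ALERTS = [
    Alert("aws.console.bruteforce", "T1110", T0, T0 + timedelta(hours=2), True),
    Alert("okta.new.user", "T1078", T0 + timedelta(hours=1), T0 + timedelta(hours=3), False),
    Alert("suspicious.powershell", "T1059", T0 + timedelta(hours=2), T0 + timedelta(hours=6), True),
    Alert("phishing.link.click", "T1566", T0 + timedelta(hours=3), None, None),
]


def coverage(alerts: Iterable[Alert], threat_model=THREAT_MODEL) -> float:
    """Fraction of in-scope techniques for which at least one rule has fired."""
    covered = {a.technique for a in alerts if a.technique in threat_model}
    return len(covered) / len(threat_model)


def efficacy(alerts: Iterable[Alert]) -> float:
    """True-positive rate across triaged alerts; untriaged alerts are excluded."""
    triaged = [a for a in alerts if a.true_positive is not None]
    if not triaged:
        return 0.0
    return sum(1 for a in triaged if a.true_positive) / len(triaged)


def mttr_hours(alerts: Iterable[Alert]) -> float:
    """Mean time to resolve, in hours, over resolved alerts only."""
    durations = [
        (a.resolved - a.created).total_seconds() / 3600
        for a in alerts
        if a.resolved is not None
    ]
    return mean(durations) if durations else 0.0


def cost_per_true_positive(alerts: Iterable[Alert], platform_monthly_cost: float,
                           analyst_hours: float, hourly_rate: float) -> float:
    """Monthly program cost (platform + analyst triage time) per confirmed true positive."""
    true_positives = sum(1 for a in alerts if a.true_positive)
    total_cost = platform_monthly_cost + analyst_hours * hourly_rate
    return total_cost / true_positives if true_positives else float("inf")


if __name__ == "__main__":
    print(f"coverage: {coverage(SAMPLE_ALERTS):.0%}")
    print(f"efficacy: {efficacy(SAMPLE_ALERTS):.0%}")
    print(f"MTTR:     {mttr_hours(SAMPLE_ALERTS):.1f} h")
    print(f"cost/TP:  ${cost_per_true_positive(SAMPLE_ALERTS, 1000, 10, 100):.2f}")
```

The open phishing alert deliberately exercises the edge cases: it counts toward coverage (the rule fired) but is excluded from efficacy and MTTR until it is triaged and resolved, which keeps those two numbers from being skewed by work still in progress.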
Do you get to do any hands-on Security Engineer work still, or do your founder and CEO responsibilities take up all your time?
Jack: Being a CEO is multiple full-time jobs, but I have my own Panther instance that I play around with to stay close to SecEng work! I've been aspiring to get back into open-sourcing detections on our Github.
Is Panther keen on improving the pattern_match function? This function is underrated and can make detection engineering a smooth process across various log sources.
Jack: Oh yeah, we are going to launch something soon that I think you'll like. Ideally, we can cover all patterns common to detection writing into these functions to streamline the process.
What do you think makes detection-as-code (DaC) the future of threat detection?
Jack: I feel like DaC is evidence of a movement towards bringing automation and engineering to security, which is the future. Specifically, DaC brings structure, power, and reliability to security, and I love that. It removes the previous boundaries with DSLs like in Splunk, Elastic, etc.
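To make the two preceding answers concrete (a glob-style pattern_match helper, and a detection written as code with tests instead of a query DSL), here is an added example that is not code from the AMA or from Panther. The pattern_match and pattern_match_list helpers are written for this example on top of Python's fnmatch module and are an assumption about how such a helper can work, not Panther's own implementation; the rule and title functions follow a common detection-as-code shape where the rule receives one parsed log event and returns a boolean. The sample events are constructed and use CloudTrail field names for an IAM policy change on a privileged role.

```python
"""A detection-as-code rule with a glob-style pattern helper (added example)."""
from fnmatch import fnmatchcase
from typing import Iterable


def pattern_match(value, pattern: str) -> bool:
    """Case-sensitive shell-style match (* and ? wildcards). Example helper built on
    fnmatch; an assumption for this example, not Panther's own pattern_match."""
    return fnmatchcase(str(value), pattern)


def pattern_match_list(value, patterns: Iterable[str]) -> bool:
    """True if the value matches any pattern in the list."""
    return any(pattern_match(value, p) for p in patterns)


# Policy-changing IAM actions, expressed as globs so new Attach*/Put*/Delete* variants are caught.
SENSITIVE_ACTIONS = ["UpdateAssumeRolePolicy", "Attach*Policy", "Put*Policy", "Delete*Policy"]
# Role names the team considers privileged (constructed naming convention).
PRIVILEGED_ROLES = ["Admin*", "Security*"]
# Known automation principals that are expected to change these roles (constructed).
ALLOWED_AUTOMATION = ["arn:aws:sts::*:assumed-role/TerraformDeploy/*"]


def rule(event: dict) -> bool:
    """Fire when a human principal changes the policy of a privileged IAM role."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if not pattern_match_list(event.get("eventName", ""), SENSITIVE_ACTIONS):
        return False
    actor = (event.get("userIdentity") or {}).get("arn", "")
    if pattern_match_list(actor, ALLOWED_AUTOMATION):
        return False
    role = (event.get("requestParameters") or {}).get("roleName", "")
    return pattern_match_list(role, PRIVILEGED_ROLES)


def title(event: dict) -> str:
    """Alert title derived from the event, so responders see actor, action and target."""
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    role = (event.get("requestParameters") or {}).get("roleName", "<unknown>")
    return f"{event.get('eventName')} on privileged role {role} by {actor}"


def _event(event_name, actor_arn, role_name, source="iam.amazonaws.com") -> dict:
    """Build a minimal constructed CloudTrail-shaped event for tests."""
    return {
        "eventSource": source,
        "eventName": event_name,
        "userIdentity": {"arn": actor_arn},
        "requestParameters": {"roleName": role_name},
    }


# Constructed test events: one expected hit and three expected misses.
TEST_EVENTS = {
    "human_attach_admin": _event(
        "AttachRolePolicy", "arn:aws:iam::123456789012:user/alice", "AdminRole"),
    "automation_attach_admin": _event(
        "AttachRolePolicy",
        "arn:aws:sts::123456789012:assumed-role/TerraformDeploy/ci-run-42", "AdminRole"),
    "human_attach_unprivileged": _event(
        "AttachRolePolicy", "arn:aws:iam::123456789012:user/alice", "AppReadOnly"),
    "wrong_service": _event(
        "PutBucketPolicy", "arn:aws:iam::123456789012:user/alice", "AdminRole",
        source="s3.amazonaws.com"),
}

EXPECTED = {
    "human_attach_admin": True,
    "automation_attach_admin": False,
    "human_attach_unprivileged": False,
    "wrong_service": False,
}


def run_tests() -> bool:
    """Run the rule over every test event and report whether all expectations hold."""
    return all(rule(TEST_EVENTS[name]) is expected for name, expected in EXPECTED.items())


if __name__ == "__main__":
    for name, event in TEST_EVENTS.items():
        print(f"{name:28s} -> {rule(event)}")
    print("all tests pass" if run_tests() else "FAILURES")
```

Keeping the expected outcomes next to the rule is the part that a query DSL rarely gives you: the allow-list for automation and the privileged-role naming convention are both exercised by a test, so a later edit that loosens either one fails in review rather than in production.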
What is the biggest obstacle to getting security teams to come around on detection as code?
Jack: Teaching the basics and showing people that it's not scary to write basic code. Anyone can learn! The system just needs to make it easy to do the right thing.
What is the biggest challenge facing the security industry right now?
Jack: I think every CISO would say, not enough people to do the job. It's also a nuanced and nebulous practice, which doesn't make it easier. And with the move to the cloud, detection teams also need to be developers, infra people, etc. It makes it even harder.
What's one piece of advice that you would give to security engineers who are just starting in their careers?
Jack: Take the time to learn about your company's production environment, core business model, frameworks like CIS/MITRE ATT&CK, and writing code! Also study TTPs, keep a pulse on recent breaches, and test how you would have detected or responded to them.
Where's your happy place?
Jack: The beach 100%. I love warm weather and gladly claim California as my home. Close seconds: mountains, exploring new cities, the gym, and farmers' markets.
What's the hardest thing about founding a security company?
Jack: Getting your first customer. Security relies heavily on mutual trust, and it's tough to convince someone to rely on you for a critical function early in the journey.
How do you stay current on the latest attacker trends and TTPs (tactics, techniques, and procedures)? If Twitter, are there any accounts you would recommend following?
Jack: Definitely Twitter! But also blogs from GROUP-IB, CISA, Threatpost, et cetera.