Consider a data breach. While security measures like data encryption secure data in the event of a breach, it’s proactive monitoring for suspicious events—like a change in data access permissions—that enables teams to identify and stop threats before they turn into incidents. This is why effective threat detection and response is recognized as a key part of maintaining full protection of your organization’s assets, data, and operations.
But modern threat detection needs to measure up to modern demands. With ever-changing business requirements and a constantly evolving threat landscape, security teams need agile solutions—threat detection that is flexible enough to pivot with shifting priorities, scales with business, and can be optimized through automation and customization, all while remaining highly accurate.
Enter detection-as-code (DaC), the modern approach to threat detection and response that enables security teams to write, manage, and deploy their detections through code.
Like other “as-code” approaches in DevOps and DevSecOps, DaC lets security teams reap the same process and control benefits available to any software code base, such as version control, automation, scalability, and quality assurance. In particular, detection-as-code can be easily customized and extended to cover security gaps. This translates to improved workflows, better alerts, and ultimately an enhanced security posture. Most importantly, teams remain flexible enough to change along with business requirements.
Let’s take a closer look at how DaC works, its features, and how it enhances security posture.
Detection-as-code is offered as part of modern SIEM software. A SIEM monitors your applications and infrastructure for threats in real time, sends an alert when a threat is detected, and enables teams to respond to threats as they happen. SIEMs do this by ingesting and aggregating logs, normalizing them, and then analyzing them against detections.
A detection is a rule that defines when an alert should trigger, based on an event occurring or certain conditions being met. For example, you could create a rule that detects brute force attacks by monitoring for five failed login attempts in a row followed by a successful login. The detection defines both the condition and the alert.
Modern SIEMs offer detection-as-code, which enables teams to write detection rules in code, such as Python, and manage the coded detections with version control. Just like with a traditional SIEM, these detections process all ingested log data in real time and generate alerts as needed. Check out the next image for an example. You’ll see a detection rule written in Python and how it translates to an alert regarding a possible misuse of root credentials for an OpenVAS vulnerability scanner.
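To make the brute force example above concrete, here is an added worked example (written for this post, not code from Panther or any other vendor) of a detection rule expressed as Python: it parses a handful of constructed authentication log lines, keeps a per-user, per-source count of consecutive failures, and emits an alert when five or more failures are followed by a successful login. The log format, field names, and the `BruteForceRule` class and `run_rule` helper are assumptions made for this example; a real SIEM would hand the rule already-normalized events and its own alert schema.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample auth log lines for this example (not real data), oldest first.
# alice: 5 consecutive failures then a success  -> should alert
# bob:   2 failures then a success              -> below threshold, no alert
# carol: 6 failures and never succeeds          -> condition not met, no alert
SAMPLE_LOG_LINES = [
    "2024-05-01T08:00:01Z sshd user=alice src=10.0.0.5 result=FAILED",
    "2024-05-01T08:00:03Z sshd user=alice src=10.0.0.5 result=FAILED",
    "2024-05-01T08:00:04Z sshd user=bob src=10.0.0.9 result=FAILED",
    "2024-05-01T08:00:06Z sshd user=alice src=10.0.0.5 result=FAILED",
    "2024-05-01T08:00:07Z sshd user=bob src=10.0.0.9 result=FAILED",
    "2024-05-01T08:00:08Z sshd user=alice src=10.0.0.5 result=FAILED",
    "2024-05-01T08:00:09Z sshd user=bob src=10.0.0.9 result=SUCCESS",
    "2024-05-01T08:00:10Z sshd user=alice src=10.0.0.5 result=FAILED",
    "2024-05-01T08:00:12Z sshd user=alice src=10.0.0.5 result=SUCCESS",
    "2024-05-01T08:05:00Z sshd user=carol src=10.0.0.7 result=FAILED",
    "2024-05-01T08:05:02Z sshd user=carol src=10.0.0.7 result=FAILED",
    "2024-05-01T08:05:04Z sshd user=carol src=10.0.0.7 result=FAILED",
    "2024-05-01T08:05:06Z sshd user=carol src=10.0.0.7 result=FAILED",
    "2024-05-01T08:05:08Z sshd user=carol src=10.0.0.7 result=FAILED",
    "2024-05-01T08:05:10Z sshd user=carol src=10.0.0.7 result=FAILED",
    "2024-05-01T09:00:00Z sshd user=alice src=10.0.0.5 result=SUCCESS",
]

# Assumed log layout: "<timestamp> <program> user=<name> src=<ip> result=<FAILED|SUCCESS>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAILED|SUCCESS)$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Normalize one raw log line into an event dict; return None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


class BruteForceRule:
    """Stateful detection: N or more consecutive failed logins for one (user, source)
    immediately followed by a successful login from that same pair."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        # (user, src) -> timestamps of the current unbroken run of failures
        self._failures = defaultdict(list)

    def process(self, event: dict) -> Optional[dict]:
        """Feed one normalized event; return an alert dict when the condition fires."""
        key = (event["user"], event["src"])
        if event["result"] == "FAILED":
            self._failures[key].append(event["ts"])
            return None
        # A success ends the run of failures for this pair, whether or not it alerts.
        failures = self._failures.pop(key, [])
        if len(failures) < self.threshold:
            return None
        # The rule defines both the condition (above) and the alert (below).
        return {
            "title": (f"Possible brute force: {len(failures)} failed logins then success "
                      f"for {event['user']} from {event['src']}"),
            "severity": "HIGH",
            "user": event["user"],
            "src": event["src"],
            "failed_attempts": len(failures),
            "first_failure": failures[0],
            "success_at": event["ts"],
        }


def run_rule(lines, threshold: int = 5):
    """Run the rule over raw log lines in order and collect the alerts it produces."""
    rule = BruteForceRule(threshold)
    alerts = []
    for line in lines:
        event = parse_log_line(line)
        if event is None:
            continue  # unparseable line: skip rather than crash the detection
        alert = rule.process(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LOG_LINES):
        print(alert["severity"], alert["title"])
```

Because the rule is ordinary Python, the constructed log lines double as a test fixture: a unit test can assert that exactly one alert fires for `alice` at the default threshold and that lowering the threshold changes the result, which is the quality-assurance benefit of keeping detections in a code base rather than in a console.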
With detection-as-code (DaC), the process of writing and managing detections is structured, yet flexible and customizable. Here are the key features that set detection-as-code apart:
Let’s connect the dots and understand how detection-as-code improves security posture and operations. Keep in mind that a robust security posture minimizes the risk of threats and ensures that an organization is prepared to respond efficiently when incidents occur. Here’s how detection-as-code improves both:
In traditional SIEMs, detections are used in the same way as detection-as-code—they process normalized and aggregated log data in order to detect threats and generate alerts in real-time. However, they are created and managed in a substantially different way:
Overall, more effective security coverage comes down to a better security posture. That’s why it’s vital for security teams to use a threat detection solution that is flexible, so that detections can be customized to cover every threat as threats change.
There’s more to learn about detection-as-code! Check out the case study of how Bitstamp uses Panther to accelerate its detection testing and deployment. You’ll learn about Bitstamp’s challenges in creating detections with a vendor-specific language, and how switching to use Panther’s Python-based detection-as-code accelerated their operations.
Curious about Panther? Request a demo.