Learn it Firsthand: How Zapier Uses Detection-as-Code to Increase Their Alert Fidelity

Michael Kuchera, Zapier’s Security Incident Response Leader. Michael imparted invaluable insights for other security practitioners to learn from. He shed light on modern security teams’ challenges and how Zapier overcame them by adopting a detection-as-code approach. Keep reading for key takeaways from Michael’s insights during the webinar.

Transition from Legacy Solutions

Michael highlighted the limitations of traditional methods like legacy SIEMs or large analyst teams. These approaches often involve many manual processes, deliver outdated information, and increase analyst fatigue. In contrast, detection-as-code offers improved efficacy, scalability, and collaboration, leading to better alert triage and response.

Engineering-First Approach to Detection and Response

Emphasizing the engineering-first approach of detection-as-code, Michael discussed the importance of rigorous testing and how it empowers teams to do more with less. This approach streamlines alert logic adjustments and enhances security posture by facilitating collaboration, increasing detection efficacy, and improving alert fidelity. 

Practical Implementation of Python Detections

Michael shared practical aspects of implementing detection-as-code in contrast with legacy SIEM solutions. Focusing on its flexibility and low barrier to entry for new engineers, he discussed how detections written in Python make detection logic easy to comprehend, leading to improved collaboration and faster onboarding timelines. 

Analyzing Your Environment for Gaps 

The discussion underscored the importance of analyzing your security environment to identify gaps in threat coverage and prioritize new detections. Michael stressed the need for continuous analysis, creation, tuning, and testing of detections to enhance the detection engine continually. He outlined how to start with a gap analysis of your environment to help prioritize the next steps for security engineers seeking to improve their detection and response efforts. 

The Scalability of Panther and Detection-as-Code

Michael discussed Panther’s scalability with their other tools and systems, addressing questions from the webinar attendees about performance and scalability. Because of Panther’s Snowflake Data Lake backend, he has found its performance faster than other security tools he has used in the past. Paired with a detection-as-code approach to detection and response, his team of only three can accomplish the same output as much larger security teams. 

Accessibility and Learnability of Detection-as-Code

Michael debunked the myth that detection-as-code requires dedicated engineers to maintain. Using detection-as-code enables small security teams to do more with fewer resources, without sacrificing their security posture. Affirming its accessibility for teams of varying backgrounds and expertise, Michael highlighted some of the no-code features in Panther that allow newer engineers to use detection-as-code principles regardless of existing skill level. 

Continuous Improvement and Iteration

Finally, Michael spotlighted the iterative nature of detection-as-code. You are always improving your alert fidelity by continuously analyzing your environment to prioritize new detection creation and then tuning and iterating on existing detections. 

By leveraging detection-as-code, security teams can streamline alert triage and response, enhance their security posture, and scale detections effectively without significantly increasing personnel. As security threats evolve, embracing a modern approach like detection-as-code will help security teams adapt ahead of attackers. Couldn’t catch the webinar live? Watch the recording.

Recommended Resources

Escape Cloud Noise. Detect Security Signal.
Request a Demo