Realize SIEM Value from Day One

Ted Kietzman

TL;DR: Panther is here to provide high-signal value to all security teams from day one. To do so, we’ll be constantly and consistently improving four core product capabilities of SIEM: collect, detect, alert, and investigate. Today, we’re excited to announce key feature enhancements to help teams collect their most valuable data and easily tune their detections. We’ll be back with more to share for alerting and investigating in August.

SIEM’s Bad Reputation

Despite a flurry of new marketing terms and tools, SIEM is still essential in 2023.

The industry may be exploring new terms like XDR or SOC Platform, but at the end of the day, cybersecurity is still a data problem, and a SIEM’s core function is to make sense of all that data.

New marketing terms are being created to dodge the challenges and friction points traditionally associated with SIEMs. For those in security, legacy SIEM challenges are pretty well-worn at this point:

  • They’re expensive
  • They don’t scale, especially not to meet cloud volumes
  • They’re hard to customize or tune to specific environments
  • They’re difficult to get up and running 

Given these frustrations, the term SIEM rightfully leaves a sour taste in many security professionals’ mouths. Many SIEMs can feel like a money pit of wasted time and resources. 

On the other hand, the rise of cloud infrastructure drastically expands data volumes, making a security team’s mandate to centralize and monitor data from their environment more essential and demanding than ever. 

A New Hope for SIEM

At Panther, we aren’t hiding behind a new marketing acronym. We’re just building a SIEM to address these key challenges. We are laser-focused on developing a platform that provides high-signal value to all security teams from day one.

To enact this vision, the team will be constantly and consistently improving four core product capabilities of SIEM:

  • Collect and transform logs into valuable security data
  • Detect suspicious activity in your environment
  • Alert your team to take action on identified threats
  • Investigate incidents quickly and effectively

Today, we’re excited to announce key feature enhancements from the Collect and Detect functions. We’ll be back with more to share with the Alert and Investigate functions in August.

It’s one thing to state a vision, but a concrete use case illustrates an experience more clearly. To connect the dots, let’s follow a fictional security engineer “Ali” on day one of using Panther to monitor the environment of returns.ai, a new finance application.

To elaborate on the functionality from the video in a little more detail, here is the vision for both the Collect and Detect pillars.

Collect: Your Data, Your Way

A serious problem arises when security teams aren’t given control over their data flow.

Many legacy SIEM tools have a wide variety of integrations to put data into their platforms. However, a serious problem arises when security teams aren’t given control over that data flow to ensure it’s only the data they need and that they are ingesting the data effectively. Lack of control leads to the ingestion of ill-formatted, low-value data, which ends up causing bloated license costs, noisy alerts, and frustrated security teams.

To combat collection friction, Panther is building a variety of data control mechanisms into the platform to increase relevant visibility while simultaneously reducing unnecessary noise and costs.

The flexibility to throw any log source into Panther was a critical reason we chose the tool.

Jan Urbanc – Head of Security Operations, Bitstamp

To start, Panther is ensuring that data ingestion is easy and reliable from the most valuable sources by including seamless integrations with all major cloud platforms (AWS, GCP, and Azure) as well as direct integrations with our platform via HTTPS.

Directly ingesting Auth0 logs via HTTPS

Moreover, Panther understands that data ingestion is not a one-size-fits-all problem. That’s why Panther is developing robust filtering functionality to ensure that only relevant and valuable security data is ingested and stored in the security data lake.

Filtering AWS Application Load Balancer logs that have 400 status codes

Finally, the team is building out core data transformation capabilities providing another way to control the structure and value of security data as it enters the platform. By leveraging both filtering and transformations, teams can cost-effectively magnify the security value of their data.

Using “Concat” transformation to combine IP and Port fields into a new Socket field
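As an added illustration of the two ingestion controls described above (filtering on an ALB status code and a “Concat” transform that joins IP and port into a socket field), here is a small Python ingestion stage. It is not Panther’s code or configuration; the event field names and the keep/drop filter syntax are assumptions made for the example, and the sample events are constructed.

```python
"""Added illustration, not Panther's code or configuration: an ingestion stage
that applies a declarative keep/drop filter and a "concat" transform to
constructed ALB-style events (field names assumed, not Panther's schema)."""
from dataclasses import dataclass
from typing import Any

# Constructed sample events shaped like parsed ALB access-log records.
SAMPLE_EVENTS = [
    {"client_ip": "203.0.113.10", "client_port": 44321, "elb_status_code": 200, "request": "GET /"},
    {"client_ip": "203.0.113.11", "client_port": 44322, "elb_status_code": 400, "request": "GET /%00"},
    {"client_ip": "198.51.100.7", "client_port": 51000, "elb_status_code": 400, "request": "POST /login"},
]

# Comparison operators the filter language understands (assumed, kept minimal).
OPS = {
    "eq": lambda a, b: a == b,
    "in": lambda a, b: a in b,
}

@dataclass
class Filter:
    """Match when `field <op> value`; action "keep" passes only matches, "drop" discards them."""
    field: str
    op: str
    value: Any
    action: str = "keep"

    def passes(self, event: dict) -> bool:
        matched = OPS[self.op](event.get(self.field), self.value)
        return matched if self.action == "keep" else not matched

@dataclass
class Concat:
    """Join source fields into a new field, e.g. client_ip + ":" + client_port -> socket."""
    sources: list
    target: str
    sep: str = ":"

    def apply(self, event: dict) -> dict:
        if any(event.get(s) is None for s in self.sources):
            return event  # missing source field: leave the event untouched rather than emit a partial value
        return {**event, self.target: self.sep.join(str(event[s]) for s in self.sources)}

def ingest(events, filters, transforms):
    """Apply every filter, then every transform; return the events that survive."""
    kept = []
    for ev in events:
        if all(f.passes(ev) for f in filters):
            for t in transforms:
                ev = t.apply(ev)
            kept.append(ev)
    return kept
```

Running `ingest(SAMPLE_EVENTS, [Filter("elb_status_code", "eq", 400)], [Concat(["client_ip", "client_port"], "socket")])` keeps the two 400 responses and adds a `socket` field such as `203.0.113.11:44322` to each; switching the filter's action to `"drop"` inverts the selection.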

Detect: Simple Detections Enable Detection-as-Code for Everyone

The rapid increase in attack surface associated with the rise of cloud infrastructure has many teams scrambling to get robust detection coverage in place and experimenting with operational tactics like Detection-as-Code. While tools often offer out-of-the-box detections, they are almost always a pain to customize to a specific environment. And Detection-as-Code, a practice that enables teams to track, edit, test, and deploy new or customized detection logic seamlessly, is still relatively untapped in its potential.

To help all security teams get the coverage they need and realize the benefits of Detection-as-Code from day one, Panther is introducing Simple Detections. Simple Detections enables any security team member to easily build and customize detections without relying on deep coding experience.

The feature expands the detection creation process to include a GUI builder based on simple YAML constructs, alongside the power of Python. This enables more team members to seamlessly tune and optimize detection logic for their specific environment. Additionally, all Panther-provided Simple Detections will inherit future logic updates without impacting your customizations.

Easily tune an Auth0 detection with filter logic

Simple Detections also provide a bridge for users to begin writing logic in code and using developer tools like CI/CD workflows – gaining valuable on-the-job technical experience. Panther will always enable the most powerful aspects of Detection-as-Code, but the platform is now focused on supporting all teams in their journey into the new paradigm.
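To make the “tune with filter logic, keep the provided logic updatable” idea concrete, here is an added Python example written in the `rule(event)` / `title(event)` convention that Panther’s Python detections use. It is not a Panther-provided detection: the Auth0 event field names (`data.type`, `data.connection`, `data.client_name`) and the tuning values are assumptions for the illustration, and the core rule and the environment-specific filters are deliberately kept in separate functions so one can change without touching the other.

```python
"""Added illustration, not a Panther-provided detection: an Auth0 failed-login
rule whose core logic and environment-specific filters are kept apart, so the
core can be updated without disturbing local tuning. Field names are assumed."""
from typing import Any

# Environment-specific tuning lives in data, separate from the core rule logic.
TUNING = {
    "ignore_connections": {"Username-Password-Authentication-test"},  # constructed value
    "ignore_client_names": {"load-test-harness"},                     # constructed value
}

def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely: deep_get(ev, "data", "type") never raises on missing keys."""
    cur: Any = event
    for k in keys:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(k, default)
    return cur

def base_rule(event: dict) -> bool:
    """Core detection: a failed Auth0 login (event types "f"/"fp" assumed here)."""
    return deep_get(event, "data", "type") in {"f", "fp"}

def filters(event: dict) -> bool:
    """Return True when local tuning says this event should be suppressed."""
    if deep_get(event, "data", "connection") in TUNING["ignore_connections"]:
        return True
    if deep_get(event, "data", "client_name") in TUNING["ignore_client_names"]:
        return True
    return False

def rule(event: dict) -> bool:
    """Entry point: fire only when the core logic matches and no filter suppresses it."""
    return base_rule(event) and not filters(event)

def title(event: dict) -> str:
    return f"Auth0 failed login for {deep_get(event, 'data', 'user_name', default='<unknown>')}"
```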

Realizing Day One Value with Panther

To learn more about Panther’s vision, we’ll be providing updates via detailed product webinars for both the Collect and Detect pillars. The first webinar will be a deep dive into the new data ingestion and control mechanisms on June 22nd. Register here to attend.

The second will be an exploration of Panther’s new Simple Detections functionality and how it enables all teams to effectively customize and tune detection logic, delivered in July.

We’re excited to be building a SIEM that actually provides security value from Day One. If you can’t wait to get in on the action, you can request a demo of the platform now.