It’s a sad fact, but most alerts just aren’t useful – like at all. We know it, you know it, every vendor knows it, but still, every tool in your stack seems to want to drown you in alerts.
So this RSA, we’re going to do something different. We’re not going to try to scare you about what attackers might be hiding under your bed in your logs and how you should spend every waking moment writing detections and searching for them.
We’re going to tell you why you should be focusing your attention on NOT generating alerts and NOT investigating false positives.
To help us do this, we’re unveiling our new Correlation Rules and AI capabilities at RSA.
** Quick Marketing Aside ** Make sure to come to booth #3416 to check it out live or hit us up to schedule a demo! Our SWAG has been called epic by some.
Ok, now back to the blog.
Imagine a scenario where one of your finance execs logs in from a new IP and then downloads a sensitive file within a short time frame. On their own, these activities might not be a big deal or trigger any alarms. Employees frequently work remotely and download files. There is nothing too crazy here, and it’s probably not worth sending an alert.
But when these things happen in rapid succession or in conjunction with something else sketchy, they could probably use a closer look. This is what we’re solving with Correlation Rules. We give you the control to decide what combinations of conditions, events, and people, across which timeframes, merit an alert. This way you don’t waste time triaging an alert every time Carl from Accounting decides to work from Starbucks.
I spoke with Nick Hakmiller, one of the leads on the feature, and he emphasized the same sentiment, “With Correlation Rules it’s not just about reducing noise. It’s about putting threat detection precision at the center of the experience. By allowing people to combine different detections together to ignore things that aren’t risky, it makes everyone’s lives less annoying. And it makes us safer by focusing attention on things that actually are risky.”
Now, you’re probably asking why this is different from other vendors’ Correlation features that they’ve launched, and that’s a great question. The answer is easy – they tried to do it using queries instead of using code.
The best analogy to use here is the difference between monoliths (other vendors) and microservices (Panther).
With other vendors, every correlation has to be written as a long, complex query. Want to write a new one? Start from scratch. Want to share it with your team? We better hope like hell they don’t change anything. It just doesn’t scale when the threat landscape changes as fast as it does.
For Panther, Correlation Rules are declared as reusable, customizable, testable code using the same Detection-as-Code principles we’re known for. An alert is noisier than you want? Cool, just tweak the Correlation Rule. New TTPs just dropped? Great, re-use your existing rules to make writing new ones even faster.
In the same way, a microservices architecture creates a set of modular services that can be combined and reused across different products, Panther creates a set of modular detections that can be combined and reused across different Correlation Rules.
It wouldn’t be a product blog at RSA 2024 without AI, so here it is. Simply put, our upcoming new AI capabilities will help you save time.
Tell me if you’ve been here before: you joined a new team at a new company, and you’re a couple of months in. All of a sudden, a new high-severity alert hits that you’ve never seen before.
You try to figure out what it means and why it’s important, but you can’t find anything. There’s no documentation, nobody on your team knows, nada. Finally, someone on your team suggests that it was probably Jen’s alert.
Jen left for another job 5 months ago. Great, now what?
We’re building new AI capabilities to make that problem go away. Even better: with our AI, it simply just won’t occur.
Our AI helps everyone on a security team understand the nuances behind each alert. It speeds up the process of determining whether an alert requires attention, and if so, what to do about it. This means less time wasted trying to understand what something is and more time spent dealing with it.
I asked Russel Leighton, our Chief Architect and the originator of our AI project, about how he thinks it will help teams.
“It’s about being able to understand and process information as quickly as possible,” he said. “ You shouldn’t have to dig around for information on what an alert is or whether it’s worth your time. With AI now, we can inject all the context for you. That means all the individual events in your Correlation Rule and all the relevant enrichment data from the most relevant sources. I think it makes our Correlations even better, and it’s going to save people a ton of time gathering all the info they need to make a determination on an alert.”
Talk is cheap, so we’d much rather show you these things live. If you’re going to be at RSA, stop by our booth to check it out. Or even better, attend one of our events and chat with us. Who doesn’t like free food and swag.
See you there!
