Black Hat USA 2024 is here: six days of trainings, briefings, keynotes, breakout sessions, and a business hall with hundreds of vendors. Set amidst the scorching Vegas heat, it’s the hottest place to be in cybersecurity—literally and figuratively.
Panther is turning up the heat even more with an incredible Detectapalooza lineup of powerful code-driven detection and response capabilities. At RSA we launched our tour and doubled down on Panther’s commitment to accelerating detection and response at scale by announcing code-driven correlation rules. This week we’re reinforcing that commitment with a series of powerful enhancements to help SecOps teams transform noisy cloud logs into security signals to detect complex cloud attacks.
Panther’s vision has always been code-driven: incorporating engineering best practices into SecOps workflows to enable end-to-end automation. With Detection-as-Code, SIEM rules function as modular building blocks that support standardization, reusability, testing, and collaboration to enable a tailored, scalable detection and response strategy. Correlation rules are a critical extension of this concept.
With correlations, detections can be repurposed and customized to define combinations of security signals spanning multiple log sources, tied to the same threat actor. The result is high-fidelity, contextualized alerts, and much less noise in the system. Since announcing correlation rules at RSA, we’ve gotten incredible feedback from the security community:
We’re excited to continue that momentum with a host of new capabilities that extend the overall flexibility, fidelity, and reliability of correlation rules. Today we’re introducing the following concepts and features:
Sound interesting? Keep reading for the details.
In threat monitoring and detection workflows, sometimes the order and timing of the events is absolutely critical. Think of a brute force attack followed by a successful login, followed by escalating account privileges. When these signals are detected in order, they indicate a high likelihood of a compromised account. That’s what Panther’s sequences are designed for: configuring correlation logic to generate an alert when detected events happen in a certain order, with specific time windows between those events.
Other threat scenarios don’t rely on the specific timing of events, such as when separate systems haven’t yet been patched to address a new vulnerability or exploit. In these cases it’s less relevant which system’s vulnerability was identified first. The team just needs to know that critical systems need patching as soon as possible, and combining those signals into a single alert allows the team to address the vulnerability while minimizing noise in the system.
These kinds of scenarios are what Panther’s groups are designed for: defining a correlation between related events that can happen in any order. When groups and sequences are used across multiple correlation rules, they give SecOps teams maximum flexibility in determining how to detect threats relevant to their risk model.
In addition, Panther’s correlation rules now fully support unit tests. When creating a new correlation rule by coding new detections, repurposing existing detections, or even building on an existing correlation to extend its logic, you want to validate that the correlation rule will work as expected and get an idea of what alert activity it might generate. Unit testing enables that validation, helping teams scale their threat and response workflows to new attack surfaces.
Meanwhile, our Threat Research team has been hard at work developing new out-of-the-box correlation rules that detect common attack paths across cloud infrastructure and connected systems. We’ve listened to feedback from our customers and the broader threat detection community to dial in ten new Panther-Managed Correlation Rules that will allow customers to get faster time to value in elevating their detection strategy.
This all may sound incredible, but seeing is believing. We’d love to show you how these enhancements can elevate your detection and response strategy, so stop by booth 974 anytime during Business Hall hours, Wednesday 10am – 6pm and Thursday 10am – 4pm.
If you want a deeper dive that covers your specific use cases, book a demo. Our team of threat detection experts will walk you through how Panther can accelerate detection and response for your organization’s threat scenarios.
Stay tuned for some even more exciting news this week!