How Docker uses Panther to Cut False Positive Alerts by 85% While 3Xing Ingestion
Industry: Software Development
HQ: San Francisco, CA
Founded: 2013
Employees: 501-1K employees
When Docker's Detection and Response Manager joined the company, they needed to build a lean but effective security team. And, with aggressive SOC 2 Type 1 compliance deadlines looming, the team needed to implement centralized logging and alerting quickly while establishing an affordable and scalable foundation that could grow with their future security requirements.
Legacy security monitoring products weren’t built for the volume of logs that today’s cloud infrastructure produces, so meeting growing ingestion requirements with them became prohibitively expensive. As a multi-cloud company (AWS/GCP/Azure), comprehensive log ingestion at an affordable and predictable cost was a top priority for Docker.
"Without visibility, detection is impossible. Panther gives us 100% visibility of our security logs, giving us cross-cloud visibility at scale."
Docker’s Detection & Response Manager
Building a Security Program with Scalability in Mind
Docker's growth as a company required a security approach that could scale without exponential headcount increases. Their solution was to build a detection-engineering-focused team rather than a traditional SOC analyst model.
“Panther lets Docker build programmable detections with confidence, reducing the time spent by our lean security team.”
Docker’s Detection & Response Manager
Panther's Python-based programmable detections were the ideal fit. Unlike traditional SIEMs with proprietary, limited query languages, Panther let Docker's security team write detections in a flexible, general-purpose language they already knew. Using Python in their security workflows also improved collaboration with other engineering teams, since Python is already in common use at Docker.
The flexibility of Python programmable detections let the Docker team easily tune and customize their rules, resulting in an 85% reduction in their false positive alert rate year over year.
Achieving Cost-Effective Visibility Across a Multi-Cloud Environment
Panther's cloud-native architecture allowed Docker to ingest and analyze logs from diverse sources that were previously difficult to process and correlate, including VPC flow logs, HAProxy, GuardDuty, and Security Hub. This expanded visibility provided crucial context for their detection and investigation workflows. Using Panther signals and correlation rules, Docker built automation that reduced the volume of false-positive alerts requiring manual triage and investigation.
“Panther’s correlation rules provide us with cross-log context to investigate and close more alerts without manual effort.”
Docker’s Detection & Response Manager
Despite an impressive 3x increase in log ingestion, Docker maintained complete control over its costs. With predictable and affordable pricing, the team didn’t have to take calculated risks by omitting certain log sources, a rarity for today’s security operations teams using legacy solutions. They get to make decisions based on security priorities instead of cost constraints.
Meeting Compliance Deadlines with Ready-to-Use Security Monitoring
Docker’s Detection and Response Manager was hired and immediately tasked with helping the organization achieve SOC 2 Type 1 Compliance on a tight deadline. To meet compliance requirements, they needed to implement comprehensive security monitoring and alerting capabilities quickly.
Panther's out-of-the-box integrations and detection packs provided immediate value. The team quickly onboarded their most critical data sources to Panther, like Okta and AWS CloudTrail, establishing baseline security monitoring with minimal configuration effort. The platform's pre-built detections for common threats and compliance use cases meant that Docker could establish the required security controls in time for their audit.
“Panther makes ingestion straightforward, and the support team helped me onboard our custom data quickly. They made my job very easy.”
Docker’s Detection & Response Manager
With Panther, Docker achieved their SOC 2 certification on schedule while building the foundation for ongoing security operations excellence. As they continue to mature their program, they're exploring capabilities like correlation rules to create higher-fidelity detections by combining multiple signals.
Challenges
Scaling a security team alongside rapid company growth
Achieving 100% visibility across multi-cloud environments with a limited budget
Meeting accelerated SOC 2 compliance deadlines, which required centralized logging and alerting
Solutions
Automating workflows with CI/CD and Panther’s programmable detections
Deploying Panther to increase ingestion with predictable and affordable costs
Implementing Panther's out-of-the-box detections and log source integrations to achieve compliance readiness quickly
Results
Reduced false positive alert rate by 85% year-over-year through automated workflows and higher-fidelity detection logic
Gained comprehensive visibility into the environment, including AWS, GCP, and Azure, while managing a 3x increase in log volume since deploying Panther
Achieved SOC 2 Type 1 certification on schedule with centralized security data and alerting