
How Panther Helps GitGuardian Resolve Alerts in Minutes

Industry: Computer and Network Security

HQ: Paris, France

Founded: 2017

Employees: 50-200 employees

GitGuardian, an end-to-end NHI and secrets security leader, faced growing pains in security operations that are common to companies at a similar stage. Their team relied on a hard-to-maintain legacy data aggregation platform shared with the engineering team; the resulting concerns about who could read the logs limited what could be sent there and left security monitoring coverage inadequate. They transformed their security operations by implementing Panther, dramatically improving their investigation capabilities, detection coverage, and visibility.

Centralizing Security Data for More Efficient Investigations

Before Panther, GitGuardian's security team struggled with fragmented logging systems. Their self-hosted Elasticsearch cluster frequently broke down, even with only 20% of security events being logged. The team couldn't pipe in all their security data because every engineer had access to the cluster, which raised security concerns about exposing sensitive logs. Furthermore, they had to navigate between separate logging interfaces in tools such as Google Workspace, Okta, and HashiCorp Vault, resulting in a disjointed and suboptimal experience for the team. Investigations were painfully inefficient. In one instance, three engineers spent three days investigating a potential breach, only to find no evidence that a compromise had occurred.

Implementing Panther transformed GitGuardian’s capabilities. They immediately integrated 12 critical log sources, including Okta, 1Password, and Google Workspace. Panther’s query interface offered better usability than the slow process of building queries in Kibana.

“Panther gave us absolute certainty about an alert in less than 20 minutes.”

Security Engineer at GitGuardian

The team particularly valued the ability to quickly onboard new logs with Panther’s schema inference capabilities. Combined with Panther's search interface, GitGuardian could now efficiently write queries across multiple log sources—something challenging to perform in their previous solution. For AWS cost-spike investigations, they created queries in minutes, tasks that previously took days.

Engineering-Driven Security with Programmable Detections

The GitGuardian security team needed an engineering-driven approach that their previous tools couldn't support. With a small team and a large surface area to monitor, programmatic detection management helped them create and maintain highly effective rules.

"Panther is how security engineering should work."

Security Engineer at GitGuardian

Panther's programmable detections enabled the team to establish a GitHub repository with a CI/CD pipeline for deploying rules. This workflow allowed continuous improvement with "simple pull requests," minimizing false positives. They leveraged Panther's out-of-the-box rules as a foundation, customizing them to meet their specific needs.

For their web application firewall (WAF), they created custom rules to detect unusually large numbers of requests and potentially malicious traffic in production, setting appropriate thresholds based on their expected traffic patterns. They also modified out-of-the-box 1Password detections to fit their tech stack; one of those rules detects sign-ins from unusual devices, such as Linux machines. Since GitGuardian uses Ubuntu machines, they turned off that rule, made a copy, and edited it to reflect their organization’s own definition of an unusual machine.
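The customization described above, as an added example that is not GitGuardian's or Panther's own code: a stock rule that treats any Linux sign-in as unusual, next to an edited copy that takes an organization-specific allowlist of expected OS families and only considers successful sign-ins. It follows the rule(event) convention Panther uses for Python detections, but the event field names (action, user, os_family) and the sample events are constructed assumptions, not 1Password's real log schema.

```python
"""Added example: stock 'unusual device' rule vs. an organization-tuned copy.
Event field names and sample events are constructed, not a real 1Password schema.
"""
from typing import Iterable, List, Mapping, Set

# Assumed stock behaviour: a sign-in from a Linux device is unusual.
UNUSUAL_OS_FAMILIES_STOCK: Set[str] = {"Linux"}

# Assumed organization-specific definition: these OS families are issued to staff,
# so a sign-in from anything else is the unusual case.
USUAL_OS_FAMILIES_CUSTOM: Set[str] = {"Linux", "macOS"}


def rule_stock(event: Mapping) -> bool:
    """Out-of-the-box logic: alert on any sign-in from a Linux device."""
    return event.get("os_family") in UNUSUAL_OS_FAMILIES_STOCK


def rule_custom(event: Mapping, usual_os: Set[str] = USUAL_OS_FAMILIES_CUSTOM) -> bool:
    """Edited copy: alert only on successful sign-ins from an OS family the
    organization does not issue. Failed sign-ins are left to other rules."""
    if event.get("action") != "signin.success":
        return False
    return event.get("os_family") not in usual_os


def title(event: Mapping) -> str:
    """Alert title built from the event, as a detection would surface it."""
    return (f"Unusual device sign-in for {event.get('user')} "
            f"from {event.get('os_family')}")


# Constructed sample events: an Ubuntu engineer, a Windows sign-in, a failed
# Windows attempt, and a macOS sign-in.
SAMPLE_EVENTS: List[dict] = [
    {"action": "signin.success", "user": "alice", "os_family": "Linux"},
    {"action": "signin.success", "user": "bob", "os_family": "Windows"},
    {"action": "signin.failure", "user": "carol", "os_family": "Windows"},
    {"action": "signin.success", "user": "dave", "os_family": "macOS"},
]


def evaluate(events: Iterable[Mapping], rule) -> List[str]:
    """Run a rule over events and return the titles of the alerts it raises."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    print("stock rule:", evaluate(SAMPLE_EVENTS, rule_stock))
    print("custom rule:", evaluate(SAMPLE_EVENTS, rule_custom))
```

Run stand-alone, the stock rule alerts on alice's routine Ubuntu sign-in and says nothing about bob's Windows device; the tuned copy does the reverse, which is the false-positive reduction the team was after. Keeping the allowlist in a module-level constant is what makes the rule reviewable in a pull request.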

To monitor for unusual activity across their environment, they implemented a scheduled query that compares each day's log volume, per source, against its 30-day historical average. The query alerts the team when any log source's volume departs from its regular activity by more than a configurable percentage, and the team can adjust that percentage to keep the alerts valuable and actionable.
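The volume check described above, as an added example that is not Panther's scheduled-query SQL nor GitGuardian's own query: per-source daily counts are compared against a 30-day average and an alert is produced when the deviation exceeds a threshold percentage. The daily counts are constructed, and the example goes slightly beyond the case study by also flagging sources that go quiet, since a log source that stops reporting is a monitoring gap a defender wants to know about as much as a spike.

```python
"""Added example: per-source log-volume anomaly check against a 30-day baseline.
The daily counts below are constructed sample data, not real ingestion figures.
"""
from statistics import mean
from typing import Dict, List, Sequence, Tuple

BASELINE_DAYS = 30

# Constructed daily event counts per log source, oldest first. The final
# element is "today"; the 30 elements before it form the baseline window.
DAILY_COUNTS: Dict[str, List[int]] = {
    "okta":    [1000] * BASELINE_DAYS + [1100],   # 10% up: within tolerance
    "aws_waf": [5000] * BASELINE_DAYS + [12000],  # 140% up: a spike
    "gsuite":  [800] * BASELINE_DAYS + [0],       # source went silent
}


def volume_deviation(counts: Sequence[int],
                     baseline_days: int = BASELINE_DAYS) -> Tuple[int, float, float]:
    """Return (today, baseline_avg, pct_change) for one source.

    pct_change is today's count relative to the baseline average, in percent;
    a source whose baseline is empty but has events today is reported as inf.
    """
    if len(counts) < baseline_days + 1:
        raise ValueError(f"need at least {baseline_days + 1} daily counts")
    baseline = counts[-baseline_days - 1:-1]
    today = counts[-1]
    avg = mean(baseline)
    if avg == 0:
        pct = 0.0 if today == 0 else float("inf")
    else:
        pct = (today - avg) / avg * 100.0
    return today, avg, pct


def find_anomalies(daily_counts: Dict[str, Sequence[int]],
                   threshold_pct: float = 50.0,
                   baseline_days: int = BASELINE_DAYS) -> List[dict]:
    """Flag every source whose deviation from its baseline exceeds threshold_pct
    in either direction. threshold_pct is the knob the team tunes."""
    alerts = []
    for source, counts in daily_counts.items():
        today, avg, pct = volume_deviation(counts, baseline_days)
        if abs(pct) > threshold_pct:
            alerts.append({
                "source": source,
                "today": today,
                "baseline_avg": round(avg, 1),
                "pct_change": round(pct, 1),
                "direction": "spike" if pct > 0 else "drop",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(DAILY_COUNTS, threshold_pct=50.0):
        print(alert)
```

With the threshold at 50%, the WAF spike and the silent Google Workspace source are reported and Okta is not; raising the threshold to 150% silences both, which is the tuning loop the case study describes. A scheduled query would typically compute the same two aggregates (a 30-day average and today's count, grouped by source) and emit one row per source over threshold.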

Data Sovereignty with Flexible Cloud Architecture

GitGuardian needed to host their data wherever required, eliminating many security vendors from consideration. The team also had clear budget requirements and ingestion needs, planning for approximately 50 GB/day of logs while needing to optimize their AWS costs.

"We needed the freedom to decide where our data lives. Panther's Cloud Connected deployment model gives us control and ownership over our infrastructure, with none of the operational overhead of on-prem systems."

Security Engineer at GitGuardian

By implementing Panther, GitGuardian achieved compliance with its data sovereignty requirements while significantly improving its security posture. This enabled GitGuardian’s security engineers to manage complex systems with a lean team while still seamlessly responding to and investigating threats.

Challenges

Fragmented logging systems with only 20% visibility into security events made investigations lengthy

Lean security resources with a small team

Strict geographical data-hosting requirements

Solutions

Centralizing security data from critical log sources in Panther with SQL-based analytics capabilities

Implementing Panther’s programmable detections managed with CI/CD pipelines

Deploying Panther's Cloud Connected architecture to meet data localization requirements

Results

Increased security data ingested by 2.5X and reduced investigation time from days to minutes, with some alerts resolved in as few as 5-10 minutes

Improved detection efficacy and cut down on noisy false-positive alerts

Enabled a lean security team to achieve both compliance and operational efficiency
