Spring Health chooses Panther, an AWS Native Security Solution for Complete Cloud Visibility
Industry: Mental Health Care
HQ: New York City, NY
Founded: 2016
Employees: 1,000-5,000
Securing their Cloud
The team migrated its hosting to AWS and, as a result, took on greater responsibility for its own security under the shared responsibility model. Migrating to AWS required a flexible security tool that matched the team's scale and budget and integrated quickly with AWS. Panther, a cloud-native solution built entirely on AWS, allowed the team to centralize security operations in one platform and manage its production environment with complete visibility. Panther's scalable, Lambda-based architecture simplified data onboarding through out-of-the-box (OOTB) integrations for AWS services such as CloudTrail, CloudWatch, and WAF logs.
Migrating hosting to AWS and deploying Panther empowered Spring Health to take ownership of its security posture without overextending its budget. Because the team can ingest and analyze logs from any source, including ones without a built-in parser, it can adapt quickly to changing needs.
“We've brought so much more security data into Panther than we were able to on the previous platform. Now, we feel like we have the freedom to throw literally anything we want into Panther and be confident that it is searchable and usable and that we'll be able to parse it correctly. That was another challenge with the previous platform. If the logs were not automatically parsed, doing a custom parser was incredibly difficult. We had to hunt down somebody from engineering who knew how to write a schema because their support team would not even help us.” Cory Roop, Senior Manager of Security
Accelerating Investigations
Spring Health, the leading global mental health solution for employers and health plans, needed to find a new security solution. Its prior tool lacked extended data retention, so the security team depended on native logs held outside the tool for investigations. This created inefficiencies: an investigation often required hours of manual effort to piece together data from multiple log sources. The result was that the engineering team frequently flagged potential security issues to the security team, rather than the other way around.
“There are certain event types that require us to query three or four services to investigate, and it was very cumbersome. It used to take a couple of hours to verify an activity, but now it only takes a few minutes in Panther.” Cory Roop, Senior Manager of Security
With Panther, Spring Health adopted a data-lake-backed SIEM with 12 months of included hot storage. This extended retention eliminated blind spots and sped up investigations. While the prior solution offered only a limited query language for searches, Panther's interface lets the team search its logs without requiring advanced SQL skills.
With all of its data in easy-to-access storage, Spring Health significantly reduced its mean time to resolution (MTTR). What previously took hours to investigate now takes minutes. For example, correlating a single user's activity across Okta, AWS CloudTrail, and CloudWatch logs, once a painstaking process across three separate consoles, is now a single search in one place.
Monitoring in Real-Time
The previous solution lacked OOTB detection capabilities and relied on scheduled queries, so an event could sit for the length of the query interval before anyone saw it. SIEM obstacles of this kind increase mean time to detection (MTTD) and produce reactive rather than proactive security workflows.
Panther's real-time monitoring and flexible Python detections enabled the Spring Health team to improve its threat monitoring. Panther's detection-as-code model allowed the team to automate testing, validation, and deployment of detections, so a rule is unit tested against sample events before it is promoted to production. This flexibility enabled the team to create custom rules tailored to its business needs, such as identifying record access anomalies or monitoring WAF rate-limiting events.
Access to real-time insights transformed Spring Health's approach to threat detection. The security team now identifies threats before the engineering team notices anomalies, flipping the relationship from reactive to proactive. The ability to quickly tune and refine detections has also reduced the false positive rate and improved the team's confidence in its alerts.
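The following is an added example of what a detection-as-code rule for the WAF rate-limiting case looks like in the Panther Python rule layout (a module exposing rule(), title(), dedup(), severity() and alert_context()). It is not Spring Health's or Panther's own code. It uses AWS WAF web ACL log field names (action, terminatingRuleType, terminatingRuleId, httpRequest.clientIp, httpRequest.uri); the rule ID RateLimitPerIP, the /api/auth path and the sample events are constructed for illustration.

```python
"""
Panther-style Python detection: alert when an AWS WAF rate-based rule
blocks a client. Added example, not Spring Health's or Panther's code.

Panther passes each log event as a dict-like object that supports
.get(), so plain dicts are used here to run the rule locally.
"""

RATE_RULE_TYPE = "RATE_BASED"          # AWS WAF terminatingRuleType value
SENSITIVE_PREFIX = "/api/auth"         # assumed path worth a higher severity


def _request(event):
    """Return the nested httpRequest object, or an empty dict."""
    return event.get("httpRequest") or {}


def _client_ip(event):
    return _request(event).get("clientIp", "<unknown>")


def rule(event):
    """Fire only for requests WAF actually blocked because a rate-based rule tripped."""
    if event.get("action") != "BLOCK":
        return False
    return event.get("terminatingRuleType") == RATE_RULE_TYPE


def title(event):
    """Alert title shown in Panther; includes rule, source IP and path."""
    return (
        f"WAF rate limit {event.get('terminatingRuleId')} blocked "
        f"{_client_ip(event)} on {_request(event).get('uri')}"
    )


def dedup(event):
    """Collapse a burst of blocks from one source under one rule into a single alert."""
    return f"{event.get('terminatingRuleId')}:{_client_ip(event)}"


def severity(event):
    """Rate limiting on an authentication endpoint looks like credential stuffing."""
    uri = _request(event).get("uri", "")
    return "HIGH" if uri.startswith(SENSITIVE_PREFIX) else "MEDIUM"


def alert_context(event):
    """Structured fields attached to the alert for the responder."""
    req = _request(event)
    return {
        "client_ip": req.get("clientIp"),
        "country": req.get("country"),
        "uri": req.get("uri"),
        "web_acl": event.get("webaclId"),
        "rule_id": event.get("terminatingRuleId"),
    }


# Constructed sample events (not real log data): one rate-limit block,
# one allowed request, one block by a non-rate-based rule.
SAMPLE_EVENTS = [
    {
        "action": "BLOCK",
        "terminatingRuleType": "RATE_BASED",
        "terminatingRuleId": "RateLimitPerIP",
        "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/abc",
        "httpRequest": {"clientIp": "203.0.113.7", "country": "US", "uri": "/api/auth/login"},
    },
    {
        "action": "ALLOW",
        "terminatingRuleType": "REGULAR",
        "terminatingRuleId": "Default_Action",
        "httpRequest": {"clientIp": "198.51.100.2", "country": "US", "uri": "/health"},
    },
    {
        "action": "BLOCK",
        "terminatingRuleType": "REGULAR",
        "terminatingRuleId": "AWSManagedRulesCommonRuleSet",
        "httpRequest": {"clientIp": "192.0.2.9", "country": "DE", "uri": "/api/records"},
    },
]


def run_samples(events=SAMPLE_EVENTS):
    """Local dry run: return (title, severity) for each event that fires."""
    return [(title(e), severity(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title, sev in run_samples():
        print(sev, alert_title)
```

In a Panther repository this module sits beside a YAML metadata file that declares the log type, the rule's severity and the unit tests, each test being a sample event plus the expected rule() result; the CI pipeline runs those tests before the rule is uploaded, which is the "automate testing, validation, and deployment" workflow described above. Only the third field check (BLOCK plus RATE_BASED) is the actual detection logic; everything else shapes the alert so the responder does not have to open the raw log.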
“We've been able to write detections that fit business use cases that would not be available out of the box with any platform in a reasonably short amount of time.” Cory Roop, Senior Manager of Security

Challenges
Migrating hosting to AWS created a need for more security visibility
Lengthy, manual investigations caused by inconsistent data retention in the prior security tool
Slow detection times caused by the prior tool's limited query language and lack of real-time monitoring
Solutions
Implemented Panther, an AWS-native security solution, to secure the production environment
Leveraged 12 months of data retention and faster query speeds in Panther's data-lake-backed solution
Implemented real-time threat monitoring with OOTB rules and custom Python detections
Results
Ownership of production security at a predictable cost for high-volume cloud logs
Significantly faster investigations and a reduction in MTTR
Improvement in MTTD, with the security team now proactively alerting engineering