TL;DR: Adopt a modern, test-driven methodology for securing your organization with Detection-as-Code.
Over the past decade, threat detection has become business-critical and even more complicated. As businesses move to the cloud, manual threat detection processes are no longer able to keep up. How can teams automate security analysis at scale and address the challenges that threaten business objectives? The answer lies in treating threat detections like software or detection-as-code.
Watch our On Demand Webinar: Scaling Security with Detection-as-Code with Cedar to find out how Cedar uses Panther to leverage Detection-as-Code to build high-signal alerts.
Detections define logic for analyzing security log data to identify attacker behaviors. When a rule is matched, an alert gets sent to your team for containment or investigation.
Detection-as-Code is a modern, flexible, and structured approach to writing detections that apply software engineering best practices to security. By adopting this new paradigm, teams can build scalable processes for writing and hardening detections to identify sophisticated threats across rapidly expanding environments.
Threat detection programs that are fine-tuned for specific environments and systems are the most impactful. By treating detections as well-written code that can be tested, checked into source control, and code-reviewed by peers, teams can produce higher-quality alerts that reduce fatigue and quickly flag suspicious activity.
A proper QA for detection code can enable teams to discover detection blind-spots early on, cover testing for false alerts, and promote detection efficacy. A TDD approach allows security teams to think like an attacker, document that knowledge, and curate an internal repository of insight into the attacker’s lifecycle.
The advantage of TDD is more than just validation of code correctness. A TDD approach to writing detections improves the quality of detection code and enables more modular, extensible, and flexible detections. Engineers can easily make changes to their detection without fear of breaking alerts or hamstringing everyday operations.
When writing new detections or modifying them, version control allows teams to quickly and easily revert to previous states. It also confirms that teams are using the most up-to-date detection rather than referencing outdated or wrong code. Version control can also help give needed context for specific detections that triggered an alert or help pinpoint when detections are changed.
As new and additional data enters the system over time, detections must also change. A change control process is essential to help teams address and adjust the detections as needed, while simultaneously ensuring that all changes are well-documented and well-reviewed.
A Continuous Integration/Continuous Deployment (CI/CD) pipeline can be beneficial for security teams that have long wanted to move security further left. Using a CI/CD pipeline helps achieve the following two goals:
Writing detections in a universally-recognized, flexible, and expressive language such as Python offers several advantages instead of using domain-specific languages (DSL) that are too limited. With languages, such as Python, you can write more sophisticated and tailored detections to fit the needs specific to your enterprise. These rules also tend to be more readable and easy to understand as the complexity increases.
Another benefit of this approach is utilizing a rich set of built-in or third-party libraries developed by the security community for interacting with APIs or processing data, which increases the effectiveness of the detection.
Last but not least, Detection-as-Code can promote code reusability across a large set of detections. As teams write large numbers of detections over time, they start to see specific patterns emerge. Engineers can reuse the existing code to perform the same or very similar function across different detections without starting from scratch.
Code reusability can be a vital part of detection-writing that allows teams to share functions between detections or modify and adapt detections for specific use-cases. For example, suppose you needed to repeat a set of Allow/Deny lists (let’s say for access management) or a particular processing logic in multiple places. In that case, you can use Helpers in languages such as Python to share functions between detections.
Panther is a security analytics platform designed to alleviate the problems of traditional SIEMs. Panther is built for security engineers, by security engineers. Rather than inventing yet another proprietary language for expressing detection logic, Panther offers security teams a Python rules-engine to write expressive threat detection and automate detection and response at cloud-scale. Panther’s modular and open approach offers easy integrations and flexible detections to help you build a modern security operations pipeline.
Panther offers reliable and resilient detections that can make it easy to:
When writing a detection in Panther, you start with a rule()
function that identifies a specific behavior to identify. For example, let’s suppose you want an alert when a brute force Okta login is suspected. The following detection can help identify this behavior with Panther:
from panther_base_helpers import deep_get, okta_alert_context
def rule(event):
return (deep_get(event, 'outcome', 'result') == 'FAILURE' and
event['eventType'] == 'user.session.start')
def title(event):
return 'Suspected brute force Okta logins to account {} due to [{}]'.format(
deep_get(event, 'actor', 'alternateId'),
deep_get(event, 'outcome', 'reason'))
def alert_context(event):
return okta_alert_context(event)
Code language: Python (python)
Okta Brute Force Login Rule in Panther
In the above example:
Rules can be enabled and tested directly in the Panther UI, or modified and uploaded programmatically with the Panther Analysis tool, which enables you to test, package, and deploy detections via the command-line interface (CLI). And to assist with incident triage, Panther rules contain metadata such as severity, log types, unit tests, runbooks, and more.
Are you taking full advantage of all your security data to detect threats and suspicious activity? Learn how to secure your cloud, network, applications, and endpoints with Panther. Request a personalized demo today.
To learn how you can write custom Python detections in Panther, watch our on-demand webinar.