FloQast Accelerates Detection Testing and Deployment with Panther

FloQast is an accounting software company based in Los Angeles, California. The business streamlines accounting workflows so their customers can complete critical accounting processes faster and more efficiently.

Technically, FloQast is a cloud-native organization with no on-premises hardware. Its infrastructure footprint in Amazon Web Services (AWS) was rapidly expanding, leading to a drastic increase in security-relevant logs. The security team needed a modern Security Information and Event Management (SIEM) platform that was easy to manage and could scale alongside AWS. However, the team found that traditional SIEM solutions relied on proprietary detection languages and inefficient data ingestion, making progress difficult.

The Challenge

Unreliable data ingestion

FloQast’s threat detection setup lacked centralized logging, and the team relied on disparate systems, each individually integrated with Slack, for alerting. FloQast had no central place to make a change that would benefit its entire security stack.

Limited detection capabilities

Using a proprietary language to code detections hindered FloQast’s security team. Skills in vendor-specific code and tooling did not transfer to other functions or security teams. They were seeking a solution that would let them easily hire people who could write detections in a widely used language.

Difficulty testing detections

Writing detections without a practical way to test them was becoming a significant frustration for the FloQast security team. Whenever a detection was tweaked, they had to wait for the triggering event to recur before they could judge whether the change was accurate.

The Solution

Increased data ingestion and retention

After deploying Panther, FloQast was able to ingest approximately ten times the amount of data compared to their legacy platform. The range of log types that could be ingested also expanded dramatically, as the team no longer needed to build custom ingestion for applications without a native integration. With Okta logs, for example, Panther provides a built-in integration that ingests and normalizes key “indicator of compromise” fields, along with built-in detections for effective alerting on specific behaviors. Finally, after deploying Panther the team was able to significantly relax its restrictions on data retention.

Robust out-of-the-box detection for AWS and a modern technology stack

When getting started, FloQast was able to turn on a variety of detections immediately. The pre-built logic for AWS environments and other common SaaS tools made it easier to hit the ground running with Panther.

Ability to grow the team and train staff quickly

Panther opened the door for FloQast to access a broader talent pool given how widely SQL and Python are used across security and other functions. Even FloQast colleagues from other teams (such as application security) now have the toolset to investigate independently without engaging the Detection & Response team.

Powerful and flexible detection-as-code

By leveraging the universal coding power of Python, FloQast grew confident that as their detection requirements increased in complexity, Panther would be up to the task. With Panther, FloQast could not only use the out-of-the-box detections but also easily translate pre-written detections from other platforms.
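The detection-as-code model described above, combined with the offline testing the Challenge section said the team lacked, as an added example that is not FloQast's or Panther's own code: a Python rule written in the shape of a Panther-style detection (a `rule(event)` function that returns True to alert, and a `title(event)` function for the alert text) that flags a successful Okta sign-in Okta has tagged as coming through an anonymizing proxy, replayed against constructed Okta System Log events so a change to the rule can be checked without waiting for a live event. The `rule`/`title` shape, the `deep_get` helper, `_okta_event` and the sample events are assumptions made for this example; the field names follow the Okta System Log schema.

```python
"""Okta anonymizing-proxy detection plus an offline replay harness (illustrative; not FloQast's or Panther's code)."""
from typing import Any, Dict, List, Tuple


def deep_get(event: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested dict keys, returning `default` if any level is missing."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: Dict[str, Any]) -> bool:
    """Return True (alert) for a successful Okta session start that Okta's
    securityContext flagged as coming through an anonymizing proxy."""
    if event.get("eventType") != "user.session.start":
        return False
    if deep_get(event, "outcome", "result") != "SUCCESS":
        return False
    return deep_get(event, "securityContext", "isProxy", default=False) is True


def title(event: Dict[str, Any]) -> str:
    """Alert title built from the actor and source IP carried in the event."""
    actor = deep_get(event, "actor", "alternateId", default="<unknown user>")
    src_ip = deep_get(event, "client", "ipAddress", default="<unknown ip>")
    return f"Okta login via anonymizing proxy: {actor} from {src_ip}"


def _okta_event(event_type: str, result: str, is_proxy: Any) -> Dict[str, Any]:
    """Build a constructed Okta System Log event (sample data, not real logs)."""
    ev: Dict[str, Any] = {"eventType": event_type, "outcome": {"result": result},
                          "actor": {"alternateId": "alice@example.com"},
                          "client": {"ipAddress": "198.51.100.7"}}
    if is_proxy is not None:  # None models an event with no securityContext at all
        ev["securityContext"] = {"isProxy": is_proxy}
    return ev


# Each case pairs a constructed event with the verdict the rule must return.
TEST_CASES: List[Tuple[Dict[str, Any], bool]] = [
    (_okta_event("user.session.start", "SUCCESS", True), True),   # true positive
    (_okta_event("user.session.start", "SUCCESS", False), False), # ordinary login
    (_okta_event("user.session.start", "FAILURE", True), False),  # failed attempt
    (_okta_event("user.session.end", "SUCCESS", True), False),    # wrong event type
    (_okta_event("user.session.start", "SUCCESS", None), False),  # field absent
]


def run_tests(cases: List[Tuple[Dict[str, Any], bool]] = TEST_CASES) -> List[Tuple[int, bool, bool]]:
    """Replay each case through rule(); list (index, expected, actual) for any mismatch."""
    results = [(i, want, rule(ev)) for i, (ev, want) in enumerate(cases)]
    return [r for r in results if r[1] != r[2]]
```

An empty list from `run_tests()` means every constructed case produced the expected verdict, which is the check a reviewer would run before deploying an edited rule.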

The Result

With Panther, FloQast is well-positioned to continue optimizing its detection and response process. With easy-to-learn detection writing (Python) and query functionality (SQL) for everyone on the security team, the Detection & Response team has more time to focus on their role in maintaining the company’s security posture. 

Panther has enabled FloQast to: 

  • Ingest ten times more data from a wider list of data sources
  • Significantly reduce restrictions on data retention
  • Craft powerful and flexible detections with Python
  • Analyze logs as they are ingested and leverage more context for alerts
  • Improve the flexibility and scalability of their detection and response processes

The ability to customize detections really quickly and easily and then test them with the Panther analysis tool makes life a lot easier.

Page Glave

Security Engineer, FloQast

  • A lack of centralized visibility into their systems made threat monitoring difficult
  • Legacy solutions required specialized knowledge to write and deploy new detection rules
  • The absence of testing and controls in their detection development pipeline slowed down progress
  • Native support for data sources and centralized logging enhanced visibility
  • Detections-as-code and OOTB rules with version control and easy testing
  • Python based detections expanded hiring options to rapidly grow the team
  • Ingesting and monitoring 10x more data than with their legacy solution
  • Enhanced threat monitoring improved security posture and threat coverage
  • Removed silos between teams to improve collaboration and speed up investigations
