GitLab’s SIEM-journey in a Cloud-Native World: Build vs Buy
How GitLab Inc. deprecated their homegrown SIEM solution for its own internal monitoring and adopted detection-as-code and a scalable security data lake with Panther.
- Too much data across multi-cloud and Software-as-a Service infrastructure
- Visibility into peripheral data sources
- Time-consuming internal development to build a homegrown solution
- Ingest data from cloud, SaaS, endpoint management, and internally built red team tools
- Complete feedback loop by connecting to GitLab Inc.’s case management solution
- Continuous real-time testing with detection as code
- Established more robust change management processes
- Streamlined communications and monitoring
- Refocused engineering cycles on security projects
GitLab Inc. provides The DevOps platform that empowers organizations to maximize the overall return on software development by delivering software faster and efficiently while strengthening security and compliance. As an all-remote company, they needed a scalable solution that enabled them to manage security for more than 30 million estimated registered users and over 1350 employees across 65 countries.
I love your product. It’s exactly what we were trying to build ourselves.
-Jan Urbanc, Director of Security Operations
The Build Challenge
GitLab Inc.’s security team built and deployed a SIEM tool for monitoring security internally. However, achieving the needed visibility and keeping up with rapidly increasing organizational demands and scaling, proved to be more challenging than expected; effectively turning them from a security team into a business product development team.
Vast attack surface with an overwhelming amount of data
The GitLab security team wanted to ingest as many different data sources as possible, including SaaS logs, cloud provider logs, infrastructure logs, security monitoring tool logs, and more for complete visibility across their internal and external environments.
Lack of peripheral view as part of cost reduction
To reduce costs, the GitLab security team found that they ingested only the most valuable or obvious data sources. In doing so, they neglected many of the peripheral ones. They sought a solution that would allow them to incorporate those peripherals because they would be valuable to threat hunting and response.
Unwieldy homegrown tool increased operational costs
In early 2019, the GitLab security team launched its internally built tool into early production, with full deployment in summer 2019. However, three months later, problems started to emerge. As the team added more data sources and new alert types, the inability to prioritize alerts and increased usage led to availability issues, duplicated alerts, and increased noise. By the time they decided to look for another option, the team was spending three weeks of engineering time every month to maintain availability.
Inability to scale reduced cost-savings
With no way to change the management process, pushing new detections and alerts became problematic. The security team encountered data retention problems. They proposed multiple solutions, like sending only specific logs and sending logs to cold storage after a certain amount of time. They suggested spinning up on-demand replicas of the ELK stack just to ingest that data. In the end, none of these worked well.
Solution: Buying Beats Building. Ingest More. Enhance Security. Spend Less.
With Panther, GitLab Inc.’s security team can ingest cloud infrastructure logs from GCP and AWS. They ingest single sign-on, Google workspace, and audit logs to review for information over-sharing some information. Additionally, they ingest data from their endpoint management system and their Endpoint Detection and Response (EDR) tool. Finally, Panther gives them the ability to incorporate business-critical SaaS logs that help secure daily operations.
Detection-as-code for continuous testing and reduced operational costs
Using Panther, the GitLab Inc. security team uses GitLab as the code repository for their alerts. Since all alerts use Python code, the team can write and save them to the repository. Then, they use CI/CD pipelines in GitLab to test and deploy these rules to Panther. Leveraging Panther’s detection-as-code capabilities means that the team can test the rules in real-time, eliminating false positives. Instead of spending engineering cycles on upkeep, they can focus on projects.
Complete feedback loop
With companies moving toward engineering-centric workflows, Panther’s flexibility enables the GitLab security team to connect directly with their case management solution. This gives them the ability to track changes as well as build alerts and investigations directly into their workflows. The GitLab Inc. Security Incident and Response Team team works more effectively with the rest of the engineering and security teams who use their case management solution, and it helps them manage repositories across teams.
Flexibility for cross-functional communication
Panther’s flexibility enables the different security and business functions across GitLab Inc. to work together more effectively. The red team builds their own tools for monitoring the company’s IP space and forwards the logs to Panther.
The GitLab Inc. security team recently found that other departments started relying on their data. Now, the legal, compliance, and IT departments are relying on the data ingested in Panther. With security increasingly a cross-functional business imperative, the ability to extend their Panther use across multiple departments streamlines communication.
Detection and Investigation with the Security Data Lake
Bring your Snowflake data lake to life by applying retrospective analysis across Petabytes of high-scale security data.
Figma, Snowflake & Panther Discuss: A Fresh Approach to Security
Modern security goes beyond threat detection & response to operationalize security for the business