JupiterOne Takes an Engineering First Approach to Security Operations

JupiterOne, a cloud-native security company, is a leader in security asset management. Its platform focuses on providing context about the relationships between assets; by dynamically enriching data and attaching focused details to security events, it strengthens security teams' incident response capabilities.

As JupiterOne grew its security operations, the team recognized the importance of having a SIEM to gain insight into high-risk, critical actions within its systems. With events occurring across the tech stack, it was critical to centralize log visibility in one place for monitoring. The decision to adopt Panther stemmed from JupiterOne's alignment with Panther's cloud-native, engineering-first approach to detections-as-code.

We worked with one of Panther’s amazing engineers, Nate, and he helped us configure the Terraform to fit our needs. Ever since then it has just simply worked. We haven’t had to tweak it. We haven’t had to modify it. Haven’t had bug fixes or anything like that. It just works.

Kenneth Kaye, Security Automation Architect

Deploying Code-Driven SecOps

The team knew they would face frustration with the generic out-of-the-box detections provided by traditional SIEMs. These detections often produce false positives, flooding the system with unactionable alerts. Poor alerts not only consume valuable analyst time but also hinder the ability to promptly identify genuine security incidents.

Adopting the detections-as-code approach allowed the security team to customize, test, and fine-tune detections for their specific environment. Writing detections in Python gave them the flexibility to update and fine-tune detections rapidly, reducing the noise generated by traditional SIEMs and ensuring that alerts were tailored to their unique use cases.

When JupiterOne found it burdensome that detections cloned in the Panther Analysis Tool were disconnected from upstream updates, Panther responded to this feedback by adding a feature that allows users to customize Panther-provided detections while retaining their customizations as upstream updates arrive. This has resulted in better uptime, less maintenance, and detections specialized for JupiterOne's needs.

The team saw a marked drop in false positives, enabling them to focus their attention on high-fidelity alerts and legitimate security concerns. Coding detections provided a level of precision and customization that traditional SIEMs lack, resulting in a more efficient and accurate security monitoring process.

Building for the Cloud

As a cloud-native company, JupiterOne did not want to consider SIEM solutions that lacked the necessary cloud-native features. Legacy SIEMs are not designed to effectively monitor and secure dynamic cloud environments, which poses a significant challenge for modern security teams like JupiterOne's.

Panther’s cloud-native architecture addressed this challenge head-on. Specifically tailored for cloud environments, Panther provided the scalability, flexibility, and agility required to effectively monitor assets and events in their dynamic infrastructure.

Panther seamlessly integrated with their systems, ensuring that their security monitoring was aligned with the broader organization’s cloud-first approach.

Growing SecOps Coverage with a Small Team

As a small security team, JupiterOne wanted to avoid the burden of constantly tuning their SIEM. With traditional SIEMs, the rule-tuning process is time-consuming, and the team could have struggled to keep up with the demands of an ever-evolving threat landscape.

Embracing detections as code not only addressed the challenge of generic detections, but also allowed engineering to get more deeply involved in the tuning process. This collaborative approach let the team use Python to hone and manage detections efficiently across team members.

The collaborative effort across the JupiterOne team paired with the adoption of detections as code ensured that the SIEM was finely tuned to their environment, enhancing its overall effectiveness.

More teams are going to have to go towards engineering first; they're going to have to. The environment is changing, and the nature of security engineering and security operations is changing. It's scaling to the point where you can't hire enough people anymore to do all the work; you have to get smarter about it and engineer for security.

Kenneth Kaye, Security Automation Architect

Challenges

  • False Positives from Generic Detections: Many SIEMs provide generic detections that result in false positives and are often not tuned to a specific environment
  • Lack of Cloud-Native Features: Legacy SIEMs lacked the cloud-native capabilities required to address the challenges specific to a cloud-centric infrastructure
  • Limited Team Resources: With a lean team, the tech stack needs to support effortless scalability without requiring additional headcount

Solutions

  • Detections as Code: The ability to code and configure detections in Python allowed the security team to easily tailor alerts to their environment
  • Cloud-Native Architecture: Panther's cloud-native approach aligned seamlessly with their infrastructure, providing the flexibility and scalability needed for monitoring a dynamic environment
  • Accessible Features like Rule Filters: The addition of rule filters and code-free features in Panther allowed for more fine-tuned control over detections across the team's skill levels, enhancing the full team's ability to prioritize and act on security alerts

Results

  • Reduced False Positives: Detections as code empowered the team to refine alerts, reducing false positives and delivering actionable insights
  • Improved Cloud-Native Monitoring: Panther's cloud-native architecture addressed the specific challenges posed by their infrastructure, ensuring effective monitoring without unnecessary noise
  • Enhanced Collaboration: The ability to involve the broader team in tuning and managing detections enhanced collaboration for the security team
