JupiterOne, a cloud-native security company, is a leader in security asset management. Their tool focuses on providing added context on the relationships between assets. Its ability to dynamically enrich data and provide focused details to security events enhances security team incident response capabilities.
As JupiterOne grew their security operations, they recognized the importance of having a SIEM to gain insight into high-risk, critical actions within their systems. With events occurring across their tech stack, it was critical to centralize visibility into their logs in one place for monitoring. The decision to adopt Panther stemmed from JupiterOne’s alignment with Panther’s cloud-native, engineering-first approach to detections-as-code.
We worked with one of Panther’s amazing engineers, Nate, and he helped us configure the Terraform to fit our needs. Ever since then it has just simply worked. We haven’t had to tweak it. We haven’t had to modify it. Haven’t had bug fixes or anything like that. It just works.
Kenneth Kaye
Security Automation Architect
The team knew they would face frustration with generic out-of-the-box detections provided by traditional SIEMs. These detections often result in false positives, flooding the system with unactionable alerts. These poor alerts not only consume valuable time but also hinder the ability to promptly identify genuine security incidents.
Adopting the detections-as-code approach allowed the security team to customize, test, and fine-tune detections according to their specific environment. By leveraging Python, they gained the flexibility to update and fine-tune detections rapidly, reducing the noise generated by traditional SIEMs and ensuring that alerts were tailored to their unique use cases.
When JupiterOne found it burdensome that detections cloned in the Panther Analysis Tool were disconnected from upstream updates, Panther responded to this feedback by adding a feature that lets users customize Panther-provided detections without losing those customizations when upstream updates arrive. This has resulted in better uptime, less maintenance, and specialized detections for JupiterOne’s specific needs.
The team experienced a notable lack of false positives, enabling them to focus their attention on high-fidelity alerts and legitimate security concerns. The ability to write detections as code provided a level of precision and customization that traditional SIEMs lack, resulting in a more efficient and accurate security monitoring process.
JupiterOne, being a cloud-native company, didn’t want to consider SIEM solutions that lacked necessary cloud-native features. Legacy SIEMs are not designed to effectively monitor and secure dynamic cloud environments, posing a significant challenge for modern security teams like JupiterOne.
Panther’s cloud-native architecture addressed this challenge head-on. Specifically tailored for cloud environments, Panther provided the scalability, flexibility, and agility required to effectively monitor assets and events in their dynamic infrastructure.
Panther seamlessly integrated with their systems, ensuring that their security monitoring was aligned with the broader organization’s cloud-first approach.
Being a small security team, JupiterOne wanted to avoid the difficulty of constantly tuning their SIEM. With traditional SIEMs, the rule tuning process is time-consuming, and the team may have struggled to keep up with the demands of an ever-evolving threat landscape.
Embracing detections-as-code not only addressed the challenge of generic detections, but also allowed engineering to get more deeply involved in the tuning process. This collaborative approach empowered the team to leverage Python for honing and managing detections efficiently across team members.
The collaborative effort across the JupiterOne team, paired with the adoption of detections-as-code, ensured that the SIEM was finely tuned to their environment, enhancing its overall effectiveness.
More teams are going to have to go towards engineering first, they’re going to have to. The environment is changing and the nature of security engineering and security operations is changing. It’s scaling to the point where you can’t hire enough people anymore to do all the work; you have to get smarter about it and engineer for security.
Kenneth Kaye
Security Automation Architect