Bitstamp is the world’s longest-standing cryptocurrency exchange, having provided safe, secure, and reliable access to crypto since 2011. With a proven track record and mature approach to the industry, Bitstamp provides a secure and transparent trading venue to over five million individuals and is the preferred choice for a range of institutional clients seeking a trusted partner to participate in crypto markets. Bitstamp is a sector leader in both security and compliance, with 51 licenses and registrations secured with financial regulators across the globe.
As the world’s most trusted cryptocurrency exchange, security is paramount for Bitstamp. The permanence of transactions in the crypto space leaves no room for error. Due to the decentralized nature of cryptocurrencies, a hack of assets will likely remain anonymous and final. Moreover, financial institutions are held to a strict regulatory standard and organizations must maintain proper security measures. Audits require extensive visibility across infrastructure and application data. Structuring a security program within such stringent requirements is already a challenge, but the difficulty is exacerbated when trying to secure a dynamic cloud environment.
When he joined Bitstamp, Jan Urbanc, Head of Security Operations, already had scars from trying to implement SIEM solutions in previous roles. Traditional tools were often incapable of handling voluminous and diverse log sets, detection logic was written in a complicated vendor-specific language, and testing and updating detection logic was a pain. Frustrated by the engineering hours required for set-up, overhead, and maintenance with many solutions on the market, he wanted to bring something new to Bitstamp.
With traditional tooling, getting a new detection to production took hours of engineering time. With Panther, it’s seconds or minutes,
Jan Urbanc
Head of Security Operations, Bitstamp
When faced with purchasing a SIEM solution at Bitstamp, the security team had several key reasons for choosing Panther.
The pricing of many SIEM tools forces security teams to pick and choose logs they’ll ingest – leading to a lack of visibility. With Panther, Bitstamp is able to efficiently ingest all the logs they need, including nontraditional or custom log sources – it removes the need to prioritize which data is important. “You cannot possibly find a product that could take 1TB of data a day at a similar price point,” Jan said. “That alone sidelines the majority of vendors.”
Moreover, having faced serious security incidents, Jan knows the importance of context. “When an incident occurs, it’s often one random log source that’s going to provide the information you need,” Jan noted. He’s been in active incidents where he needed to bolster the limited information that was placed in the SIEM. He’s tracked down random logs, and tried to organize and make sense of them in real time – a very stressful exercise when the clock is ticking.
With Panther’s flexible custom schemas and architecture built on a security data lake, it’s much simpler to ingest, structure, and query a wide variety of logs so they’re ready for urgent situations. Bitstamp has some standard logs like AWS CloudTrail and M365, but they also have organization-specific application and audit log types aka ‘skeleton in the closet’ logs. “We’re so thankful for the infer schema functionality.” Jan said, “The flexibility to throw any log source into Panther was a critical reason we chose the tool.”
For Bitstamp, a SIEM tool should use widely-adopted languages for detection and query logic. “A big issue I have with a number of SIEMs is their insistence on using some confusing vendor-specific language for detections,” Jan noted. In Panther, detections are written in Python – enabling engineers of all types to work in the tool.
Panther does provide a variety of out-of-the-box detections. “The AWS detections and policies that come with Panther are hyper-valuable,” Jan said. However, the Python language enables interesting use cases for customization and enrichment. “Python gives us flexibility to do a lot of things in a detection: data manipulation, quick queries, quick GET requests to APIs of interest – all of which enrich the detection.”
Moreover, Panther uses SQL for investigations. Given SQL’s longstanding history as a querying language, many engineers have experience writing it, and there is also robust documentation and support for it. “SQL has been around for decades, it’s easy to make efficient use of it.” Jan said, “When it comes to vendor-specific languages, they tend to be convoluted – making things difficult in the moment and adding complexity when it’s important to be fast and succinct.”
Panther enables customers to easily maintain, test, and update their detections via Detection-as-Code. For companies that want to optimize their detection workflows, Detection-as-Code helps them apply software development principles to detection logic. Bitstamp “is not in a business where we can allow changes to detection logic that would break production,” noted Jan. “Everything that impacts production is in a git repo and gets deployed in a CI/CD pipeline.”
With Panther, Bitstamp can easily version control their detections and open up detection logic for review before it enters production. It is also simple to test detections via mechanisms like unit testing or data replay. By implementing these features, Bitstamp sustainably manages changes to ensure detections deployed to production are ready.
A helpful benefit of strong version control and change management is compliance. “We are a highly regulated exchange, and we strive for audit logs for everything we do,” said Jan. Detection-as-Code practices leave a record of changes, giving the Bitstamp team a robust log trail relevant for any audit.
While Bitstamp originally chose Panther for technical capabilities, now that they’re up and running, they continue to be impressed by Panther’s dedication to supporting the operation of security teams. “We’ve been impressed by the team at Panther, they’re people from the security world looking to empower others in the security world,” Jan said. “The support has been really amazing – Panther is definitely customer obsessed.”
When reflecting on the success of Bitstamp’s Panther deployment, Jan gave two metrics: ratio of true positives to false positives and engineering hours to deploy a new detection to production. For the first metric, Panther enables Bitstamp to craft custom logic in Python and tune detections for their specific environment. By making it easy to refine detection logic, Panther helps Bitstamp consistently improve their true positive to false positive ratio.
For the deployment metric to be optimized, many components need to be in place – the team needs to be able to update the logic, test it and review it before it can be deployed into production. “With traditional tooling, getting a new detection to production took hours and hours of engineering time. With Panther, deployment takes seconds.”