Wolt Streamlines Security Operations with Detection-as-Code

Wolt, a subsidiary of DoorDash, is a fast-growing Finnish technology company best known for its local commerce platform. Their security team was using a SIEM solution that didn’t offer as much flexibility as they needed, especially regarding their data ingestion, detection deployment, and alert management workflows. Driven by the desire to move to an “everything-as-code” approach, the security team chose Panther as their new security solution. 

With Panther there is a certain kind of transparency in having everything as code. There’s no smoke screen or hall of mirrors thing going on where something is happening behind the scenes and you have no idea what it is. It is all extremely clear and well documented. There is this fuzziness when it comes to many, many security tools, and when it comes to Panther I have been happy to find none of that.

Anssi Matti Helin

Wolt Security Operations Lead

Wolt’s Preference for Everything-as-Code 

The primary motivation to adopt detection-as-code was the team’s desire to integrate security operations seamlessly into their existing development workflows. By shifting to detection-as-code, Wolt could leverage the same development practices and tools their engineering teams were already familiar with. This approach enables consistent version control, automated testing, and streamlined collaboration among security and development teams.

Making changes with the integrated testing in Panther Analysis Tool makes it possible to be much more fearless with the changes. I don’t need to wonder if this will break something, because I know if it will break something before I even deploy it.

Anssi Matti Helin

Wolt Security Operations Lead

Wolt implemented detection-as-code using Panther’s integration with version control systems like Git, allowing security engineers to write, test, and review detection rules like any other piece of code. Code reviews and pull requests ensured security rules were thoroughly vetted, improving their quality and accuracy. The Wolt security team uses continuous integration and continuous deployment (CI/CD) pipelines to automatically test and deploy their detections. This automation reduces the manual effort required for managing detections and ensures that changes are deployed rapidly and reliably.

Python-based detection-as-code has enabled the Wolt team to both tune out-of-the-box detections and create their own. They created one global filter function and an import function to easily tune their Okta detections and customize the existing rule set to better suit their needs, an experience Anssi Matti described as “dead simple and very straightforward.” 
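As an added illustration of the pattern this paragraph describes (example code, not Wolt's or Panther's own), here is a Panther-style Python rule for Okta System Log events that calls a shared tuning filter before its own logic, so every Okta rule can be tuned from one place. The event types and field names follow the Okta System Log schema; the helper names, the exclusion list and the sample events are assumptions constructed for this example.

```python
# Constructed tuning data: accounts whose routine Okta activity the team has
# reviewed and chosen to suppress (a help-desk automation account here).
OKTA_EXCLUDED_ACTORS = {"svc-helpdesk@example.com"}

# Okta System Log event types emitted when an MFA factor is removed.
MFA_REMOVAL_EVENTS = {"user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}


def deep_get(obj, *keys, default=None):
    """Walk nested dicts without raising (kept local so the block runs alone)."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def okta_global_filter(event):
    """Shared tuning hook: True means 'known noise, do not alert'.
    In Panther this would sit in a global helper module imported by every
    Okta rule, so exclusions are maintained in one place."""
    actor = deep_get(event, "actor", "alternateId", default="")
    return actor.lower() in OKTA_EXCLUDED_ACTORS


def rule(event):
    """Panther calls rule(event) per log line; True raises an alert.
    Alerts when someone other than the account owner removes a factor."""
    if event.get("eventType") not in MFA_REMOVAL_EVENTS:
        return False
    if deep_get(event, "outcome", "result") != "SUCCESS":
        return False
    if okta_global_filter(event):
        return False
    actor = deep_get(event, "actor", "alternateId", default="")
    target_user = next(
        (t.get("alternateId", "") for t in event.get("target") or []
         if t.get("type") == "User"),
        "",
    )
    return bool(actor) and actor.lower() != target_user.lower()


def title(event):
    """Alert title shown in the Panther console and in the Slack bot message."""
    actor = deep_get(event, "actor", "alternateId", default="<unknown>")
    targets = [t.get("alternateId", "") for t in event.get("target") or []
               if t.get("type") == "User"]
    return f"Okta MFA factor removed from {', '.join(targets) or '<unknown>'} by {actor}"
```

With Panther Analysis Tool, sample events like the ones below would normally be declared as unit tests next to the rule so a tuning change that silences a real case fails before deployment.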

Integrating security directly into the development lifecycle, coupled with the automation and collaboration benefits, resulted in an overall more robust and agile security posture, positioning Wolt to better protect its customers and assets.

Flexible, Managed Data Pipelines 

Wolt’s security team faced the common challenge of effectively managing and analyzing the vast amounts of data generated by their growing infrastructure. Legacy SIEMs, like the one they were using, leave end users to manage their data pipelines and integrations themselves. When those integrations broke, and they sometimes did, the team had to spend engineering hours resolving the issues. Recognizing these limitations, Wolt sought a solution that could scale with their growth and would not require engineering hours to manage.

Panther’s flexible and scalable cloud-based architecture lets Wolt easily ingest its critical data sources. With native out-of-the-box integrations and support for data transports like S3, Wolt’s engineers no longer need to dedicate time to managing their data pipelines. They were able to start ingesting crucial security logs from sources like GitHub, AWS, and MongoDB Atlas right away. For especially high-volume log sources, they use Panther’s out-of-the-box filtering capabilities to ensure they ingest only security-relevant data.

We really value the ease of onboarding our very diverse set of services that we use. External services, hosted services, managed services, all of them. And having all of those logs in the same place with the unified detection model and the unified fields.

Anssi Matti Helin

Wolt Security Operations Lead

With a unified view of all their security logs, Wolt’s security team could detect and respond to threats more quickly and accurately. The real-time ingestion and analysis capabilities allow for the immediate identification of suspicious activities. The increased visibility also gave the security team a holistic view of their environment, leading to more informed decision-making and strategic planning. 

Improved Alert Response & Investigation Workflows 

The Wolt security team needed a solution to streamline alert management and provide comprehensive tools for efficient investigations. With their previous solution, alert investigation and remediation were largely manual efforts. They implemented Panther’s Slack bot to act on and resolve alerts more seamlessly. The boomerang feature lets users prompt other Slack users for information about an alert, such as confirmation of activity involving their account. Using the Slack bot means the security team doesn’t need to open the Panther console to resolve an alert, and it supports quick remediation even when collaborating with less technical team members.

While a technical team like Wolt could build their own Slack bot, Anssi Matti, the Security Operations Lead, is glad that they don’t have to spend their dedicated security resources creating and maintaining something themselves. 

Because Panther normalizes data upon ingestion and employs a unified data model, queries against Panther’s data lake backend are fast. During an investigation, such as one into a potential insider threat, the unified data model makes it simple to search for a user’s identifier, such as an email address, across all of their logs at once.

The data lake’s support for complex searches and correlations across their ingested data enables Wolt to uncover hidden threats and anomalies that might have been missed with less sophisticated tools. This deeper visibility provides insights into potential vulnerabilities and attack vectors, allowing for proactive threat mitigation.

Challenges

  • Inflexible detections from the existing solution’s rigid logic led to challenges with scale and performance
  • Significant maintenance overhead, with engineering addressing failed pipeline integrations, resulting in limited visibility
  • Disjointed remediation workflows from manual, one-way alert integrations

Solution

  • Adopted an everything-as-code approach to their detection and response process
  • Streamlined data onboarding with Panther’s support for data transports like S3 and robust native integrations
  • Started managing alerts more effectively with the Panther Slack Bot

Results

  • High-efficacy, rigorously tested detections deployed with version control for improved collaboration and threat detection
  • Consistent visibility into the security ecosystem and less maintenance overhead spent managing data pipeline configurations
  • Smoother, faster alert remediation with the boomerang alert management feature, especially when collaborating with less technical users
