Adopt a modern, test-driven methodology for Detection-as-Code security in your organization.
Threat detection has become more business-critical and complicated over the last decade. Manual threat detection processes are becoming obsolete as businesses migrate to the cloud. How can teams automate security analysis at scale while addressing the threats to business objectives? The solution is to treat threat detections as software, or detection-as-code.
Watch Panther’s On-Demand Webinar: Scaling Security with Detection-as-Code with Cedar to see how Cedar leverages Panther to produce high-signal alerts using Detection-as-Code.
A New Approach to the Detection-as-Code Paradigm
Detections define the logic used to analyze security log data in order to identify attacker behaviors. When a rule is violated, an alert is generated and sent to your team for containment or investigation.
What exactly is detection-as-code?
Detection-as-code is a modern, flexible, and structured approach to writing detections that applies best practices from software engineering to security. Adopting this paradigm allows teams to create scalable methods for building and strengthening detections so they can catch complex threats in rapidly growing environments.
The Advantages of Using a Code-Driven Workflow
The most effective threat detections are those tailored to individual environments and systems. By treating detections as well-written code that can be tested, checked into source control, and code-reviewed by peers, teams can produce higher-quality alerts that reduce fatigue and quickly flag suspicious activity.
1 — Use a Programming Language to Create Custom, Flexible Detections
Writing detections in a widely known, versatile, and expressive language like Python has several benefits over using narrow domain-specific languages (DSLs). With a language like Python, you can create more advanced and customized detections to meet the demands of your business, and as the complexity of the rules grows, they remain readable and understandable.
Another advantage of this technique is that it makes use of a large range of built-in or third-party libraries established by the security community for communicating with APIs or processing data, which improves detection efficacy.
2 — Test-Driven Development (TDD)
Thorough QA of detection code helps teams identify detection blind spots early, test for false positives, and increase detection effectiveness. TDD empowers security teams to think like attackers, record that knowledge, and build an internal library of information about the attacker lifecycle.
TDD offers more than correctness checking. A TDD approach to designing detections raises detection code quality and allows for more modular, extensible, and adaptable detections. Engineers can quickly modify a detection without fear of breaking alerts or disrupting daily operations.
3 — Work with Version Control Systems
Version control enables teams to swiftly and easily return to earlier states while creating new detections or updating existing ones. It also ensures that teams are using the most recent detection rather than referencing obsolete or incorrect code. Version control may also assist in providing relevant context for individual detections that prompted an alert or in determining when detections are altered.
Detections must change as new and extra data enters the system over time. A change control procedure is required to assist teams in responding to and adjusting detections as needed, while also ensuring that any changes are well-documented and well-reviewed.
4 — Reliable Detection Using Automated Workflows
A Continuous Integration/Continuous Deployment (CI/CD) pipeline may help security teams that have long desired to push security to the left. Using a CI/CD pipeline aids in the achievement of the following two objectives:
Remove silos between teams as they collaborate on a single platform, code-review each other’s work, and remain organized.
Give your security detections automated testing and delivery processes. Teams stay nimble by concentrating on developing fine-tuned detections, rather than manually testing, deploying, and verifying detections that are poorly tuned and might produce false positives.
5 — Code Reusability
Last but not least, detection-as-code encourages code reuse across a wide range of detections. As teams write many detections over time, distinctive patterns emerge. Engineers can reuse existing code to perform the same or a very similar job across several detections without writing it again.
Code reusability is an important aspect of detection writing because it lets teams share functions across detections or tweak and adapt detections for unique use cases. Suppose you needed to reuse a set of Allow/Deny lists (say, for access control) or a particular piece of processing logic in several places. In that situation, you can share functions across detections by using Helpers in languages like Python.
Panther is a security analytics platform created to address the shortcomings of existing SIEMs. Panther was built by security engineers for security engineers. Rather than establishing yet another proprietary language for expressing detection logic, Panther provides security teams with a Python rules engine for writing expressive threat detections and automating detection and response at scale. Panther’s modular and open architecture allows for simple integrations and customizable detections, letting you build a modern security operations pipeline.
Panther’s detection-as-code methodology
Panther provides dependable and robust detections that make it simple to:
Create expressive and adaptable detections in Python for your company’s requirements.
Structure and standardize logs into a tight structure that allows Python detections and SQL queries.
Conduct real-time threat detection and power investigations on vast amounts of security data.
Take advantage of 200+ pre-built detections that are mapped to various threats, suspicious activities, and security frameworks such as MITRE ATT&CK.
Panther Detection Example
In Panther, you begin by writing a rule() function that specifies a particular behavior to detect. Suppose you want an alert whenever a brute-force Okta login is detected. Panther can help identify this behavior by detecting the following:
In the above example:
The rule() method accepts one ‘event’ parameter and returns a boolean result.
The title() method produces the alert message delivered to analysts. Event values can be interpolated into it to provide useful context.
Rules can be enabled and tested directly in the Panther UI or programmatically using the Panther Analysis tool, which lets you test, package, and deploy detections from the command-line interface (CLI). Panther rules also carry metadata such as severity, log types, unit tests, runbooks, and more to aid triage.
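The rule()/title() shape described above, written out as an added example for the Okta brute-force case (and exercised the TDD way, with assertions on sample events, as the TDD section recommends). This is not Panther's own code: it uses plain dicts for events, assumes Okta System Log field names (eventType, outcome.result, actor.alternateId, client.ipAddress, published), and replaces Panther's threshold handling with a small in-memory stand-in.

```python
# Added example (not Panther's code): a detection in the rule()/title()
# shape the article describes, for Okta failed logins, plus a plain-Python
# stand-in for threshold-based brute-force alerting. Assumed Okta System
# Log fields: eventType, outcome.result, actor.alternateId, client.ipAddress.
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_EVENT = "user.session.start"
THRESHOLD = 5                    # failures before an alert fires (assumed)
WINDOW = timedelta(minutes=15)   # sliding window for counting (assumed)


def rule(event):
    """Return True when the event is a failed Okta login attempt."""
    return (event.get("eventType") == LOGIN_EVENT
            and event.get("outcome", {}).get("result") == "FAILURE")


def title(event):
    """Alert title shown to analysts, with event values interpolated."""
    user = event.get("actor", {}).get("alternateId", "<unknown user>")
    ip = event.get("client", {}).get("ipAddress", "<unknown ip>")
    return f"Failed Okta login for {user} from {ip}"


def brute_force_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Stand-in for a threshold/dedup: per user, alert once when exactly
    `threshold` matching failures fall inside `window`."""
    by_user, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["published"]):
        if not rule(ev):
            continue
        user = ev.get("actor", {}).get("alternateId", "<unknown user>")
        ts = datetime.fromisoformat(ev["published"])
        hits = [t for t in by_user[user] if ts - t <= window] + [ts]
        by_user[user] = hits
        if len(hits) == threshold:
            alerts.append(title(ev))
    return alerts


# Constructed sample log: five failures for alice inside three minutes,
# then a success for alice, and two failures for bob (below threshold).
def _okta(user, result, ip, minute):
    return {"eventType": LOGIN_EVENT, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "published": f"2024-01-01T10:{minute:02d}:00"}

SAMPLE_EVENTS = (
    [_okta("alice@example.com", "FAILURE", "203.0.113.7", m) for m in range(5)]
    + [_okta("alice@example.com", "SUCCESS", "203.0.113.7", 5)]
    + [_okta("bob@example.com", "FAILURE", "198.51.100.2", m) for m in (1, 9)])
```

Running brute_force_alerts(SAMPLE_EVENTS) yields one alert for alice and none for bob; lowering the threshold to 2 makes bob's two failures fire as well, which is the kind of tuning a unit test should pin down before a change ships.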
Are you using all of your security data to identify threats and suspicious activity? Panther Enterprise can help you protect your cloud, network, apps, and endpoints. Request a demo right now.