Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Panther 101: Bootstrapping Your Cloud SIEM (Webinar Deck)


Published on

Panther Labs Founder & CEO, Jack Naglieri, walks through the Panther UI and explains product functionality.

Panther is an open source, cloud-native SIEM for modern security teams. With Panther, you can detect threats with log data and improve cloud security posture. It's designed for modern security teams to do more with less resources using automation and cloud-first workflows.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Panther 101: Bootstrapping Your Cloud SIEM (Webinar Deck)

  1. 1. Jack Naglieri | Founder & CEO | Panther 101 Bootstrapping Your Cloud SIEM
  2. 2. Panther 101 Agenda 1. Panther Overview 2. Architecture Review 3. How to use Panther 4. Live Demo 5. Q&A
  3. 3. CHALLENGES TODAY Traditional security monitoring techniques no longer offer protection against new and emerging threats in a cloud-first world. Hiring ScaleEffective Tools Panther 101
  4. 4. Our team spent years building detection at scale for companies like Airbnb and Amazon. Panther 101
  5. 5. Panther is an open source, cloud-native SIEM for modern security teams.
  6. 6. ARCHITECTURE Panther runs fully on top of AWS services like Lambda, ECS, DynamoDB, S3, Cognito, and more Panther 101
  7. 7. Use Python for expressive and transparent detections FLEXIBLE Built for big data and high performance SCALABLE Self-hosted for maximum data security SECURE Serverless architecture offers efficiency at scale COST EFFECTIVE
  8. 8. Find all IAM roles that have the Administrator or * based policies attached Find Permissive IAM Roles USE CASES Analyze the output of OSSEC/osquery and flag highly suspicious activity Detect Host-Based Compromise Query all logs for IOC matches with standardized data fields Quickly Search Indicators Analyze VPC Flow, Suricata, Bro, or other sensors to identify network traffic to sensitive hosts, command and control, and more Monitor Suspicious Network Traffic Panther 101
  9. 9. ● SSH credentials are stolen ● There’s no 2FA on the EC2 instance ● The attacker logs into the host and begins to enumerate HOW TO USE PANTHER Panther 101 ATTACKER SCENARIO: How can we detect, investigate, and remediate this?
  10. 10. CONCEPTS/TERMS A cloud component, e.g. Users, virtual machines, or storage buckets. RESOURCE A detection to identify suspicious activity. RULE A function representing the desired secure state of a resource. POLICY Notification of a policy failure, or a new alert has triggered on an event. ALERT A normalized log line, e.g. CloudTrail, Osquery, or Suricata. EVENT Panther 101
  11. 11. Incident Response Lifecycle with Panther Detect suspicious activity Gather indicators and evidence Query logs and resources Remediate resources Update detections Panther 101
  12. 12. Panther 101 Step 1: Prepare
  13. 13. Step 1: Prepare Panther 101 Host logins from outside of our trusted network AWS API Access Denied Errors
  14. 14. Step 2: Detect Panther 101
  15. 15. Step 2: Detect Panther 101
  16. 16. All parsed logs Network traffic data 1 i-016e2cb69ac58c2d5 Step 2: Detect Panther 101 SELECT DISTINCT instanceid, COUNT(*) AS login_count FROM "panther_logs"."aws_vpcflow" WHERE srcaddr = '' AND dstport=22 AND month=3 AND day=3 GROUP BY instanceid ORDER BY login_count DESC
  17. 17. Host IP(s) and name
  18. 18. Step 3: Investigate Panther 101
  19. 19. Step 4: Remediate Panther 101
  20. 20. Inputs & Outputs
  21. 21. RESOURCES CloudTrail Config DynamoDB EC2VPC ELB GuardDuty IAM KMS RDS S3 WAF Redshift SQS SNS Write policies for any of the following resource types Panther 101
  22. 22. LOGS Analyze incoming data for suspicious activity Panther 101
  23. 23. DESTINATIONS Dispatch alerts and integrate existing workflows Panther 101
  24. 24. Platform Demo
  25. 25. Subscription Tiers Enterprise Real-Time Log Analysis Cloud Security and Remediation Real-Time Alerting Historical Search of Log Data Powerful User Interface 200+ pre-built Rules and Policies —Free— +Basic Features 24 x 7 Support & Live Chat 150+ Premium Analysis Packs Role-Based Access Control Reporting and Analytics Audit Logging —Contact Us— Max scale and performance Community Panther 101
  26. 26. Q & A