Learn how Cedar is leveraging Detections-as-Code with Panther to build high-signal alerts to gain visibility into user activity, suspicious behaviors, and unauthorized data sharing.

1. Scaling Security with
Detections-as-Code
SPEAKERS:
Jack Naglieri, CEO & Founder - Panther
Aaron Zollman, CISO - Cedar

2. Cedar & Panther
01
Introduction

3. Today’s Speakers
Jack Naglieri
Founder, CEO, Panther Labs
Aaron Zollman
CISO, Cedar
9+ years in detection and response
Ex-Airbnb and Yahoo
Co-creator of StreamAlert
20+ years in security
Offense -> Threat Intel -> Defense
Startups -> Finance -> Back again

4. Scaling up detection and response in a
rapidly changing environment is hard
Intro

5. How Cedar Scales Security:
● Going from 0 to 1 with a small team
● Using detections-as-code to identify “badness”
● Operationalizing alerting response
● Scaling all of the above by onboarding new data
Today We’ll Cover

6. The billing process
was not made for patients
W H Y C E D A R
R E C E I V E S T R E A T M E N T
P A Y E R T O U C H P O I N T S
● Provider bill(s)
● Calls, payment plans, discounts
● Pay bill
P R O V I D E R T O U C H P O I N T S
● Complicated payer EOB(s)
● Calls, appeals, denials
● COB and subrogation calls
Patient
of healthcare consumers
had a healthcare bill go to
collections in the last year1
34%
T O P R E A S O N S I N C L U D E :
43% 26%
confusion about
bill amount1
outdated billing &
notification process1
22m
Americans with otherwise clean
credit have had their credit score
affected by medical bills <$2502
1.Cedar/Survata research
2.U.S. Consumer Financial Protection Bureau

7. A standout
user experience
7
Remove barriers to
engagement (and payment)
● Reach patients at the time in the
right place with dynamic outreach
● Drive engagement with
easy-to-understand messaging
● Guide patients to the best possible
outcomes with tailored payment options

8. 8
2020 Cedar, Inc. All rights reserved
157m
$ 10m+
33 50b
$
funding
client partners
patients served
per year
net patient
revenue of clients
8
Top technology investors
150+ team members from
About Cedar
+
+

9. Who? Small team, in a highly regulated industry
Goal: To keep up with speed of business &
rapidly evolving attack surface
Cedar Security Team

10. Panther alleviates the problems
with traditional SIEMs
Why?
Detections-as-Code Structured Data Lake Cloud-Native

11. Alerts
Incident
Orchestration
Incident
Management
Panther’s Arch
Data Sources
Real-time
Monitoring
Detect
Normalize
Parse
Your security Data Lake
Search
Indicators
Explore
Data
B.I. Tools
Custom
Visualizations

12. Detecting manual AWS changes in production
02
Scenario 1

13. Detecting manual AWS changes in production
● Ideally: Changes happen with infrastructure-as-code
● Scary scenario: Identify attackers attempting to circumvent controls or exfil
● More likely scenario: senior engineer with a high priority change request
● Demo example: manual changes to security groups
Scenario 1

14. CloudTrail
Events are sent
to Panther in
real-time via S3
Panther
Panther parses,
normalizes, applies
Python detections
Scenario 1
Slack
The team is notified in
Slack, reviews the
alert, and responds
with emojis

15. Demo #1 - CloudTrail

16. Scale without becoming overloaded with alerts
03
Techniques

17. Benefits
● Repeatable
● Consistent
● Easy to Maintain
What is it?
● Express cloud components as reusable
code
● Support for CloudFormation or Terraform
● Onboarding additional accounts is fast
● Serverless for high-scale
#1 - Infrastructure-as-Code (IaC)

18. A modern and systematic way to write detections
using software engineering principles
Detection-as-Code

19. Monitoring Google Drive Shared Files
● Single SIEM managing both “prod” and “corp” environment
● PHI, PII and sensitive data loss is a risk to the business across the board
● Google Workspace is one of our key collaboration tools
● Teams vary widely in risk and operational complexity
● Approach has to be targeted but scalable
Scenario 2

20. Demo #2 - G Suite

21. Add reliability to your detections
● Promotes detection efficacy
● Positive/negative use-cases
● Test-driven development
● Protect against regressions
#2 - Testing

22. Demo #3 - Testing

23. Code review and versioning
● Cross-team collaboration
● History of changes and approvals
● Satisfy auditing and compliance
needs
#3 - Source Control

24. Hands-off detection management
● Consistency and reliably
● Auto-upload on merge
● Staging/prod parity
#4 - Continuous Deployment
Develop
Security team
creates new
detections
GitHub
A branch is pushed to
source control and a
pull request is opened
Panther
On merge, a job will
automatically push
directly to Panther

25. Shared logic applied to multiple detections
● Convenience functions
● Global configurations
● Data models
#5 - Helpers and Models

26. Evolving detection over time
04
Moving Forward

27. Discovery and onboarding of new data
● Ingesting custom logs
● The process
○ Write schema and data models
○ Ingest the data
○ Discover behaviors
○ Write detections
Next Steps

28. Small security teams can be mighty!
● Understand your environment and the right approach for your team
● Centralize and normalize data
● Iterate and evolve your detections over time
● Techniques for Scaling:
○ Infrastructure-as-Code
○ Detection-as-Code
○ Testing
○ Source Control
○ Continuous Deployment
○ Helpers and Models
Key Takeaways

29. Resources
● Demo Scenario: https://github.com/panther-labs/panther-
analysis
● Panther Community Edition: https://github.com/panther-
labs/panther
● Panther Docs: https://docs.runpanther.io/
● Panther Slack Community: https://slack.runpanther.io/

30. Q & A

31. THANK YOU!