Panther Labs Founder & CEO, Jack Naglieri, walks through the Panther UI and explains product functionality.
Panther is an open source, cloud-native SIEM for modern security teams. With Panther, you can detect threats with log data and improve cloud security posture. It's designed for modern security teams to do more with fewer resources using automation and cloud-first workflows.
3. CHALLENGES TODAY
Traditional security monitoring techniques no longer offer protection against new and emerging threats in a cloud-first world.
Challenges: Hiring, Scale, Effective Tools
Panther 101
4. Our team spent years building detection at scale for companies like Airbnb and Amazon.
5. Panther is an open source, cloud-native SIEM for modern security teams.
7. FLEXIBLE: Use Python for expressive and transparent detections
SCALABLE: Built for big data and high performance
SECURE: Self-hosted for maximum data security
COST EFFECTIVE: Serverless architecture offers efficiency at scale
8. USE CASES
Find Permissive IAM Roles: Find all IAM roles that have the Administrator or * based policies attached
Detect Host-Based Compromise: Analyze the output of OSSEC/osquery and flag highly suspicious activity
Quickly Search Indicators: Query all logs for IOC matches with standardized data fields
Monitor Suspicious Network Traffic: Analyze VPC Flow, Suricata, Bro, or other sensors to identify network traffic to sensitive hosts, command and control, and more
9. HOW TO USE PANTHER
ATTACKER SCENARIO:
● SSH credentials are stolen
● There's no 2FA on the EC2 instance
● The attacker logs into the host and begins to enumerate
How can we detect, investigate, and remediate this?
10. CONCEPTS/TERMS
RESOURCE: A cloud component, e.g. users, virtual machines, or storage buckets.
RULE: A detection to identify suspicious activity.
POLICY: A function representing the desired secure state of a resource.
ALERT: Notification of a policy failure, or of a rule that has triggered on an event.
EVENT: A normalized log line, e.g. CloudTrail, osquery, or Suricata.
11. Incident Response Lifecycle with Panther
● Detect suspicious activity
● Gather indicators and evidence
● Query logs and resources
● Remediate resources
● Update detections
16. Step 2: Detect
Data source tabs: All parsed logs | Network traffic data
SELECT DISTINCT instanceid, COUNT(*) AS login_count
FROM "panther_logs"."aws_vpcflow"
WHERE srcaddr = '157.130.196.214'
AND dstport = 22 AND month = 3 AND day = 3
GROUP BY instanceid
ORDER BY login_count DESC
Result: 1 i-016e2cb69ac58c2d5
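The VPC Flow query above, together with the deck's point that detections are written in Python, as an added example that is not Panther's own code: a Panther-style rule() that alerts on an accepted SSH connection from a public source address, plus a helper that performs the same per-instance aggregation as the SQL over constructed sample records. The rule()/title() signatures, the "action" and "protocol" fields, and the second instance id are assumptions; the source address and first instance id are the ones shown on the slide.

```python
import ipaddress
from collections import Counter

# Constructed sample VPC Flow Log records (not real traffic). Field names follow
# the slide's query (srcaddr, dstport, instanceid); "action" and "protocol" are
# assumed to be present as in standard VPC Flow Logs (protocol 6 = TCP).
SAMPLE_EVENTS = [
    {"srcaddr": "157.130.196.214", "dstport": 22, "protocol": 6, "action": "ACCEPT",
     "instanceid": "i-016e2cb69ac58c2d5"},
    {"srcaddr": "157.130.196.214", "dstport": 22, "protocol": 6, "action": "ACCEPT",
     "instanceid": "i-016e2cb69ac58c2d5"},
    {"srcaddr": "157.130.196.214", "dstport": 22, "protocol": 6, "action": "ACCEPT",
     "instanceid": "i-0123456789abcdef0"},  # constructed instance id
    {"srcaddr": "10.0.0.5", "dstport": 22, "protocol": 6, "action": "ACCEPT",
     "instanceid": "i-016e2cb69ac58c2d5"},  # internal source, not flagged
    {"srcaddr": "157.130.196.214", "dstport": 443, "protocol": 6, "action": "ACCEPT",
     "instanceid": "i-016e2cb69ac58c2d5"},  # HTTPS, not SSH
    {"srcaddr": "157.130.196.214", "dstport": 22, "protocol": 6, "action": "REJECT",
     "instanceid": "i-016e2cb69ac58c2d5"},  # blocked by the security group
]

def is_public(addr):
    """True for globally routable source addresses; malformed input is not public."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False

def rule(event):
    """Panther-style rule (assumed signature: one normalized event in, bool out).
    Returns True, i.e. alert, for an accepted TCP/22 connection from a public address."""
    if event.get("action") != "ACCEPT" or event.get("protocol") != 6:
        return False
    if event.get("dstport") != 22:
        return False
    return is_public(event.get("srcaddr", ""))

def title(event):
    """Alert title shown to the analyst."""
    return "SSH accepted on {} from public source {}".format(
        event.get("instanceid", "unknown"), event.get("srcaddr", "unknown"))

def ssh_attempts_by_instance(events, srcaddr):
    """Same aggregation as the slide's SQL: count rows per instanceid where srcaddr
    matches and dstport is 22, highest count first. Like the query, it does not
    filter on action, so rejected attempts are counted as well."""
    counts = Counter(e["instanceid"] for e in events
                     if e.get("srcaddr") == srcaddr and e.get("dstport") == 22)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
```

The rule fires on each accepted connection as it is ingested, while the aggregation answers the investigative question from the slide (which instances did this address reach over SSH, and how often).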
23. RESOURCES
Write policies for any of the following resource types: CloudTrail, Config, DynamoDB, EC2, VPC, ELB, GuardDuty, IAM, KMS, RDS, S3, WAF, Redshift, SQS, SNS
27. Subscription Tiers
Community (Free) - github.com/panther-labs/panther
● Real-Time Log Analysis
● Cloud Security and Remediation
● Real-Time Alerting
● Historical Search of Log Data
● Powerful User Interface
● 200+ pre-built Rules and Policies
Enterprise (Contact Us)
● Basic Features, plus:
● 24 x 7 Support & Live Chat
● 150+ Premium Analysis Packs
● Role-Based Access Control
● Reporting and Analytics
● Audit Logging
● Max scale and performance