Authors: Sree Gokul Ram, Muhammad A Farooqui, Shaik Mohammad Imran, Prashantshekhar Mishra & Ayush Chaturvedi
What is SIEM?
SIEM or Security Information and Event Management, data refers to the information collected from various sources within an organization's IT infrastructure. This data includes logs from servers, network devices, and applications, as well as security events such as failed login attempts and malware infections.
SIEM tools are used to collect and analyze this data in order to detect and respond to security threats in real-time.
Why Panther?
Though SIEM provides a one-stop solution for most security issues, the legacy SIEM systems were causing issues of complexity, compatibility, contextualization, and cost. Hence modern-day SIEM solutions like Panther came into picture to transform terabytes of raw logs per day into a structured security data lake to power real-time detection and swift incident response.
Panther data source setup
Panther provides an easy way to set up the logs source.
Panther works with many data sources like AWS, OKTA, Azure, Google workspace, Github, Duo and lot many sources. With little configuration panther access these logs and processes them to identify threats In our project we're using AWS Cloudtrail, AWS S3serveraccess, AWS VPCFlow, OKTA which acts as panther data sources We also have other data sources like HR data and service now(destination) AWS CloudTrail: CloudTrail is a service that provides a record of all API calls made to AWS services. This can be used to track user activity, troubleshoot problems, and audit our AWS usage. To access CloudTrail logs, you can use the AWS Console, the AWS CLI, or the AWS SDKs.
Select the log source, for example, cloudtrail
Configuration & verification
Enter basic details like source name, aws bucket name, account id, KMS key(optional), and log stream type like lines, JSON, JSON Array, CloudWatch Logs.
User will be directed to some configuration steps which will be automatically handled by the panther itself
Explore Data
Once data is landed into Panther user can explore the data through the data explorer
Panther Dashboard
Dashboard will be an overall view of the alerts and their severity.
Insights
The total number of alerts
Alerts by severity
Panther to snowflake integration
The loading of logs data from Panther to Snowflake is done with the help of Snowpipe in the form of micro-batches. automatically ingest the data into the snowflake without any intervention. This integration is taken care of by Panther.
Panther integration with ServiceNow
With a simple Scripted Rest API configuration in the ServiceNow console, alerts fired from Panther can be mapped directly to new incidents
Panther integration with ServiceNow
Create a Scripted Rest API in ServiceNow & then create a Custom Webhook integration in Panther. Once the integration is successful, you should be able to see the events in your ServiceNow Incidents table.
Panther along with Snowflake
Though Panther helps to ingest, detect, and alert potential cyber threats in real-time, there is always a need to perform robust security investigations and analytics against this data, and this is where Snowflake comes into the picture.
With Panther’s Snowflake integration, we can collect normalized security data from Panther in Snowflake for affordable long-term retention. A Snowflake-powered security data lake offers affordable long-term storage, a rich ecosystem of integrations, and a massively scalable infrastructure to power investigations against years of data.
Snowflake enables us to even join Panther events data with CRM tools (e.g. ServiceNow which acts as a destination for Panther alerts) on a single interface. We can create meaningful dashboards for the security teams to assess the security posture of our organization by integrating the BI tools with Snowflake.
Analytics using Snowflake
The data lake created in Snowflake through Panther majorly contains two kinds of data:
Events: Events are simply ‘raw activity data’ independent of the context of that data being good or bad.
Alerts: Alerts are the qualified events that are generated when Panther rules and policies detect suspicious behavior.
These alerts are divided into various severity categories like High, Medium, Low and Informational based on the rule matched and suspicious behavior detected.
This data along with data from other sources can be used to perform analytics and provide a lot of valuable insights. A few of them are:
Total events volume with respect to each source
Total alert volume with respect to each source
Alerts to Events ratio
Events vs. alerts by source - Volume of events and alerts generated for each source
Events vs. alerts weekly statistics
Severity-wise alerts - Differentiation of alerts based on their severity
Average response or closure time of alert incidents - This can be done based on the ServiceNow incidents data brought in Snowflake.
Alerts based on geography - The states in which most alerts were generated
Frequently detected IPs - The IPs that were detected in most of the alerts
Business Impact
With the digital ecosystem system continuously evolving and becoming increasingly sophisticated with each passing day, it has become an absolute necessity for almost every organization to implement ways to become digitally secure. The combination of a comprehensive SIEM solution like Panther along with a robust modern day analytics platform like Snowflake not just makes organizations secure but serve the below-mentioned additional purpose as well:
Operational Efficiency: Operational efficiency was a major challenge in the legacy SIEM systems. With the help of modern SIEM solutions, efficiency has highly improved due to the centralization of ingestion of events logs, processing, run time alert detection and even analytics and reporting. This centralized approach eliminates the need for manual data aggregation and analysis, saving security teams significant time and effort.
Cost Savings: SIEM solutions help in cost savings in multiple areas. By automating security event analysis and incident response processes, the need for manual intervention is reduced, resulting in decreased operational costs. Additionally, the platform helps prevent costly security breaches, potential legal ramifications, etc.
Brand value: The worst damage that can happen to any organization due to a security breach is reputational damage. The loss of customers’ faith in the company's integrity is irreparable, but timely implementation of SIEM solutions can save them from landing in such situations.
Compliance and Regulatory Requirements: Compliance with industry regulations and standards is critical for our organization. Panther SIEM simplifies compliance reporting by collecting and analyzing the necessary security event data. The platform generates comprehensive reports that help demonstrate adherence to regulatory requirements, such as GDPR, HIPAA, PCI DSS, and others. This capability saves us valuable time during audits and ensures that we meet the necessary compliance obligations.
Conclusion
Implementing Panther SIEM will have a significant positive impact on our organization's security posture, incident response efficiency, compliance efforts, operational efficiency, cost savings, and overall risk mitigation. By leveraging Panther SIEM's advanced security analytics capabilities, we can enhance our cybersecurity measures, protect our critical assets, and maintain a robust security posture to safeguard our organization's interests.