Taking Action on Your Security Alerts with Panther and Tines
0 likes497 views
The document discusses the importance of automation in security operations to manage increasing attack surfaces and data volumes. It highlights the capabilities of Panther for security analytics and Tines for automated responses, providing modular and scalable solutions. Various scenarios are outlined, demonstrating how to effectively detect, respond, and investigate security alerts, ultimately emphasizing automation for efficiency and team sustainability.
Taking Action on Your Security Alerts with Panther and Tines
- 1. Taking Action on Your Security Alerts
- 2. Today’s Speakers Jack Naglieri Founder, CEO Thomas Kinsella Co-Founder, COO 8+ years in Detection and Response Ex-Airbnb and Yahoo Co-creator of StreamAlert 8+ years in Security Operations Ex-DocuSign and eBay
- 3. Security teams must leverage automation to keep up with continuously growing attack surfaces and data volumes The Problem
- 4. Teams can utilize Panther for security analytics and Tines for automated security response at cloud-scale A Path Forward
- 5. ● Keep your team focused ● Avoid team burnout ● Modular, repeatable, tailored ● Scalable! Built for the cloud Benefits of this Approach
- 6. Automating Detection and Response Collect Parse, normalize, and store for analytics Detect Apply real-time Python detections on logs Alert Fire off alerts to Tines for automated response and triage Respond Ping users for more information, hit external APIs, take automated action Investigate Only triage and investigate high- confident alerts
- 8. Scenario 1: Monitor admin assignment in Okta
- 9. Scenario 1 - Collect the Logs
- 10. Scenario 1 - Collect the Logs
- 11. Scenario 1 - Normalize
- 12. Scenario 1 - Understand the Logs
- 13. Scenario 1 - Write a Detection Detection Logic Alerting and Grouping
- 14. Scenario 1 - Activity
- 15. Scenario 1 - Initial Alert
- 16. Scenario 1 - Responding to Alerts Incoming Alerts
- 17. Scenario 1 - Responding to Alerts
- 18. ● Pass Alert Context ● Parameterized requests ● Shared API credentials ● Templates for 150+ tools, but trivial to edit to make your own calls Scenario 1 - Configuring Stories
- 19. Scenario 1 - Analyzing API Responses
- 20. Scenario 1 - Ping Users
- 21. Scenario 1 - Create a Case
- 22. Scenario 1 - Recap ● Flexible Detections ● Data Lake for Analytics ● Get context on initial signal with VirusTotal ● Ping employees to validate activity ● Automate remediation and containment ● Create repeatable Stories and workflows
- 24. Scenario 2: Alert Enrichment and Post-Processing
- 25. Scenario 2 - Initial Alert
- 26. Scenario 2 - Initial Alert
- 27. Scenario 2 - Alert Context
- 28. Scenario 2 - Enrichment
- 29. Scenario 2 - Data Schemas ● Panther normalizes data based on a schema ● Enables detection, analytics, and storage ● YML declaration in the UI
- 30. Scenario 2 - Post-Processing
- 31. Scenario 2 - Alert
- 32. Scenario 2 - Searching Data
- 33. Scenario 2 - Recap ● Flag initial activity ● Send to Tines for automating lookups ● Use a repeatable ‘Send to Story’ to analyze IP ● Feedback into Panther via S3 ● Post-process with Python ● Store in SQL for a history of records
- 34. 03 Wrapping Up
- 35. Automate all of the things! ● High-scale data processing and analytics ● Detections as Code ● Automated Response ● Plug into commonly used security APIs ● Kick-start your investigations ● Tailored to fit your needs ● Flexible deployments Better Together
- 36. Get Started Join Panther & Tines Community We can't wait to see what you build! slack.runpanther.io github.com/panther-labs/panther sales@runpanther.io tines.io/slack tines.io/community-edition sales@tines.io
- 37. Be sure to check out our blog.runpanther.io!
- 38. 04 Q & A
- 39. Thank You