
5 Benefits of Detection-as-Code



TL;DR:

Secure your organization with a modern, test-driven methodology: Detection-as-Code.

Over the past decade, detecting threats has become critical to the business and harder than ever. As organizations move to the cloud, manual threat-detection processes can no longer keep up. How can teams automate security analysis at scale and address the issues that threaten business goals? The answer is to treat threat detection as software: Detection-as-Code.

Watch the on-demand Panther workshop, Scale Security with Detection-as-Code, with Cedar, to learn how Cedar uses Panther and Detection-as-Code to generate high-signal alerts.

Detection-as-Code: a new paradigm

Detections define the logic that analyzes security log data to identify attacker behavior. When a rule matches, an alert is sent to your team for triage or investigation.

What is Detection-as-Code?

Detection-as-Code is a modern, flexible, and structured approach to writing detections that applies software-engineering best practices to security. By adopting this paradigm, teams can build scalable processes for writing, reviewing, and approving detections that identify complex threats in rapidly expanding environments.

The benefits of adopting a code-driven workflow

The most effective threat detection programs are those customized for a specific environment and its systems. By treating detections as well-written code that can be tested, checked into source control, and peer-reviewed, teams can build higher-fidelity alerts that reduce fatigue and quickly surface suspicious activity.

1 – Create custom, flexible detections using a programming language

Writing detections in a widely adopted, flexible, and expressive language such as Python offers several advantages over overly restrictive domain-specific languages (DSLs). With a language like Python you can write more sophisticated, custom detections that fit the needs of your business. These rules also tend to stay readable and easy to understand as their complexity grows.

Another advantage of this approach is access to a rich set of built-in and third-party libraries, developed by the security community, for interacting with APIs or processing data, which makes detections more effective.

2 – Test-Driven Development (TDD)

Proper quality control of detection code lets teams find blind spots early, test for false positives, and improve detection efficacy. The TDD approach allows security teams to think like an attacker, document that knowledge, and maintain an internal repository of knowledge about the attacker lifecycle.

TDD offers more than code checking. Writing detections test-first improves the quality of detection code and produces detections that are more modular, extensible, and flexible. Engineers can change a detection without fear of breaking alerts or disrupting day-to-day operations.
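To make the test-first workflow concrete, here is an added example (not code from the original article or from Panther): a detection for a successful AWS console login without MFA, written as a Panther-style rule()/title() pair, together with the labelled test cases that were written before the rule body. The log shape is a simplified CloudTrail ConsoleLogin event and every event below is constructed sample data; the helper names (console_login, run_tests, TEST_CASES) are this example's own.

```python
"""Test-driven detection development (added example, not the article's code).

The labelled cases are written first; the rule is then written until every
case passes, and the same cases run again in CI on every later change.
Events are simplified, constructed CloudTrail ConsoleLogin records.
"""
from typing import Any, Callable

Event = dict[str, Any]


def rule(event: Event) -> bool:
    """Alert on a successful AWS console login that did not use MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    # Only successful logins matter here; failed attempts belong to another rule.
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    # CloudTrail records MFA use as additionalEventData.MFAUsed = "Yes" / "No".
    # A missing field is treated as "No" so the alert fails closed.
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed", "No")
    return mfa_used != "Yes"


def title(event: Event) -> str:
    """Alert title with the actor and source IP interpolated for context."""
    user = event.get("userIdentity", {}).get("userName", "<unknown>")
    ip = event.get("sourceIPAddress", "<unknown>")
    return f"AWS console login without MFA by {user} from {ip}"


def console_login(user: str, result: str, mfa: str,
                  ip: str = "203.0.113.10") -> Event:
    """Build a minimal constructed CloudTrail-shaped event for a test case."""
    return {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": result},
        "additionalEventData": {"MFAUsed": mfa},
    }


# (case name, event, expected rule() result): written before the rule body.
TEST_CASES: list[tuple[str, Event, bool]] = [
    ("iam user login without mfa", console_login("alice", "Success", "No"), True),
    ("iam user login with mfa", console_login("alice", "Success", "Yes"), False),
    ("failed login without mfa", console_login("mallory", "Failure", "No"), False),
    ("mfa field missing entirely",
     {"eventName": "ConsoleLogin",
      "responseElements": {"ConsoleLogin": "Success"}},
     True),
    ("unrelated api call", {"eventName": "DescribeInstances"}, False),
]


def run_tests(detection: Callable[[Event], bool],
              cases: list[tuple[str, Event, bool]]) -> list[str]:
    """Return the names of the cases whose result differs from the label."""
    return [name for name, event, expected in cases
            if detection(event) is not expected]


if __name__ == "__main__":
    failures = run_tests(rule, TEST_CASES)
    print("all cases pass" if not failures else f"failing cases: {failures}")
```

The "mfa field missing entirely" case is the one worth writing first: a rule that checked `MFAUsed == "No"` would silently miss logins where the field is absent, and the test pins the fail-closed behaviour before the rule is refactored.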

3 – Collaborate with version control systems

When writing new detections or changing existing ones, version control lets teams quickly and easily revert to a previous state. It also confirms that teams are running the most up-to-date detections rather than referencing outdated or incorrect code. Version control can also supply the context behind a specific detection that triggered an alert, or pinpoint when a detection changed.

As new and more data enters the system over time, detections must change with it. A change-control process helps teams adjust detections as needed while ensuring every change is well documented and well tested.

4 – Automated workflows for reliable detection

A Continuous Integration / Continuous Deployment (CI/CD) pipeline is useful for security teams who have long wanted to shift security further left. Using a CI/CD pipeline helps achieve two goals:

• Remove friction between teams that work on a shared platform, review each other's code, and stay organized.
• Provide automated testing and delivery pipelines for your detections. Teams stay agile by focusing on building well-tuned detections instead of testing and deploying them by hand, and the automated tests catch detections that are over-fitted to one case and would otherwise produce false positives.

5 – Reusable code

And last but not least, Detection-as-Code makes it possible to reuse code across a large number of detections. As teams write many detections over time, patterns emerge. Engineers can reuse existing code that performs the same or a very similar function across detections instead of starting from scratch.

Reusable code can be an important part of writing detections, allowing teams to share functions between detections or to modify and adapt a detection for a specific use. For example, suppose you need to repeat a set of allow/deny lists (say, for access control) or a certain piece of processing logic in multiple places. In that case, you can use helper modules in a language like Python to share that functionality between detections.
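As an added example of the shared-helper pattern (this is illustration code, not the article's or Panther's own helpers): one helper section holds the allow list, a safe nested-field lookup, and the actor normalization, and two separate detections build on it, so a change to the allow list is made once and picked up by every rule. The events are simplified, constructed CloudTrail-style records, and the allow-list entries, helper names and detection names are assumptions of the example.

```python
"""Reusable detection code (added example, not the article's code).

One helper section (in practice a shared helpers module) serves two
detections. Events are simplified, constructed CloudTrail-style records.
"""
from typing import Any, Callable

Event = dict[str, Any]

# --- shared helpers --------------------------------------------------------

# Constructed allow list: identities expected to make privileged changes.
PRIVILEGED_CHANGE_ALLOW_LIST = frozenset({"terraform-ci", "break-glass-admin"})


def deep_get(event: Event, *keys: str, default: Any = None) -> Any:
    """Walk a nested dict safely; return default if any key on the path is missing."""
    value: Any = event
    for key in keys:
        if not isinstance(value, dict) or key not in value:
            return default
        value = value[key]
    return value


def actor_name(event: Event) -> str:
    """Normalize the acting identity: IAM users and assumed roles record it differently."""
    if deep_get(event, "userIdentity", "type") == "AssumedRole":
        # arn:...:assumed-role/<RoleName>/<SessionName> -> use the role name
        arn = deep_get(event, "userIdentity", "arn", default="")
        parts = arn.split("/")
        return parts[1] if len(parts) >= 2 else "<unknown>"
    return deep_get(event, "userIdentity", "userName", default="<unknown>")


def is_allowlisted_actor(event: Event) -> bool:
    return actor_name(event) in PRIVILEGED_CHANGE_ALLOW_LIST


# --- two detections built on the shared helpers -----------------------------

IAM_POLICY_EVENTS = frozenset(
    {"PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy", "CreatePolicyVersion"})


def iam_policy_change_by_unexpected_actor(event: Event) -> bool:
    """IAM policy changed by an identity outside the allow list."""
    return (event.get("eventName") in IAM_POLICY_EVENTS
            and not is_allowlisted_actor(event))


def security_group_opened_by_unexpected_actor(event: Event) -> bool:
    """Inbound rule opened to 0.0.0.0/0 by an identity outside the allow list."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    # CloudTrail shape: requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp
    permissions = deep_get(event, "requestParameters", "ipPermissions", "items", default=[])
    world_open = any(
        r.get("cidrIp") == "0.0.0.0/0"
        for perm in permissions
        for r in deep_get(perm, "ipRanges", "items", default=[])
    )
    return world_open and not is_allowlisted_actor(event)


# Constructed sample events.
SAMPLE_EVENTS: list[Event] = [
    {"eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"}},
    {"eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/terraform-ci/run-42"}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"ipPermissions": {"items": [
         {"ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"ipPermissions": {"items": [
         {"ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
]


def matches(detection: Callable[[Event], bool], events: list[Event]) -> list[int]:
    """Indexes of the events a detection fires on."""
    return [i for i, e in enumerate(events) if detection(e)]
```

Because both detections call is_allowlisted_actor, adding a new automation role to the allow list is a one-line change that is reviewed once and covered by the tests of every detection that imports the helper.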

      Introduction to Panther

Panther is a security analytics platform designed to alleviate the pain points of traditional SIEMs. Panther is built for security engineers. Instead of inventing yet another proprietary language for detection logic, Panther gives security teams a Python rule engine for writing expressive threat detections and automating cloud-scale detection and response. Panther's modular and open approach offers easy integrations and flexible detections to help you build a modern security operations pipeline.

      Detection-as-Code Workflow in Panther

Panther offers reliable and durable detections that make it easy to:

• Write expressive and flexible detections in Python to suit the needs of your business.
• Structure and normalize logs into a strict schema that enables detection in Python and querying with SQL.
• Perform real-time threat detection and power investigations across vast amounts of security data.
• Take advantage of more than 200 pre-built detections mapped to specific threats, suspicious activity, and security frameworks such as MITRE ATT&CK.


An example detection in Panther

When writing a detection in Panther, you start with the rule() function, which defines the specific behavior to match. For example, suppose you want to be alerted when a brute-force login against Okta is suspected. The following detection can identify that behavior in Panther:

      Okta Brute Force Login Rule in Panther

      In the example above:

• The rule() function takes a single event argument and returns a Boolean value.
• The title() function controls the generated alert message sent to the analyst. Values from the event can be interpolated to add useful context.

Rules can be enabled and tested directly in the Panther UI, or edited and uploaded programmatically with the Panther Analysis Tool, which lets you test, package, and deploy detections from the command line (CLI). To help with triage, Panther rules carry metadata such as severity, log types, unit tests, runbooks, and more.

      Get started

Are you making full use of all your security data to detect threats and suspicious activity? Learn how to protect your cloud, network, applications, and endpoints with Panther Enterprise. Request a demo today.
