Show HN: Panther v1.0 – Open Source, Cloud-Native SIEM
My name is Jack Naglieri. I’m the founder of Panther Labs - an SF-based cybersecurity startup. Prior to Panther, I was an engineering manager at Airbnb. Before that a security engineer/analyst/forensic analyst.
Today, I’m excited to announce Panther v1.0, an open source, cloud-native SIEM:
http://github.com/panther-labs/panther
Teams can use Panther as an alternative to traditional SIEMs like Splunk.
Panther is the culmination of our team’s experience building security tools at scale, including StreamAlert at Airbnb and critical internal monitoring systems at Amazon.
Panther runs entirely on serverless to enable small teams to detect threats at scale. Our backend is Golang and our frontend is React/Typescript. Panther is also self-hosted and uses Python3 for flexible detections.
At a high level:
- Panther receives security logs
- Panther baseline scans cloud infra and determines security posture
- All data is saved to your data warehouse (powered by Athena/Glue/S3)
- Alerts are dispatched to your team via Slack, PagerDuty, etc
- Automatic remediations can also be applied to fix infrastructure
Panther v1.0 includes support for:
- Analyzing logs from AWS, OSS tools such as Osquery, OSSEC, Suricata, and more
- Threat hunting on all your security data with standardized fields (IPs, domains, etc)
- Real-time cloud configuration monitoring
- 150+ built-in detections
- A UI for creating, updating and tuning detections
To get started:
- Quick-start: https://docs.runpanther.io/quick-start
- Read our v1.0 announcement: https://blog.runpanther.io/panther-v1-open-source-siem/
- Register for our webinar tomorrow: https://webinars.runpanther.io/panther-101
You can also find us on Slack (https://panther-labs-oss-slackin.herokuapp.com/), Twitter (@panther__labs), and Github (github.com/panther-labs/panther).
We’re happy to answer your questions. Just drop a message here.
Thanks!
We also send our best wishes to those affected by COVID-19
44 comments
[ 2.6 ms ] story [ 105 ms ] threadThanks!
https://en.wikipedia.org/wiki/Security_information_and_event...
What you've said, in effect, is, "Gee, someone came to the site with some interest (say, from a Hacker News link) but no idea what this secret sauce is. Screw 'em! Gem them out of here!"
Alternatively, if you give them an idea of what they're looking at (and no, I don't think you have to drill down to every tiny detail on the front page), maybe they'll realize, "Hey, that's something I should at least look into."
I suspect that a layperson, they might be getting the impression that this will alert them to security incidents. It will not really do that. It is not an intrusion detection system (which also are not very useful, but I digress). It will be 99.9999999% noise, and an experienced team will have a sense of what they should bother paying attention to, and still spend most of their time chasing dead ends.
It would be like if someone announced the release of a compiler, without explaining what a compiler is. Someone might reasonably say, if you don’t know what a compiler is, this isn’t solving a problem that you’re worried about.
Even if you're too small to have an incident response team, if you work on the cloud, you need to prevent these common security issues. I can't imagine using a tool built for the purpose is more of a money pit than writing it yourself as many cloud engineers end up doing.
We also utilize open source or cloud-native transport mechanisms like fluentd/s3/etc, verses rolling our own.
We are also available on Slack to help out!
https://github.com/panther-labs/panther
I'd say the biggest differences are that Panther:
- Has a UI-driven workflow (vs CLI)
- Has an improved design to be more scalable and cost-effective
- Is written almost entirely in Golang
- Made a larger investment in the Athena side, allowing data pivoting and correlation across types
- Has first-class support for monitoring infrastructure as "resources", opening up more compliance use cases
We applied a lot of lessons learned from running StreamAlert and from my team's experiences at Amazon.
Alerts can deliver to SNS/SQS, which can invoke a Lambda function running your custom script:
- https://docs.runpanther.io/setup/sqs
- https://docs.runpanther.io/setup/sns
Also, since this seems fairly new, do you have SOAR platform integration already? That's a major selling point these days, I need it to play well with automation.
Lastly,many have tried and failed to compete with Splunk's query language.Does this have a query langauge that can compete? I don't need it to detect threats out of the box, if I need a SIEM then I also need to rapidly change correlation logic and for that I need a good query language which is very rare even with top dollar traditional SIEMs.
My read of the license file, is there seems to be some purposefully introduced license confusion and mixing of proprietary/commercial non oss files into the same repo, which makes it really unclear if this is OSS per OSI definition, if running git log will taint a contributor.
The compiled binaries assets are available under Apache 2.0, which appears to be a marketing tactic to capitalize on the name, while being completely unrelated to the actual source license, aka this is closer to free to use binary. IANAL but afaics most orgs should talk to a lawyer if they want to use this as OSS.
moreover this line in the readme also appears to be purposefully sowing confusion, "Panther is dual-licensed under the AGPLv3 and Apache-2.0 licenses." except they actually appear to redefine the common usage of dual license, to mean that parts of the code base are selectively licensed one or the other.
I'd originally just looked at the LICENCE.txt file in the top level, thinking this was presented as a standalone application suite from a single author / company - so I approached it with certain (perhaps naive) expectations.
Logs are probably the worst source one can have. And its faulty by design. Why not think of something new? A better source for your data would be something to start with. Maybe an intelligent infrastructure for data collection could make it more useful with more relevant data. Only ship relevant data from relevant sources if additional info is required. Maybe that would be a great solution. It would at least be something new.