There’s an old adage in cybersecurity that rings as true today as it ever has: “You can’t protect what you can’t see.” In a world where digital assets form the backbone of an organization, maintaining an up-to-date inventory of these assets is a critical and often overlooked aspect of a robust security strategy. It’s no surprise that the Center for Internet Security lists asset and software inventory as the first two most critical controls, as they are foundational to the rest of the controls.
In this blog post, we’ll explore how the Axonius Security team leverages our Axonius Cybersecurity Asset Management solution's powerful correlation capabilities to provide rich context within alerts produced by our SIEM, Panther. This approach has led to faster mean-time-to-alert-resolution and an overall reduction in alert volume requiring human investigation.
Panther for SIEM
Panther is a cloud-native Security Information and Event Management (SIEM) platform. Panther's philosophy includes supporting detections-as-code and the ability to run arbitrary Python code within the detection pipeline. This approach allows for better customization and flexibility, empowering security teams to create tailored real-time detections that address their specific environment and threat landscape.
Here’s an example of a simple Panther detection rule for detecting a user with role “admin” logging in.
Rule Definition:
Log Data:
Detection Result:
Additionally, Panther offers a range of Global Helpers. These are Python libraries that provide reusable functions, which can be utilized within the detection pipeline to expedite the development cycle. Panther provides a number of Global Helpers out of the box, although customers can also write their own.
Axonius for CAASM
Axonius takes an API-driven, agentless approach to collecting and correlating asset information from various IT and security solutions. Its correlation capabilities help identify relationships between assets, enabling customers to gain insights and address vulnerabilities. Using its API, customers can access consolidated, up-to-date user and device inventory information and integrate it into their existing security workflows.
Putting it together: CAASM for SIEM enrichment
Today, we’re releasing our custom Panther Global Helper, which queries the Axonius API. This integration lets Panther enrich security events with asset context from Axonius, giving security teams a better understanding of what a detection actually represents. For example, with the Axonius helper we can determine whether a user operating from a specific IP address is associated with one of that user's authorized devices. If so, we can deprioritize or suppress the alert, since it likely constitutes known, expected activity.
An additional use case is when a user connects to a system with a shared root/admin account, so the logs alone do not reveal who the individual was. With the Axonius helper, we can use the public IP address associated with the connection to identify the user, improving the accuracy of incident investigation and response.
By leveraging this integration between Axonius and Panther, security teams can enhance their incident response capabilities and obtain richer context regarding security events. The combination of asset context from Axonius and Panther's detection capabilities empowers organizations to be more confident in taking swift and targeted actions, ultimately strengthening their overall security posture.
Now, let's consider an example where we are unaware of the actor's identity, like a login event for a root user.
Rule Definition:
Log Data:
Detection Result:
Even though the login was as “root”, we can still identify the individual responsible for the activity by correlating the source IP address with the data available in our Axonius tenant.
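To make the root-login flow concrete, here is an added Panther-style detection written for this post; it is not the published Axonius Global Helper or a rule from the original post. The `axonius_lookup_ip` function and the `ASSET_INVENTORY_BY_IP` table are constructed stand-ins for the real API call, and the event fields (`action`, `user`, `host`, `src_ip`) are assumed names.

```python
# Added example: a Panther-style rule that enriches a root login with asset
# context keyed on the source IP. Panther calls rule()/title()/severity()/
# alert_context() with the parsed log event; a plain dict stands in for it here.

# Constructed sample of what an asset inventory lookup might return per public IP.
ASSET_INVENTORY_BY_IP = {
    "203.0.113.10": {"hostname": "alice-laptop", "owner": "alice@example.com", "managed": True},
    "203.0.113.20": {"hostname": "build-runner-3", "owner": "ci-service", "managed": True},
    "203.0.113.30": {"hostname": "byod-tablet", "owner": "", "managed": False},
}


def axonius_lookup_ip(ip):
    """Hypothetical stand-in for the helper's Axonius query: asset dict or None."""
    return ASSET_INVENTORY_BY_IP.get(ip)


def _known_owner(event):
    """Return the owner of a managed asset at the event's source IP, else None."""
    asset = axonius_lookup_ip(event.get("src_ip", ""))
    if asset and asset["managed"] and asset["owner"]:
        return asset["owner"]
    return None


def rule(event):
    # Every root login still alerts; enrichment changes how it is triaged, not whether.
    return event.get("action") == "login" and event.get("user") == "root"


def severity(event):
    # Deprioritize when the inventory attributes the IP to a managed, owned device.
    return "LOW" if _known_owner(event) else "HIGH"


def title(event):
    who = _known_owner(event) or "unattributed source"
    return f"root login on {event.get('host')} from {event.get('src_ip')} ({who})"


def alert_context(event):
    # Attach the raw asset record so the analyst sees the correlation evidence.
    return {"src_ip": event.get("src_ip"), "asset": axonius_lookup_ip(event.get("src_ip", "")) or {}}


# Constructed sample log events.
ROOT_LOGIN_KNOWN = {"action": "login", "user": "root", "host": "db-01", "src_ip": "203.0.113.10"}
ROOT_LOGIN_UNKNOWN = {"action": "login", "user": "root", "host": "db-01", "src_ip": "198.51.100.7"}
ROOT_LOGIN_UNMANAGED = {"action": "login", "user": "root", "host": "db-01", "src_ip": "203.0.113.30"}
```

An unknown IP and an unmanaged device both stay HIGH, so the suppression only applies where the inventory positively attributes the connection.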
To use the Axonius Global Helper in your Panther tenant, visit its GitHub repo and follow the instructions in the README.
Monitoring both assets and events
By utilizing the power of the Panther SIEM in combination with Axonius, organizations can achieve a stronger and more scalable threat management strategy. You’re able to easily gain both a bird’s-eye view and a ground-level perspective of your cybersecurity landscape, ensuring that you have all of the information available to you while deciding what actions to take in response to a new threat.