Show HN: Panther v1.0 – Open Source, Cloud-Native SIEM
143 points by jacknagz 6 months ago | hide | past | web | 44 comments | favorite

For those of us that didn’t know: SIEM = security information and event management. Things like analyzing security logs, failed logins, audits, and much more, I’m sure.


Thanks! That expansion should really be at the very beginning of the GitHub README, and as early as possible on the runpanther.io page. Don't drive away potential customers who don't know your magic phrase.

For what it's worth, the target market for this will all know what SIEM means, and anyone who doesn't know what SIEM means isn't the target market. To a certain extent if you explain what it stands for you might have to explain what it's for and then how to use it... that's probably just beyond the scope of what they intend in the README.

Okay, you're clearly not a marketer, but maybe try to think like one for a moment.

What you've said, in effect, is, "Gee, someone came to the site with some interest (say, from a Hacker News link) but no idea what this secret sauce is. Screw 'em! Get them out of here!"

Alternatively, if you give them an idea of what they're looking at (and no, I don't think you have to drill down to every tiny detail on the front page), maybe they'll realize, "Hey, that's something I should at least look into."

They shouldn’t look into it though, is the point. He’s not being elitist or gatekeeping. He’s saying that because managing a SIEM is going to be a huge waste of resources for anyone but a dedicated incident response team.

I suspect that a layperson might be getting the impression that this will alert them to security incidents. It will not really do that. It is not an intrusion detection system (which also are not very useful, but I digress). It will be 99.9999999% noise, and an experienced team will have a sense of what they should bother paying attention to, and still spend most of their time chasing dead ends.

It would be like if someone announced the release of a compiler, without explaining what a compiler is. Someone might reasonably say, if you don’t know what a compiler is, this isn’t solving a problem that you’re worried about.

I doubt that’s true. There are plenty of people who would like to improve their cloud security but find the tooling very inaccessible. Particularly in small teams which the blog says is a target market.

He’s not wrong, and because of all the snake oil in the security industry, it’s kind of important to point this out and set realistic expectations for investing in these kinds of products. This won’t improve your security. An incident response team will (well, maybe). It’s a tool for incident response teams. It is a money pit to anyone else - even if it’s “free”.

Looking through Panther, I think many of the cloud security tools are useful for the standard cloud engineer. Many of the features I've seen small companies build by hand - usually poorly. And if the autoremediation works as advertised, this tool would drastically simplify some common pain-points (i.e. we all know the practices to avoid, but hooking up the infrastructure to detect and fix it is a time-consuming PITA).

Even if you're too small to have an incident response team, if you work on the cloud, you need to prevent these common security issues. I can't imagine using a tool built for the purpose is more of a money pit than writing it yourself as many cloud engineers end up doing.

Congratulations on the launch! Glad to see more options for SIEMs, my experience is that most of them exist for a compliance checklist rather than to provide any value for security teams (alert fatigue being the biggest offender).

For a checklist, you are better off contracting out a MSSP. If you pay for and maintain a SIEM, I hope you are extracting value from it.

Thank you! Our goal with Panther is to allow security engineers to customize and scale it to fit their needs.

For those who had a pre-release of Panther deployed, check out our release notes: https://github.com/panther-labs/panther/releases/tag/v1.0.0

We are also available on Slack to help out!

Nice work ! I wonder how this compares to Graylog which is another open-source(quite mature) project. Graylog SIEM looks and feels exactly like enterprise SIEM Splunk.

Thank you! I'd say the biggest difference is that Panther uses Python3 for detections and SQL/Presto for searching the data. This gives analysts/engineers more freedom and flexibility to find what they're looking for.

We also utilize open source or cloud-native transport mechanisms like fluentd/s3/etc, versus rolling our own.
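As an added illustration of the "Python3 for detections" point (example code written for this thread, not Panther's own rules or its documented interface), here is a small detection in the shape Panther's docs describe: a `rule(event)` function that returns True when an event should alert, plus a `title(event)` helper. The CloudTrail-style event shape and the sample events are constructed for the example; the batch helpers below it are not part of any Panther API and only exist to show why a per-event rule is noisy and how grouping by source IP reduces that.

```python
"""Added example: a Python3 detection for failed AWS console logins.

Assumptions (not from the Panther project):
- `rule(event)` receives one log event as a dict and returns a bool.
- `title(event)` returns the alert title for a matching event.
- Events look like CloudTrail ConsoleLogin records; the samples are constructed.
"""

from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 3  # constructed threshold for the grouped variant


def rule(event):
    """Per-event detection: fire on every failed ConsoleLogin."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    response = event.get("responseElements") or {}
    return response.get("ConsoleLogin") == "Failure"


def title(event):
    """Alert title: who failed to log in, and from where."""
    user = (event.get("userIdentity") or {}).get("userName", "<unknown>")
    ip = event.get("sourceIPAddress", "<unknown>")
    return f"Failed console login for {user} from {ip}"


def run_rule(events):
    """Apply the stateless rule to a batch; one alert per matching event (noisy)."""
    return [title(e) for e in events if rule(e)]


def count_failures_by_ip(events):
    """Group matching events by source IP, the first step toward a quieter alert."""
    counts = defaultdict(int)
    for e in events:
        if rule(e):
            counts[e.get("sourceIPAddress", "<unknown>")] += 1
    return dict(counts)


def ips_over_threshold(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Only IPs with at least `threshold` failures in the batch are worth an alert."""
    return sorted(ip for ip, n in count_failures_by_ip(events).items() if n >= threshold)


def _login(user, ip, outcome):
    # Constructed CloudTrail-like record (not a real log line).
    return {
        "eventName": "ConsoleLogin",
        "userIdentity": {"userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
    }


# Constructed sample batch: three failures from one IP, one from another, plus noise.
SAMPLE_EVENTS = [
    _login("alice", "198.51.100.7", "Failure"),
    _login("alice", "198.51.100.7", "Failure"),
    _login("alice", "198.51.100.7", "Success"),
    _login("bob", "203.0.113.9", "Failure"),
    {"eventName": "AssumeRole", "sourceIPAddress": "203.0.113.9"},
    _login("carol", "198.51.100.7", "Failure"),
]

if __name__ == "__main__":
    for t in run_rule(SAMPLE_EVENTS):
        print("per-event alert:", t)
    print("grouped:", count_failures_by_ip(SAMPLE_EVENTS))
    print("over threshold:", ips_over_threshold(SAMPLE_EVENTS))
```

The per-event rule produces four alerts for this batch; the grouped variant reduces that to one source IP, which is the kind of correlation the thread's "99.9999999% noise" remark is about.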

They are both similar (Graylog and Splunk) but they lack bells and whistles traditional SIEMs like ArcSight or QRadar have, so I hope Panther does a lot more!

The bane of any SIEM is data ingestion costs. I need to put every log in it, but with cloud, not only do I have to worry about resource costs but also database pricing models for the SIEM license. Imagine I need to ingest data from 500K endpoints including 500K users and their web, IP, DNS, authentication and endpoint event logs (Sysmon for example). Can I do this for under $6/user ($3M) including support costs? Edit: just a thought here, perhaps on-prem agents to summarize logs before shipping to cloud storage might help?

Also, since this seems fairly new, do you have SOAR platform integration already? That's a major selling point these days, I need it to play well with automation.

Lastly, many have tried and failed to compete with Splunk's query language. Does this have a query language that can compete? I don't need it to detect threats out of the box; if I need a SIEM then I also need to rapidly change correlation logic, and for that I need a good query language, which is very rare even with top-dollar traditional SIEMs.

It's Apache licenced, so presumably ingest / transit, compute, and storage costs are whatever you normally pay for them.

The source licensing here is a mess, AGPL, commercial, etc. https://github.com/panther-labs/panther/blob/master/LICENSE

My read of the license file is that there seems to be some purposefully introduced license confusion and mixing of proprietary/commercial non-OSS files into the same repo, which makes it really unclear if this is OSS per the OSI definition, or if running git log will taint a contributor.

The compiled binary assets are available under Apache 2.0, which appears to be a marketing tactic to capitalize on the name, while being completely unrelated to the actual source license, aka this is closer to a free-to-use binary. IANAL but AFAICS most orgs should talk to a lawyer if they want to use this as OSS.

Moreover, this line in the README also appears to be purposefully sowing confusion: "Panther is dual-licensed under the AGPLv3 and Apache-2.0 licenses." Except they actually appear to redefine the common usage of dual license, to mean that parts of the code base are selectively licensed one or the other.

This is great insight, thank you.

I'd originally just looked at the LICENCE.txt file in the top level, thinking this was presented as a standalone application suite from a single author / company - so I approached it with certain (perhaps naive) expectations.

That's just it. I've been at a few Fortune 100s and I've never seen SIEM data pushed into cloud, but also, I've seen teams struggle with just VPC network flow logs due to resource/Stackdriver costs.

Nice to see an open-source project in this area. But I don't see the point of "just another" SIEM. Why is everyone trying to collect, normalize and trigger on log data?

Logs are probably the worst source one can have. And it's faulty by design. Why not think of something new? A better source for your data would be something to start with. Maybe an intelligent infrastructure for data collection could make it more useful with more relevant data. Only ship relevant data from relevant sources if additional info is required. Maybe that would be a great solution. It would at least be something new.

Congrats Jack. Really excited to see where Panther is headed - code based detection is the future!

Thank you!! It definitely is the future.

Great to see an open-source alternative to Splunk SIEM!! Thanks for making this and all the best.

I'm sure a lot of teams will be excited about something new. We are taking a more cloud-centric, automation-first, and big data approach that should alleviate most of the overhead/cost.

Hi Jack! I worked with you a long time ago. Congrats on the launch!

Hey! Thank you :)

Congratulations on the launch and the product looks great! Are there plans for allowing 3rd-party integrations?

Thanks! What type of integrations? On the input or output side?

Is calling a custom script for an alert notification going to be an Enterprise level feature?

Nope, that's available in OSS!

Alerts can deliver to SNS/SQS, which can invoke a Lambda function running your custom script:

- https://docs.runpanther.io/setup/sqs

- https://docs.runpanther.io/setup/sns
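To make the SNS/SQS → Lambda → custom script path concrete, here is an added example of the Lambda side, written for this thread and not taken from Panther or its docs. It assumes the Lambda is subscribed to an SNS topic or an SQS queue that carries one JSON alert per message, and that the alert JSON has `title` and `severity` fields; that payload shape is an assumption, as is the `custom_action` body, which stands in for whatever your script does. The SNS and SQS record layouts are the standard ones AWS hands a Lambda function; the sample invocation events are constructed.

```python
"""Added example: a Lambda handler that receives alerts from SNS or SQS and
hands each one to a custom action.

Assumptions (not from the Panther project):
- Each SNS message / SQS body is a JSON document with "title" and "severity".
- `custom_action` is a stand-in for your own script.
- For SQS, the function reports per-message failures via "batchItemFailures"
  (the partial-batch response Lambda supports when ReportBatchItemFailures is on).
"""

import json


def extract_messages(event):
    """Yield (record_id, raw_message) for each SNS or SQS record in a Lambda event."""
    for rec in event.get("Records", []):
        source = rec.get("EventSource") or rec.get("eventSource")
        if source == "aws:sns":
            sns = rec["Sns"]
            yield sns.get("MessageId"), sns.get("Message")
        elif source == "aws:sqs":
            yield rec.get("messageId"), rec.get("body")
        # Records from other sources are ignored rather than failed.


def custom_action(alert):
    """Stand-in for the custom script: build a one-line summary of the alert."""
    severity = alert.get("severity", "UNKNOWN")
    return f"[{severity}] {alert.get('title', '(untitled)')}"


def handler(event, context):
    """Lambda entry point: process every alert, collect failures for SQS retry."""
    processed, failures = [], []
    for record_id, raw in extract_messages(event):
        try:
            alert = json.loads(raw)
            if not isinstance(alert, dict):
                raise TypeError("alert payload is not a JSON object")
            processed.append(custom_action(alert))
        except (json.JSONDecodeError, TypeError):
            # Leave the message on the queue for retry instead of dropping it.
            failures.append({"itemIdentifier": record_id})
    return {"processed": processed, "batchItemFailures": failures}


# Constructed sample invocation events (shapes follow the AWS SNS/SQS Lambda records).
SAMPLE_SNS_EVENT = {
    "Records": [
        {
            "EventSource": "aws:sns",
            "Sns": {
                "MessageId": "sns-1",
                "Message": json.dumps(
                    {"title": "Failed console login for alice from 198.51.100.7",
                     "severity": "MEDIUM"}
                ),
            },
        }
    ]
}

SAMPLE_SQS_EVENT = {
    "Records": [
        {
            "eventSource": "aws:sqs",
            "messageId": "msg-1",
            "body": json.dumps({"title": "S3 bucket made public", "severity": "HIGH"}),
        },
        {
            "eventSource": "aws:sqs",
            "messageId": "msg-2",
            "body": "not json at all",  # malformed on purpose to exercise the failure path
        },
    ]
}

if __name__ == "__main__":
    print(handler(SAMPLE_SNS_EVENT, None))
    print(handler(SAMPLE_SQS_EVENT, None))
```

Only the `batchItemFailures` key matters to Lambda's SQS integration; the `processed` list is returned so the result can be checked locally. For an SNS subscription there is no retry-by-id mechanism, so a failure there would be handled by your own logging or a dead-letter configuration instead.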

Is this a spinoff of StreamAlert? Any differences between the 2?

Yes, I was the original core dev of StreamAlert during my time at Airbnb.

I'd say the biggest differences are that Panther:

- Has a UI-driven workflow (vs CLI)

- Has an improved design to be more scalable and cost-effective

- Is written almost entirely in Golang

- Made a larger investment in the Athena side, allowing data pivoting and correlation across types

- Has first-class support for monitoring infrastructure as "resources", opening up more compliance use cases

We applied a lot of lessons learned from running StreamAlert and from my team's experiences at Amazon.

Thank you!

Congrats on the launch. Based on the documentation, Panther operates only in an AWS environment at this point. Are there plans to also include deployments on GCP?

Thank you! We are planning to go multi-cloud by either integrating with Snowflake or pulling the data into a hosted Panther environment.

Thanks for the quick reply. The choice of Snowflake is interesting. Would you mind sharing the reasoning behind it?

I really like the idea of integrating with shared data-stores! It is a quick win for going multi-cloud since it's quite challenging to run a complex arch on multiple clouds. There also isn't great parity yet across them.

Congrats on the launch Jack & team!

Thank you!!

Congratulations on the launch!

All the best
