Securing the Software Supply Chain with Detection as Code (TDR224-S)

Title: AWS re:Inforce 2024 - Securing the software supply chain with detection as code (TDR224-S)

Insights:

  • Introduction and Background: Ashley Yvonne Howard, a solutions engineer at Panther, has a diverse background in cybersecurity, with experience in SIEM, breach and attack simulation, and MDR. She worked at LogRhythm, AttackIQ, and Expel before joining Panther.
  • Software Supply Chain: The software supply chain includes all processes and resources involved in developing, maintaining, and distributing software products. It encompasses code, libraries, tools, services, developers, and infrastructure.
  • Importance of Security: Software supply chain attacks target vulnerabilities within interconnected components, potentially compromising software at any stage from development to delivery. These attacks can propagate malicious code or vulnerabilities through trusted software updates or dependencies.
  • Examples of Attacks:
    • Lazarus Group: Used social engineering via LinkedIn and Slack to send malicious links to developers, leading to compromised systems and GitHub repositories.
    • Lapsus Group: A group of teenagers that targeted platforms such as Okta and cloud infrastructure using tactics such as deploying password stealers, purchasing credentials, and paying employees for access.
  • Contemporary Supply Chain Threats: The talk walked through a multi-phase attack involving Okta admin compromise, GitHub repository infiltration, and AWS environment exploitation, highlighting the complexity and potential damage of such attacks.
  • Panther's Role: Panther is a cloud-native SIEM built on AWS, focusing on cloud-originated data sources such as AWS logs, GitHub, and Okta. It offers extensive coverage and straightforward onboarding of security-focused log sources.
  • Critical AWS Log Source Types:
    • Platform-wide Activity: CloudTrail logs all API calls within an AWS account.
    • Service-specific Logs: Logs from services like S3, VPC, and GuardDuty capture system-level activity.
    • Host-based Logs: Logs from EC2 instances provide insights into application-level activity and security events.
  • Panther's Architecture: Panther uses a security data lake powered by Snowflake, offering one year of hot searchable storage. It employs detection as code, allowing for version control and integration with CI/CD pipelines.
  • Key Benefits of Panther:
    • Clean Data: Parses and normalizes petabytes of security data, reducing false positives and improving detection accuracy.
    • Cloud Native: Real-time detection at petabyte scale with a serverless architecture, reducing operational maintenance.
    • Detection as Code: Flexible, scalable detections aligned with CI/CD engineering principles.
  • Customer Testimonials: Asana praises Panther's detection as code for creating custom detections and managing them as code, highlighting benefits like alert fidelity, total cost of ownership, and efficiency.
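The detection-as-code approach described above, as an added example that is not part of the talk summary or Panther's own code: a CloudTrail detection written as a version-controlled Python module, a small runner that evaluates it over events, and the unit test a CI pipeline would run before the rule is deployed. The `rule(event)` / `title(event)` / `severity(event)` convention is assumed here (it follows the general shape of Panther rules but is not Panther's API), and the CloudTrail events are constructed sample data, not real logs.

```python
"""Detection-as-code example (added illustration, not Panther's code).

A detection is an ordinary Python module kept in version control: rule()
decides whether an event matches, title() and severity() shape the alert, and
test_rule() is what CI runs so a broken detection never reaches production.
"""
import json
from typing import Any, Dict, List

# --- The detection (this is what lives in the repository) ---


def rule(event: Dict[str, Any]) -> bool:
    """Fire on a successful AWS console sign-in that did not use MFA.

    Field names follow the CloudTrail ConsoleLogin record format. Nested
    objects may be null in real records, so each one is defaulted to {}.
    """
    if event.get("eventName") != "ConsoleLogin":
        return False
    response = event.get("responseElements") or {}
    extra = event.get("additionalEventData") or {}
    success = response.get("ConsoleLogin") == "Success"
    mfa_used = extra.get("MFAUsed") == "Yes"
    return success and not mfa_used


def title(event: Dict[str, Any]) -> str:
    """Alert title built from the userIdentity block and the source address."""
    identity = event.get("userIdentity") or {}
    who = identity.get("userName") or identity.get("arn") or "unknown principal"
    return f"Console login without MFA by {who} from {event.get('sourceIPAddress', '?')}"


def severity(event: Dict[str, Any]) -> str:
    """Root sign-ins without MFA are critical; IAM users are high."""
    identity = event.get("userIdentity") or {}
    return "CRITICAL" if identity.get("type") == "Root" else "HIGH"


# --- A minimal runner: evaluate the rule over newline-delimited JSON events ---


def run_detection(raw_events: List[str]) -> List[Dict[str, str]]:
    """Parse each JSON line and return one alert dict per matching event."""
    alerts = []
    for line in raw_events:
        event = json.loads(line)
        if rule(event):
            alerts.append({"title": title(event), "severity": severity(event)})
    return alerts


# --- Constructed sample events (not real log data; account id is AWS's doc example) ---
SAMPLE_EVENTS = [
    json.dumps({"eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "203.0.113.10",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "Yes"}}),        # MFA used: no alert
    json.dumps({"eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
                "sourceIPAddress": "198.51.100.7",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "No"}}),         # root, no MFA: CRITICAL
    json.dumps({"eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "responseElements": {"ConsoleLogin": "Failure"},
                "additionalEventData": {"MFAUsed": "No"}}),         # failed login: no alert
    json.dumps({"eventName": "CreateAccessKey",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),  # other API call: no alert
    json.dumps({"eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "carol"},
                "sourceIPAddress": "192.0.2.55",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "No"}}),         # IAM user, no MFA: HIGH
]


# --- Unit test: the gate a CI/CD pipeline applies before deploying the rule ---


def test_rule() -> bool:
    """Return True when the rule fires exactly on the events it should."""
    alerts = run_detection(SAMPLE_EVENTS)
    expected = [
        ("Console login without MFA by arn:aws:iam::123456789012:root from 198.51.100.7", "CRITICAL"),
        ("Console login without MFA by carol from 192.0.2.55", "HIGH"),
    ]
    return [(a["title"], a["severity"]) for a in alerts] == expected


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["severity"], alert["title"])
    print("tests pass" if test_rule() else "tests FAIL")
```

Because the rule, its tests and its sample events travel together in one module, a pull request that changes the matching logic is reviewed and tested the same way application code is, which is the CI/CD alignment the talk describes.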

Quotes:

  • "In cybersecurity, the software supply chain refers to the series of processes and resources involved in developing, maintaining, and distributing software products."
  • "A software supply chain attack targets vulnerabilities within these interconnected components, potentially compromising the software at any stage from development to delivery."
  • "By injecting malicious code into widely known or widely used projects, attackers can wreak havoc downstream."
  • "Lapsus is a real group that has been making headlines."
  • "Having the right tools in place to detect and respond to these types of threats is very important."
  • "Panther is a cloud-native SIEM. We're built on AWS."
  • "Our focus is on cloud-originated data. This is Panther's bread and butter."
  • "With detection as code, you can send detections to any alert destination whether it be a ticketing system, SOAR platform, even Splunk."
  • "Panther excels at parsing and normalizing petabytes of security data within the security data lake."
  • "Asana reflects on the benefits of detection as code, stating how nice it is to be able to create custom detections for their specific needs and manage them as code."