
Show HN: Panther v1.0 – Open Source, Cloud-Native SIEM - jacknagz
Hey HN,

My name is Jack Naglieri. I’m the founder of Panther Labs - an SF-based cybersecurity startup. Prior to Panther, I was an engineering manager at Airbnb. Before that a security engineer/analyst/forensic analyst.

Today, I’m excited to announce Panther v1.0, an open source, cloud-native SIEM:

[http://github.com/panther-labs/panther](http://github.com/panther-labs/panther)

Teams can use Panther as an alternative to traditional SIEMs like Splunk.

Panther is the culmination of our team’s experience building security tools at scale, including StreamAlert at Airbnb and critical internal monitoring systems at Amazon.

Panther runs entirely on serverless to enable small teams to detect threats at scale. Our backend is Golang and our frontend is React/Typescript. Panther is also self-hosted and uses Python3 for flexible detections.

At a high level:

\- Panther receives security logs

\- Panther baseline scans cloud infra and determines security posture

\- All data is saved to your data warehouse (powered by Athena/Glue/S3)

\- Alerts are dispatched to your team via Slack, PagerDuty, etc

\- Automatic remediations can also be applied to fix infrastructure

Panther v1.0 includes support for:

\- Analyzing logs from AWS, OSS tools such as Osquery, OSSEC, Suricata, and more

\- Threat hunting on all your security data with standardized fields (IPs, domains, etc)

\- Real-time cloud configuration monitoring

\- 150+ built-in detections

\- A UI for creating, updating and tuning detections

To get started:

\- Quick-start: [https://docs.runpanther.io/quick-start](https://docs.runpanther.io/quick-start)

\- Read our v1.0 announcement: [https://blog.runpanther.io/panther-v1-open-source-siem/](https://blog.runpanther.io/panther-v1-open-source-siem/)

\- Register for our webinar tomorrow: [https://webinars.runpanther.io/panther-101](https://webinars.runpanther.io/panther-101)

You can also find us on Slack ([https://panther-labs-oss-slackin.herokuapp.com/](https://panther-labs-oss-slackin.herokuapp.com/)), Twitter (@panther__labs), and Github (github.com/panther-labs/panther).

We’re happy to answer your questions. Just drop a message here.

Thanks!

We also send our best wishes to those affected by COVID-19
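What "Python3 for flexible detections" looks like in practice (this also illustrates the later reply comparing Panther with Graylog): an added example, not Panther's own code, of a detection over a constructed AWS CloudTrail console-login event. The `rule`/`title`/`dedup` function names are assumed to follow Panther's convention, and the tuning choice to skip federated sessions is the example's own.

```python
"""Added example (not Panther's code): a rule(event) -> bool detection over a
constructed CloudTrail event. Function names follow an assumed convention."""
import json

# Constructed sample: a successful console login that did not use MFA.
SAMPLE_EVENT = json.loads("""{
  "eventName": "ConsoleLogin",
  "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::123456789012:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"},
  "sourceIPAddress": "198.51.100.7"
}""")


def rule(event):
    """Alert on a successful console login without MFA.
    Tuning choice: skip federated (AssumedRole) sessions, since CloudTrail may
    report MFAUsed=No for them even when the IdP enforced MFA, which is noise."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    # These nested objects can be null on some records, so guard against None.
    resp = event.get("responseElements") or {}
    extra = event.get("additionalEventData") or {}
    ident = event.get("userIdentity") or {}
    if resp.get("ConsoleLogin") != "Success":
        return False
    if ident.get("type") == "AssumedRole":
        return False
    return extra.get("MFAUsed") != "Yes"


def title(event):
    """Human-readable alert title built from the event itself."""
    ident = event.get("userIdentity") or {}
    return "Console login without MFA by %s from %s" % (
        ident.get("arn", "unknown principal"),
        event.get("sourceIPAddress", "unknown IP"))


def dedup(event):
    """Group repeated alerts for the same principal into one alert."""
    return (event.get("userIdentity") or {}).get("arn", "unknown")
```

Each tuning decision (which identity types to ignore, how to group alerts) lives in reviewable code rather than in a vendor query dialect, which is the point the thread makes about code-based detection.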
======
mbreese
For those of us that didn’t know: SIEM = security information and event
management. Things like analyzing security logs, failed logins, audits, and
much more, I’m sure.

[https://en.wikipedia.org/wiki/Security_information_and_event...](https://en.wikipedia.org/wiki/Security_information_and_event_management)

~~~
chris_st
Thanks! That expansion should really be at the very beginning of the GitHub
README, and as early as possible on the runpanther.io page. Don't drive away
potential customers who don't know your magic phrase.

~~~
jcrawfordor
For what it's worth, the target market for this will all know what SIEM means,
and anyone who doesn't know what SIEM means isn't the target market. To a
certain extent if you explain what it stands for you might have to explain
what it's for and then how to use it... that's probably just beyond the scope
of what they intend in the README.

~~~
chris_st
Okay, you're clearly not a marketer, but maybe try to think like one for a
moment.

What you've said, in effect, is, "Gee, someone came to the site with some
interest (say, from a Hacker News link) but no idea what this secret sauce is.
Screw 'em! Get them out of here!"

Alternatively, if you give them an idea of what they're looking at (and no, I
don't think you have to drill down to every tiny detail on the front page),
maybe they'll realize, "Hey, that's something I should at least look into."

~~~
lawnchair_larry
They shouldn’t look into it though, is the point. He’s not being elitist or
gatekeeping. He’s saying that because managing a SIEM is going to be a huge
waste of resources for anyone but a dedicated incident response team.

I suspect that a layperson might be getting the impression that this
will alert them to security incidents. It will not really do that. It is not
an intrusion detection system (which also are not very useful, but I digress).
It will be 99.9999999% noise, and an experienced team will have a sense of
what they should bother paying attention to, and still spend most of their
time chasing dead ends.

It would be like if someone announced the release of a compiler, without
explaining what a compiler is. Someone might reasonably say, if you don’t know
what a compiler is, this isn’t solving a problem that you’re worried about.

------
Aaronstotle
Congratulations on the launch! Glad to see more options for SIEMs, my
experience is that most of them exist for a compliance checklist rather than
to provide any value for security teams (alert fatigue being the biggest
offender).

~~~
badrabbit
For a checklist, you are better off contracting out a MSSP. If you pay for and
maintain a SIEM, I hope you are extracting value from it.

------
jacknagz
For those who had a pre-release of Panther deployed, check out our release
notes: [https://github.com/panther-labs/panther/releases/tag/v1.0.0](https://github.com/panther-labs/panther/releases/tag/v1.0.0)

We are also available on Slack to help out!

------
eddywebs
Nice work! I wonder how this compares to Graylog, which is another open-source
(quite mature) project. Graylog SIEM looks and feels exactly like the
enterprise SIEM Splunk.

~~~
jacknagz
Thank you! I'd say the biggest difference is that Panther uses Python3 for
detections and SQL/Presto for searching the data. This gives
analysts/engineers more freedom and flexibility to find what they're looking
for.

We also utilize open source or cloud-native transport mechanisms like
fluentd/s3/etc, versus rolling our own.

------
badrabbit
The bane of any SIEM is data ingestion costs. I need to put every log in it
but with cloud, not only do I have to worry about resource costs but also data
bases pricing models for the SIEM license. Imagine I need to ingest data from
500K endpoints including 500K users and their web, IP, DNS, authentication and
endpoint event logs (Sysmon for example). Can I do this for under $6/user
($3M) including support costs? Edit: just a thought here, perhaps on-prem
agents to summarize logs before shipping to cloud storage might help?

Also, since this seems fairly new, do you have SOAR platform integration
already? That's a major selling point these days, I need it to play well with
automation.

Lastly, many have tried and failed to compete with Splunk's query language. Does
this have a query language that can compete? I don't need it to detect threats
out of the box, if I need a SIEM then I also need to rapidly change
correlation logic and for that I need a good query language which is very rare
even with top dollar traditional SIEMs.

~~~
Jedd
It's Apache licenced, so presumably ingest / transit, compute, and storage
costs are whatever you normally pay for them.

~~~
kapilvt
The source licensing here is a mess, AGPL, commercial, etc.
[https://github.com/panther-labs/panther/blob/master/LICENSE](https://github.com/panther-labs/panther/blob/master/LICENSE)

My read of the license file, is there seems to be some purposefully introduced
license confusion and mixing of proprietary/commercial non oss files into the
same repo, which makes it really unclear if this is OSS per OSI definition, if
running git log will taint a contributor.

The compiled binaries assets are available under Apache 2.0, which appears to
be a marketing tactic to capitalize on the name, while being completely
unrelated to the actual source license, aka this is closer to free to use
binary. IANAL but afaics most orgs should talk to a lawyer if they want to use
this as OSS.

moreover this line in the readme also appears to be purposefully sowing
confusion, "Panther is dual-licensed under the AGPLv3 and Apache-2.0
licenses." except they actually appear to redefine the common usage of dual
license, to mean that parts of the code base are selectively licensed one or
the other.

~~~
Jedd
This is great insight, thank you.

I'd originally just looked at the LICENCE.txt file in the top level, thinking
this was presented as a standalone application suite from a single author /
company - so I approached it with certain (perhaps naive) expectations.

------
Papric0re
Nice to see an Open-Source Project in this area. But I don't see the point of
"just another" SIEM. Why is everyone trying to collect, normalize and
trigger on log data?

Logs are probably the worst source one can have. And it's faulty by design. Why
not think of something new? A better source for your data would be something
to start with. Maybe an intelligent infrastructure for data collection could
make it more useful with more relevant data. Only ship relevant data from
relevant sources if additional info is required. Maybe that would be a great
solution. It would at least be something new.

------
willow9886
Clickable repo link here:

[https://github.com/panther-labs/panther](https://github.com/panther-labs/panther)

------
staticassertion
Congrats Jack. Really excited to see where Panther is headed - code based
detection is the future!

~~~
jacknagz
Thank you!! It definitely is the future.

------
soumyadeb
Great to see an open-source alternative to Splunk SIEM!! Thanks for making
this and all the best.

~~~
jacknagz
I'm sure a lot of teams will be excited about something new. We are taking a
more cloud-centric, automation-first, and big data approach that should
alleviate most of the overhead/cost.

------
perryh2
Hi Jack! I worked with you a long time ago. Congrats on the launch!

~~~
jacknagz
Hey! Thank you :)

------
achillean
Congratulations on the launch and the product looks great! Are there plans for
allowing 3rd-party integrations?

~~~
jacknagz
Thanks! What type of integrations? On the input or output side?

------
rob-olmos
Is calling a custom script for an alert notification going to be an Enterprise
level feature?

~~~
jacknagz
Nope, that's available in OSS!

Alerts can deliver to SNS/SQS, which can invoke a Lambda function running your
custom script:

\- [https://docs.runpanther.io/setup/sqs](https://docs.runpanther.io/setup/sqs)

\- [https://docs.runpanther.io/setup/sns](https://docs.runpanther.io/setup/sns)
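The delivery path described in this reply (alert to SNS or SQS, then a Lambda running a custom script), as an added example that is not Panther's own code: one handler that accepts both transports, unwraps the SNS envelope that an SQS subscription without raw delivery receives, and drops malformed or low-severity alerts instead of raising, so one bad message does not trigger endless redelivery. The alert body's field names (`severity`, `ruleId`, `title`) and the rule ids are constructed for the example; the real delivery format is in the linked docs.

```python
"""Added example (not Panther's code): Lambda handler for alerts arriving via
SNS or SQS. Alert field names and rule ids below are constructed assumptions."""
import json
import logging

log = logging.getLogger(__name__)
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample event: one direct SNS record, one SQS record carrying an
# SNS envelope (queue subscribed without raw message delivery), one bad record.
SAMPLE_EVENT = {"Records": [
    {"EventSource": "aws:sns", "Sns": {"Message": json.dumps(
        {"ruleId": "AWS.Console.LoginWithoutMFA", "severity": "high",
         "title": "Console login without MFA"})}},
    {"eventSource": "aws:sqs", "body": json.dumps(
        {"Type": "Notification", "Message": json.dumps(
            {"ruleId": "AWS.S3.BucketPublic", "severity": "low",
             "title": "Bucket made public"})})},
    {"eventSource": "aws:sqs", "body": "not json"},
]}


def extract_messages(event):
    """Yield the raw alert body from each SNS or SQS record of a Lambda event."""
    for rec in event.get("Records", []):
        if rec.get("EventSource") == "aws:sns":       # SNS records: capital E
            yield rec["Sns"]["Message"]
        elif rec.get("eventSource") == "aws:sqs":     # SQS records: lowercase e
            body = rec["body"]
            try:   # unwrap an SNS envelope if the queue lacks raw delivery
                env = json.loads(body)
                if isinstance(env, dict) and env.get("Type") == "Notification":
                    body = env.get("Message", body)
            except ValueError:
                pass
            yield body


def run_custom_script(alert):
    """The custom action; here it returns the line a real script would emit."""
    return "[%s] %s: %s" % (alert["severity"], alert.get("ruleId", "?"),
                            alert.get("title", ""))


def handler(event, context=None, min_severity="HIGH"):
    """Lambda entry point: filter by severity, skip (don't raise on) bad input."""
    actions, skipped = [], 0
    for raw in extract_messages(event):
        try:
            alert = json.loads(raw)
            sev = str(alert["severity"]).upper()
        except (ValueError, KeyError, TypeError):
            log.warning("dropping malformed alert: %.80s", raw)
            skipped += 1
            continue
        if SEVERITY_RANK.get(sev, -1) < SEVERITY_RANK[min_severity]:
            skipped += 1
            continue
        alert["severity"] = sev
        actions.append(run_custom_script(alert))
    return {"handled": len(actions), "skipped": skipped, "actions": actions}
```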

------
tunk
Is this a spinoff of StreamAlert? Any differences between the 2?

~~~
jacknagz
Yes, I was the original core dev of StreamAlert during my time at Airbnb.

I'd say the biggest differences are that Panther:

\- Has a UI-driven workflow (vs CLI)

\- Has an improved design to be more scalable and cost-effective

\- Is written almost entirely in Golang

\- Made a larger investment in the Athena side, allowing data pivoting and
correlation across types

\- Has first-class support for monitoring infrastructure as "resources",
opening up more compliance use cases

We applied a lot of lessons learned from running StreamAlert and from my
team's experiences at Amazon.

~~~
tunk
Thank you!

------
cpard
congrats for the launch. Based on the documentation Panther operates only in
an AWS environment at this point. Are there plans to include also deployments
on GCP?

Thanks!

~~~
jacknagz
Thank you! We are planning to go multi-cloud by either integrating with
Snowflake or pulling the data into a hosted Panther environment.

~~~
cpard
thanks for the quick reply, the choice of Snowflake is interesting. Would you
like to share the reasoning behind it?

~~~
jacknagz
I really like the idea of integrating with shared data-stores! It is a quick
win for going multi-cloud since it's quite challenging to run a complex arch
on multiple clouds. There also isn't great parity yet across them.

------
FanaHOVA
Congrats on the launch Jack & team!

~~~
jacknagz
Thank you!!

------
monabber
Congratulations on the launch!

------
psankar
All the best

------
MassConvert
Epic!

