Cedar Scales Security and Gains Better Visibility with Panther
A modern approach to security operations leveraging detections-as-code.
- Storing and searching rapidly increasing volumes of data
- Mapping alerts to business needs
- Centralizing audit logs and security data
- Normalized data to enhance visibility and improve performance
- Customized alerting with Python
- Centralized security data lake to reduce compliance costs
- Detected new risks that had previously been obfuscated
- Reduced baseline generation from 2 weeks to 1-2 days
- Reduced false positives by 80%
About The Company
Cedar is revolutionizing healthcare technology & patient experience. Cedar combines healthcare, tech, and design to create a seamless financial experience for every patient. Cedar serves more than 10 million patients per year and works with 33 client partners around the United States.
Cedar collects, processes, and stores healthcare and financial information for its customers and partners. The Cedar security team needed to unify data, enhance security monitoring, accelerate business decision-making, and document activities to meet strict compliance mandates.
“Panther has made it easier to test, maintain, and collaborate across our teams. By adopting Python for detections and code-driven workflows for detection management, our team has been able to build better rapport with the product engineering squads who use the same tools and processes – now, our security team uses the same GitHub repo, code editor, continuous integration and testing tools as other teams.”
– Aaron Zollman, CISO, Cedar
Too much data from too many places
Cedar’s security team relied on a combination of traditional SIEM solutions and open-source software to monitor its services, applications, and security controls. However, these failed to support the volume of log data generated from disparate cloud sources and were unable to map back to Cedar’s unique business needs for security, leading to poor performance and incomplete visibility.
Inability to scale with business
As Cedar rapidly grew and evolved, it adopted many new applications and cloud services. Across the organization, Google Workspace (formerly G Suite) became a key collaboration tool, but each team used it differently. The increased IT complexity raised the risk of data breaches and noncompliance.
Scattered storage and diverse data formats
Cedar lacked a centralized source of cloud data, increasing the costs associated with monitoring security and responding to audit requests. The team sought a solution to future-proof its security program that could standardize data formats and act as a single source of record for investigations.
The Solution: Detections-as-Code
Gaining real-time visibility into security risk changes
Cedar leverages Panther Data Models to create universal detections that apply across multiple log types, including custom logs. Cedar configured its AWS CloudTrail to send data to Panther, established an alerting threshold, and pushed alerts to its Slack channel for faster review.
Leveraging Infrastructure-as-code to scale security
Cedar deployed Panther as Infrastructure-as-Code (IaC) to build its logging infrastructure while also reducing the overhead associated with collecting new data from its cloud. By using serverless AWS services such as SQS, S3, and Lambda, Cedar’s security team can ingest and unify new data across multiple cloud accounts and regions.
Creating a security alerting prioritization process
By using Panther to build alerts with Python, Cedar’s team created a repeatable and easy-to-maintain process that enabled consistency across divergent cloud resources. When the security team creates a new detection, a branch from the repository is pushed to source control, and a pull request is opened. When the merge occurs, Cedar’s new detections are automatically pushed to Panther for consistent and reliable deployments.
Applying CI/CD to security and compliance
Using Panther, Cedar can easily build new rules that allow them to continuously iterate their security program. The Panther platform enables Cedar to easily integrate detection management into its CI/CD pipeline for an automated, hands-off approach to deploying new alerts.
Enhancing controls with detection-as-code
Cedar’s team customizes alerts, sets baseline behaviors, and utilizes popular security libraries for enhanced monitoring, detection, and response. The team now manages all of their detections as code in a GitHub repository and uses source control to conduct code review and versioning. Because all of their alert logic is written in Python, the Cedar team can quickly understand the alerts generated, providing better visibility into patterns and greater control over alerting.
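The two ideas above (a Data Model that lets one detection run across several log types, and alert logic written in plain Python with a baseline of expected behaviour) are easiest to see in a concrete rule. The following is an added example, not Cedar's or Panther's own code: it follows the shape of a Panther Python detection (a module-level `rule(event)` returning a bool, with `title(event)` and `severity(event)` helpers) but runs stand-alone. The `p_log_type` field is the one Panther stamps on every event; the `AWS.CloudTrail` and `GSuite.Reports` log type names are used as in Panther; the `DATA_MODELS` mapping is a hypothetical stand-in for a Panther Data Model, and the sample events, account id, ARNs and approved deploy role are all constructed for this example.

```python
"""Added example: one "admin privileges granted" detection across two log types.

Not Cedar's or Panther's code. Mirrors the Panther detection contract
(rule/title/severity) and runs offline on constructed events.
"""
from typing import Any, Dict, List, Tuple

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# (log type, log-native action) pairs that mean "administrative rights granted".
ADMIN_GRANT_ACTIONS = {
    ("AWS.CloudTrail", "AttachUserPolicy"),
    ("AWS.CloudTrail", "AttachRolePolicy"),
    ("GSuite.Reports", "GRANT_ADMIN_PRIVILEGE"),
}

# Baseline behaviour: principals expected to grant privileges, e.g. an IaC
# deploy role (constructed value for this example).
APPROVED_GRANTERS = {"arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"}


def deep_get(obj: Any, *keys: Any, default: Any = None) -> Any:
    """Walk nested dicts/lists by key or list index; return default on any miss."""
    for key in keys:
        if isinstance(obj, dict):
            obj = obj.get(key)
        elif isinstance(obj, list) and isinstance(key, int) and 0 <= key < len(obj):
            obj = obj[key]
        else:
            return default
        if obj is None:
            return default
    return obj


def _gsuite_param(event: Dict[str, Any], name: str) -> Any:
    # Workspace admin events carry their target in a name/value parameter list.
    for param in deep_get(event, "events", 0, "parameters", default=[]):
        if param.get("name") == name:
            return param.get("value")
    return None


# Hypothetical Data Model: map each log type's native fields onto shared names
# so the rule below never touches log-specific keys.
DATA_MODELS = {
    "AWS.CloudTrail": lambda e: {
        "actor": deep_get(e, "userIdentity", "arn"),
        "action": e.get("eventName"),
        "target": deep_get(e, "requestParameters", "userName")
        or deep_get(e, "requestParameters", "roleName"),
        "policy": deep_get(e, "requestParameters", "policyArn"),
        "source_ip": e.get("sourceIPAddress"),
    },
    "GSuite.Reports": lambda e: {
        "actor": deep_get(e, "actor", "email"),
        "action": deep_get(e, "events", 0, "name"),
        "target": _gsuite_param(e, "USER_EMAIL"),
        "policy": None,
        "source_ip": e.get("ipAddress"),
    },
}


def unify(event: Dict[str, Any]) -> Dict[str, Any]:
    model = DATA_MODELS.get(event.get("p_log_type"))
    return model(event) if model else {}


def rule(event: Dict[str, Any]) -> bool:
    """Alert when admin rights are granted by someone outside the baseline."""
    log_type = event.get("p_log_type")
    u = unify(event)
    if (log_type, u.get("action")) not in ADMIN_GRANT_ACTIONS:
        return False
    if log_type == "AWS.CloudTrail" and u.get("policy") != ADMIN_POLICY_ARN:
        return False  # attaching a non-admin policy is not in scope here
    return u.get("actor") not in APPROVED_GRANTERS


def title(event: Dict[str, Any]) -> str:
    u = unify(event)
    return (f"[{event.get('p_log_type')}] admin privileges granted to "
            f"{u.get('target')} by {u.get('actor')} from {u.get('source_ip')}")


def severity(event: Dict[str, Any]) -> str:
    return "HIGH" if event.get("p_log_type") == "AWS.CloudTrail" else "MEDIUM"


# Constructed sample events (not real logs); "p_log_type" is Panther's field.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"p_log_type": "AWS.CloudTrail", "eventName": "AttachUserPolicy",  # alert
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "bob", "policyArn": ADMIN_POLICY_ARN},
     "sourceIPAddress": "203.0.113.10"},
    {"p_log_type": "AWS.CloudTrail", "eventName": "AttachRolePolicy",  # baseline
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"},
     "requestParameters": {"roleName": "ops-admin", "policyArn": ADMIN_POLICY_ARN},
     "sourceIPAddress": "198.51.100.7"},
    {"p_log_type": "AWS.CloudTrail", "eventName": "AttachUserPolicy",  # read-only
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "carol",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
     "sourceIPAddress": "203.0.113.10"},
    {"p_log_type": "GSuite.Reports", "ipAddress": "203.0.113.44",  # alert
     "actor": {"email": "admin@example.com"},
     "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "GRANT_ADMIN_PRIVILEGE",
                 "parameters": [{"name": "USER_EMAIL", "value": "dave@example.com"}]}]},
    {"p_log_type": "GSuite.Reports", "ipAddress": "203.0.113.44",  # ordinary login
     "actor": {"email": "dave@example.com"},
     "events": [{"type": "login", "name": "login_success"}]},
]


def run_detection(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Apply the rule to a batch and return (severity, title) per alert."""
    return [(severity(e), title(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for sev, text in run_detection(SAMPLE_EVENTS):
        print(sev, text)
```

Because the rule reads only the unified fields, adding a third log type means adding one mapping to `DATA_MODELS`, not a new rule; and because the baseline lives in `APPROVED_GRANTERS` next to the logic, a reviewer sees in the same pull request both what is detected and what is deliberately tolerated.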
The Results: A Small But Mighty Security Team
With Panther’s ability to create a unified view of people, processes, and technology, Cedar’s security team created an automated, systematic, repeatable, predictable, and shareable approach to security that improves their overall security posture.