Snowflake's Anvilogic Investment Signals Changes in SIEM Market

Coming on the heels of Cisco buying Splunk, Palo Alto Networks acquiring IBM's QRadar, and LogRhythm merging with Exabeam, Snowflake's investment highlights the ongoing market pressure to improve SOC tools.

Data service provider Snowflake deepened its strategic partnership with cybersecurity-analytics provider Anvilogic this week with a joint offering that could further shake up the security information and event management (SIEM) market.

The two cloud service providers are targeting business customers that already use Snowflake's software-as-a-service (SaaS) offering for data storage and analytics and want to use the stored data and log information for security operations and threat detection. Anvilogic works alongside other SIEM systems, capturing data that those systems typically miss, such as logs produced by cloud services and alerts produced by cloud-security products.

The joint solution will lead to reduced costs — on the order of 50% to 80%, the companies state — and will eventually replace legacy SIEM platforms, says Karthik Kannan, CEO of Anvilogic.

"It's a bit of a changing of the guard, something that both Snowflake and Anvilogic have been expecting for a long time," he says. "We've been building toward this day, for when our type of approach ... will take center stage and kind of start to take some of those old legacies out and replace them for the next decade."

The SIEM market has undergone tremendous changes in the past two years. In August 2022, OpenText agreed to purchase Micro Focus — owner of the well-known ArcSight SIEM platform — for $6 billion. Last September, Cisco announced it would move into the SIEM sector by purchasing Splunk for $28 billion, a deal that was completed in March. Earlier this month, IBM exited the market and sold its QRadar division of SaaS cybersecurity products — which include SIEM capabilities — to Palo Alto Networks, with the two companies agreeing to work together as partners. Neither company divulged how much Snowflake is investing in Anvilogic. (In April, Anvilogic closed a $45 million Series C round, its third funding round, bringing its total funding to $85 million.)

'Cybersecurity Is a Data Problem'

Snowflake and Anvilogic's data-focused partnership makes sense as businesses find themselves awash in data. The average company currently uses only about half of the information available through logs but hopes to track up to 80% in the next few years, according to a survey conducted by consultancy McKinsey.

"We believe firmly that cybersecurity is a data problem," says John Bland, head of cybersecurity strategy at Snowflake. "We've had data volumes explode, and it's hard to get visibility into all the data you need — all your security data and sources you need visibility into — and then it's also hard to retain it and keep it around in a searchable fashion for as long as you need to."

The Anvilogic and Snowflake pairing will likely make sense for companies that are already committed to the data platform, as pairing it with a cybersecurity analytics provider will deliver additional benefits that a standalone SIEM provider might not, says Allie Mellen, principal analyst for security and risk at Forrester Research.

"This is appealing for organizations that are already leveraging the data platform for IT operations, product, or other use cases, as it can help support data consolidation efforts and enable better data governance practices," she says. "However, it is challenging for practitioners to leverage, as it means managing multiple different vendors for different elements of what would traditionally be a single security analytics platform."

Are Monolithic SIEMs Over?

Both Anvilogic and Snowflake argue that the era of monolithic SIEM products is coming to a close. Instead, businesses need to effectively manage their data and provide it to specific use cases, whether that is business intelligence or threat intelligence. With the Anvilogic partnership and its ability to work alongside legacy SIEM systems, Snowflake aims to allow companies to gradually move to a data-centric architecture, Snowflake's Bland says.

"Every customer I've talked to is ready to break up with their legacy SIEM, but they just don't know how," he says. "They've built dashboards and detections over the last five years, or it could be that they feel like they have other competing initiatives and are not sure they want to take the risk of a full 'rip and replace' right now."

The companies also have the benefit of being cloud-native, while many traditional SIEM systems added cloud-based operations only after starting out as appliances or as applications run inside data centers.

With so much of business operations happening in the cloud, non-native cybersecurity platforms are at a disadvantage, says Saryu Nayyar, CEO of rival cybersecurity analytics firm Gurucul.

"Legacy SIEMs are legacy for a reason — there is far better technology available today," she says. "I think that's the root cause behind many of these mergers. In an effort to fill the deficiencies in their SIEM platforms, vendors are mashing together capabilities that weren't designed to work in a unified way and probably won't any time soon."

Yet, while the traditional SIEM market is certainly undergoing a challenging evolution, the major players continue to benefit from a focus on tight integration with third parties and other existing relationships, says Forrester's Mellen.

"Ultimately, it's a matter of trade-offs," she says. "Using a data platform like Snowflake is an opportunity for some enterprises to consolidate business data storage and access. However, it comes with challenges, such as managing the data architecture and leveraging third-party partners for analytics, automation, and data pipeline management."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
