Cybersecurity teams can now use Snowflake as their data platform for a range of critical use cases, making it possible for security teams to deploy a security data lake and unify their security data in one place.
Snowflake's Cybersecurity workload offers customers access to cybersecurity capabilities including security information and event management (SIEM); security orchestration, automation, and response (SOAR); compliance automation; and vulnerability management through connected applications that run on top of their existing Snowflake environment.
Snowflake serves as the security data lake, providing scalable storage, while analytics enable security metrics for live insights into an organization's security posture.
Partners including Hunters, Panther Labs, and Securonix offer security capabilities on top of Snowflake accounts through connected applications, removing the need for the homegrown tools security teams once had to build themselves to operate at scale.
Context Is Key
"Whether it's spotting risky configurations or catching threat actors in the act, security insights depend on available data," explains Omer Singer, Snowflake's head of cybersecurity strategy. "Less obvious is the need for context and cross-source correlation."
He says many risks and attacks cannot be identified just by looking at a single finding or event log, with unified visibility the key to fewer false positives and false negatives.
For example, a vulnerability may have a CVSS score of 8.0 and not be so concerning if it's affecting a test system without Internet access. "The same issue may be super critical, on the other hand, if it affects a publicly facing Web server that handles customer financial transactions," he adds.
Another example is around user deprovisioning, which Singer calls "a real scourge" for many security compliance teams.
"Has access been revoked from all systems for all terminated employees? If not, has a terminated employee taken advantage of their access?" he asks. "It takes unified visibility to answer these questions."
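To make the two correlations Singer describes concrete, here is an added example (not from the article, Snowflake, Hunters, or TripActions) that loads constructed vulnerability findings, an asset inventory, HR terminations, and authentication logs into an in-memory SQLite database and joins them: the same CVSS 8.0 finding is ranked by the exposure of the host it sits on, and successful logins after a termination date are surfaced. Table and column names are assumptions.

```python
import sqlite3

# Constructed sample data, not from the article. One finding with CVSS 8.0 hits
# two hosts; only the asset inventory says which one actually matters.
ASSETS = [  # (host, internet_facing, handles_payments, env)
    ("web-prod-01", 1, 1, "prod"),
    ("qa-box-07", 0, 0, "test"),
]
FINDINGS = [  # (host, vuln_id, cvss); vuln_id is a placeholder label
    ("web-prod-01", "VULN-PLACEHOLDER", 8.0),
    ("qa-box-07", "VULN-PLACEHOLDER", 8.0),
]
TERMINATIONS = [("jdoe", "2024-03-01")]  # (username, terminated_on)
AUTH_EVENTS = [  # (username, system, event_time, outcome)
    ("jdoe", "vpn", "2024-02-20T09:00:00", "success"),
    ("jdoe", "crm", "2024-03-05T13:12:00", "success"),
    ("asmith", "crm", "2024-03-05T14:00:00", "success"),
]

def build_db():
    """Load the constructed tables into an in-memory SQLite 'data lake'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE assets(host, internet_facing, handles_payments, env);
        CREATE TABLE findings(host, vuln_id, cvss);
        CREATE TABLE terminations(username, terminated_on);
        CREATE TABLE auth_events(username, system, event_time, outcome);""")
    conn.executemany("INSERT INTO assets VALUES (?,?,?,?)", ASSETS)
    conn.executemany("INSERT INTO findings VALUES (?,?,?)", FINDINGS)
    conn.executemany("INSERT INTO terminations VALUES (?,?)", TERMINATIONS)
    conn.executemany("INSERT INTO auth_events VALUES (?,?,?,?)", AUTH_EVENTS)
    return conn

def contextual_priorities(conn):
    """Rank findings by joining them with asset exposure, not by CVSS alone."""
    rows = conn.execute("""
        SELECT f.host, CASE
            WHEN a.internet_facing = 1 AND a.handles_payments = 1 THEN 'critical'
            WHEN a.internet_facing = 1 THEN 'high'
            WHEN a.env = 'test' THEN 'low'
            ELSE 'medium' END
        FROM findings f JOIN assets a ON a.host = f.host
        WHERE f.cvss >= 7.0""")
    return dict(rows.fetchall())  # host -> contextual priority

def post_termination_logins(conn):
    """Successful logins by users dated after their HR termination date."""
    return conn.execute("""
        SELECT e.username, e.system, e.event_time
        FROM auth_events e JOIN terminations t ON t.username = e.username
        WHERE e.outcome = 'success' AND e.event_time > t.terminated_on
        ORDER BY e.event_time""").fetchall()
```

Neither question can be answered from the findings table or the auth log alone; each needs the join to the second source.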
Consolidated Data Shows the Whole Picture
Singer explains that Snowflake is enabling an alternative to typical security tools that operate in a silo and place the burden of connecting the dots on overstretched security teams.
"Our customers kept telling us that their traditional SIEM solutions didn't consolidate security logs — the legacy SIEMs actually create silos since their cost for comprehensive ingest and retention is prohibitively high," he says. "The result has been that security teams struggle to achieve necessary prevention, detection, and response outcomes."
Prabhath Karanth, senior director of security, compliance, and trust at TripActions, says that Snowflake has helped the company with log aggregation, better triaging, removing noisy alerts, faster threat detection and response, applying new threat intelligence to data, and continuous compliance.
"All of this ultimately results in better security assurance and building customer trust," Karanth says. He adds that the adoption of the Cybersecurity workload is central to most of the company's data and strategic security initiatives.
"The platform allows us to leverage one single source of truth for multiple use cases," Karanth explained. "It helps us collect all data sources in a centralized location and run analytics on top, both for our business and security use cases."
In addition, integrations with Snowflake partner tools like the autonomous threat monitor Hunters and the compliance program Anecdotes on top of the Snowflake security data lake have helped TripActions further enhance some security use cases.
The Importance of Compliance
On the security compliance side, Karanth says TripActions is looking to achieve near-real-time controls automation using Snowflake's Cybersecurity workload and continuous compliance.
"We push all security tooling data into Snowflake data lake," he says. "This includes tools like cloud security posture management, application security posture management, and endpoint security tooling. Most of the compliance controls belong to one of these domains."
He adds that the company can get a unified view of the controls posture to meet compliance requirements like SOC2, ISO, PCI, and others by integrating with Anecdotes.
"This helps us identify control effectiveness from an audit perspective, quicker metrics reporting to leadership, and remediation activities," he says. "From a threat detection and response standpoint, again security tooling is the basis for all of this."
Karanth explains that the deviation from the desired state of assets can be identified from the data the platform collects, and integrations with autonomous tools like Hunters help his company respond with corrective action in a timely manner using custom-built and prebuilt alerts.
"Our ultimate goal as a security team is to enable our business and protect our customers' data," he says. "The need of the hour is to enable our business and at the same time reduce risk. We need to protect our customers' travel data both from a security and privacy perspective. We take customer trust very seriously. It's the foundation for how we do business."