Powerful Use Cases for Cloud Security with Snowflake and Orca

Introduction:

Organizations across all industries are struggling to keep up with multi-cloud complexity that has expanded their attack surface beyond the traditional network perimeter. To address these concerns, the Snowflake IT and Corporate Security team used Orca Security’s Cloud Security Posture Management platform to identify vulnerabilities, malware and misconfigurations in our enterprise cloud environment. We started this journey when we were hit with the Log4j vulnerability (CVE-2021-44228) and had to urgently identify and patch vulnerable assets.

Orca’s contextualization of cloud security risks, and its approach to delivering features that map out the darker corners of cloud environments (APIs, domains and identity), were key factors in partnering with them. Orca lets us prioritize risks to our enterprise more efficiently, and as the partnership has evolved, new ways for Snowflake customers to benefit from it have emerged.

This blog covers the Snowflake security data lake architecture, the operational improvements we’ve seen in triaging vulnerabilities, misconfigurations and headline CVE events, and our vision for using Orca-generated datasets to build business-specific analytics on a Snowflake security data lake.

Orca to Snowflake Integration Architecture

Before the Snowflake Connected Application was available, we configured an API integration to an ETL pipeline in which Orca alerts were transformed and loaded into our Snowflake account. The Connected Application model now lets Orca connect directly to a Snowflake account and handles the data ingestion automatically.

Snowflake and Orca partnered on a connected application option that lets Snowflake customers receive their Orca alerts and cloud provider logs with no additional transformation required for a relational representation. Orca also provides an integration option for ingesting customized alerts and reports from Sonar, its inventory query feature. This path requires a customer-owned cloud storage resource, such as an S3 bucket, configured as an external stage in Snowflake.

This custom data requires additional modeling to produce relational tables, but it creates powerful opportunities for downstream analysis. Today we have configured Orca to send data to Snowflake both ways.

The diagram below represents the two approaches for data ingestion available to all customers today:

  1. Connected App — Orca delivers Alerts and Cloud Provider Log data directly into ready-to-query Relational Tables in Snowflake.
  2. Customer’s External Stage to Snowpipe — Orca customized alerts and inventory reports are ingested into Snowflake via Snowpipe from a customer-owned S3 bucket. An S3 bucket policy grants Orca’s backend the IAM permissions to generate these reports and write the JSON output to the storage destination configured in the Orca UI.
Orca to Snowflake Integrations

Integrating raw security tool data into a security data lake is a relatively new concept in the security industry, and features for ingesting customizable reports from those same tools are even more recent. Even though ingesting custom reports requires additional configuration and modeling by the customer, it enables security specialists to generate multi-cloud datasets with precise, contextualized information for the data analytics team to build on.

Operationalizing Orca data within Snowflake

With Orca extending its contextualized cloud data beyond the confines of its own platform, Snowflake users can now use some of the best cloud security insights available to drive visibility and analysis of their own cloud security posture right alongside existing datasets.

The diagram below highlights how Snowflake’s Corporate Security team integrates Orca alerts with our Threat Detection team’s rules engine to operationalize this data. Raw Orca data from the security lake is organized into logical data marts and fed into our Threat Detection and Violations engine. This system lets us categorize Orca findings into Alerts, which require triage and escalation, and Violations, which are tracked but don’t require the same immediacy. Both automatically create ServiceNow tickets in a standardized format and feed into dashboards built in Snowsight or your preferred BI tool.

With Streamlit entering private preview on Snowflake, our security teams can prototype interactive data applications and machine learning insights entirely within the Snowflake ecosystem.

Threat Detection Rules Engine

The key benefits we’ve seen from our integration thus far are as follows:

1. Centralized Ticketing from Snowflake to ServiceNow to standardize Security Tool findings

While Orca supports ServiceNow integration natively, our threat detection and violations engine can apply additional logic to determine how a ticket is categorized and delivered to ServiceNow from Snowflake. Standardizing how we deliver security findings to ServiceNow keeps us consistent across security tools. As a result, we can report security insights on an individual application, team or cost center basis across the company.
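An added example of the rules layer described in the rules engine section and in this ticketing point. It is not the Snowflake team’s engine and not Orca’s Connected App schema: the orca_alerts columns, the routing thresholds and the sample rows are assumptions, and the step that actually posts the payload to ServiceNow is outside the example.

```sql
-- Added example: routing Orca findings into Alerts (triage now) or Violations
-- (tracked, lower urgency) and emitting one standardized ticket payload per
-- finding. Table, columns, thresholds and rows are assumptions, not the
-- Connected App's real schema.
CREATE OR REPLACE TABLE orca_alerts (
  alert_id           STRING,
  alert_type         STRING,        -- 'vulnerability' | 'malware' | 'misconfiguration'
  severity           STRING,        -- 'critical' | 'high' | 'medium' | 'low'
  asset_id           STRING,
  asset_name         STRING,
  cloud_account      STRING,
  is_internet_facing BOOLEAN,
  cve_id             STRING,
  state              STRING,        -- 'open' | 'closed'
  first_seen         TIMESTAMP_NTZ
);

-- Constructed sample findings.
INSERT INTO orca_alerts VALUES
  ('a1','vulnerability',   'critical','i-0aaa', 'web-edge-1', 'prod-123',TRUE, 'CVE-2021-44228','open',  '2021-12-10 09:00:00'),
  ('a2','vulnerability',   'critical','i-0bbb', 'batch-7',    'prod-123',FALSE,'CVE-2021-44228','open',  '2021-12-10 09:05:00'),
  ('a3','malware',         'high',    'i-0ccc', 'ci-runner',  'dev-456', FALSE,NULL,            'open',  '2021-12-11 14:20:00'),
  ('a4','misconfiguration','medium',  'sg-0ddd','open-ssh-sg','dev-456', TRUE, NULL,            'open',  '2021-12-01 08:00:00'),
  ('a5','misconfiguration','low',     'bkt-eee','logs-bucket','prod-123',FALSE,NULL,            'closed','2021-11-20 08:00:00');

-- Routing rules, evaluated top to bottom. Active malware, anything critical,
-- or a high finding on an internet-facing asset needs a human now; everything
-- else is tracked as a Violation. Closed findings never produce a ticket.
CREATE OR REPLACE VIEW orca_findings_routed AS
SELECT
  alert_id, alert_type, severity, asset_name, cloud_account, cve_id, first_seen,
  CASE
    WHEN alert_type = 'malware'                   THEN 'ALERT'
    WHEN severity = 'critical'                    THEN 'ALERT'
    WHEN severity = 'high' AND is_internet_facing THEN 'ALERT'
    ELSE 'VIOLATION'
  END AS routing,
  -- public-facing assets sort first inside either queue
  IFF(is_internet_facing, 1, 2) AS priority
FROM orca_alerts
WHERE state = 'open';

-- The same payload shape is used for every tool feeding the lake, so
-- downstream reporting by application, team or cost center stays uniform.
CREATE OR REPLACE VIEW servicenow_ticket_payloads AS
SELECT
  OBJECT_CONSTRUCT(
    'source',            'orca',
    'source_id',         alert_id,
    'category',          routing,
    'priority',          priority,
    'short_description', '[' || routing || '] ' || alert_type || ' on ' || asset_name
                         || IFF(cve_id IS NULL, '', ' (' || cve_id || ')'),
    'cloud_account',     cloud_account,
    'first_seen',        first_seen
  ) AS ticket
FROM orca_findings_routed;

SELECT ticket FROM servicenow_ticket_payloads
ORDER BY ticket:priority::INT, ticket:category::STRING;
```

With the constructed rows, the two critical Log4j findings and the malware hit route to ALERT, the internet-facing medium misconfiguration becomes a VIOLATION that still carries priority 1, and the closed finding produces nothing. Adding a new source tool means writing one more view that emits the same OBJECT_CONSTRUCT shape, not changing the ServiceNow side.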

The chart below shows tickets cut for a single business application across separate security domains and tools. Seeing all of an application’s security findings in one chart lets the CorpSec team identify areas that need attention, such as focused security training or process evaluation.

Aggregating Security Tool Finding by Application

When projects are initiated to address those weaknesses, Orca’s custom cloud reports let us drill into the details and surface the data relevant to that initiative.

2. Improved project visibility via Snowsight and integrated BI Apps

While Orca provides a rich dashboard for alerts and cloud asset insights, dashboard proliferation across separate security tools becomes frustrating when every insight requires access to a new tool. Cross-functional teams need to know the status of our initiatives to improve security, not high-level reports of every issue the tool has enumerated. By using the Snowpipe integration to ingest customized cloud inventory reports from Orca, we can build Snowsight dashboards that visually communicate the impact of our security initiatives while they are underway.

For example, with a simple Sonar query in Orca we can run a custom report against our cloud inventory and export it to Snowflake to track the status of our project to install a security agent across our cloud fleet. With the help of our security analytics team, we can quickly build a project dashboard from these daily reports that reflects progress throughout the initiative.

Compute with State = "running" and DistributionName and CloudAccount and RunningServices with Name like "*Insert Agent Name*"

Dashboard to Track Agent Installation using a Custom Orca Report

The dashboard above is an example of how one custom Orca report can be used to visualize the status of an effort to install an agent-based service across the entire cloud VM fleet. Centralized dashboards in Snowsight and integrated BI tools let the Snowflake security team model cloud security data and chart trends on key initiatives.
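As an added example, not code from this post or from Orca, here is how the External Stage to Snowpipe path from the architecture section, the relational modeling that path requires, and the coverage query behind a dashboard like the one above could be set up in Snowflake. The bucket, IAM role, object names, the JSON shape of the Sonar export and the agent’s service name (example-agent) are all assumptions, and the sample rows are constructed so the script runs without the pipe having fired.

```sql
-- Added example: customer-owned S3 bucket -> external stage -> Snowpipe ->
-- raw VARIANT table -> relational view -> agent-coverage query.
-- Bucket, role, object names, JSON shape and agent name are assumptions.

-- 1. Trust the customer-owned bucket. The integration holds the IAM role that
--    Snowflake assumes; the bucket policy that lets Orca's backend write the
--    reports is configured on the AWS side and is not shown here.
CREATE OR REPLACE STORAGE INTEGRATION orca_s3_int
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'S3'
  ENABLED = TRUE
  STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/snowflake-orca-reader'
  STORAGE_ALLOWED_LOCATIONS = ('s3://example-orca-reports/sonar/');

CREATE OR REPLACE STAGE orca_sonar_stage
  URL = 's3://example-orca-reports/sonar/'
  STORAGE_INTEGRATION = orca_s3_int
  FILE_FORMAT = (TYPE = JSON STRIP_OUTER_ARRAY = TRUE);

-- 2. Landing table: one VARIANT row per exported asset plus load metadata.
CREATE OR REPLACE TABLE orca_sonar_raw (
  record    VARIANT,
  file_name STRING,
  loaded_at TIMESTAMP_NTZ DEFAULT CURRENT_TIMESTAMP()
);

-- 3. Snowpipe with auto-ingest. The bucket's S3 event notification must target
--    the SQS queue reported as notification_channel by DESC PIPE orca_sonar_pipe.
CREATE OR REPLACE PIPE orca_sonar_pipe AUTO_INGEST = TRUE AS
  COPY INTO orca_sonar_raw (record, file_name)
  FROM (SELECT $1, METADATA$FILENAME FROM @orca_sonar_stage)
  ON_ERROR = 'CONTINUE';

-- 4. Constructed records standing in for two daily exports.
INSERT INTO orca_sonar_raw (record, file_name, loaded_at)
SELECT PARSE_JSON(column1), column2, column3::TIMESTAMP_NTZ FROM VALUES
  ('{"AssetUniqueId":"i-0a1","Name":"web-1","State":"running","DistributionName":"Ubuntu 22.04","CloudAccount":{"Name":"prod-123"},"RunningServices":[{"Name":"sshd"},{"Name":"example-agent"}]}', 'sonar-2022-06-01.json', '2022-06-01 06:00:00'),
  ('{"AssetUniqueId":"i-0a2","Name":"web-2","State":"running","DistributionName":"Ubuntu 22.04","CloudAccount":{"Name":"prod-123"},"RunningServices":[{"Name":"sshd"}]}',                          'sonar-2022-06-01.json', '2022-06-01 06:00:00'),
  ('{"AssetUniqueId":"i-0a1","Name":"web-1","State":"running","DistributionName":"Ubuntu 22.04","CloudAccount":{"Name":"prod-123"},"RunningServices":[{"Name":"sshd"},{"Name":"example-agent"}]}', 'sonar-2022-06-02.json', '2022-06-02 06:00:00'),
  ('{"AssetUniqueId":"i-0a2","Name":"web-2","State":"running","DistributionName":"Ubuntu 22.04","CloudAccount":{"Name":"prod-123"},"RunningServices":[{"Name":"sshd"},{"Name":"example-agent"}]}', 'sonar-2022-06-02.json', '2022-06-02 06:00:00'),
  ('{"AssetUniqueId":"i-0b1","Name":"ci-1","State":"running","DistributionName":"Amazon Linux 2","CloudAccount":{"Name":"dev-456"},"RunningServices":[]}',                                           'sonar-2022-06-02.json', '2022-06-02 06:00:00');

-- 5. Relational model: one row per (asset, running service). Field names follow
--    the Sonar query in the post; the nesting is assumed. OUTER => TRUE keeps
--    VMs with no services so they still count in the denominator.
CREATE OR REPLACE VIEW orca_compute_services AS
SELECT
  TO_DATE(r.loaded_at)                AS report_date,
  r.record:CloudAccount.Name::STRING  AS cloud_account,
  r.record:AssetUniqueId::STRING      AS asset_id,
  r.record:Name::STRING               AS asset_name,
  r.record:State::STRING              AS state,
  r.record:DistributionName::STRING   AS distribution,
  svc.value:Name::STRING              AS service_name
FROM orca_sonar_raw r,
     LATERAL FLATTEN(INPUT => r.record:RunningServices, OUTER => TRUE) svc;

-- 6. Dashboard query: per report day and cloud account, the share of running
--    VMs on which the (assumed) agent service is present.
SELECT
  report_date,
  cloud_account,
  COUNT(DISTINCT asset_id)                                                  AS running_vms,
  COUNT(DISTINCT IFF(service_name ILIKE '%example-agent%', asset_id, NULL)) AS vms_with_agent,
  ROUND(100.0 * vms_with_agent / running_vms, 1)                            AS pct_covered
FROM orca_compute_services
WHERE state = 'running'
GROUP BY report_date, cloud_account
ORDER BY report_date, cloud_account;
```

The final query is the whole dashboard: each daily Sonar export adds a new report_date, so a line chart of pct_covered per cloud_account shows rollout progress without any further modeling. Because the raw JSON stays in orca_sonar_raw, a later initiative (for example, retiring an old distribution) is a new view over the same landing table rather than a new ingestion path.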

Going beyond analytics, Orca has also transformed our response speed and prioritization during major CVE events by taking the guesswork out of triaging impacted resources with its CISA Alert feature.

3. Managing High-Profile CVE Events

Orca makes prioritizing vulnerabilities straightforward for security teams. Our first major success in operationalizing Orca alerts was the embedded CISA alert panel, which contains precompiled reports on all cloud assets affected by a trending CVE.

Orca CISA Alert Panel

Not only did this shave days off the time to complete a full impact assessment for CVE-2021-44228, it also provided the context needed to prioritize remediation of all public-facing cloud resources first. Now that Orca’s Connected App is available, these alerts give us a foundation for turning reactive events into prepared responses. With the sharp rise in CVEs, web applications and regulatory fines for cyber negligence, having a system in place to triage and respond to these events in the cloud has become a critical business function.

Vulnerability Quantity Tripled Since 2016 (Source: NVD-CVSS)

Now that alert data syncs automatically to Snowflake, we are exploring opportunities in our cybersecurity ecosystem to deliver comprehensive CVE assessments across multiple asset domains using data from CrowdStrike, ServiceNow, Tenable and other enterprise datasets. Orca’s Connected App populates the CISA Alert Panel data in Snowflake with all impacted resources grouped under the CVE. Knowing that Orca data will be there shortly after a headline CVE breaks lets us feed it directly into dashboards and turn our focus to the logic needed to join it with data from other security tools.
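As an added example, not the Snowflake team’s query and not any vendor’s real schema, this is the kind of cross-tool assessment described above for one CVE: Orca alert rows joined with a CMDB export and an endpoint scanner feed, so that assets seen by only one source still appear and public-facing cloud assets sort first. Every table, column and row here is a constructed assumption.

```sql
-- Added example: cross-tool impact assessment for a single headline CVE.
-- orca_cve_alerts stands in for the Connected App's alert rows, cmdb_assets for
-- a ServiceNow CMDB export, endpoint_vulns for an EDR or scanner feed. All of
-- these names, columns and rows are assumptions.
CREATE OR REPLACE TABLE orca_cve_alerts (
  asset_id STRING, asset_name STRING, cloud_account STRING,
  is_internet_facing BOOLEAN, cve_id STRING
);
CREATE OR REPLACE TABLE cmdb_assets (
  hostname STRING, cloud_instance_id STRING, owner_team STRING, app_name STRING
);
CREATE OR REPLACE TABLE endpoint_vulns (
  hostname STRING, cve_id STRING, agent_seen_at TIMESTAMP_NTZ
);

-- Constructed rows. web-9 is in Orca but missing from the CMDB; jump-2 is an
-- on-prem host the endpoint feed sees but Orca never will.
INSERT INTO orca_cve_alerts VALUES
  ('i-0a1','web-1',  'prod-123',TRUE, 'CVE-2021-44228'),
  ('i-0a2','batch-3','prod-123',FALSE,'CVE-2021-44228'),
  ('i-0a3','web-9',  'prod-123',TRUE, 'CVE-2021-44228');
INSERT INTO cmdb_assets VALUES
  ('web-1.corp.example',  'i-0a1','platform','storefront'),
  ('batch-3.corp.example','i-0a2','data',    'nightly-etl'),
  ('jump-2.corp.example', NULL,   'it-ops',  'bastion');
INSERT INTO endpoint_vulns VALUES
  ('web-1.corp.example', 'CVE-2021-44228','2021-12-11 02:00:00'),
  ('jump-2.corp.example','CVE-2021-44228','2021-12-11 02:05:00');

-- Each source is mapped onto a common asset key (CMDB hostname where known,
-- otherwise the source's own name) and then unioned, so a gap in either tool
-- shows up instead of silently dropping a host.
CREATE OR REPLACE VIEW cve_impact_assessment AS
WITH sightings AS (
  SELECT o.cve_id,
         COALESCE(c.hostname, o.asset_name) AS asset_key,
         o.asset_id, c.owner_team, c.app_name, o.is_internet_facing,
         TRUE AS seen_by_orca, FALSE AS seen_by_endpoint
  FROM orca_cve_alerts o
  LEFT JOIN cmdb_assets c ON c.cloud_instance_id = o.asset_id
  UNION ALL
  SELECT e.cve_id, e.hostname,
         c.cloud_instance_id, c.owner_team, c.app_name, NULL,
         FALSE, TRUE
  FROM endpoint_vulns e
  LEFT JOIN cmdb_assets c ON c.hostname = e.hostname
)
SELECT
  cve_id,
  asset_key,
  MAX(asset_id)                                      AS cloud_instance_id,
  MAX(owner_team)                                    AS owner_team,
  MAX(app_name)                                      AS app_name,
  BOOLOR_AGG(seen_by_orca)                           AS seen_by_orca,
  BOOLOR_AGG(seen_by_endpoint)                       AS seen_by_endpoint,
  BOOLOR_AGG(COALESCE(is_internet_facing, FALSE))    AS internet_facing,
  CASE
    WHEN internet_facing THEN 1   -- public-facing cloud asset: remediate first
    WHEN seen_by_orca    THEN 2   -- internal cloud asset
    ELSE                      3   -- not in Orca: non-cloud or unmonitored
  END                                                AS remediation_tier
FROM sightings
GROUP BY cve_id, asset_key;

SELECT * FROM cve_impact_assessment
WHERE cve_id = 'CVE-2021-44228'
ORDER BY remediation_tier, asset_key;
```

On the constructed rows the result lists the two public-facing cloud hosts first, the internal batch host second, and the bastion last with seen_by_orca = FALSE, which is exactly the row an all-cloud view would have hidden. The seen_by_orca and seen_by_endpoint flags double as a coverage check: a cloud instance that Orca reports but the endpoint feed has never seen is a host without a working agent, which is its own finding.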

As a cloud-first enterprise, this solved a major problem in understanding the full scope of impact and made cloud resources the easiest category of asset to identify in these situations. Looking ahead, there are many more ways to use Orca’s cloud data with additional integrations in our cybersecurity ecosystem.

Modernizing Cybersecurity Analytics

Cybersecurity Ecosystem in Snowflake

Security teams haven’t been getting the same value from analytics as other parts of the business because our tooling ecosystem has historically confined data analysis to the individual tool. Orca data, combined with Snowflake’s ecosystem of integrated business intelligence tools and third-party security data, can play a key role in building a holistic view of a company’s cloud attack surface while also enabling business-specific insights into cloud applications and ongoing initiatives.

Efforts to enrich this data with additional insights are still being organized. Even so, the availability of contextualized cloud data in Snowflake has generated excitement across teams eager to explore use cases, because this level of granular cloud data previously required exhaustive internal effort to produce.

Orca continues to build or acquire capabilities beyond posture management, such as API and domain monitoring and identity entitlements, which significantly expand insight into the shifting perimeters of cloud-first enterprises. Being able to analyze an ecosystem of third-party cyber intelligence data is becoming less of a luxury and more of a necessity as businesses extend their internal networks to encompass cloud resources.

Conclusion

Leadership needs a quantifiable understanding of how their corporate security landscape shifts as they embrace cloud solutions. By partnering to make Orca’s cloud security data easy to sync, Snowflake customers can analyze their cloud data with the same analytical lens they use to drive other business decisions, and Orca customers are now one conversation away from exploring how we can help amplify that value for their company as well.

Orca’s security platform and partnership efforts have had an immediate impact on the evolution of our corporate cloud security strategy. Our ability to identify malware, misconfigurations and vulnerabilities in our corporate cloud environment has improved significantly. By further building on our cybersecurity ecosystem, we have integrated Orca with Snowflake threat detection logic and centralized ticketing automation, and improved how we visually communicate insights into ongoing cloud initiatives.
