Snowflake’s Humble Role in the New Security Stack
As security data lakes become established as best practice and The Great Splunk Unbundling accelerates, what will be the role of data platforms like Snowflake? The new security stack won’t look like the vertically integrated SIEMs of the past. The data platform will play a humble but essential role supporting specialized solutions in an ecosystem that delivers better security, lower costs and more automation.
Centralization is a Big Data Problem
A number of trends have pushed security architectures to extreme fragmentation. The shift to cloud infrastructure, which is highly instrumented and generates logs for every little thing, results in a ten-fold increase in machine data. The move from endpoint antivirus like McAfee and Symantec to EDR agents like CrowdStrike and Osquery means having not just alerts but a complete “flight recorder” on every server and laptop. These data sources are prohibitively expensive to centralize in a SIEM like Splunk.
SIEM sticker shock is a symptom of a legacy architecture that limits security teams across multiple dimensions, including daily ingest volume and retention time. Security architects must work around these limits, mainly by carving out silos where the data may be considered accessible, at least in theory. If you want to ruin their morning, ask a security architect what it would take, under their incident response plan, to investigate a suspected breach going back nine months.
Achieving centralization is crucial not just for effective incident response but for automation at any scale. Small security teams need automation because each member wears many hats and the business is growing quickly. Large security teams deal with complexity, sophisticated threats and audit requirements that call for automation to an even greater degree. Nasir Khan, Divisional CISO at Capital One, recently posted that automation before centralization leads to chaos instead of solutions.
The fragmentation caused by the limitations of dedicated SIEMs makes them the nemesis of centralization and a blocker to automation. But it also underscores the challenge posed by so many terabytes and petabytes of security data. Centralization itself is a big data problem, and one that only platforms like Snowflake can solve.
99 Problems
But here’s where the new security stack diverges from the vertically integrated SIEM. Just enabling analytics at scale is a full-time job. Data volumes continue to grow exponentially while increasingly sophisticated security analysts demand new platform features like smart indexes, relationship graphs, lower latency, more languages… there are many years of work to be done just at the data platform level.
Keep in mind that Snowflake supports analytics across departments and verticals like sales, marketing, finance, health care, retail and others. Can one company solve all problems for all use cases? Of course not. From the outset, Snowflake has emphasized the importance of complementary solutions in areas like ETL, BI, CDC and ML.
Cybersecurity is no different. As a challenging field where even veterans like FireEye struggle to stay ahead of the bad guys, security analytics can only be tackled as a team effort. Consider integrations, where log data must be pulled from dozens of sources and normalized to a common event schema. Or a rules engine, where similar detections are deduplicated and enriched before paging the on-call analyst at 2am. Even BI tools, while suitable for security reporting, should be augmented with an analyst experience tailored to incident response and threat hunting.
Security teams must leverage solutions with cyber DNA to tap into the potential of Snowflake as a security data lake.
Building on a Unified Data Layer
Solutions like Panther and Hunters in threat detection, Vulcan Cyber in vulnerability management, and anecdotes in compliance automation all plug into a unified data layer within the customer’s Snowflake. Data and insights from one solution can feed into another while the security team develops custom analytics for detection, response, metrics and automation without having to start from scratch. This architecture takes the vertically integrated components of the SIEM and breaks them up into three distinct parts tied together by data: the data platform, the specialized solutions, and the security team’s own analytics.
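The following is an added example, written for this article rather than taken from Snowflake, Panther or any other vendor’s code, of what the unified data layer above and the integration and rules-engine passages in the previous section look like in Snowflake SQL. Every table, view and column name is an assumption, the identity mapping for sshd users is an assumed convention standing in for a real mapping table, and the log records are constructed: alice fails three times at the identity provider from one address and then succeeds over SSH from the same address, while bob has a single failure followed by a success.

```sql
-- Added example: a unified data layer in Snowflake SQL. All table, view and
-- column names, and every sample record, are constructed for illustration.

-- 1. Raw landing tables: each source keeps its native shape as VARIANT.
CREATE OR REPLACE TABLE raw_idp_logs (payload VARIANT);   -- identity-provider style
CREATE OR REPLACE TABLE raw_ssh_logs (payload VARIANT);   -- sshd style

-- Constructed sample records (not real logs). PARSE_JSON is not allowed in a
-- bare VALUES clause, hence INSERT ... SELECT.
INSERT INTO raw_idp_logs SELECT PARSE_JSON($1) FROM VALUES
  ('{"ts":"2023-05-01T02:01:00Z","outcome":"FAILURE","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"}}'),
  ('{"ts":"2023-05-01T02:01:20Z","outcome":"FAILURE","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"}}'),
  ('{"ts":"2023-05-01T02:01:45Z","outcome":"FAILURE","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"}}'),
  ('{"ts":"2023-05-01T02:05:00Z","outcome":"FAILURE","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}'),
  ('{"ts":"2023-05-01T02:05:30Z","outcome":"SUCCESS","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.9"}}');

INSERT INTO raw_ssh_logs SELECT PARSE_JSON($1) FROM VALUES
  ('{"ts":"2023-05-01T02:03:00Z","result":"Accepted","user":"alice","rhost":"203.0.113.7","host":"bastion-01"}');

-- 2. Common event schema: both sources are normalized into one view.
--    The actor mapping (sshd local user + '@example.com') is an assumption
--    standing in for a real identity-mapping table.
CREATE OR REPLACE VIEW security_events AS
SELECT payload:ts::TIMESTAMP_NTZ                                               AS event_time,
       'idp'                                                                   AS source,
       IFF(payload:outcome::STRING = 'SUCCESS', 'auth_success', 'auth_failure') AS event_type,
       LOWER(payload:actor.alternateId::STRING)                                AS actor,
       payload:client.ipAddress::STRING                                        AS src_ip,
       NULL::STRING                                                            AS host,
       payload                                                                 AS raw
FROM raw_idp_logs
UNION ALL
SELECT payload:ts::TIMESTAMP_NTZ,
       'sshd',
       IFF(payload:result::STRING = 'Accepted', 'auth_success', 'auth_failure'),
       LOWER(payload:user::STRING) || '@example.com',
       payload:rhost::STRING,
       payload:host::STRING,
       payload
FROM raw_ssh_logs;

-- 3. Detection written once against the common schema, so it correlates
--    across sources: a success preceded by at least 3 failures from the
--    same address for the same actor within the prior 10 minutes.
CREATE OR REPLACE VIEW det_auth_failures_then_success AS
SELECT s.actor, s.src_ip, s.host, s.source AS success_source,
       s.event_time AS success_time,
       COUNT(*)     AS failures_in_prior_10m
FROM security_events s
JOIN security_events f
  ON  f.actor = s.actor
  AND f.src_ip = s.src_ip
  AND f.event_type = 'auth_failure'
  AND f.event_time BETWEEN DATEADD(minute, -10, s.event_time) AND s.event_time
WHERE s.event_type = 'auth_success'
GROUP BY s.actor, s.src_ip, s.host, s.source, s.event_time
HAVING COUNT(*) >= 3;

-- 4. Enrich from another solution's data (an asset inventory that lives in
--    the same Snowflake account) and deduplicate before anything pages the
--    on-call analyst: one alert per actor/source-IP per hour, earliest hit kept.
CREATE OR REPLACE TABLE asset_inventory (host STRING, owner STRING, criticality STRING);
INSERT INTO asset_inventory VALUES ('bastion-01', 'platform-team', 'high');

CREATE OR REPLACE VIEW alerts_to_page AS
SELECT d.actor, d.src_ip, d.host, d.success_source, d.success_time,
       d.failures_in_prior_10m,
       a.owner,
       COALESCE(a.criticality, 'unknown') AS criticality
FROM det_auth_failures_then_success d
LEFT JOIN asset_inventory a ON a.host = d.host
QUALIFY ROW_NUMBER() OVER (
    PARTITION BY d.actor, d.src_ip, DATE_TRUNC('hour', d.success_time)
    ORDER BY d.success_time) = 1;

SELECT * FROM alerts_to_page ORDER BY success_time;
```

Each view stands in for something a dedicated SIEM does internally: the normalization layer is what an integration vendor would maintain, the detection view is what a detection vendor or the in-house team would write, and the enrichment and deduplication view is the rules-engine step that decides whether a page goes out. Because all of it is ordinary tables and views in the customer’s account, any tool that can read Snowflake can consume the alerts or contribute enrichment data without a point-to-point integration; scheduling the final query with a Snowflake task and routing its rows to a pager is left out here.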
Does this approach mean more complexity, integration headaches and ballooning costs? Not at all. If the status quo has taught us anything, it’s that there are no silver bullets and no single vendor can fix cybersecurity. Instead, specialization is the only way to achieve solutions that deliver on their promise. Integrations are easier in the Data Cloud, where there are no point-to-point APIs to build because each solution reads and writes the same tables and can benefit from the work of all the others. And with typical savings exceeding 80%, cloud-native data platforms free up budget that can more than cover several specialized solutions.
This message is meant for security leaders and Snowflake account executives alike. As you’re considering how Snowflake can help address the shortcomings and overages of dedicated SIEM solutions, don’t repeat the mistakes of past security architectures. Don’t plan to “start with just Snowflake, then check out some partners.” Be humble and embrace the new security stack where each part does what it can do better than anyone else.