Snowflake this week during the RSA Conference announced its Snowflake Data Cloud, which aims to help cybersecurity teams break down data silos to enable better visibility, deliver advanced analytics that remove manual processes, and give security teams a clear picture of evolving risks and threats coming their way.
Today, customers such as Dropbox, TripActions, Figma, Netgear, Clari, and many others — including Snowflake’s security team — run their cybersecurity workloads and use cases with Snowflake.
Aside from providing a single, unified location for an organization’s security data and letting the team run powerful analytics with SQL and Python, Snowflake has also built an ecosystem of connected applications that lets customers bring full-featured security capabilities from leading vendors to their data in the Snowflake Data Cloud. These applications offer off-the-shelf capabilities for various use cases, from SIEM and vulnerability management to compliance automation and third-party risk management.
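To make the "analytics with SQL" point concrete, here is an added example that is not Snowflake's code and not from the original article. It stands in an in-memory SQLite database for a warehouse table of authentication events, loads a small constructed set of log rows (the timestamps, usernames and RFC 5737 documentation IPs are made up for the demo), and runs two plain aggregate queries of the kind a detection engineer would write over a unified log store: one flags a source that failed repeatedly against an account and then succeeded, the other lists the noisiest failing sources. The threshold values are assumptions chosen for the sample data.

```python
import sqlite3
from typing import Iterable

# Constructed sample authentication events for the demo (not real log data).
# Columns: timestamp, username, source IP (documentation ranges), outcome.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", "bob",   "203.0.113.5",  "FAIL"),
    ("2024-01-01T10:00:02", "bob",   "203.0.113.5",  "FAIL"),
    ("2024-01-01T10:00:03", "bob",   "203.0.113.5",  "FAIL"),
    ("2024-01-01T10:00:04", "bob",   "203.0.113.5",  "FAIL"),
    ("2024-01-01T10:00:05", "bob",   "203.0.113.5",  "FAIL"),
    ("2024-01-01T10:00:06", "bob",   "203.0.113.5",  "FAIL"),
    ("2024-01-01T10:00:09", "bob",   "203.0.113.5",  "SUCCESS"),
    ("2024-01-01T10:05:00", "alice", "198.51.100.7", "FAIL"),
    ("2024-01-01T10:05:01", "alice", "198.51.100.7", "FAIL"),
    ("2024-01-01T10:05:20", "alice", "198.51.100.7", "SUCCESS"),
    ("2024-01-01T11:00:00", "carol", "192.0.2.9",    "FAIL"),
    ("2024-01-01T11:00:01", "carol", "192.0.2.9",    "FAIL"),
    ("2024-01-01T11:00:02", "carol", "192.0.2.9",    "FAIL"),
    ("2024-01-01T11:00:03", "carol", "192.0.2.9",    "FAIL"),
    ("2024-01-01T11:00:04", "carol", "192.0.2.9",    "FAIL"),
    ("2024-01-01T11:00:05", "carol", "192.0.2.9",    "FAIL"),
    ("2024-01-01T11:00:06", "carol", "192.0.2.9",    "FAIL"),
]

# Schema for the stand-in "security data lake" table (assumed layout).
SCHEMA_SQL = """
CREATE TABLE auth_events (
    ts       TEXT NOT NULL,
    username TEXT NOT NULL,
    src_ip   TEXT NOT NULL,
    outcome  TEXT NOT NULL CHECK (outcome IN ('FAIL', 'SUCCESS'))
)
"""

# Detection 1: a source that failed at least :threshold times against one
# account and then also logged in successfully (classic brute-force success).
BRUTE_FORCE_SUCCESS_SQL = """
SELECT src_ip,
       username,
       SUM(CASE WHEN outcome = 'FAIL'    THEN 1 ELSE 0 END) AS failures,
       SUM(CASE WHEN outcome = 'SUCCESS' THEN 1 ELSE 0 END) AS successes,
       MIN(ts) AS first_seen,
       MAX(ts) AS last_seen
FROM auth_events
GROUP BY src_ip, username
HAVING failures >= :threshold AND successes >= 1
ORDER BY failures DESC
"""

# Detection 2: noisiest failing sources, with how many accounts each hit.
NOISY_SOURCES_SQL = """
SELECT src_ip,
       COUNT(*) AS failures,
       COUNT(DISTINCT username) AS users_targeted
FROM auth_events
WHERE outcome = 'FAIL'
GROUP BY src_ip
HAVING failures >= :threshold
ORDER BY failures DESC
"""


def build_store(events: Iterable[tuple]) -> sqlite3.Connection:
    """Load events into an in-memory table; rows come back as dict-like."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA_SQL)
    conn.executemany("INSERT INTO auth_events VALUES (?, ?, ?, ?)", events)
    conn.commit()
    return conn


def query(conn: sqlite3.Connection, sql: str, **params) -> list[dict]:
    """Run a parameterised query and return plain dicts for easy assertions."""
    return [dict(row) for row in conn.execute(sql, params)]


def find_brute_force_successes(conn: sqlite3.Connection, threshold: int = 5) -> list[dict]:
    return query(conn, BRUTE_FORCE_SUCCESS_SQL, threshold=threshold)


def find_noisy_sources(conn: sqlite3.Connection, threshold: int = 5) -> list[dict]:
    return query(conn, NOISY_SOURCES_SQL, threshold=threshold)


def run_demo(threshold: int = 5) -> dict:
    """Build the store from the constructed events and run both detections."""
    conn = build_store(SAMPLE_EVENTS)
    return {
        "brute_force": find_brute_force_successes(conn, threshold),
        "noisy_sources": find_noisy_sources(conn, threshold),
    }


if __name__ == "__main__":
    results = run_demo()
    for name, rows in results.items():
        print(f"== {name} ==")
        for row in rows:
            print(row)
```

With the constructed data, the first query returns only 203.0.113.5 against bob (six failures, then a success); alice's two failures fall below the threshold, and carol's source never succeeded, so it appears only in the second query's list of noisy sources. The point of the pattern is that both detections are ordinary aggregate SQL, so the same logic ports to any warehouse dialect with minor syntax changes and runs over whatever retention window the store keeps.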
For Snowflake, the limitations of legacy SIEMs were clear: expensive storage, short retention periods, slow queries, and the exacerbation of data silos drove slow and manual incident response. Under those circumstances, security engineers had to find a way to crunch petabytes of data with Snowflake, just as the company's financial analysts did every day, without resource contention or complexity in accessing the data.
Frank Dickson, who covers security and trust for IDC, said Snowflake’s platform is really more about applying the proper tool to the proper task. Dickson said SIEMs are fantastic at managing event-centric data, essentially actions that create a log, and are quite often leveraged effectively for compliance use cases.
“When it comes to security though, managing event data is still important, but there’s also real-time telemetry that does not generate a log that must be analyzed,” Dickson explained. “The amount of telemetry data that a typical security agent may collect on a daily basis may be as much as 100 or 150 megabytes a day ... and you can have thousands of agents. Thus, the scale of telemetry data that must be managed and analyzed in near real time is not a good use case for a SIEM; other tools are more appropriate to that use case.”
Jon Oltsik, senior principal analyst at the Enterprise Strategy Group and an ESG Fellow, added that Snowflake definitely has the right underlying technology to handle the scaling needs for security operations. Now, the challenge is to deliver incremental value on top of the data layer with threat intelligence enrichment, detection rules, and process automation.
“If Snowflake can follow this type of evolution, the security community will welcome it with open arms,” Oltsik said.
Chris Clymer, director and CISO, MRK Technologies, said when startups without a strong security background see dollar signs in the security space, he’s learned to be skeptical. Clymer said quite often, solutions are pitched that sound reasonable to a single developer, but miss fundamental long-standing security concepts.
“If I had a nickel for every time I have been pitched someone’s homegrown, proprietary ‘encryption’ method, I’d be a wealthy man,” Clymer said. “That said, security analysts are increasingly inundated with more and more data, and less and less time to spend analyzing it. The tools that have promised to help haven’t fully delivered, and the problem isn’t fundamentally different than what the broader data science world has been focused on for years. I’ll have a lot of tough questions for a non-security vendor before I start feeding them my sensitive data … but I’m certainly interested in seeing data science approaches that have worked on larger datasets applied to security information.”