Wednesday, 08 June 2022 23:02

Snowflake launches new cybersecurity workload powering SIEM with the data cloud


Snowflake has announced its new cybersecurity workload, allowing security products and security teams to use the Snowflake data cloud with the same rich capabilities that data analysts enjoy. The launch redefines B2B SaaS, says Snowflake head of cybersecurity Omer Singer, by bringing the work to your data rather than spreading your data across your apps.

Snowflake is many things; it's an elastic, scalable cloud database with zero-copy secure sharing and cloning, rapid zero-copy undelete, scriptable engine, and more. It brings these strengths to your data analytics and business intelligence needs, and now to your security information and event management - or SIEM - needs also, helping security teams eliminate blind spots and respond to threats at cloud scale.

What this all means, Omer Singer explained exclusively to iTWire, is that the security team can join the rest of the company on the data cloud. “A lot of security teams are working in a separate stack,” he said, explaining that this creates pain and challenges as security specialists deal with fragmented data silos. “There are burdens on the analysts resulting in decisions made without the benefit of live data.”

“We want to make it easy for the CISO to align with the CIO, and for security teams to join the rest of the company,” Singer said.

By creating this cybersecurity workload the security teams begin using Snowflake’s data cloud and gain a single source of truth for the first time. They have visibility across all access logs, all activity, and other items in one place. Importantly, it’s stored cost-effectively while simultaneously eliminating the concept of archives and cold storage. “It’s all one source of truth with analytics the way the rest of the company can do with SQL and Python without needing proprietary languages,” Singer said.

Let's go back a step to clarify why this is such a big thing. If you’ve worked with security tools you’ll know they let you search data and interrogate logs with speed and agility - but with limitations. You pay for the amount of data you ingest. Typically, SaaS-based SIEM products charge based on both storage and ingestion volume. The lesson you learn quickly is to ingest only the data you’re going to use - but how do you know what you will use, particularly when you discover a threat actor has been in your network for 12 months but your device logs have rolled over and are now lost?

By contrast, Snowflake charges a trivial storage fee, instead predominantly billing based on compute. Thus, in the Snowflake world, you can store as much as you want for as long as you want and really only pay when you delve into it. There is no reason not to collect all the logs and event information you can.

Yet, you might rightly note, Snowflake is a data platform and while it can do fantastic things with data, how do you get your security data into it in the first place and how do you make your tools work with it?

This is where the nuts and bolts of Snowflake's announcement come in. “That’s happening today,” Singer said. “A big hurdle (in establishing the Snowflake cybersecurity workload) was the effort in setting up security data lakes.”

“We’ve met this with an ecosystem,” he said.

“It's a very big shift in the security stack. We have best-of-breed security options that sit on top of Snowflake, all pointing to a single source of truth.”

That's the big news; cybersecurity partners like Hunters, Panther Labs, and Securonix will now provide security capabilities on top of customers’ Snowflake accounts with connected applications.


Thus, security teams can continue using the applications they know and love, but those applications will now sit atop Snowflake. The more apps you use within this ecosystem, the greater the benefit, as you blend your data in the one environment, store more of it, and gain a greater ability to analyse and visualise it using the same access to Snowflake and the BI and analytics tools you would otherwise use with it.

Singer provides an example: “As travel and expense management solution Trip Actions was growing it needed a bigger SIEM. It looked at providers and got ‘sticker shock’. Its cloud infrastructure was generating huge amounts of data. Traditional SIEM options can only collect some data and keep it for some of the time,” he said. “Yet, on the other side of the business, there was a lot of success with Snowflake.”

Thus, Trip Actions evaluated a security product called Hunters, an open XDR platform, and met all their SIEM requirements by running Hunters on top of Snowflake with lots of integrations.

“Hunters acts as the ETL with all the collectors. Data is normalised, and detection runs on the data as it is streaming through the Hunters pipeline. It’s low latency and the detections are very accurate,” Singer said.

“The security team can see what's happening on a certain system or laptop, or everything that happened for a certain user or environment for all time across all datasets,” he said. “It gives tremendous automation and you don’t have to be an SQL expert.”

Snowflake, Singer explains, remains laser-focused on the data layer. “It’s a full-time job to be the best data platform for security use cases,” he said. “We let our partners bring their expertise to work on top of Snowflake.”

Similarly, Singer explains that Dropbox is running Panther on Snowflake, and other organisations are running Securonix on Snowflake.

As well as always having data available - with no such thing as cold storage in Snowflake - Singer says threat hunters love having both Python and SQL available to them now. “It’s very powerful for them to open a Jupyter notebook and find the bad guys,” he says.

While this announcement is big news for customers and for the future of security applications, it has been in the works at Snowflake since 2018, when the company began using its own platform to manage its own security. In fact, that’s when Singer himself came to Snowflake with his mission to protect Snowflake.

“We've never had traditional SIEM at Snowflake because we used Snowflake as the home for our own data,” Singer said. “We had to build the security layer on top. This ecosystem of open solutions is very transformative. This capability came out of our own experience.”

Snowflake is holding its annual Snowflake Summit conference in Las Vegas next week, and this will be the first Summit with a cybersecurity track, featuring a dozen sessions on this topic and this capability.

“This is the future of B2B SaaS,” Singer said. “It's the work coming to the data, rather than your data spread across your apps.”

“This is the future. Don't break down silos - instead, avoid silos. Let your apps run on a single source of truth.”

David M Williams
