As security data lakes become established as best practice and The Great Splunkbundling accelerates, what will be the role of data platforms like Snowflake? The new security stack won’t look like the vertically integrated SIEMs of the past. The data platform will play a humble but essential role supporting specialized solutions in an ecosystem that delivers better security, lower costs and more automation.

Centralization is a Big Data Problem

A number of trends have pushed security architectures to extreme fragmentation. The shift to cloud infrastructure, which is highly instrumented and generates logs for every little thing, results in a ten-fold increase in machine data. The move…


Last January, I predicted that 2020 would be The Year of the Security Platform. Did that end up happening? And what should we expect for 2021?

2020: Many integrations, few actual platforms

The year was packed with partnership announcements aimed at consolidating security solutions into a cohesive stack. For example, Obsidian announced that CrowdStrike alerts would be available natively in its solution for combined visibility across SaaS and endpoints.

AWS, probably the most influential tech platform, showed what the future of observability platforms might look like with their Managed Service for Grafana. Unlike its hostile hosting of Elasticsearch (with Elastic screaming bloody murder), AWS took a…


Security data lake projects are taking flight but they’re a strange bird. The folks typically responsible for creating and managing the data lake are on the data analytics team but they’re new to concepts like incident response and the abomination that is the Windows Event Log. The security team, meanwhile, is new to concepts like ETL/ELT and materialized views.

This post provides an overview of an implementation strategy that is working at Snowflake customers where data and security teams combine forces to roll out a security data lake.

Like Building a Cathedral

Creating a unified, scalable and cost-effective datastore for cybersecurity is an extensive…


If Snowflake could be used as a SIEM, security teams would enjoy cheap unlimited storage, zero maintenance overhead, scalable query power for investigations, and all the other reasons why customers love the data platform.

But that’s a big if.

Snowflake is not a SIEM

Some of Snowflake’s largest customers already use it for SIEM workloads but they’ve devoted entire teams to make that possible.

That’s because Snowflake is missing critical SIEM features:

  • No log collection: Snowflake doesn’t come with parsers to extract and normalize key fields from log events.
  • No real-time monitoring: Snowflake queries can run on a schedule but some threats warrant instant reaction.


The most powerful tool for creating actionable security metrics is the SLA. Unfortunately, most vendors don’t provide an SLA status feature. As a result, security teams fail to align cross-organizational efforts and continue to manually review risk findings.

Let’s change that! With live vendor data accessible on Snowflake Data Exchange, you can quickly create a layer of SLA insights on top of your security reports. Improved clarity and security posture are bound to follow.

Certain cloud configurations need urgent attention

Why SLAs provide clarity

Cloud infrastructure changes quickly and is inevitably affected by configuration drift. Misconfigurations put the company at risk so security teams use a variety of solutions to…


This is a great time to launch a self-service initiative as a way to improve your security program without making costly new commitments. Especially with team members working remotely, freer access to data can improve efficiencies and speed up remediation of risks like cloud misconfigurations and visibility gaps. If you take advantage of this crazy time to squeeze more value from your security data, that’s a silver lining to this gloomy cloud.

What is Data Democratization?

Popular data science author Bernard Marr put it well when he wrote:

Data democratization means that everybody has access to data and there are no gatekeepers that create…


So you’ve decided to build a security data lake. You’re probably looking forward to the scale and price performance of storing security data in cloud storage. $23 a month per terabyte is sweet! But that’s just storage. How will you collect and analyze the data so that you’re cutting spending without cutting corners?

Snowflake Data Exchange

Security teams that are building their data lake on Snowflake can take advantage of data shared on the Data Exchange. This is a new marketplace where vendors share live data with the community or with individual customers.

For example, Zillow makes its Zillow Home Value Index (ZHVI)…


Marc Benioff could sense the tension when he walked into a Salesforce meeting in the summer of 2000, wearing a button on his shirt with the word software crossed out in a red circle. As he describes in an excerpt from “Behind the Cloud”,

The End of Software mission and the NO SOFTWARE logo effectively conveyed how we were different. I put the logo on all our communications materials and policed it to make sure no one removed it. (They did so anyway.) I wore a NO SOFTWARE button every day and asked our employees to as well. …


Sometimes the best inspiration for your cybersecurity strategy can come from other fields. Take marketing for example. Marketing has played a big role in the success of companies like Nike, which has grown its stock over 70% since June 2017, with revenues topping $10 billion a quarter and digital profits up a “staggering 42%” according to Footwear News. How did they Just Do It?

Nike’s personalized insights at scale

In the Footwear News article “How Nike’s Direct-to-Consumer Plan Is Crushing the Competition” Nike COO Eric Sprunk described the company’s data-driven strategy:

Nike’s technology investments and acquisitions in the data science field will support Nike’s ability…


If you’re like me, you’ve heard some buzz about a concept called “edge computing” but are skeptical about another fluffy term in cybersecurity. Is this a trend worth our attention?

Read on for an application of edge computing that is addressing one of the key concerns for security data lakes.

The dark side of fast alerting on limited volumes

The growing popularity of security data lakes can be traced back to the exploding volume of machine data. As shown in “Data Platforms Will Eat the SIEM”, traditional log analytics are breaking down in the face of relentless machine data growth.

Omer Singer

I believe that better data is the key to better security. These are personal posts that don’t represent Snowflake.
