Ask any Frenchman and they’ll tell you that Champagne Only Comes From Champagne. Everything else is just sparkling wine. In cybersecurity, unfortunately, we don’t have nearly as much clarity on our definitions.

A case in point is XDR, possibly the hottest category in cyber. Vendors across the industry are adopting the XDR label, with Barracuda the latest shop to announce that it has entered the XDR market via acquisition. So what is XDR?

Oliver Rochford from Securonix recently pointed out that there are multiple definitions for eXtended Detection and Response floating around. Many are conflicting, causing confusion with buyers and eye-rolling with…

Here’s a term that cybersecurity practitioners should adopt from the analytics industry: “data silo”. That’s anywhere that data is left behind and not collected into a central source of truth. Silos make it hard to mine data for insights, and busting them is a big part of data engineering. Increasingly, security teams are facing data silos caused by cloud migration and work-from-home outpacing traditional Security Information and Event Management (SIEM).

Why are SIEM solutions responsible for creating data silos? Many SIEM solutions charge by daily ingest volume, a model that doesn’t align with the massive amount of logs generated by public…

This month’s Snowflake Summit conference was a “before and after” watershed moment for Snowflake’s role in cybersecurity. Across several recorded sessions, technical features with impressive performance metrics were demonstrated on security log data. That’s no coincidence. We are already seeing a wave of solutions re-platforming to Snowflake to simplify their backend and deliver more value to users.

If you’re building a cybersecurity product and didn’t attend the event, don’t worry: the sessions were recorded and I took notes.

What’s New: Performance and Core Engine Improvements in Snowflake


This session featured members of Snowflake product leadership and the SVP of Engineering at HUMAN (formerly WhiteOps). First, Snowflake listed…

As security data lakes become established as best practice and The Great Splunkbundling accelerates, what will be the role of data platforms like Snowflake? The new security stack won’t look like the vertically integrated SIEMs of the past. The data platform will play a humble but essential role supporting specialized solutions in an ecosystem that delivers better security, lower costs and more automation.

Centralization is a Big Data Problem

A number of trends have pushed security architectures to extreme fragmentation. The shift to cloud infrastructure, which is highly instrumented and generates logs for every little thing, results in a ten-fold increase in machine data. The move…

Last January, I predicted that 2020 would be The Year of the Security Platform. Did that end up happening? And what should we expect for 2021?

2020: Many integrations, few actual platforms

The year was packed with partnership announcements aimed at consolidating security solutions into a cohesive stack. For example, Obsidian announced that CrowdStrike alerts would be available natively in its solution for combined visibility across SaaS and endpoints.

AWS, probably the most influential tech platform, showed what the future of observability platforms might look like with their Managed Service for Grafana. Unlike its hostile hosting of Elasticsearch (with Elastic screaming bloody murder), AWS took a…

Security data lake projects are taking flight but they’re a strange bird. The folks typically responsible for creating and managing the data lake are on the data analytics team but they’re new to concepts like incident response and the abomination that is the Windows Event Log. The security team, meanwhile, is new to concepts like ETL/ELT and materialized views.

This post provides an overview of an implementation strategy that is working at Snowflake customers where data and security teams combine forces to roll out a security data lake.

Like Building a Cathedral

Creating a unified, scalable and cost-effective datastore for cybersecurity is an extensive…

If Snowflake could be used as a SIEM, security teams would enjoy cheap unlimited storage, zero maintenance overhead, scalable query power for investigations, and all the other reasons why customers love the data platform.

But that’s a big if.

Some of Snowflake’s largest customers already use it for SIEM workloads but they’ve devoted entire teams to make that possible.

That’s because Snowflake is missing critical SIEM features:

  • No log collection: Snowflake doesn’t gather logs from sources, and it doesn’t come with parsers to extract and normalize key fields from log events.
  • No real-time monitoring: Snowflake queries can run on a schedule, but some threats warrant an instant reaction rather than waiting for the next scheduled run.
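To make the second gap concrete, here is what scheduled detection looks like in Snowflake SQL. This is an added example, not code from the post: it assumes a hypothetical raw_logs table (event_time, user_name, src_ip, outcome) that a collector has already landed, an alerts table to write to, and a warehouse named SECURITY_WH.

```sql
-- Added example: a scheduled detection in Snowflake. Table, column and warehouse
-- names (raw_logs, alerts, SECURITY_WH) are hypothetical.
CREATE TABLE IF NOT EXISTS alerts (
  detected_at   TIMESTAMP_LTZ,
  rule_name     STRING,
  user_name     STRING,
  src_ip        STRING,
  failure_count NUMBER
);

-- The rule: 10 or more failed logins for one user from one IP in the last 15 minutes.
-- The NOT EXISTS clause suppresses a repeat alert for a pair already raised inside
-- the window, since a 5-minute schedule overlaps a 15-minute lookback three times.
CREATE OR REPLACE TASK detect_brute_force
  WAREHOUSE = SECURITY_WH
  SCHEDULE  = '5 MINUTE'
AS
  INSERT INTO alerts (detected_at, rule_name, user_name, src_ip, failure_count)
  SELECT CURRENT_TIMESTAMP(), 'brute_force_login', l.user_name, l.src_ip, COUNT(*)
  FROM raw_logs l
  WHERE l.outcome = 'FAILURE'
    AND l.event_time >= DATEADD(minute, -15, CURRENT_TIMESTAMP())
    AND NOT EXISTS (
      SELECT 1 FROM alerts a
      WHERE a.rule_name = 'brute_force_login'
        AND a.user_name = l.user_name
        AND a.src_ip    = l.src_ip
        AND a.detected_at >= DATEADD(minute, -15, CURRENT_TIMESTAMP())
    )
  GROUP BY l.user_name, l.src_ip
  HAVING COUNT(*) >= 10;

-- Tasks are created in a suspended state; resume to start the schedule.
ALTER TASK detect_brute_force RESUME;
```

The point the bullet makes is visible in the SCHEDULE clause: the attacker gets up to the schedule interval plus query time before anyone sees the alert, and every run re-scans the window rather than reacting to each event as it lands. That is acceptable for many hunting rules and unacceptable for the ones that need a response in seconds.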

The most powerful tool for creating actionable security metrics is the SLA. Unfortunately, most vendors don’t provide an SLA status feature. As a result, security teams fail to align cross-organizational efforts and continue to manually review risk findings.

Let’s change that! With live vendor data accessible on Snowflake Data Exchange, you can quickly create a layer of SLA insights on top of your security reports. Improved clarity and security posture are bound to follow.

Certain cloud configurations need urgent attention

Cloud infrastructure changes quickly and is inevitably affected by configuration drift. Misconfigurations put the company at risk so security teams use a variety of solutions to…
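One way to build the SLA layer described above, covering both the posture findings from the preceding section and the cloud misconfigurations this one opens with. This is an added example rather than the post’s own code: it assumes findings arrive with a severity and open/close dates (the shape a vendor share on the Data Exchange would plausibly give you), the SLA targets are a small mapping the security team owns, and the four sample findings are constructed here for illustration.

```sql
-- Added example: SLA status over risk findings in Snowflake SQL.
-- sla_policy and findings are constructed inline; in practice findings would be
-- the vendor's shared table and sla_policy a table you maintain.
WITH sla_policy AS (
  SELECT * FROM VALUES
    ('CRITICAL', 1), ('HIGH', 7), ('MEDIUM', 30), ('LOW', 90)
  AS p(severity, max_days)
),
findings AS (
  SELECT * FROM VALUES
    ('f-1', 'CRITICAL', DATEADD(day, -3,  CURRENT_DATE()), NULL::DATE),
    ('f-2', 'HIGH',     DATEADD(day, -6,  CURRENT_DATE()), NULL::DATE),
    ('f-3', 'MEDIUM',   DATEADD(day, -40, CURRENT_DATE()), DATEADD(day, -20, CURRENT_DATE())),
    ('f-4', 'LOW',      DATEADD(day, -10, CURRENT_DATE()), NULL::DATE)
  AS f(finding_id, severity, opened_at, closed_at)
),
-- Age is measured to the close date for closed findings and to today for open ones.
-- AT_RISK fires at 80% of the allowed time so owners get a nudge before the breach.
finding_sla AS (
  SELECT f.finding_id,
         f.severity,
         f.closed_at,
         p.max_days,
         DATEDIFF(day, f.opened_at, COALESCE(f.closed_at, CURRENT_DATE())) AS age_days,
         DATEADD(day, p.max_days, f.opened_at)                              AS due_at,
         CASE
           WHEN f.closed_at IS NOT NULL
                AND DATEDIFF(day, f.opened_at, f.closed_at) <= p.max_days  THEN 'MET'
           WHEN f.closed_at IS NOT NULL                                     THEN 'MISSED'
           WHEN DATEDIFF(day, f.opened_at, CURRENT_DATE()) >  p.max_days   THEN 'BREACHED'
           WHEN DATEDIFF(day, f.opened_at, CURRENT_DATE()) >= p.max_days * 0.8 THEN 'AT_RISK'
           ELSE 'ON_TRACK'
         END AS sla_status
  FROM findings f
  JOIN sla_policy p ON p.severity = f.severity
)
-- The roll-up a security leader can act on: per severity, what is open and what is late.
SELECT severity,
       COUNT_IF(closed_at IS NULL)       AS open_count,
       COUNT_IF(sla_status = 'BREACHED') AS breached,
       COUNT_IF(sla_status = 'AT_RISK')  AS at_risk,
       COUNT_IF(sla_status = 'MISSED')   AS closed_late
FROM finding_sla
GROUP BY severity
ORDER BY MIN(max_days);
```

With the constructed rows, the CRITICAL finding is three days old against a one-day target and lands in BREACHED, the HIGH one is at six of seven days and lands in AT_RISK, the MEDIUM one was closed in 20 days and is MET, and the LOW one is ON_TRACK. The design choice worth copying is that the severity-to-days mapping lives in its own table: when a vendor re-scores findings or the business renegotiates targets, you change one row rather than a report.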

This is a great time to launch a self-service initiative as a way to improve your security program without making costly new commitments. Especially with team members working remotely, freer access to data can improve efficiencies and speed up remediation of risks like cloud misconfigurations and visibility gaps. If you take advantage of this crazy time to squeeze more value from your security data, that’s a silver lining to this gloomy cloud.

What is Data Democratization?

Popular data science author Bernard Marr put it well when he wrote:

Data democratization means that everybody has access to data and there are no gatekeepers that create…

So you’ve decided to build a security data lake. You’re probably looking forward to the scale and price performance of storing security data in cloud storage. $23 a month per terabyte is sweet! But that’s just storage. How will you collect and analyze the data so that you’re cutting spending without cutting corners?

Snowflake Data Exchange

Security teams that are building their data lake on Snowflake can take advantage of data shared on the Data Exchange. This is a new marketplace where vendors share live data with the community or with individual customers.

For example, Zillow makes its Zillow Home Value Index (ZHVI)…

Omer Singer

I believe that better data is the key to better security. These are personal posts that don’t represent Snowflake.
