BI Dashboards for Security Analytics

Omer Singer
4 min read · Jul 23, 2019


My team was helping a customer collect Okta logs using SnowAlert when the inevitable question was popped. “So, how do we see the data?” Built-in data connectors and scheduled rule queries are great but high-fidelity security analytics require a hands-on approach.

Security data in Snowflake is visualized and investigated like any other analytics use case: with the company’s BI tool of choice. This has the benefit of making insights available across the entire business. Insecure AWS configurations, for example, can be identified by Security Engineering before being shared with Compliance and linked to DevOps. Leadership consumes the same insights, at a higher level, to track progress and align resources. This is what data-driven security looks like.

Leverage the existing data stack, gain unified company-wide reporting... it all sounds too good to be true, so what’s the catch? Unlike dedicated security solutions, using your data warehouse for security analytics means having to create your own BI dashboards. This is something that your in-house data team can help with, and all of the BI vendors that we’ve spoken to expressed a willingness to assist. There are also service providers like Hashmap that can translate your requirements to dashboards like those included below. To help start your conversation, here are five dashboards that help us at Snowflake run our security program on Snowflake.

Visibility Status Dashboard

Questions Answered

Security dashboards have a bad reputation because of the eye candy “pew pew” maps that show red and green packets shooting across the globe. That’s what you don’t want. Instead, focus on what questions will be answered by your visualizations. For minimizing blind spots and ensuring visibility, your BI dashboard should answer these questions:

  • How well is our cloud environment meeting our visibility requirements?
  • How well is the infrastructure team remediating known visibility gaps?
  • What are the known visibility gaps?

Actions Expected

The only insights that matter are those that can be acted upon. Ensure that your visibility dashboard supports the following expected actions:

  • Security team discusses impact and priority of visibility gap remediation
  • Security team engages infrastructure team to address visibility gaps
  • Infrastructure team remediates visibility gaps and tracks progress

Visualizations

Effective dashboard visualizations can range from a single number to a colorful chart but what matters is that they answer the questions and enable the actions listed above.

  • Percent of accounts meeting visibility requirements
  • Percent of servers meeting visibility requirements
  • Visibility gap line chart, broken down by visibility gap name
  • Line by line individual visibility gaps with details

Filters

BI tools support filters for slicing and dicing the data down to the relevant information.

  • Time window
  • Account ID
  • Server ID

Violations Report Dashboard

Questions Answered

  • How well is our cloud environment meeting our security requirements?
  • How well is our infrastructure team remediating known vulnerabilities?
  • What are the known vulnerabilities?

Actions Expected

  • Security team discusses impact and priority of policy violation remediation
  • Security team engages infrastructure team to address policy violations
  • Infrastructure team remediates policy violations and tracks progress

Visualizations

  • Percent of accounts meeting policy requirements
  • Percent of servers meeting policy requirements
  • Policy violation line chart, broken down by violation name
  • Line by line individual violation with details

Filters

  • Time window
  • Owner
  • Account ID
  • Server ID
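Both the Visibility Status and the Violations Report dashboards reduce to the same query shapes: a percentage of accounts or servers with no failing requirement, a daily count of open gaps broken down by name for the line chart, and a filtered line-by-line detail table. The following is an added example, not code from the post or from SnowAlert, that implements those shapes in Python over SQLite so it runs offline; the `findings` table, its columns, the `kind` values and all sample rows are constructed assumptions, and the SQL is written so it can be moved to a warehouse query with little change. It generalizes the two dashboards by parameterizing on `kind`.

```python
import sqlite3

# Constructed sample data (not from the post): one row per daily snapshot, asset and
# requirement. kind is "visibility" (is the required log source present?) or "policy"
# (is the configuration rule satisfied?); met = 1 when the requirement is satisfied.
# Account-level requirements have server_id NULL; server-level ones name the instance.
SAMPLE_ROWS = [
    # snapshot_date, kind, requirement, account_id, server_id, owner, met
    ("2019-07-21", "visibility", "cloudtrail_enabled", "111111111111", None, "platform", 1),
    ("2019-07-21", "visibility", "cloudtrail_enabled", "222222222222", None, "data", 0),
    ("2019-07-21", "visibility", "osquery_agent", "111111111111", "i-0a1", "platform", 1),
    ("2019-07-21", "visibility", "osquery_agent", "111111111111", "i-0a2", "platform", 0),
    ("2019-07-21", "visibility", "osquery_agent", "222222222222", "i-0b1", "data", 0),
    ("2019-07-22", "visibility", "cloudtrail_enabled", "111111111111", None, "platform", 1),
    ("2019-07-22", "visibility", "cloudtrail_enabled", "222222222222", None, "data", 1),
    ("2019-07-22", "visibility", "osquery_agent", "111111111111", "i-0a1", "platform", 1),
    ("2019-07-22", "visibility", "osquery_agent", "111111111111", "i-0a2", "platform", 0),
    ("2019-07-22", "visibility", "osquery_agent", "222222222222", "i-0b1", "data", 1),
    ("2019-07-22", "policy", "sg_no_public_ssh", "111111111111", "i-0a1", "platform", 1),
    ("2019-07-22", "policy", "sg_no_public_ssh", "111111111111", "i-0a2", "platform", 0),
    ("2019-07-22", "policy", "sg_no_public_ssh", "222222222222", "i-0b1", "data", 1),
]

# Column used to group each dashboard level. A fixed mapping, never user input,
# because column names cannot be bound as query parameters.
LEVEL_KEY = {"account": "account_id", "server": "server_id"}


def load(rows=SAMPLE_ROWS):
    """Load the snapshot rows into an in-memory SQLite table named findings."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE findings (
        snapshot_date TEXT, kind TEXT, requirement TEXT, account_id TEXT,
        server_id TEXT, owner TEXT, met INTEGER)""")
    con.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return con


def pct_meeting(con, kind, level, snapshot_date, account_id=None):
    """Percent of accounts or servers with no failing requirement of this kind on the
    snapshot date (the single-number tiles). An asset passes only when every
    requirement row it has passes, i.e. MIN(met) per asset is 1."""
    key = LEVEL_KEY[level]
    where = "kind = ? AND snapshot_date = ?"
    params = [kind, snapshot_date]
    if level == "server":
        where += " AND server_id IS NOT NULL"
    if account_id:
        where += " AND account_id = ?"
        params.append(account_id)
    (value,) = con.execute(f"""
        SELECT 100.0 * SUM(ok) / COUNT(*) FROM (
            SELECT {key} AS asset, MIN(met) AS ok FROM findings
            WHERE {where} GROUP BY asset)""", params).fetchone()
    return None if value is None else round(value, 1)


def gap_trend(con, kind, start, end):
    """Open gaps per day per requirement name: the series behind the line chart."""
    return con.execute("""
        SELECT snapshot_date, requirement, COUNT(*) AS open_gaps FROM findings
        WHERE kind = ? AND met = 0 AND snapshot_date BETWEEN ? AND ?
        GROUP BY snapshot_date, requirement
        ORDER BY snapshot_date, requirement""", (kind, start, end)).fetchall()


def gap_details(con, kind, snapshot_date, account_id=None, server_id=None):
    """Line-by-line open gaps with details, honouring the account and server filters."""
    sql = """SELECT requirement, account_id, server_id, owner FROM findings
             WHERE kind = ? AND met = 0 AND snapshot_date = ?"""
    params = [kind, snapshot_date]
    if account_id:
        sql += " AND account_id = ?"
        params.append(account_id)
    if server_id:
        sql += " AND server_id = ?"
        params.append(server_id)
    return con.execute(sql + " ORDER BY requirement, account_id, server_id", params).fetchall()


if __name__ == "__main__":
    db = load()
    print("visibility, accounts:", pct_meeting(db, "visibility", "account", "2019-07-22"))
    print("visibility, servers:", pct_meeting(db, "visibility", "server", "2019-07-22"))
    print("policy, servers:", pct_meeting(db, "policy", "server", "2019-07-22"))
    for row in gap_trend(db, "visibility", "2019-07-21", "2019-07-22"):
        print("trend:", row)
    for row in gap_details(db, "visibility", "2019-07-22"):
        print("gap:", row)
```

The percentage tiles deliberately count an asset as passing only when all of its requirement rows pass; a server with the agent installed but CloudTrail disabled in its account is still a blind spot. The time-window, Account ID and Server ID filters from the lists above map directly onto the function parameters, which is what the BI tool's filter widgets would bind to.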

Alerts Dashboard

Questions Answered

  • What are the recent alerts we received?
  • How is our alert volume trending over time?
  • What are our noisy alert rules?

Actions Expected

  • Open interesting alerts for investigation
  • Identify system outage
  • Select alert rules for optimization to reduce false positives

Visualizations

  • Line by line individual alerts with details
  • Alert line chart, broken down by alert name
  • Top alert rules by volume for last seven days

Filters

  • Time window
  • Alert rule
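The Alerts dashboard asks three questions and expects one action that a plain volume chart does not support well: identifying a system outage. A chart only plots the alerts that arrived, so the days with none at all are invisible unless they are computed. The following is an added example, not code from the post or from SnowAlert, that backs the three visualizations with SQLite queries and adds a silent-day check over the time window; the `alerts` table, rule names and daily counts are constructed assumptions.

```python
import sqlite3
from datetime import date, timedelta

# Constructed daily alert counts per rule (not real data). 2019-07-19 has no alerts at
# all: the kind of silent day that usually means a broken pipeline, not a quiet day.
DAILY_SPEC = {
    "2019-07-16": [("okta_failed_logins", 3), ("aws_root_login", 1)],
    "2019-07-17": [("okta_failed_logins", 2)],
    "2019-07-18": [("okta_failed_logins", 4), ("aws_sg_world_open", 1)],
    "2019-07-20": [("okta_failed_logins", 2), ("aws_sg_world_open", 1)],
    "2019-07-21": [("okta_failed_logins", 3), ("aws_sg_world_open", 1)],
    "2019-07-22": [("okta_failed_logins", 2), ("aws_root_login", 1)],
}


def expand(spec=DAILY_SPEC):
    """Turn the compact spec into one (alert_time, rule_name, title) row per alert."""
    rows = []
    for day, rules in spec.items():
        for rule, count in rules:
            for i in range(count):
                rows.append((f"{day}T{8 + i:02d}:00:00Z", rule, f"{rule} #{i + 1}"))
    return rows


def load(rows=None):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE alerts (alert_time TEXT, rule_name TEXT, title TEXT)")
    con.executemany("INSERT INTO alerts VALUES (?, ?, ?)",
                    rows if rows is not None else expand())
    return con


def recent_alerts(con, start, end, rule_name=None, limit=50):
    """Line-by-line alerts in [start, end), newest first, optionally for one rule."""
    sql = "SELECT alert_time, rule_name, title FROM alerts WHERE alert_time >= ? AND alert_time < ?"
    params = [start, end]
    if rule_name:
        sql += " AND rule_name = ?"
        params.append(rule_name)
    return con.execute(sql + " ORDER BY alert_time DESC LIMIT ?", params + [limit]).fetchall()


def daily_volume(con, start, end):
    """(day, rule_name, count) rows: the series behind the per-rule line chart."""
    return con.execute("""
        SELECT substr(alert_time, 1, 10) AS day, rule_name, COUNT(*)
        FROM alerts WHERE alert_time >= ? AND alert_time < ?
        GROUP BY day, rule_name ORDER BY day, rule_name""", (start, end)).fetchall()


def noisy_rules(con, as_of, days=7, limit=5):
    """Top rules by volume over the `days` calendar days ending on as_of (inclusive)."""
    start = (date.fromisoformat(as_of) - timedelta(days=days - 1)).isoformat()
    return con.execute("""
        SELECT rule_name, COUNT(*) AS n FROM alerts
        WHERE substr(alert_time, 1, 10) BETWEEN ? AND ?
        GROUP BY rule_name ORDER BY n DESC, rule_name LIMIT ?""",
        (start, as_of, limit)).fetchall()


def silent_days(con, start, end):
    """Calendar days in [start, end] with no alerts at all. The calendar is generated
    in Python because a GROUP BY over the alerts table cannot return days with zero rows."""
    seen = {day for (day,) in con.execute(
        "SELECT DISTINCT substr(alert_time, 1, 10) FROM alerts "
        "WHERE substr(alert_time, 1, 10) BETWEEN ? AND ?", (start, end))}
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    missing = []
    while day <= last:
        if day.isoformat() not in seen:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


if __name__ == "__main__":
    db = load()
    print("noisiest rules:", noisy_rules(db, "2019-07-22"))
    print("silent days:", silent_days(db, "2019-07-16", "2019-07-22"))
    for row in daily_volume(db, "2019-07-16", "2019-07-23"):
        print("volume:", row)
```

Rules surfaced by `noisy_rules` are the candidates for tuning to reduce false positives, while a non-empty `silent_days` result is the outage signal the dashboard is meant to make visible; in a BI tool the same effect is usually achieved by joining against a calendar or date-spine table.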

Cloud Activity Investigation

Questions Answered

  • What happened in a specific scope of our cloud environment within a time window?
  • What did a specific user do within a time window?

Actions Expected

  • Determine if a cloud resource has been compromised
  • Determine if incident remediation efforts have been successful

Visualizations

  • CloudTrail event details table

Filters

  • Time window
  • User name
  • Account ID
  • Action
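The single visualization here is a CloudTrail event details table, and its value comes entirely from the filters: time window, user name, account and action. The following is an added example, not code from the post or from SnowAlert, showing how raw CloudTrail records are flattened into such a table and queried with those filters; the records are constructed (field names follow the CloudTrail record format, values are invented), and the `cloudtrail_events` table and its column names are assumptions.

```python
import json
import sqlite3

# Constructed CloudTrail-style records (not real log data). Field names follow the
# CloudTrail record format; every value is invented for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-07-22T14:03:11Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-07-22T14:05:40Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2019-07-22T14:06:02Z", "eventName": "PutBucketPolicy",
     "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "errorCode": "AccessDenied", "requestParameters": {"bucketName": "finance-exports"}},
    {"eventTime": "2019-07-22T15:30:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/deploy/ci-run-42"}},
]})


def parse_records(trail_json):
    """Flatten CloudTrail records into the columns the event details table shows.
    AssumedRole identities carry no userName, so the ARN is kept as the principal
    rather than dropping the event."""
    rows = []
    for r in json.loads(trail_json)["Records"]:
        ui = r.get("userIdentity", {})
        rows.append((
            r["eventTime"], r["eventName"], r.get("eventSource"), r.get("awsRegion"),
            r.get("sourceIPAddress"), ui.get("type"),
            ui.get("userName") or ui.get("arn"), r.get("recipientAccountId"),
            r.get("errorCode"), json.dumps(r.get("requestParameters"), sort_keys=True),
        ))
    return rows


def load(trail_json=SAMPLE_TRAIL):
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE cloudtrail_events (
        event_time TEXT, event_name TEXT, event_source TEXT, region TEXT, source_ip TEXT,
        principal_type TEXT, principal TEXT, account_id TEXT, error_code TEXT,
        request_parameters TEXT)""")
    con.executemany("INSERT INTO cloudtrail_events VALUES (?,?,?,?,?,?,?,?,?,?)",
                    parse_records(trail_json))
    return con


def event_details(con, start, end, user_name=None, account_id=None, action=None):
    """The event details table with the dashboard filters applied.
    start/end are ISO-8601 UTC timestamps; end is exclusive."""
    sql = """SELECT event_time, event_name, principal, account_id, source_ip,
                    error_code, request_parameters
             FROM cloudtrail_events WHERE event_time >= ? AND event_time < ?"""
    params = [start, end]
    # Column names come from this fixed tuple, filter values are bound parameters.
    for column, value in (("principal", user_name), ("account_id", account_id),
                          ("event_name", action)):
        if value is not None:
            sql += f" AND {column} = ?"
            params.append(value)
    return con.execute(sql + " ORDER BY event_time", params).fetchall()


def action_summary(con, start, end, user_name):
    """What one user did in the window, as (event_name, count, failed_count) rows."""
    return con.execute("""
        SELECT event_name, COUNT(*), SUM(error_code IS NOT NULL)
        FROM cloudtrail_events
        WHERE principal = ? AND event_time >= ? AND event_time < ?
        GROUP BY event_name ORDER BY event_name""", (user_name, start, end)).fetchall()


if __name__ == "__main__":
    db = load()
    for row in event_details(db, "2019-07-22T14:00:00Z", "2019-07-22T15:00:00Z", user_name="alice"):
        print(row)
    print(action_summary(db, "2019-07-22T14:00:00Z", "2019-07-22T15:00:00Z", "alice"))
```

Keeping `error_code` and the raw `request_parameters` in the table matters for both expected actions: denied calls are part of the story when deciding whether a resource was compromised, and the parameters are what show whether a remediation (a revoked key, a tightened bucket policy) actually took effect after the incident.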

Executive Summary

Questions Answered

  • What is our visibility rate in production environments?
  • What is our policy violation rate in production environments?
  • Which teams are falling behind on remediating violations?
  • Are critical alerts being handled on a timely basis?

Actions Expected

  • Encourage violation owners to remediate as needed
  • Encourage security analysts to handle critical alerts as needed

Visualizations

  • Percent of servers meeting visibility requirements
  • Percent of accounts meeting visibility requirements
  • Percent of servers without violations
  • Percent of accounts without violations
  • Violations that are out of SLA, split by rule name and graphed by owner name
  • Recent critical alerts, title and link to case ticket

Filters

  • Violation owner
  • Environment

The dashboards shown above are built in Sigma, the BI tool of choice for Snowflake’s security team. As you collect and analyze security data on Snowflake, you can use the BI tool that your data team has already licensed and that will have the widest reach across the organization.

Cybersecurity is a data problem. As a Snowflake customer, you already have access to the best data analytics platform in the world. Your data team no doubt has a great BI tool you can use on top of it.


Written by Omer Singer

I believe that better data is the key to better security. These are personal posts that don’t represent Snowflake.
