How Panther turns Snowflake into a SIEM

Omer Singer
3 min readMay 4, 2020

--

If Snowflake could be used as a SIEM, security teams would enjoy cheap unlimited storage, zero maintenance overhead, scalable query power for investigations, and all the other reasons why customers love the data platform.

But that’s a big if.

Snowflake is not a SIEM

Some of Snowflake’s largest customers already use it for SIEM workloads but they’ve devoted entire teams to make that possible.

That’s because Snowflake is missing critical SIEM features:

  • No log collection: Snowflake doesn’t come with parsers to extract and normalize key fields from log events.
  • No real-time monitoring: Snowflake queries can run on a schedule but some threats warrant instant reaction.
  • No off-the-shelf threat detection: Snowflake doesn’t come with rules to catch common attack techniques.
  • No notifications and SOAR integrations: Snowflake can’t send you a Slack message, open a ticket, or run a playbook.

Most security orgs don’t have the bandwidth to build these features themselves. Cloud-native storage for log data (list price: $23/TB/month) remains out of reach.

Introducing Panther

Panther Labs is a startup founded by security engineers that built internal log analytics solutions at Airbnb and AWS. They took what worked at mega-enterprise scale and built a company around it.

The company recently released Panther as a cloud-native SIEM for log analysis and cloud security. Using only virtual building blocks like AWS S3 and Lambda is a departure from SIEMs that run decade-old applications on servers in the cloud. The potential savings are enormous.

While Panther was initially designed to use AWS Athena for historical search, the team has now added Snowflake support for enterprise customers. With the customer’s Snowflake as its backend, the joint Panther-Snowflake solution can be an alternative to traditional SIEMs.

Snowflake becomes a SIEM

Panther’s capabilities and content fill in the gaps that held Snowflake back from being an easy SIEM replacement.

  • Log collection: Panther can parse and normalize common sources like Windows events, Linux logs, network captures and syslog.
  • Real-time monitoring: Panther uses Lambda functions to analyze streaming log data with sub-minute latency.
  • Off-the-shelf threat detection: Panther Labs maintains an open source repository for detection rules written in Python. They currently cover mainly cloud, Linux and Mac attack techniques.
  • Notification integrations: Panther can send alerts to Slack, Jira, PagerDuty and other destinations for triage and response.
Pre-built log parsers are a key feature for SIEM

What’s next?

At the beginning of the year, I wrote about 2020 being the year of the security platform. Most of these platforms started from a security function (firewall, endpoint protection) and added data platform capabilities to support the broader security mission of their customers. Snowflake’s approach is the opposite: attract an ecosystem of infosec capabilities and content to its insanely popular data platform.

I’ve since spoken with many security teams that recognize how important data and analytics are to our industry. Snowflake needs to focus on fast and cost-effective analytics, while teaming up with innovative cybersecurity companies. Partners like Panther Labs are bridging the gap between Snowflake’s data platform capabilities and the domain-specific requirements of security teams.

--

--

Omer Singer

I believe that better data is the key to better security. These are personal posts that don’t represent Snowflake.