How Panther turns Snowflake into a SIEM

If Snowflake could be used as a SIEM, security teams would enjoy cheap, effectively unlimited storage, zero maintenance overhead, scalable query power for investigations, and all the other benefits that make customers love the data platform.

But that’s a big if.

Snowflake is not a SIEM

Some of Snowflake’s largest customers already use it for SIEM workloads, but they’ve devoted entire teams to make that possible.

That’s because Snowflake is missing critical SIEM features:

  • No log collection: Snowflake doesn’t come with parsers to extract and normalize key fields from log events.

Most security orgs don’t have the bandwidth to build these features themselves. So cloud-native storage for log data (list price: $23/TB/month) remains out of reach for them.

Introducing Panther

Panther Labs is a startup founded by security engineers who built internal log analytics solutions at Airbnb and AWS. They took what worked at mega-enterprise scale and built a company around it.

The company recently released Panther as a cloud-native SIEM for log analysis and cloud security. Building it only from serverless building blocks like AWS S3 and Lambda is a departure from SIEMs that run decade-old applications on servers in the cloud. The potential savings are enormous.

While Panther was initially designed to use AWS Athena for historical search, the team has now added Snowflake support for enterprise customers. With the customer’s Snowflake as its backend, the joint Panther-Snowflake solution can be an alternative to traditional SIEMs.

Snowflake becomes a SIEM

Panther’s capabilities and content fill in the gaps that held Snowflake back from being an easy SIEM replacement.

  • Log collection: Panther can parse and normalize common sources like Windows events, Linux logs, network captures and syslog.
[Figure: Pre-built log parsers are a key feature for a SIEM]
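To make concrete what “parse and normalize key fields” means (the gap noted earlier under Snowflake’s missing features, and the parsers Panther adds), here is a small added example, written for this post and not Panther’s or Snowflake’s own code. It normalizes RFC 3164 syslog lines from sshd and cron into one event schema and then runs a basic failed-login detection over the normalized events. The log lines are constructed for the example, the year is assumed (RFC 3164 timestamps carry none), and all function and field names are illustrative.

```python
"""
Added example (not Panther's or Snowflake's code): a minimal log parser
that normalizes RFC 3164 syslog lines into a common schema, then runs a
simple detection over the normalized events.  Sample log lines are
constructed; the year is assumed because RFC 3164 timestamps carry none.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Optional

# Constructed sample syslog lines (RFC 3164 format), not from any real host.
SAMPLE_LOGS = """\
Mar 12 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Mar 12 10:15:03 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51423 ssh2
Mar 12 10:15:04 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51424 ssh2
Mar 12 10:15:09 web01 sshd[2212]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 12 10:16:00 db01 sshd[919]: Failed password for root from 203.0.113.5 port 51430 ssh2
Mar 12 10:16:30 db01 cron[1001]: (root) CMD (run-parts /etc/cron.hourly)
"""

ASSUMED_YEAR = 2020  # assumption: RFC 3164 omits the year

# RFC 3164 layout: "<Mon> <day> <HH:MM:SS> <host> <tag>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH authentication messages ("Failed password for ..." / "Accepted publickey for ...")
SSH_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>[0-9.]+) port (?P<src_port>\d+)"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Normalize one syslog line into a common event schema.

    Returns None when the line does not match, so unparseable input is
    visible to the caller instead of being silently dropped.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    event = {
        "event_time": ts.isoformat(),  # normalized to ISO 8601 UTC
        "host": m["host"],
        "process": m["proc"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }
    # Enrich sshd auth messages with the fields an analyst pivots on.
    a = SSH_AUTH_RE.match(m["msg"])
    if m["proc"] == "sshd" and a:
        event.update({
            "auth_outcome": "failure" if a["outcome"] == "Failed" else "success",
            "auth_method": a["method"],
            "user": a["user"],
            "src_ip": a["src_ip"],
            "src_port": int(a["src_port"]),
        })
    return event


def parse_all(text: str) -> list:
    """Parse every non-empty line, keeping only the lines that matched."""
    parsed = (parse_syslog(line) for line in text.splitlines() if line.strip())
    return [e for e in parsed if e is not None]


def brute_force_sources(events: list, threshold: int = 3) -> dict:
    """Count failed SSH logins per source IP across all hosts and return
    the IPs at or above the threshold with their failure counts."""
    failures = defaultdict(int)
    for e in events:
        if e.get("auth_outcome") == "failure":
            failures[e["src_ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOGS)
    for e in events:
        print(e)
    print("brute-force candidates:", brute_force_sources(events))
```

The point of the normalization step is the cross-host pivot at the end: once both hosts’ events share the same `src_ip` and `auth_outcome` fields, a detection can count failures per source across the whole fleet with one pass, which raw, unparsed text in a table does not allow.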

What’s next?

At the beginning of the year, I wrote about 2020 being the year of the security platform. Most of these platforms started from a security function (firewall, endpoint protection) and added data platform capabilities to support the broader security mission of their customers. Snowflake’s approach is the opposite: attract an ecosystem of infosec capabilities and content to its insanely popular data platform.

I’ve since spoken with many security teams that recognize how important data and analytics are to our industry. Snowflake needs to focus on fast and cost-effective analytics, while teaming up with innovative cybersecurity companies. Partners like Panther Labs are bridging the gap between Snowflake’s data platform capabilities and the domain-specific requirements of security teams.

I believe that better data is the key to better security. These are personal posts that don’t represent Snowflake.
