How Panther turns Snowflake into a SIEM

If Snowflake could be used as a SIEM, security teams would enjoy cheap unlimited storage, zero maintenance overhead, scalable query power for investigations, and all the other reasons why customers love the data platform.

But that’s a big if.

Snowflake is not a SIEM

That’s because Snowflake is missing critical SIEM features:

  • No log collection: Snowflake doesn’t come with parsers to extract and normalize key fields from log events.
  • No real-time monitoring: Snowflake queries can run on a schedule but some threats warrant instant reaction.
  • No off-the-shelf threat detection: Snowflake doesn’t come with rules to catch common attack techniques.
  • No notifications and SOAR integrations: Snowflake can’t send you a Slack message, open a ticket, or run a playbook.

Most security orgs don’t have the bandwidth to build these features themselves. Cloud-native storage for log data (list price: $23/TB/month) remains out of reach.

Introducing Panther

The company recently released Panther as a cloud-native SIEM for log analysis and cloud security. Using only virtual building blocks like AWS S3 and Lambda is a departure from SIEMs that run decade-old applications on servers in the cloud. The potential savings are enormous.

While Panther was initially designed to use AWS Athena for historical search, the team has now added Snowflake support for enterprise customers. With the customer’s Snowflake as its backend, the joint Panther-Snowflake solution can be an alternative to traditional SIEMs.

Snowflake becomes a SIEM

  • Log collection: Panther can parse and normalize common sources like Windows events, Linux logs, network captures and syslog.
  • Real-time monitoring: Panther uses Lambda functions to analyze streaming log data with sub-minute latency.
  • Off-the-shelf threat detection: Panther Labs maintains an open source repository for detection rules written in Python. They currently cover mainly cloud, Linux and Mac attack techniques.
  • Notification integrations: Panther can send alerts to Slack, Jira, PagerDuty and other destinations for triage and response.
Pre-built log parsers are a key feature for SIEM

What’s next?

I’ve since spoken with many security teams that recognize how important data and analytics are to our industry. Snowflake needs to focus on fast and cost-effective analytics, while teaming up with innovative cybersecurity companies. Partners like Panther Labs are bridging the gap between Snowflake’s data platform capabilities and the domain-specific requirements of security teams.

I believe that better data is the key to better security. These are personal posts that don’t represent Snowflake.