Throughout my career as a security engineer at both Yahoo and Airbnb, the ability to effectively detect and respond to security incidents was encumbered by slow queries and operational overhead.
When you’re under the gun to quickly respond to security alerts, spending time scaling your SIEM and waiting for queries to complete heavily impacts the ability to perform your job. For security teams, every second counts, and you must be focused on stopping attacks, not managing infrastructure. These challenges directly inspired me to found Panther, a security analytics platform for teams that need to detect attackers quickly and scale with the fast-growing organizations they support.
To make Panther, and consequently security teams, successful at handling huge amounts of log data at scale, we make use of serverless cloud technology, namely Snowflake. I’m especially proud that Panther was recently named “Snowflake’s Cybersecurity Partner of the Year”, and in this blog, I’ll share why investing in Snowflake is truly a game-changer for the future of security analytics. In addition, I’ll highlight how Snowflake enables the next generation of data warehousing for security teams and how Panther’s customers can gain these benefits.
Why We Chose Snowflake
Panther is designed to meet the needs of organizations of all scales. We invested in using Snowflake for several important reasons, but primarily to improve the life of security engineers. Snowflake is a critical component in our architecture that directly results in the ability to store and query terabytes of data in seconds to answer critical security questions. The platform also provides incredible query scale, flexible compute sizing, strong security controls, a growing ecosystem, and quickly evolving platform features.
Panther does the heavy lifting of transforming unstructured log data into a collection of structured database tables (the ETL step), powered by Snowflake, and provides real-time alerting, threat hunting, and more. Instead of being forced into a domain-specific language, teams can standardize on an extended version of SQL that provides even more powerful analytical capabilities on security data.
Security teams can take advantage of these features, and more, to consume and analyze petabytes of security data for detecting and investigating breaches. Here are the five primary reasons we chose Snowflake as the data platform for Panther:
- SaaS & cloud-agnostic: Snowflake is a fully cloud-native solution built for and hosted in AWS, as well as other clouds such as Azure and GCP. Snowflake warehouses can be spun up within minutes, and the service takes care of all provisioning, upgrades, and management, allowing security teams to focus on gathering and analyzing security data, not provisioning infrastructure. Teams also save money by paying only for the resources used, with the Snowflake warehouse going idle in between searches. Finally, due to the cloud-agnostic nature of the offering, a single interface to data can be maintained across clouds, removing the need to maintain multiple types of data layers.
- Scalability: To enable blazing-fast queries at any scale, Snowflake’s architecture separates storage (where the data lives) from compute (how the data is loaded and queried). This design enables huge amounts of security data to be loaded without the need to linearly scale compute resources. Thanks to the elastic nature of the cloud, customers can load data faster and effortlessly scale up as the need for gathering more data rises.
- High performance: An additional benefit of Snowflake’s architecture is the ability to resize compute resources on the fly to handle large-scale searches over petabytes of data. This is an indispensable feature for security investigations that span months back in time. The segmentation of virtual resources also guarantees that one customer’s query will not impact another’s, which is a common problem in other architectures.
- Strong security controls: Snowflake’s data infrastructure is also a highly secure environment with many controls that follow security best practices. This includes the usual suspects, such as MFA, TLS, and isolation of resources within a VPC. Additional row-level data security can be applied to encrypt data, mask sensitive values, and enforce role-based access control to effectively limit access to sensitive data. Furthermore, Snowflake is SOC 2, HIPAA, and PCI compliant. The bottom line: Snowflake takes security and compliance seriously.
- Data Sharing: The final benefit is that Snowflake comes with a built-in, zero-copy data sharing feature, enabling Panther customers to enrich data without moving it. During investigations, customers can easily enrich Snowflake data with threat intelligence, HR data, and other valuable feeds and data sources to conduct more effective and contextualized security investigations.
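Two of the points above, row-level access control with masking and zero-copy enrichment against a shared threat-intel feed, expressed as an added Snowflake SQL example that is not Panther’s or Snowflake’s own code; the database, table, column, role and mapping-table names are hypothetical.

```sql
-- Added example, not Panther's or Snowflake's own code. Table and column names
-- are hypothetical: a normalized CloudTrail table produced by the ETL step
-- described above, and an indicator table exposed through a Snowflake data share.

-- Masking: only analyst roles see the raw identity; every other role gets a
-- redaction marker, so ad-hoc queries cannot leak it by accident.
CREATE OR REPLACE MASKING POLICY mask_identity AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('SECURITY_ANALYST', 'SECURITY_ADMIN') THEN val
    ELSE '*** REDACTED ***'
  END;

ALTER TABLE panther_logs.public.aws_cloudtrail
  MODIFY COLUMN user_identity SET MASKING POLICY mask_identity;

-- Row access policy: a role sees only rows for accounts it is mapped to.
-- security.config.role_account_map is a hypothetical table kept by the team.
CREATE OR REPLACE ROW ACCESS POLICY account_scope AS (acct STRING) RETURNS BOOLEAN ->
  CURRENT_ROLE() = 'SECURITY_ADMIN'
  OR EXISTS (
    SELECT 1
    FROM security.config.role_account_map m
    WHERE m.role_name = CURRENT_ROLE() AND m.account_id = acct
  );

ALTER TABLE panther_logs.public.aws_cloudtrail
  ADD ROW ACCESS POLICY account_scope ON (recipient_account_id);

-- Enrichment: join normalized events against the shared indicator table.
-- The share is zero-copy, so the feed is queried in place, never imported.
SELECT
  e.event_time,
  e.event_name,
  e.source_ip,
  e.user_identity,          -- masked for roles outside the policy above
  ti.feed,
  ti.last_seen
FROM panther_logs.public.aws_cloudtrail AS e
JOIN threat_intel_share.public.bad_ips AS ti
  ON e.source_ip = ti.ip
WHERE e.event_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY e.event_time DESC;
```

Both policies are enforced by Snowflake on every query, including the enrichment join, so an analyst who lacks the role sees redacted identities and only their own accounts’ rows.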
How Our Partnership Helps Snowflake Customers
If you are a current user of Snowflake and need to build a security program, Panther can take full advantage of your existing investment with our “Bring your own Snowflake” model. With this option, Panther’s single-tenant SaaS environment plugs directly into your Snowflake account and begins normalizing security data into your warehouse.
Snowflake’s customers can easily turn a Snowflake implementation into a next-generation cloud security logging and analytics platform with real-time alerting and hundreds of pre-built detection rules. In an era of vendor consolidation and the need for greater simplicity, adding a cutting-edge security solution on top of an existing cloud data warehouse reduces complexity and the need to learn additional tools.
A Winning Combination
With this partnership, Snowflake can expand its go-to-market and offer cutting-edge security capabilities to both new and existing customers. Panther and Snowflake share the same core mantra of enabling teams to collect and understand data at a huge scale without worrying about operations and overhead. The combination of Panther and Snowflake creates a groundbreaking, cloud-first approach to cybersecurity and security analytics that is disrupting the legacy SIEM market and removing the pain felt by security teams. The allure, and reality, of a real-time security analytics solution in the cloud designed with speed, scale, and flexibility in mind is long overdue.
This is the first time security practitioners have had all of their security data available, no matter the scale, for effective investigations, incident response, and threat hunting. We are excited about the joint solution we have created with Snowflake and are looking forward to continuing our trajectory together. Thank you, Snowflake, for bestowing this tremendous honor upon us and for being a great partner through the journey.