How PennyMac Created a Best-in-Class Stack By Building Its Security Program on Snowflake
- Jul 17, 2024
- By Molly Conway
This blog is the first in a series looking at how companies are using Hunters and Snowflake to adopt a security data lake and implement a modern SIEM.
Taking a best-in-class approach to creating their security architecture was a key factor in PennyMac’s decision to center its security program around Snowflake. PennyMac Chief Information Security Officer, Cyrus Tibbs, found that large security vendors sell platforms that claim to do everything. In reality, those companies have multiple security tools and are integrating security data from them on the backend.
“With Snowflake, we could have the best data classifier, the best EDR, the best NDR, whatever we needed,” he said at the 2024 Snowflake Summit. Picking and choosing the tools that PennyMac uses and handling data integration themselves lets the mortgage company easily integrate a wide variety of vendor solutions into its data lake for analysis.
PennyMac uses Hunters and Snowflake to create a modern SIEM that leverages a security data lake.
“We then feed all that data into Hunters. They built all of the prioritization and detection engineering and they drop all of that data in a raw format into our Snowflake data lake. We then build our own analytics for our differentiated business use cases. I'm spending less time trying to build the same cyber signal that everybody in the cloud needs and more of my time on solving specific challenges at PennyMac,” Tibbs said.
At PennyMac, using a security data lake instead of a legacy SIEM also helps with the cybersecurity talent shortage. “Legacy SIEM platforms often use proprietary technology that’s known by a limited number of people,” Tibbs said. “Detection engineering was beyond the skill set of junior analysts and required escalating an incident to an engineering team specializing in that SIEM.” With a Snowflake security data lake, SOC teams query the data in SQL, which “is very accessible.”
“Now we have level-one analysts and other people on our team saying, ‘This is accessible to me now.’ Anybody in cybersecurity knows our biggest challenge is not having enough people. If you’re able to democratize your SIEM platform by turning into a data lake, you get a ton of value because now you’re not so dependent on one or two people in detection engineering,” he said.
Tibbs also mentioned greater cost transparency as a benefit of using Snowflake. A more predictable cost structure motivates him to store more data.
“One thing I’m excited about that I didn’t think would ever excite me was adding more data into my data lake because typically that comes with big cost implications. It gives you the right motivation to want to add data,” Tibbs said.
As the scope of incidents SOC teams face changes, their data needs change as well. In many cases, SOCs operate on data from the past few days. But on some occasions, SOC teams need access to all of their data.
“Once in a while you feel like you’re in the Super Bowl and you need everything. Having a model where you have clear visibility into the cost of storing data and then you’re paying only for consumption — that’s a huge benefit. I’m in a situation now where I want to add more and more data because there’s so much proportional value in the Hunters and Snowflake cost model,” he said.