Why Security Teams Are Adopting Security Data Lakes As Part Of A SIEM Strategy
- Dec 5, 2023
- By Hunters
- 5 minutes to read
Security data lakes are increasingly seen as key elements of a modern SIEM strategy. Concerned about data storage costs and in search of a scalable, flexible way to handle ever-increasing volumes of data, security professionals are looking into cloud-based storage solutions. To help others considering a move to a modern SIEM centered on a security data lake, Hunters spoke to security professionals about their decision to store their data in the Snowflake Data Cloud and run analytics on top of that data using Hunters.
If your SIEM modernization strategy uses Snowflake as your security data lake, read why Snowflake named Hunters as a SIEM leader in the Next Generation of Cybersecurity Applications Report.
Spotnana: Achieving scalable security management
Spotnana, a Travel-as-a-Service platform based in New York, wanted a platform that could ingest data from multiple sources, including SentinelOne, Sysdig, Cloudflare, Jira and G Suite, into their Snowflake Data Cloud. Scalability was also key, since the security team, which consisted of three technical engineers and a CISO, no longer wanted to manage complex and costly infrastructure.
“We use Hunters as a single pane of glass for security monitoring, with Snowflake as our data lake. This way we don’t need to worry about scalability or building the data pipelines, storage or infrastructure,” said Gabriel-Alexandru Necula, Senior Security Engineer at Spotnana.
As a small team, doing more with less was important for Spotnana. Limited in time and resources, they lacked the capacity to develop their own rules and playbooks in a legacy SIEM. They needed a solution that could provide pre-built detectors and logic for their existing toolset, so the team could focus on the use cases unique to their organization.
“We didn’t have the time or resources to build the rules ourselves on a SIEM. With minimal work we could connect the data sources into Hunters and start getting value from day one with its pre-built detectors and embedded logic,” Necula said.
Solaris Group: Ditching Manual Rules and Focusing on Automated Threat Detection
Solaris Group is a leader in Banking-as-a-Service, offering services to companies in the digital and financial services industries.
As a growing company, Solaris’ data volumes grew faster than their legacy SIEM solution could support. Unable to integrate the necessary data into their SIEM, the Solaris security team encountered blind spots and reduced visibility into their environment. Other SIEM solutions involved costly proprietary data storage models instead of utilizing Solaris’ Snowflake Data Cloud instance, adding unnecessary expenses and complexity. Additionally, overworked security engineers were drowning in false positives, detection rule writing, and manual investigation work, leading to burnout and inefficiencies.
For Pranav Vattaparambil, former Vice President of Cybersecurity at Solaris, making the lives of his engineers and analysts easier was a top priority when he joined the team. To achieve this, he looked for a tool that would enable his team to leverage Solaris’ Snowflake Data Cloud while automating manual work for their analysts and engineers. With the ability to ingest data directly from Snowflake using Partner Connect, plus built-in detectors, Vattaparambil found what he and his team needed in Hunters.
Not only has Hunters’ approach of letting customers utilize their own Snowflake instance and providing always up-to-date detection rules “improved our overall security posture, it has also allowed my engineers to enjoy a streamlined, more enjoyable work life. The use of Hunters has enabled us to accelerate our response to potential threats, and this has allowed us to stay ahead of the game when it comes to cybersecurity,” Vattaparambil said.
With Hunters, Solaris was able to replicate their previous SIEM's use cases and rule sets, easily ingest their data into their security data lake, and generate investigation timelines, enabling the financial services organization “to make a considerable impact in reducing mean time to detect, dwell time, and mean time to respond,” Vattaparambil said.
Upwork: Breaking down data silos for increased visibility
Upwork is a SaaS platform that allows people to find freelance work in any industry. They specialize in connecting clients with freelancers and providing talented freelancers with work opportunities.
Running a global freelancing platform generates a lot of data, and the high data storage costs of their previous solution resulted in siloed data, poor visibility, and inefficiencies within the security team. Reducing the cost of data storage and historical log retention was key for Upwork.
To achieve their goals around data storage costs, Upwork began using Snowflake as a security data lake. Using Snowflake also helped reduce the data silos and gave the analysts who work in Upwork’s Cyber Fusion Center greater visibility. Upwork also began running Hunters on top of its security data lake to introduce automation into the threat detection, investigation, and response workflow, centralizing security operations into a single platform for reduced alert fatigue and a better analyst experience.
“Because of Hunters, Upwork has been able to remain threat-focused. We’ve been able to pull away from being alert-focused, going through the daily repetitive task of looking at alerts, doing repetitive investigations. Generally speaking, it transformed the way that we do investigations,” said Shawn Chakravarty, Director, Cyber Fusion Center.