This blog is the second in a series looking at how companies are using Hunters and Snowflake to adopt a security data lake and implement a modern SIEM. Learn how PennyMac is also using a security data lake.
Cybersecurity programs can contribute to business efforts to increase revenue, doing more with less and providing customers, regulators, and investors with more meaningful information. Achieving these aims requires rethinking how a security program is architected because legacy approaches can’t provide the edge businesses need.
“Cybersecurity can be a differentiator and an advantage inside a business. The complication was our architecture. Our methods haven't been adequate. We realized we were not likely to satisfy the outcomes that the business needs if we didn't make changes,” said Xactly CISO Matt Sharp at the 2024 Snowflake Summit.
At Xactly, this meant rebuilding its program around a Snowflake security data lake. For its SIEM, Xactly took a modern approach by using Hunters. Hunters automatically correlates and enriches the security data that Xactly stores in Snowflake and provides attack stories that show the full context of an incident.
“Our security program is based on top of a security data lake as opposed to some of the legacy approaches that have been considered in the past. Traditionally, cybersecurity teams are focused on getting a bunch of tech, feeding the data into a SIEM and hoping for the best,” Sharp said.
The business case for using a security data lake
Xactly provides tools for sales performance management, sales forecasting and sales planning. The company decided to recenter their security program around a data lake to achieve cost savings, expand the company’s talent pool and use data in a way that helps Xactly achieve business outcomes. Moving to Snowflake meant more automated infrastructure, which would save money, Sharp said. And since Snowflake allows users to query data in SQL, Sharp “doesn’t have to focus on finding someone who’s familiar with a very specific query language so it expands my access to a broader talent pool.”
Using Snowflake also meant being able to build a best-of-breed security stack that allows Xactly to control their data and swap out underperforming vendors. In addition to Hunters, Lacework, Dassana and Spera are in Xactly’s new architecture.
“The larger players are getting larger and larger and consolidating. And you see percent of wallet going to the Palo Altos. Palo comes to mind because they have an answer for everything and their stuff all works together really well but you might not want to be totally married to that single provider,” he said.
Putting the data to use
After using a security data lake for a year, Xactly is entering a phase where its security data can start driving business outcomes. To operationalize the data, Sharp uses a framework from the book The Metrics Manifesto: Confronting Security with Data that involves quantifying and qualifying the data, collaborating with executives and advocating for change.
Quantify: Xactly’s data initially showed that 20 percent of their IT systems were nearing the end of their life. Further investigation revealed that that data included virtual machines that had been powered down, skewing the metrics and overstating the problem. “The first thing is let's get the data right. If I'm trying to solve a problem that doesn't exist or I have overstated the problem then nothing else matters.”
Qualify: This step answers questions like are we getting better or worse in areas of security or are we scaling our program? Sharp recommended asking these questions in the context of how the security program can help the company meet their business goals.
Collaborate: Security teams are agents of influence and change in a company and can’t push through a major security initiative on their own. The idea is to “not be a metrics cop and drive cultural change by aligning with other stakeholders and have them championing security requests.”
Advocate: Standing on a soap box and shouting about the need to patch more or let security approve all tools isn’t going to work. Security leaders need to use other executives as their advocates. “If I can get my CTO and CFO aligned, I might get some additional resources and that will help me satisfy whatever it is we’re advocating for.”
How to align security to business
Aligning security to business means being able to talk about how “investments made in cybersecurity are connected to the revenue that you’re driving to,” Sharp said. That requires determining how a business makes money. For public companies with multiple business units, he suggested reviewing annual reports to see what segments a business operates (for example, AWS and Whole Foods are segments of Amazon) and determining if “the investments made in securing these segments is appropriate and aligned with what future business could look like.” He also recommended getting the board’s perspective on what delivers value for a business.
Figuring out the key source of revenue is also important when determining how much security to allocate. Security teams have scarce resources and “you can’t do all things for all people all the time. The reality is that some stuff isn’t going to get done.” Knowing what your “crown jewels” are helps determine where to allocate security resources.
“If we’re intelligent about choosing what stuff isn’t getting done, then we can optimize costs, reduce risk and protect our competitive advantage in the marketplace,” he said.
Interested in adopting a security data lake and modern SIEM like Xactly? With Hunters you can bring your own data lake or leverage Hunters' embedded one. Contact us to learn more.