Snowflake + Panther Webinar
1. © 2020 Snowflake Inc. All Rights Reserved
TURN YOUR SNOWFLAKE INTO A CLOUD-NATIVE SIEM WITH PANTHER
JUNE 18, 2020
2. AGENDA
1. INTRODUCTIONS
2. CHALLENGES
3. SNOWFLAKE PLATFORM
4. PANTHER PLATFORM
5. DEMO
6. SUMMARY
7. Q & A
3. TODAY’S SPEAKERS
Jack Naglieri, Founder & CEO, Panther Labs
Jack is a cloud security expert with 8+ years of experience leading detection and response at companies like Airbnb and Yahoo. Prior to Panther, Jack co-created StreamAlert, an open source data analysis framework widely adopted by the security community.
Omer Singer, Head of Cyber Security Strategy, Snowflake
Omer Singer brings over 15 years of hands-on experience to his role as Head of Cyber Security Strategy at Snowflake. Prior to Snowflake, Omer served as an IDF intelligence officer and was Vice President of Security Operations at a global security services provider.
5. SECURITY TEAMS FACE BIG CHALLENGES
$4mm: AVERAGE COST OF SECURITY BREACH
279 days: TIME TO IDENTIFY AND CONTAIN A BREACH
10x: GROWTH OF THE DATA IN 24 MONTHS
6. STUDY: 90% OF ALL DATA WAS CREATED IN THE PAST TWO YEARS
Source: IBM “10 Key Marketing Trends for 2017”
7. Source: https://splunkonbigdata.com/2020/02/10/bucket-rolling-criteria-in-splunk/
10. SNOWFLAKE CLOUD DATA PLATFORM
DATA SOURCES: OLTP DATABASES, ENTERPRISE APPLICATIONS, THIRD-PARTY, WEB/LOG DATA, IoT
DATA CONSUMERS: DATA MONETIZATION, OPERATIONAL REPORTING, AD HOC ANALYSIS, REAL-TIME ANALYTICS
12. COMPANY BACKGROUND
Founded in August 2018
Headquartered in San Francisco
AWS & Airbnb security alumni
Our mission is to stop security breaches by providing a cloud-scale visibility platform.
13. END-TO-END VISIBILITY
Diagram labels: Data Sources (Cloud & On-Prem) + more; Parse, Normalize, Detect; Real-Time Monitoring; Security Data Lake; Hunt, Investigate; Incident Management; Orchestration; Business Intelligence
14. PANTHER PRIMITIVES
Real-time Detections; Extreme Scalability; Detections as Code; Turnkey Security Data Lake
15. PANTHER DEPLOYMENT MODELS
CLOUD SAAS: Single-tenant hosted, zero administration
CLOUD-PREM: Self-hosted for complete privacy
17. SCENARIO
AWS access key is leaked on the Internet → Attacker gets the key → Attacker enumerates and steals data
Acmecorp: manufactures custom facemasks; runs their workload on AWS
Detect w/ Panther. Investigate w/ Snowflake.
18. PREPARE
200+ Pre-built Rules & Policies
Baseline detections with CIS. Attacker tactics and techniques.
Detection Packs for: CloudTrail, S3, GuardDuty, CloudFormation, Cisco Umbrella, Okta, Box, Osquery, GCP, +more
19. DETECT
Panther Rule Snippet:
```python
# service/event patterns to detect
RECON_ACTIONS = {
    'dynamodb': ['List*', 'Describe*', 'Get*'],
    'ec2': ['Describe*', 'Get*'],
    'iam': ['List*', 'Get*'],
    's3': ['List*', 'Get*'],
    'rds': ['Describe*', 'List*'],
}

def rule(event):
    ...  # rule logic not shown on the slide
```
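One way to turn the pattern table above into a working detection, as an added example that is not Panther's own rule code: it assumes CloudTrail-shaped events (`eventSource` is `<service>.amazonaws.com`, `eventName` is the API call, the key sits in `userIdentity.accessKeyId`), and the threshold for reporting a key is an assumed value. Beyond the slide's single-event rule it also groups matches per access key so one routine `ListBuckets` stays quiet while a burst of read-only calls across services is flagged.

```python
from fnmatch import fnmatchcase

# Service/event patterns from the slide. In CloudTrail, eventSource is
# "<service>.amazonaws.com" and eventName is the API call (e.g. "ListTables").
RECON_ACTIONS = {
    'dynamodb': ['List*', 'Describe*', 'Get*'],
    'ec2': ['Describe*', 'Get*'],
    'iam': ['List*', 'Get*'],
    's3': ['List*', 'Get*'],
    'rds': ['Describe*', 'List*'],
}

# Distinct matching calls before one key is reported (assumed value, not Panther's).
RECON_THRESHOLD = 3

def is_recon_call(event):
    """True if one CloudTrail event matches a read-only enumeration pattern."""
    service = event.get('eventSource', '').split('.')[0]  # "s3.amazonaws.com" -> "s3"
    name = event.get('eventName', '')
    return any(fnmatchcase(name, pat) for pat in RECON_ACTIONS.get(service, []))

def rule(event):
    """Panther-style rule entry point: fire on any matching enumeration call."""
    return is_recon_call(event)

def enumeration_by_key(events, threshold=RECON_THRESHOLD):
    """Return keys whose distinct (service, eventName) matches reach the threshold."""
    seen = {}
    for ev in events:
        if not is_recon_call(ev):
            continue
        key = ev.get('userIdentity', {}).get('accessKeyId', 'unknown')
        service = ev['eventSource'].split('.')[0]
        seen.setdefault(key, set()).add((service, ev['eventName']))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample events in CloudTrail shape; the key ids are placeholders.
SAMPLE_EVENTS = [
    {'eventSource': 'dynamodb.amazonaws.com', 'eventName': 'ListTables',
     'userIdentity': {'accessKeyId': 'AKIA_LEAKED_PLACEHOLDER'}},
    {'eventSource': 's3.amazonaws.com', 'eventName': 'ListBuckets',
     'userIdentity': {'accessKeyId': 'AKIA_LEAKED_PLACEHOLDER'}},
    {'eventSource': 'iam.amazonaws.com', 'eventName': 'ListUsers',
     'userIdentity': {'accessKeyId': 'AKIA_LEAKED_PLACEHOLDER'}},
    {'eventSource': 's3.amazonaws.com', 'eventName': 'PutObject',
     'userIdentity': {'accessKeyId': 'AKIA_LEAKED_PLACEHOLDER'}},
    {'eventSource': 'ec2.amazonaws.com', 'eventName': 'DescribeInstances',
     'userIdentity': {'accessKeyId': 'AKIA_NORMAL_PLACEHOLDER'}},
]
```

Running `enumeration_by_key(SAMPLE_EVENTS)` reports only the leaked placeholder key with its three read-only calls across DynamoDB, IAM and S3; the single EC2 describe from the other key stays under the threshold.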
Attacker Console:
```text
$ ./enumerate_aws_permissions.py
[INFO]: Starting permission scanner
[INFO]: Testing Dynamodb
[INFO]: **ListTables: Found**
[INFO]: Testing S3
[INFO]: **ListBuckets: Found**
...
[INFO]: Found the following permissions:
{
  "dynamodb": {
    "ListTables": {
      "TableNames": [
        "acmecorp-orders-100"
      ]
    }
  },
  "s3": {
    "ListBuckets": {
      "Buckets": [
        {
          "Name": "acmecorp-financial-data-100",
          "CreationDate": "2019-03-14 21:15:19+00:00"
        },
        {
          "Name": "acmecorp-processed-customer-data-100",
          "CreationDate": "2019-02-13 17:16:36+00:00"
        }
      ]
    }
  }
}
```
Panther Alert
21. INVESTIGATE
Querying Panther data in the Snowflake UI
22. CONTAINMENT
Remediate by revoking the key or deleting the user
24. RECAP
Use built-in Panther rules to detect attacker behavior
Pivot to Snowflake to answer all questions about the breach
Extract IOCs and correlate activity across all of our logs
Revoke the stolen key and detect a repeat intrusion
Keep our company safe
26. BETTER TOGETHER
● Cost-efficient long-term storage for all of your data
● Zero maintenance overhead
● A normalized data lake to power threat investigations
Snowflake & Panther give you best-of-breed solutions for threat detection and response at cloud scale.
27. "LET’S TALK"
Email sales@runpanther.io to schedule a 14-day free trial.