Panther and Snowflake have partnered to help organizations replace legacy SIEMs and cut costs. Learn how you can achieve end-to-end security visibility and affordable long-term data retention with Snowflake and Panther.

1. © 2020 Snowflake Inc. All Rights Reserved
TURN YOUR
SNOWFLAKE
INTO A CLOUD-
NATIVE SIEM
WITH PANTHER
JUNE 18, 2020

2. © 2020 Snowflake Inc. All Rights Reserved
AGENDA
2
1. INTRODUCTIONS
2. CHALLENGES
3. SNOWFLAKE PLATFORM
4. PANTHER PLATFORM
5. DEMO
6. SUMMARY
7. Q & A

3. © 2020 Snowflake Inc. All Rights Reserved
TODAY’S SPEAKERS
3
Jack is a cloud security expert with 8+ years
experience leading detection and response at
companies like Airbnb and Yahoo. Prior to
Panther, Jack co-created StreamAlert, an
open source data analysis framework widely
adopted by the security community.
Omer Singer brings over 15 years of hands-on
experience to his role as Head of Cyber
Security Strategy at Snowflake. Prior to
Snowflake, Omer served as an IDF intelligence
officer and was Vice President of Security
Operations at a global security services
provider.
Jack Naglieri
Founder & CEO, Panther Labs
Omer Singer
Head of Cyber Security Strategy, Snowflake

4. © 2020 Snowflake Inc. All Rights Reserved
CHALLENGES

5. © 2020 Snowflake Inc. All Rights Reserved
SECURITY TEAMS FACE BIG CHALLENGES
TIME TO IDENTIFY
AND CONTAIN A
BREACH
GROWTH OF THE
DATA IN 24 MONTHS
$4mm 279 days 10x
AVERAGE COST OF
SECURITY BREACH

6. © 2020 Snowflake Inc. All Rights Reserved 6
STUDY:
90%
OF ALL DATA
WAS CREATED IN THE
PAST TWO YEARS
Source: IBM “10 Key Marketing Trends for 2017”

7. © 2020 Snowflake Inc. All Rights Reserved Source: https://splunkonbigdata.com/2020/02/10/bucket-rolling-criteria-in-splunk/

8. © 2020 Snowflake Inc. All Rights Reserved
SNOWFLAKE
PLATFORM

9. © 2020 Snowflake Inc. All Rights Reserved
SNOWFLAKE ARCHITECTURE
9

10. © 2020 Snowflake Inc. All Rights Reserved
SNOWFLAKE CLOUD DATA PLATFORM
10
DATA
SOURCES
OLTP DATABASES
ENTERPRISE
APPLICATIONS
THIRD-PARTY
WEB/LOG DATA
IoT
DATA
CONSUMERS
DATA MONETIZATION
OPERATIONAL
REPORTING
AD HOC ANALYSIS
REAL-TIME ANALYTICS

11. © 2020 Snowflake Inc. All Rights Reserved
PANTHER
PLATFORM

12. © 2020 Snowflake Inc. All Rights Reserved
COMPANY BACKGROUND
Founded in
August 2018
Headquartered in
San Francisco
AWS & Airbnb
security alumni
Our mission is to stop security breaches by
providing a cloud-scale visibility platform.

13. © 2020 Snowflake Inc. All Rights Reserved
END-TO-END VISIBILITY
Incident Management
Orchestration
Real-TimeMonitoring
Parse Normalize Detect
Data Sources
(Cloud & On-Prem)
+ more
Security Data Lake
HuntInvestigate
Business Intelligence

14. © 2020 Snowflake Inc. All Rights Reserved
PANTHER PRIMITIVES
Real-time
Detections
Extreme
Scalability
Detections as
Code
Turnkey Security
Data Lake

15. © 2020 Snowflake Inc. All Rights Reserved
CLOUD SAAS CLOUD-PREM
PANTHER
DEPLOYMENT MODELS
Single-tenant hosted,
zero administration
Self-hosted for
complete privacy

16. © 2020 Snowflake Inc. All Rights Reserved
DEMO

17. © 2020 Snowflake Inc. All Rights Reserved
SCENARIO
AWS access
key is leaked
on the
Internet
Attacker gets
the key
Attacker
enumerates
and steals
data
Acmecorp
Manufactures custom facemasks
Runs their workload on AWS
Detect w/ Panther
Investigate w/ Snowflake

18. © 2020 Snowflake Inc. All Rights Reserved
Baseline detections
with CIS.
Attacker tactics and
techniques.
PREPARE
Detection Packs for:
200 + Pre-built Rules & Policies
CloudTrail
S3
Guard Duty
CloudFormation
Cisco Umbrella
Okta
Box
Osquery
GCP
+more

19. © 2020 Snowflake Inc. All Rights Reserved
DETECT
# service/event patterns to detect
RECON_ACTIONS = {
'dynamodb': ['List*', 'Describe*', 'Get*'],
'ec2': ['Describe*', 'Get*'],
'iam': ['List*', 'Get*'],
's3': ['List*', 'Get*'],
'rds': ['Describe*', 'List*'],
}
def rule(event):
...
Panther Rule Snippet
$ ./enumerate_aws_permissions.py
[INFO]: Starting permission scanner
[INFO]: Testing Dynamodb
[INFO]: **ListTables: Found**
[INFO]: Testing S3
[INFO]: **ListBuckets: Found**
...
[INFO]: Found the following permissions:
{
"dynamodb": {
"ListTables": {
"TableNames": [
"acmecorp-orders-100"
]
}
},
"s3": {
"ListBuckets": {
"Buckets": [
{
"Name": "acmecorp-financial-data-100",
"CreationDate": "2019-03-14 21:15:19+00:00"
},
{
"Name": "acmecorp-processed-customer-data-100",
"CreationDate": "2019-02-13 17:16:36+00:00"
}
]
}
}
}
Attacker Console
Panther Alert

20. © 2020 Snowflake Inc. All Rights Reserved
RESPOND

21. © 2020 Snowflake Inc. All Rights Reserved
INVESTIGATE
Querying Panther data in the Snowflake UI

22. © 2020 Snowflake Inc. All Rights Reserved
CONTAINMENT
Remediate by revoking the key or deleting the user

23. © 2020 Snowflake Inc. All Rights Reserved
POST-INCIDENT

24. © 2020 Snowflake Inc. All Rights Reserved
RECAP
Use built-in Panther rules to detect attacker behavior
Pivot to Snowflake to answer all questions about the breach
Extract IOCs and correlate activity across all of our logs
Revoke the stolen key and detect a repeat intrusion
Keep our company safe

25. © 2020 Snowflake Inc. All Rights Reserved
Summary

26. © 2020 Snowflake Inc. All Rights Reserved
BETTER TOGETHER
● Cost-efficient long-term storage for all of your data
● Zero maintenance overhead
● A normalized data lake to power threat investigations
Snowflake & Panther give you best-of-breed solutions for
threat detection and response at cloud-scale.

27. © 2020 Snowflake Inc. All Rights Reserved
"LET’S TALK"
Email sales@runpanther.io
to schedule a 14-day free trial.

28. © 2020 Snowflake Inc. All Rights Reserved
THANK YOU