You may have heard about Snowflake’s IPO this past year. You probably did not hear about the preparation done by Snowflake’s security team. To meet the new security policy requirements that came with the IPO, our corporate security program went through a detailed security review. These are some of the lessons we learned while setting up automated security control validation on our Snowflake security data lake.
Measuring and Learning About Snowflake Security
Ignorance may be bliss for some, but not for security analysts. Being able to answer questions such as “Do we have visibility into activity on every corporate server?” is extremely valuable. When we joined event logs with our asset inventory in Snowflake, the analytics showed us exactly which systems needed attention.
Visibility gaps are frustrating, but it is not reasonable to expect everything to be perfect when measurement has been irregular or non-existent. The unexpected results were unpleasant at first, but they let us ask hard questions and move closer to our target state.
Defining the Best Security Policies
Snowflake’s security team is known for teaching SQL to security practitioners. SQL is the most widely used query language among data analysts worldwide, yet security analysts typically work with a patchwork of vendor-specific search syntaxes, and many in the field are never able to put their data to work in meaningful ways. This perpetuates a cycle of manual work that leaves little time for better analytics or automation.
SQL is easy to learn and is a natural way to encode security policies: a policy stated in English becomes a query that everyone can read and be held to. We translated key Center for Internet Security (CIS) benchmarks into SQL, then ran scheduled queries against the latest asset and configuration details. The time these results saved in audit preparation and management updates quickly repaid the investment.
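As an added example of the approach described above (not the post’s own queries or Snowflake’s schema), here is one CIS benchmark control, “no security groups allow ingress from 0.0.0.0/0 to port 22”, encoded as SQL and run against a constructed configuration snapshot. SQLite stands in for the warehouse so the example runs offline; the table and column names, the sample rules, and the compliance metric are assumptions. The query deliberately covers the cases an equality check on port 22 would miss: port ranges that span 22, all-protocol rules, and the IPv6 any-source prefix.

```python
import sqlite3

# Constructed sample of cloud security-group ingress rules, standing in for the
# asset/configuration snapshot the post describes. Table and column names are
# assumptions, not the post's schema.
SAMPLE_RULES = [
    # (group_id, protocol, from_port, to_port, source_cidr)
    ("sg-bastion", "tcp", 22, 22, "0.0.0.0/0"),     # SSH from anywhere: violation
    ("sg-web", "tcp", 443, 443, "0.0.0.0/0"),       # HTTPS from anywhere: out of scope
    ("sg-admin", "tcp", 0, 65535, "::/0"),          # all TCP ports from any IPv6: violation
    ("sg-db", "tcp", 22, 22, "10.0.0.0/8"),         # SSH from private range: compliant
    ("sg-legacy", "-1", 0, 0, "0.0.0.0/0"),         # all protocols from anywhere: violation
]

# The policy as a query: "no security group allows ingress from 0.0.0.0/0 to
# port 22". A range spanning port 22 or an all-protocol ('-1') rule is just as
# open as an explicit port-22 rule, and ::/0 is the IPv6 equivalent of 0.0.0.0/0.
POLICY_NO_WORLD_OPEN_SSH = """
SELECT DISTINCT group_id
FROM security_group_rules
WHERE source_cidr IN ('0.0.0.0/0', '::/0')
  AND (
        protocol = '-1'
     OR (protocol = 'tcp' AND from_port <= 22 AND to_port >= 22)
  )
"""

# Dashboard metric: percentage of security groups with no violation.
COMPLIANCE_PCT = f"""
SELECT 100.0 * (COUNT(*) - COUNT(f.group_id)) / COUNT(*)
FROM (SELECT DISTINCT group_id FROM security_group_rules) g
LEFT JOIN ({POLICY_NO_WORLD_OPEN_SSH}) f ON f.group_id = g.group_id
"""


def load_snapshot(rules):
    """Load a configuration snapshot into an in-memory SQLite database.

    SQLite stands in for the Snowflake warehouse so the example runs offline;
    the queries use only syntax both engines accept.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE security_group_rules ("
        "group_id TEXT, protocol TEXT, from_port INTEGER, "
        "to_port INTEGER, source_cidr TEXT)"
    )
    conn.executemany(
        "INSERT INTO security_group_rules VALUES (?, ?, ?, ?, ?)", rules
    )
    return conn


def failing_groups(conn):
    """Return the sorted list of security groups that violate the policy."""
    rows = conn.execute(POLICY_NO_WORLD_OPEN_SSH).fetchall()
    return sorted(r[0] for r in rows)


def compliance_pct(conn):
    """Return the share of security groups (0-100) that pass the policy."""
    return conn.execute(COMPLIANCE_PCT).fetchone()[0]


if __name__ == "__main__":
    db = load_snapshot(SAMPLE_RULES)
    print("Violations:", failing_groups(db))           # ['sg-admin', 'sg-bastion', 'sg-legacy']
    print("Compliance: %.1f%%" % compliance_pct(db))   # 40.0%
```

The violation list is what a scheduled task would write to a findings table, and the compliance percentage is the kind of single number that belongs on a management dashboard; both come from the same policy query, so the metric cannot drift from the check.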
Add Context When All Else Fails
Sometimes our efforts were not enough to bring a control to the level we wanted. Contextual data helps focus attention on what matters most: for example, cloud configuration data can be enriched with a user’s employer and employment status from HR records, so that a finding tied to someone who has left the company stands out from one tied to an active employee.
Automating Problem Detection
We knew the security team could not grow at the same rate as Snowflake, so we turned to automation to solve our bandwidth problem. Automation is not an option, however, until the data and analytics deliver consistently accurate results. One of our first goals was to notify IT whenever an employee who had left the company still had a user ID on the corporate network.
The initial results from the security data lake had some bugs: they included employees who had moved between teams and still needed access to the office Wi-Fi. Had we flagged those users to IT, we would have lost their trust and our notifications would have ended up in the junk folder. Instead, we first surfaced the detection results on dashboards, and only set up alerts and ticketing to drive action once everyone was satisfied that the analytics were valid. At that point we could let the insights from our data drive changes in employee behavior and improve overall security.
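The following is an added example (not the post’s own queries or data) that illustrates both the HR enrichment described under “Add Context When All Else Fails” and the departed-employee detection described here, including the team-transfer false positive. The HR feed, the account list, the column names, and the status values are all constructed assumptions; SQLite stands in for the warehouse so it runs offline. The first query is the naive version that flags anyone with a non-active HR row; the second reduces HR to each employee’s latest record before joining, normalizes email case, and reports accounts with no HR record at all as a separate reason instead of silently passing them.

```python
import sqlite3

# Constructed HR feed. An employee who transfers between teams appears as a
# terminated row for the old department followed by an active row for the new
# one, which is exactly what produced the false positives described above.
HR_RECORDS = [
    # (employee_id, email, department, status, effective_date)
    ("E1", "alice@example.com", "eng", "terminated", "2021-03-01"),  # really left
    ("E2", "Bob@example.com", "sales", "terminated", "2021-02-15"),  # transferred out of sales
    ("E2", "Bob@example.com", "marketing", "active", "2021-02-16"),  # and into marketing
    ("E3", "carol@example.com", "eng", "active", "2020-01-01"),      # still active
]

# Constructed list of user IDs on the corporate network (Wi-Fi / directory).
NETWORK_ACCOUNTS = [
    # (user_id, email)
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
    ("dave", "dave@example.com"),  # no HR record at all
]

# First attempt: any non-active HR row marks the account stale. This flags Bob,
# who merely changed teams, and never notices Dave, who is unknown to HR.
NAIVE_STALE = """
SELECT DISTINCT a.user_id
FROM network_accounts a
JOIN hr_records h ON LOWER(h.email) = LOWER(a.email)
WHERE h.status <> 'active'
ORDER BY a.user_id
"""

# Corrected: join against each employee's latest HR record only, and treat a
# missing HR record as its own finding rather than as a pass. The department
# is carried along as context for whoever triages the result.
STALE_WITH_CONTEXT = """
WITH latest AS (
  SELECT h.employee_id, LOWER(h.email) AS email, h.department, h.status
  FROM hr_records h
  JOIN (SELECT employee_id, MAX(effective_date) AS max_date
        FROM hr_records GROUP BY employee_id) m
    ON m.employee_id = h.employee_id AND m.max_date = h.effective_date
)
SELECT a.user_id,
       CASE WHEN l.email IS NULL THEN 'no_hr_record'
            ELSE 'hr_status_' || l.status END AS reason,
       l.department
FROM network_accounts a
LEFT JOIN latest l ON l.email = LOWER(a.email)
WHERE l.email IS NULL OR l.status <> 'active'
ORDER BY a.user_id
"""


def load(hr_records, accounts):
    """Load the constructed HR feed and account list into in-memory SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hr_records (employee_id TEXT, email TEXT, "
        "department TEXT, status TEXT, effective_date TEXT)"
    )
    conn.execute("CREATE TABLE network_accounts (user_id TEXT, email TEXT)")
    conn.executemany("INSERT INTO hr_records VALUES (?, ?, ?, ?, ?)", hr_records)
    conn.executemany("INSERT INTO network_accounts VALUES (?, ?)", accounts)
    return conn


def naive_stale_accounts(conn):
    """User IDs the first-attempt query would have sent to IT."""
    return [r[0] for r in conn.execute(NAIVE_STALE).fetchall()]


def stale_accounts(conn):
    """(user_id, reason, department) rows from the corrected query."""
    return [tuple(r) for r in conn.execute(STALE_WITH_CONTEXT).fetchall()]


if __name__ == "__main__":
    db = load(HR_RECORDS, NETWORK_ACCOUNTS)
    print("naive:", naive_stale_accounts(db))   # ['alice', 'bob']  <- bob is a false positive
    print("fixed:", stale_accounts(db))         # [('alice', 'hr_status_terminated', 'eng'), ('dave', 'no_hr_record', None)]
```

Running the two queries side by side on a dashboard is a practical way to show the gap between a first-cut detection and one that is ready to drive tickets; only the second query should ever be wired to alerting.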
Our leaders have extensive experience with public companies and IPOs, and we wanted to give them confidence in Snowflake’s security controls. We wanted the data to speak for itself rather than reporting progress only through presentations. Executives had direct access to the state of security controls through dashboards and reports, so they could verify for themselves that they were getting accurate information.
Figure 4 shows the significant gains in key controls that our data-driven approach delivered. Senior security leaders could interact with live BI reports and see the team’s progress for themselves.