I didn’t know anything about data lakes when I joined Snowflake in 2018. But it was common sense that a data platform that scales up and down and never runs out of storage would be amazing for cloud-centric security teams. Since then, the intersection of data and cyber has become very exciting.
While at Snowflake, I met with hundreds of security leaders across many industries and from around the world. The conversations were often about flexibility for threat detection and response, especially around an existing Splunk SIEM. Lots of effort had gone into building detections, dashboards, and playbooks. Increasingly, however, new data sources couldn’t be collected. Price and performance constraints were limiting visibility, impacting threat detection and increasing risk.
These customers reached out and asked if Snowflake could help. Using cloud-native storage, and an architecture that does a good job separating that storage from the compute needed for queries, could enable that missing visibility. We calculated that costs with Snowflake would be 80% lower, so that projects could be self-funded. It would also eliminate the need to rehydrate older data from cold archives. Could users somehow combine their Splunk and their Snowflake?
This is where Anvilogic started popping up - I noticed that the teams using Snowflake together with Splunk are often Anvilogic customers, who also clearly love working with the Anvilogic team. One CISO shared with me that Anvilogic enabled his team to use Snowflake as a data lake for EDR forensic data together with their Splunk. The cost difference between the two data platforms meant that the team avoided over a million dollars in license fees. In a case study, one SOC manager shared that by gaining detection coverage for endpoint security data, an incident was flagged that would otherwise have been missed—highlighting the risk reduction aspect of this hybrid architecture.
The joint solution took off, and a winning partnership was formed. It was also encouraging to see new Snowflake features, like Snowpark for machine learning, get quickly baked into the Anvilogic product.
But I want to share why I chose Anvilogic, and why now.
First, the security data lake went mainstream. Many security programs have started using Snowflake for security analytics. It might be for incident response, threat hunting, or even just to satisfy regulatory requirements, but the idea has taken hold. No longer is the choice for the SOC between loading a source to the SIEM or leaving it behind. Much credit is due to Cribl for opening up the pipeline, and its continued adoption chips away at the lock-in that came with the old monolithic SIEM. At this point, I believe we’re past the tipping point, and most CISOs understand why they should have a security data lake. Now the question is how they can get started.
Also, Snowflake’s product gaps around log search have been largely addressed. When I took on a product management role at Snowflake, customers were facing real challenges with some of the iterative, exploratory searches that incident responders and detection engineers require. The Data Cloud had been designed to crunch terabytes of machine data, but asking for a laptop’s recent DNS lookups might take 20 seconds to return. We needed our battleship to move more like a jet ski.
The engineering team at Snowflake Berlin, in particular, deserves a ton of credit for the innovation and continuous improvement that they shipped for the cybersecurity workload. Improvements to the query engine directly addressed security use cases, with many searches like in the example above going down from twenty seconds to under two seconds. Customers were able to migrate Elasticsearch and Solr workloads to Snowflake—proving that hot retention could be extended from a week to a year without sacrificing responsiveness. Solutions like Anvilogic keep getting faster and better when they run on Snowflake.
Finally, what signaled that we’ve reached the tipping point was Splunk’s decision to join Cisco. The world’s dominant SIEM vendor made a decision that, for better or worse, affects each of its customers. In the face of uncertainty and turbulence, customers prioritize flexibility and optionality. Splunk is not going away, but it will increasingly serve as one log repository among several. The “all in one” approach will be replaced with a SOC architecture that uses the best datastore for each use case.
And unlike anyone else in the space, Anvilogic was designed for this flexibility. The founding team is made up of former Splunkers and hands-on practitioners from Fortune 100 security operations. That combination of SIEM product and SOC operator experience guided them to decouple the security analytics from the data platforms. The founding team recognized that operationalizing a data lake like Snowflake for the SOC is hard, and any approach that requires “rip and replace” will be a non-starter for most large organizations. Many of these also have requirements around where certain data lives, including on-premises for some use cases. Supporting a variety of logging tools and data lakes is the right approach at the right time.
There’s also something of a Netflix moment happening. In an unbundled world, whether it’s happening to cable TV or the monolith SIEM, content is king. Anvilogic has a proven track record at content creation, quickly releasing high-quality detections as new attacks and vulnerabilities emerge. The product has received high marks for its detection engineering workflows, with some Splunk customers using it just for that. High-fidelity content for detection and response will make the biggest impact when applied transparently across multiple data platforms.
So that’s why I’m joining Anvilogic now, and I’m thrilled to help security teams achieve something that everyone loves: freedom. Freedom to choose where security data gets analyzed. Freedom to change that choice when there’s a better option. Freedom fosters creativity, efficiency and even fun—and it’s coming to a SOC near you. Subscribe below for weekly posts that will help you plan, execute and achieve success with your security data lake.