How Snowflake’s cloud data lake can be used for security

For a startup in hyper-growth mode like Figma, scaling up its cybersecurity defenses as quickly as other companies has become a major concern.

To accomplish that task, the company relied on Snowflake, a company known for its cloud data lake and data warehouse technology, but much less for what it brings to the table for cybersecurity. As it turns out, however, “the same reason others use Snowflake and find its capabilities so powerful also applies to security,” said Devdatta Akhawe, head of security at Figma.

Snowflake’s technology is primarily used for cloud-based data analytics and data science, but it’s now looking to prove it has a lot to offer when it comes to cybersecurity, which is increasingly recognized as a data problem at its core.

Figma — which offers browser-based, collaboration-oriented design software, and is on tap to be acquired by Adobe for $20 billion — believes Snowflake has arrived in the cybersecurity market because of its unique ability to combine security data feeds with data from other parts of the business. Having a single data lake for the entire company allowed for the analysis of cybersecurity data in a broader context, enabling a better understanding of security risks, according to Akhawe.

“The ability to interact with a large number of disparate data sources is what makes a strong security program,” he said.

Snowflake executives told Protocol that while cybersecurity is just one of the cloud data opportunities the company is pursuing today, it’s clearly among the biggest. The company’s emphasis on the space comes amid intensifying cyberthreats facing businesses and growing priorities placed on cybersecurity in the C-suite and boardroom.

Snowflake’s relevance for security teams is “the best-kept secret in cybersecurity,” said Omer Singer, the company’s head of cybersecurity strategy.

Many of the early customers using Snowflake for cybersecurity — which include Dropbox, DoorDash, TripActions, and CSAA Insurance Group — “have been using Snowflake for a long time, but the cybersecurity team has not,” Singer said. “What’s changed is, now the cybersecurity team uses it as part of their overall strategy.”

Associating threats

Founded in 2012 by two Oracle veterans — Benoit Dageville (now president of product) and Thierry Cruanes (now CTO) — Snowflake has been in cybersecurity for three years, since Frank Slootman joined as CEO, said Christian Kleinerman, senior vice president of product at Snowflake.

Early in his time at Snowflake, Slootman, the former CEO of ServiceNow, had a decisive meeting with a customer, according to Kleinerman. “The customer was telling him, ‘We’re doing cybersecurity at Snowflake — why aren’t you saying this?’”

In June, Snowflake announced its new cybersecurity category, which aims to offer an easier way for customers to combine their security data with other business and contextual data.

Doing so could enable better informed threat detection and breach investigation, according to Snowflake executives. For example, correlating human resources data with email forwarding events to external parties can help determine if an employee is trying to leak sensitive information.


Meanwhile, combining data feeds from code repository GitHub and identity platform Okta can provide a view of who is logging into privileged accounts, what they’re doing, and whether permissions violations are occurring, according to Snowflake executives. Often, however, suspicious developer behavior is missed, as GitHub data is not typically used by operational security tools or staff members.

“The more signals you have, the more patterns you can see,” Kleinerman said.
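The HR-plus-email correlation described above can be sketched as a single join. This is an added example, not code from Snowflake or Figma: the table names, column names, 30-day window and sample rows are all constructed assumptions, and an in-memory SQLite database stands in for the warehouse. The same join shape would apply to the GitHub and Okta feeds mentioned above.

```python
import sqlite3

# Constructed sample rows; table and column names are assumptions for this example.
HR_ROWS = [  # (employee, email, last_day); last_day is set once notice is given
    ("alice", "alice@corp.example", "2023-03-31"),
    ("bob", "bob@corp.example", None),
    ("carol", "carol@corp.example", "2023-04-14"),
]
MAIL_ROWS = [  # (event_time, actor_email, action, forward_to)
    ("2022-11-02T10:00:00", "alice@corp.example", "forward_rule_created", "alice.home@mail.example"),
    ("2023-03-20T09:12:00", "alice@corp.example", "forward_rule_created", "alice.home@mail.example"),
    ("2023-03-21T14:03:00", "bob@corp.example", "forward_rule_created", "bob.home@mail.example"),
    ("2023-03-22T08:40:00", "carol@corp.example", "forward_rule_created", "team@corp.example"),
]

# Flag external forwarding rules created shortly before an employee's last day.
# Neither feed alone is enough: mail logs lack the departure date, HR lacks the events.
QUERY = """
SELECT h.employee, m.event_time, m.forward_to
FROM mail_events AS m
JOIN hr AS h ON h.email = m.actor_email
WHERE m.action = 'forward_rule_created'
  AND m.forward_to NOT LIKE ('%@' || :domain)      -- destination is external
  AND h.last_day IS NOT NULL                       -- employee is leaving
  AND julianday(h.last_day) - julianday(m.event_time) BETWEEN 0 AND :window_days
ORDER BY m.event_time
"""

def find_risky_forwards(internal_domain="corp.example", window_days=30):
    """Load the constructed feeds and return (employee, event_time, forward_to) hits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hr (employee TEXT, email TEXT, last_day TEXT)")
    conn.execute(
        "CREATE TABLE mail_events "
        "(event_time TEXT, actor_email TEXT, action TEXT, forward_to TEXT)"
    )
    conn.executemany("INSERT INTO hr VALUES (?, ?, ?)", HR_ROWS)
    conn.executemany("INSERT INTO mail_events VALUES (?, ?, ?, ?)", MAIL_ROWS)
    params = {"domain": internal_domain, "window_days": window_days}
    rows = conn.execute(QUERY, params).fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    for hit in find_risky_forwards():
        print(hit)
```

Widening `window_days` also surfaces the older rule alice created months earlier, which is only possible if those events are still retained.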

However, that’s not something you can easily do with traditional data storage technology. For one thing, cybersecurity differs from other parts of a business because it generates more data — a nonstop stream of logs and events. For customers, storing security data for any period of time is often costly and requires difficult choices about what to keep.

Snowflake’s separation of pricing between storage and compute, however, “works very well for security,” said Uri May, co-founder and CEO of cybersecurity vendor Hunters. With security, you want to store a lot of data for potential analysis later, he said, but you probably don’t need to have access to all your data all the time.

With Snowflake, however, an organization only pays for computing time on its security data when an incident actually occurs and the stored data needs to be queried, May said. The rest of the time, you’re just paying a “relatively low” price for the storage itself.

In contrast, customers trying to store security data using a cloud-first system — which doesn’t separate storage from compute, and doesn’t use a cloud-native storage architecture — will be forced to be selective about what data they collect and how long they keep it, Singer said.

That’s not good for security, said Figma’s Akhawe. As was the case with the widely publicized SolarWinds attack, many high-impact breaches were discovered only nine months to a year after they began, he said.

Deleting security data after a few months “is not reasonable. You are flying blind when the actual breach is disclosed,” Akhawe said. Snowflake, on the other hand, “gives us the ability to scale to massive amounts of [security] data.”

Bringing apps to data

Snowflake executives said the company is encouraging third-party software vendors to provide security features around its data platform. “Instead of bringing data to applications, let’s bring applications to data,” Kleinerman said.

Vendor partners include Hunters, which provides security and correlation analytics for Snowflake data; Immuta, which offers access control and privacy management; and Lacework, which focuses on enabling threat detection, security investigation and measurement, and compliance posture.

Giving customers a way to put all their data in one place “gives them a holistic view of what’s going on in their business, with security becoming more and more important to every business,” said David Hatfield, co-CEO at Lacework, which received investment from Snowflake and was incubated with the same private equity firm, Sutter Hill Ventures.

In Dropbox’s case, the company moved from using a traditional security information and event management (SIEM) platform to using a cloud-native SIEM from Panther Labs. “They’ve completely done away with their traditional SIEM,” Singer said.

Snowflake’s use for cybersecurity is just beginning to move from early adopters to more mainstream use, executives said. Cybersecurity is one of eight categories currently being promoted for the platform, but it’s the first to target a specific audience within an enterprise.

Two other new categories, planned to be announced in 2023, will similarly target a more specific audience, though details are not being disclosed at this time, Singer said. Previously, Snowflake categories were more general, targeting uses such as data science and data engineering.

‘What a great opportunity’

In terms of the cybersecurity push, “I think our opportunity to do something meaningful in this space is enormous,” Kleinerman said.

Snowflake’s evolving focus on security comes up in his discussions with customers on a weekly basis, he said. “I can tell you, it’s a conversation changer.”

Undoubtedly, it will be easier for younger companies that may be starting fresh in their data architecture, such as Figma, to adopt Snowflake for their cybersecurity needs, Akhawe said.

“I think for a lot of other companies with legacy architecture, it’s harder to transition,” he said.

But while it will take time for companies to make the change, Akhawe believes that 10 years from now, most will have moved to this type of architecture for their data security.

“We know that attacks are becoming more sophisticated and more complex. And often, they take longer than three or four months to detect,” he said. As a result, with a massive cloud-based data lake “where you don’t have to worry about data being deleted — I think that’s going to be the default.”


