Rahul Gupta
Head of Information Security & GRC
Terence Wilson
Senior Security Engineer
Kelsey Hammock
Partner Engineer
Nick Nieves
Security Architect Field CTO, Snowflake
June 13, 2024

Unlock Your Data Potential: How to Transform Security Analytics with Sigma and Snowflake

Legacy platforms once dictated security architectures, but the data landscape is changing faster than traditional tools can follow, and the result is data that gets collected but never used. As organizations generate more telemetry than ever, security engineers face the task of building a unified tooling layer that minimizes friction, can be deployed quickly, and gives comprehensive visibility. The complexity of existing tools, combined with data scattered across many locations, makes that layer hard to build and hard to use well.

By combining a dynamic, highly customizable analytics layer with the structure and reliability of a data lake, Sigma and Snowflake provide the foundation for security analytics over the large volumes of security data organizations collect.

Sigma and Snowflake have already released the Snowflake Security Monitoring Template in Sigma, which lets joint customers monitor the security of their own Snowflake environment, including login events, privileged object changes, stale passwords, and more. The template is a good out-of-the-box option for monitoring Snowflake itself through Sigma, but by using the two technologies together, security teams can build custom solutions for broader security workloads across the organization.

Why Snowflake for the Data Lake

What is a data lake, and why use one? A data lake is a single source of truth where data from multiple sources comes together and can be normalized. Snowflake storage keeps that data always hot for analysts, removing the manual rehydration step that data sitting in various tiers of "cold" archive would require. Snowflake's ability to scale compute on demand removes resource contention, and its data processing lets you pipe data to a single location while transforming and organizing it in whatever shape is most useful, at nearly unlimited scale. This comes with the added benefit of controlling your data from the point it is created to the point it is analyzed, using Snowflake's native governance features, including role-based access control and data masking policies.

Isolated data silos hinder a comprehensive security strategy, which makes an integrated approach essential. The single source of truth a security data lake provides is the basis for accurate analysis, quick decisions, and effective threat detection. By unifying data across the organization, security teams are better equipped to protect against evolving threats.

Why Sigma for Security Insights & Dynamic Analytics

Sigma has long been considered a business intelligence (BI) tool for analytics on cloud data warehouses like Snowflake, with built-in, code-free connections and visualizations. Beyond those primary analytics use cases, Sigma on top of Snowflake's data lake provides an efficient and cost-effective way to build a range of security and security-operations use cases.


Defensive security depends on the quality of the insights derived from your data. Traditional security tools often limit users to a narrow, tool-specific data set; with Sigma, the scope expands to everything in the data lake, giving a comprehensive view. Sigma's range of analysis and visualization models helps turn that data into meaningful insight and stronger defenses.


Vulnerability management (VM)

Maintaining a separate console for each vulnerability management (VM) tool has historically been a pain point for security teams. Combining Sigma with Snowflake's data lake removes the need to work inside each individual tool and lets organizations combine findings from multiple sources, such as internal ticketing systems, Cloud Security Posture Management (CSPM), Data Security Posture Management (DSPM), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), container scanners, and external and internal VM scanners, while customizing the result to fit their needs. With Sigma and Snowflake's data lake, teams can track, prioritize, analyze, and report on any vulnerability that is discovered, in one place. That gives teams time to prioritize and resolve issues without constantly switching between the individual tools, saving the organization time and money.


Security Analyst Investigations

Sigma, powered by Snowflake's data lake, offers a seamless way to run security investigations. With data from sources such as identity providers (IdP), cloud IaaS providers, email gateways, system audit logs, Endpoint Detection and Response (EDR), and Mobile Device Management (MDM), security teams can conduct a range of investigations within a single Sigma workbook. This provides a comprehensive view of an organization's data, with the ability to take immediate action from one consolidated view. In addition, mobilizing this security data allows for better reporting and visibility of progress to leadership, alignment of the security organization around common goals, and better insight into areas for improvement. These insights turn into actionable goals and let teams track performance over time.


Organizations can use Sigma and Snowflake's data lake for many types of investigations, including:

  • Initial Investigation: Combines multiple critical data sources with inline functions to give an instant view of a user's recent activity.
  • Authentication Breach Investigation: Correlates data from the identity provider (IdP), Secure Access Service Edge (SASE), and password manager into visualizations and log views that expedite the investigation.
  • Social Engineering: Combines data from the IdP, password manager, and email security to detect successful or attempted user compromises.
  • Cloud Activity: Integrates audit logs from multiple cloud platforms, the network platform, the IdP, and system logs, so Sigma can be used to flag suspicious or unauthorized activity in the cloud.
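As an added example of the "initial investigation" and "authentication breach" patterns above (this is not the Sigma workbook's own logic, and Sigma's visual layer is not shown), the two Snowflake SQL queries below can be pasted into a Sigma SQL element or a Snowflake worksheet. They use only Snowflake's own SNOWFLAKE.ACCOUNT_USAGE views as the data sources, so they run on any account whose role has IMPORTED PRIVILEGES on the SNOWFLAKE database; the user name, lookback window and failure threshold are session variables you set yourself, and rows from other sources landed in the lake (IdP, SASE, email) would be added as further UNION ALL arms with the same column shape.

```sql
-- Added example, not part of the original post or the Sigma template.
-- Assumes a role with IMPORTED PRIVILEGES on the SNOWFLAKE database.
-- Note: ACCOUNT_USAGE views lag live activity (up to ~2 hours for
-- LOGIN_HISTORY / QUERY_HISTORY), so this is triage, not real-time alerting.

SET target_user    = 'JDOE';   -- assumed user under investigation
SET lookback_hours = 72;       -- assumed window

-- 1. Initial investigation: a single timeline of one user's logins and
--    queries, in the same column shape so more sources can be UNIONed in.
WITH logins AS (
    SELECT event_timestamp                                   AS ts,
           'LOGIN'                                           AS source,
           CASE WHEN is_success = 'YES'
                THEN 'login_success' ELSE 'login_failure' END AS action,
           client_ip,
           reported_client_type                              AS context,
           COALESCE(error_message, first_authentication_factor) AS detail
    FROM snowflake.account_usage.login_history
    WHERE user_name = $target_user
      AND event_timestamp >= DATEADD(hour, -$lookback_hours, CURRENT_TIMESTAMP())
),
queries AS (
    SELECT start_time                 AS ts,
           'QUERY'                    AS source,
           query_type                 AS action,
           NULL                       AS client_ip,
           role_name                  AS context,
           LEFT(query_text, 120)      AS detail   -- truncated for the timeline
    FROM snowflake.account_usage.query_history
    WHERE user_name = $target_user
      AND start_time >= DATEADD(hour, -$lookback_hours, CURRENT_TIMESTAMP())
)
SELECT * FROM logins
UNION ALL
SELECT * FROM queries
ORDER BY ts;

-- 2. Authentication-attack triage: source IPs that failed repeatedly against
--    a user and then succeeded in the last 24 hours. A burst of failures
--    followed by a success from the same IP is the classic brute-force /
--    credential-stuffing signature and is worth a look before the IdP logs
--    are even opened.
SELECT user_name,
       client_ip,
       COUNT_IF(is_success = 'NO')  AS failures,
       COUNT_IF(is_success = 'YES') AS successes,
       MIN(event_timestamp)         AS first_seen,
       MAX(event_timestamp)         AS last_seen,
       LISTAGG(DISTINCT COALESCE(error_code::STRING, 'OK'), ',') AS error_codes
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -1, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip
HAVING COUNT_IF(is_success = 'NO') >= 5        -- assumed threshold; tune it
   AND COUNT_IF(is_success = 'YES') >= 1
ORDER BY failures DESC, last_seen DESC;
```

In Sigma the second query is the natural base for a workbook table with a drill into the first, so an analyst can click a flagged user/IP pair and land on that user's timeline without leaving the workbook.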

Getting Started

Built in Sigma in collaboration with Snowflake's security team, the Snowflake Security Monitoring Template helps you answer questions about your Snowflake account's security, such as which authentication methods are in use, who the account administrators are, when users last changed their passwords, and more. Try it out for yourself!
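To make the questions above concrete, here are four queries, written for this post and not taken from the Sigma template itself, that answer them directly against Snowflake's SNOWFLAKE.ACCOUNT_USAGE views (LOGIN_HISTORY, USERS, GRANTS_TO_USERS and QUERY_HISTORY). They assume a role with IMPORTED PRIVILEGES on the SNOWFLAKE database; the 30-day and 90-day windows and the list of QUERY_TYPE values used to spot privileged changes are assumptions to adjust for your account. The same SQL can back a Sigma SQL element if you want to extend the template.

```sql
-- Added example, not the Sigma template's own queries.
-- Assumes a role with IMPORTED PRIVILEGES on the SNOWFLAKE database.

-- 1. Which authentication methods are actually in use? (successful logins,
--    last 30 days). Rows with second_factor = 'NONE' are your MFA gaps.
SELECT first_authentication_factor                      AS first_factor,
       COALESCE(second_authentication_factor, 'NONE')   AS second_factor,
       COUNT(*)                                         AS logins,
       COUNT(DISTINCT user_name)                        AS users
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
GROUP BY first_factor, second_factor
ORDER BY logins DESC;

-- 2. Who holds ACCOUNTADMIN or SECURITYADMIN directly, who granted it, and
--    when did they last log in? (Role-to-role grants are in GRANTS_TO_ROLES.)
SELECT g.grantee_name        AS user_name,
       g.role,
       g.granted_by,
       g.created_on          AS granted_on,
       u.last_success_login,
       u.disabled
FROM snowflake.account_usage.grants_to_users g
JOIN snowflake.account_usage.users u
  ON u.name = g.grantee_name
WHERE g.role IN ('ACCOUNTADMIN', 'SECURITYADMIN')
  AND g.deleted_on IS NULL
  AND u.deleted_on IS NULL
ORDER BY g.role, granted_on;

-- 3. Stale passwords: enabled, password-based users who have not rotated
--    in 90 days (or whose last-set time is unknown, listed first).
SELECT name,
       password_last_set_time,
       last_success_login,
       DATEDIFF(day, password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND NOT COALESCE(disabled::BOOLEAN, FALSE)
  AND COALESCE(has_password::BOOLEAN, FALSE)
  AND (password_last_set_time IS NULL
       OR password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY password_age_days DESC NULLS FIRST;

-- 4. Privileged object changes: successful grant/revoke and user/role
--    management statements in the last 7 days, with who ran them and as what.
--    The QUERY_TYPE list is an assumption; confirm the values your account
--    reports with: SELECT DISTINCT query_type FROM snowflake.account_usage.query_history;
SELECT start_time,
       user_name,
       role_name,
       query_type,
       query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND execution_status = 'SUCCESS'
  AND query_type IN ('GRANT', 'REVOKE', 'CREATE_USER', 'ALTER_USER',
                     'DROP_USER', 'CREATE_ROLE', 'DROP_ROLE', 'ALTER_ACCOUNT')
ORDER BY start_time DESC;
```

Query 4 is the one most worth wiring to an alert: a GRANT of ACCOUNTADMIN outside a change window, or an ALTER USER that sets a password or RSA key on a service account, is exactly the "privileged object change" the template is meant to surface.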

In the next post in this series, we will discuss how the Snowflake Data Platform and Sigma can help security leaders overcome common hurdles in forming data-driven strategies to protect their data, and in structuring processes around governance, risk management and compliance practices.

To learn more about Sigma and Snowflake for specific security workloads, continue to follow us here as we expand this series and dive deeper into Snowflake and Sigma for Security, Risk and Compliance workloads.
