Snowflake enables every organization to mobilize their data with Snowflake’s Data Cloud. Customers use the Data Cloud to unite siloed data, discover and securely share data, and execute diverse analytic workloads. Wherever data or users live, Snowflake delivers a single data experience that spans multiple clouds and geographies. Thousands of customers across many industries, including 543 of the 2022 Forbes Global 2000 (G2K) as of October 31, 2022, use the Snowflake Data Cloud to power their businesses.
Snowflake’s incident response team looked to automation to manage the growing volume of alerts across their environments. The team built an internal case management system powered by Tines and Snowflake.
As a result, Snowflake reduced manual alert correlation by 91.4% and saved ~10 human hours per day. Alex Windle, an analyst on Snowflake’s incident response team, talks through how they built their end solution and the results.
Snowflake is a large and growing organization, so identifying, analyzing, and remediating threats became increasingly cumbersome as the volume of alerts grew with the number of employees and systems they needed to protect. Snowflake’s internal security data lake contains all the relevant information to investigate security alerts, but connecting the relevant data was a manual task.
The Snowflake team needed an automation solution that could tie everything together to reduce:
Time to triage
“It’s ironic because I was dead-set on a competitor of Tines before I met with your CEO, Eoin Hinchy,” Alex admits. “Our whole team was convinced of Tines, and I came in rooting for this other solution. But then Eoin talked me through it and I haven’t looked back.”
The main reason Snowflake chose Tines was its simplicity. Most other automation platforms take days of learning and support hours to get started, but with Tines, junior team members can create meaningful automations in hours. Since Snowflake is a fast-growing company, the Snowflake Incident Response team needs a SOAR that new hires can use quickly with little assistance, and Tines provides that.
Ultimately, Alex and Snowflake’s Incident Response team not only built a full case management solution running on Snowflake with Tines as a core component, but also have built dozens of other automations. One example is how the Incident Response team uses Tines to ingest Indicators of Compromise (“IOCs”) into Snowflake’s internal Threat Intelligence data sets.
Tines validates that the IOC has not already been added and ensures it is used in future detections. Another way the Snowflake Incident Response team uses Tines is to create Slack channels and populate parts of reports during the initial stages of a potential security incident. These tasks used to be done manually, which took valuable time away from incident responders and was also error-prone. Through Tines, Snowflake’s Incident Response team has been able to reduce time to response and increase the accuracy of necessary administrative tasks.
“Tines automates the enrichment of alerts by correlating the data from across our systems. As a result, the alerts our analysts work are consistent and analysts can respond faster,” Alex continues. “We’ve calculated that we’ve saved about 10 hours per day with alert correlation and enrichment.”
An added, unexpected benefit is their ability to onboard junior colleagues faster than before. They can run queries across a vast amount of data.
“It’s great for both our experienced coders and non-coders, which is a huge value driver. Beyond the product and product teams’ agility and speed, the level of support from Tines is the benchmark we hold all of our vendors to. Across the team, we love the consistency in communication and response times. That it’s never ‘submit a ticket’ and always ‘let’s figure out what’s going on here.’”
Incident Response Analyst, Snowflake
Snowflake is continuing to push the capabilities of Tines, and their next step is leveraging Tines apps to walk junior analysts through the investigation and response process of common security alerts like phishing email reports. Ultimately, this will create a cohesive end-to-end experience for both the end user and the other security teams.
“We’re most excited to spend less time documenting response actions and repeating manual analysis steps and spend more time building,” says Alex.