O'Reilly Live Online Training

Security Analytics with Snowflake

Identify risks and detect threats in a cloud environment using Snowflake

Topic: Data
Omer Singer

Traditional security information and event management (SIEM) solutions are failing to meet the needs of businesses moving to cloud-based computing. Developed for on-premises networks, they are proving noisy and prohibitively expensive at the log volumes generated in the cloud. At the same time, cloud providers such as AWS and Azure expose enormously detailed datasets that can enable better threat detection (fewer false negatives) with less noise (fewer false positives). Snowflake's scalability, its separation of storage from compute, and its support for common log formats such as JSON make it an increasingly popular analytics platform for securing large cloud environments. Security teams are now using their company's Snowflake data warehouse to achieve high-fidelity threat and risk detection. This course covers a number of practical, achievable security analytics use cases for security teams starting to establish a data-driven security program on Snowflake, and for the data professionals who support them.

What you'll learn and how you can apply it

By the end of this live, hands-on, online course, you’ll understand:

  • Why high-fidelity security analytics are important for protecting cloud-centric organizations.
  • The advantages and disadvantages of using Snowflake for security analytics.
  • The approach taken by cybersecurity teams that have successfully implemented Snowflake for security analytics.

And you’ll be able to:

  • Load security-relevant data into Snowflake including AWS activity logs, asset inventory, and corporate user directory details.
  • Launch a data-driven cybersecurity program on Snowflake.
  • Establish basic metrics for tracking your security posture using a BI tool.

This training course is for you because...

  • You are a security professional protecting cloud infrastructure.
  • You are a security professional turning to data teams for support in translating detection logic from English to SQL.
  • You are a data professional helping a security team to start using Snowflake for security analytics.

Prerequisites:

  • General cybersecurity experience
  • Basic cloud infrastructure administration (AWS, Azure, or GCP)
  • Basic SQL knowledge is helpful but not required

Recommended preparation:

To follow along with the course exercises, it is recommended (though not required) that you create free trial accounts for the following during the week the course starts:

About your instructor

  • Omer brings over 15 years of hands-on experience in cybersecurity to his role as Senior Director of Security at Snowflake where he protects customer data using Snowflake for security analytics. Prior to Snowflake, Omer was Vice President of Security Operations at a global security services provider and served as an officer in the prestigious IDF Intelligence Corps 8200 Unit. He is passionate about tackling long-standing cybersecurity challenges through innovation.

Schedule

The timeframes are only estimates and may vary according to how the class is progressing.

Security Analytics and Snowflake 101 (60 minutes)

  • Presentation: The State of Cloud Security in 2019
  • Exercise: Guided prioritization of your top cloud security risks
  • Discussion: Risk Ranking Results
  • Presentation: Requirements for a Data-Driven Cloud Security Program
  • Presentation: Snowflake 101
  • Q&A
  • 5 min Break

Data Collection and Analytics (60 minutes)

  • Presentation: The Three Types of Data
  • Exercise: Collecting Data from S3 to Snowflake
  • Presentation: BI for Security Analytics
  • Exercise: SQL Refresher
  • Q&A
  • 5 min Break

Analyzing Risks and Threats (60 minutes)

  • Presentation: Key Metrics for Security Analytics
  • Exercise: Analyzing visibility gaps with real data
  • Exercise: Detecting compromised users
  • Exercise: Creating an executive dashboard
  • Q&A