SnowAlert Documentation. Snowflake Security

Similar documents
HOW SNOWFLAKE SETS THE STANDARD WHITEPAPER

SQL Server Solutions GETTING STARTED WITH. SQL Secure

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

INSTALLATION GUIDE Spring 2017

CLOUD WORKLOAD SECURITY

USE CASE IN ACTION Splunk + Komand

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Ekran System v Program Overview

2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Lync, Outlook, SharePoint, Silverlight, SQL Server, Windows,

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Ekran System v Program Overview

Getting Started User s Guide

A company built on security

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Modern Requirements4TFS 2018 Update 1 Release Notes

Soonr Updates to Services, Web UI and Agents October 2013

Cloud FastPath: Highly Secure Data Transfer

Microsoft Architecting Microsoft Azure Solutions.

USER MANUAL. MageMob Admin TABLE OF CONTENTS. Version: 1.0.0

Minfy MS Workloads Use Case

Cyber security tips and self-assessment for business

Minfy MS Workloads Use Case

Welcome to ncrypted Cloud!... 4 Getting Started Register for ncrypted Cloud Getting Started Download ncrypted Cloud...

Without further ado, let s go over and have a look at what I ve come up with.

McAfee Red and Greyscale

How to set up SQL Source Control The short guide for evaluators

Managing Microsoft 365 Identity and Access

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Duration: 5 Days Course Code: M20764 Version: B Delivery Method: Elearning (Self-paced)

TM DevOps Use Case. 2017TechMinfy All Rights Reserved

VMware vcloud Air SOC 1 Control Matrix

Handel-CodePipeline Documentation

Diagnostic Manager Advanced Installation Guide

ISO27001 Preparing your business with Snare

Continuous Data Protection

Security Correlation Server System Deployment and Planning Guide

A Security Admin's Survival Guide to the GDPR.

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Guides SDL Server Documentation Document current as of 04/06/ :35 PM.

StreamSets Control Hub Installation Guide

DreamFactory Security Guide

Log Data: A Source of Value. Nagios Enterprises LLC Nagios Enterprises 2017 Logs: A Source of Value // 1

Course 20764: Administering a SQL Database Infrastructure

Verteego VDS Documentation

Continuous Integration (CI) with Jenkins

ALIENVAULT USM FOR AWS SOLUTION GUIDE

VMware AirWatch Integration with Palo Alto Networks WildFire Integrate your application reputation service with AirWatch

Confirmed VPN Privacy Audit and Open Watch Analysis Summary Report and Documentation

EasyCrypt passes an independent security audit

FROM VSTS TO AZURE DEVOPS

Pre-Incident Planning ( PIP )

USER MANUAL TABLE OF CONTENTS. Easy Site Maintenance. Version: 1.0.4

Solutions Business Manager Web Application Security Assessment

20764C: Administering a SQL Database Infrastructure

SDR Guide to Complete the SDR

Security Architecture

Tasktop Sync - Cheat Sheet

Deploy and Configure Microsoft LAPS. Step by step guide and useful tips

User Guide. Version R92. English

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Welcome to Database Exporter for SharePoint

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Streaming Analytics Manager Authorization

VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Information Security Policy

AWS Security. Staying on Top of the Cloud

IBM BigFix Compliance PCI Add-on Version 9.5. Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM

Administering a SQL Database Infrastructure

Secret Server Demo Outline

ZENworks Reporting System Reference. January 2017

WebLogic Security Top Ten

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

HashiCorp Vault on the AWS Cloud

McAfee Cloud Workload Security Suite Amazon Machine Image Installation Guide

WHITEPAPER. MemSQL Enterprise Feature List

PowerPanel Enterprise

Minfy-Vara Migration Use Case

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Sophos Mobile. startup guide. Product Version: 8.1

Guides SDL Server Documentation Document current as of 05/24/ :13 PM.

Securing ArcGIS Services

User Guide. Version R94. English

Modern Requirements4TFS 2018 Release Notes

Problem: Currently, Procore collects terabytes of user data & analytics. However, none of that important information is visible to the client.

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

12/05/2017. Geneva ServiceNow Custom Application Development

SnapCenter Software 4.0 Concepts Guide

AppSpider Enterprise. Getting Started Guide

Chime for Lync High Availability Setup

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

Roles. Ecosystem Flow of Information between Roles Accountability

Creation of Repositories Page 0 of 27

Performing an ObserveIT Upgrade Using the Interactive Installer

Hackproof Your Cloud Responding to 2016 Threats

Question: 1 Which item must be enabled on the client side to allow users to complete certification in offline mode?

EasyLobby Database Setup EasyLobby Family of Products Version 10.0

BusinessObjects LifeCycle Manager User's Guide

Security White Paper. Midaxo Platform Krutarth Vasavada

Transcription:

Snowflake Security Nov 02, 2018

Contents 1 About SnowAlert 3 1.1 Overview................................................. 3 1.2 How It Works............................................... 3 2 Getting Started 5 2.1 tl;dr Usage................................................ 5 2.2 Requirements............................................... 5 2.3 Downloading............................................... 6 2.4 Installing................................................. 6 2.5 Results.................................................. 6 2.6 Feedback................................................. 7 3 Managing Alerts 9 3.1 Alert Configuration Files......................................... 9 3.2 Creating New Alert Queries....................................... 9 3.3 Viewing Alert Results.......................................... 9 3.4 Adding Suppressions........................................... 10 3.5 SnowAlert Query Packs......................................... 10 3.6 SnowAlert Violations.......................................... 10 i

ii

SnowAlert is a security analytics framework that uses the Snowflake data warehouse for identifying security incidents across diverse data sources and time ranges. Contents 1

2 Contents

CHAPTER 1 About SnowAlert SnowAlert is a security analytics framework that uses the Snowflake data warehouse for identifying security incidents across diverse data sources and time ranges. 1.1 Overview As Snowflake s security team, we need to know quickly and reliably when we re under attack. We use the Snowflake data warehouse to store system, network and application logs and we analyze those logs for indications of active threats. Some very large enterprise teams have developed in-house security analytics solutions on top of Snowflake but we want to make it easier for any team to use Snowflake for their security analytics. That s where SnowAlert comes in. SnowAlert is how we run scheduled queries on machine data in Snowflake and use the results to drive action on the part of the security team. We built it to be easy to use and extend, without any servers required and Snowflake as the only data store. 1.2 How It Works SnowAlert queries Snowflake data on a regular schedule. We provide a Docker container so you can deploy it anywhere: on a server in the closet, with AWS Fargate, or even on your laptop. The queries that drive the alerts are all defined as views that get stored in Snowflake; if you can write SQL, you can write queries for SnowAlert. We also provide some prebuilt packs of queries to help you get started and to serve as a model for what informative alerts should look like. Alerts are generated when queries match data in your warehouse, and they are saved to Snowflake as well. We use a Python script to create incident tickets from alerts but the same code can be extended to message or page your incident responders. 3

SnowAlert can also manage Violations, which are like alerts that require a less immediate response: a server not following best practices, a user without MFA enabled, and so on. These gets stored in a table similar to alerts, but are intended to be visualized with a tool like Sigma or Looker for ease of processing. 4 Chapter 1. About SnowAlert

CHAPTER 2 Getting Started 2.1 tl;dr Usage The SnowAlert Docker container exposes two commands docker run -it -v$home/.aws:/root/.aws -v$home/.snowsql:/root/.snowsql snowsec/ snowalert./install which configures your database, and docker run --env-file snowalert-{account}.envs snowsec/snowalert./run which runs the SnowAlert functions. 2.2 Requirements To use SnowAlert, you will need 1. Administrator access to a Snowflake account to create a snowalert user that reads alert definitions and manages security events 2. A way to run alert creation and processing functions, e.g. a server on which the SnowAlert docker container can be scheduled to run 3. A way to handle alerts, e.g. Jira repository and user with permission to create tickets Sigma Computing account to create and manage dashboards Additionally, if you would like to use KMS as an extra layer of encryption and audit, please run the installer with AWS credentials that are allowed to manage and/or use KMS keys, e.g. 5

{ } "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:createkey", "kms:encrypt", "kms:decrypt" ], "Resource": "*" } ] 2.3 Downloading The installer and runner both are distributed via DockerHub. To download it, run: docker pull snowsec/snowalert You can also use git to download the code that builds this container by running: git clone git@github.com:snowflakedb/snowalert.git cd SnowAlert docker build -t snowsec/snowalert. 2.4 Installing Snowflake provides an installer script in the home dir of the docker container, as well as the git repository, which will configure your Snowflake workspace and use KMS to encrypt secrets in the runner s environment: If you have ~/.aws and ~/.showcli credentials in your environment, you can run it with: docker run -it \ --mount type=bind,source="$home/.aws",target=/root/.aws \ --mount type=bind,source="$home/.snowsql",target=/root/.snowsql \ snowsec/snowalert./install For a simpler installation which skips the KMS encryption layer, you can run: $ docker run -it snowsec/snowalert./install 2.5 Results During the installation, the installer will create: 1. A warehouse, user, role, database, and schema in your Snowflake instance that SA will use to manage alerts. 2. A private key with an optional passphrase for authenticating to Snowflake as the SA user. This passphrase can be stored as an environment variable and can be optionally encrypted via Amazon KMS. 6 Chapter 2. Getting Started

Finally, the installer will provide you with a list of environment variables which must be given to the Docker container in order to run SnowAlert functions. The functions should be run regularly (we recommend at least once an hour). If you need help setting up a framework for scheduling the functions, email snowalert@snowflake.com and we will help you get the automation set up properly. The installer will also provide you with commands that will let you run a sample alert and violation definition SnowAlert immediately. Since the SnowAlert user authenticated to Snowflake during installation and does not have MFA configured, it will result in an alert appearing in your alerts table. If Jira is configured, then the Jira alert handler will run, creating a ticket in the Jira project for the alert. 2.6 Feedback Any issues? Please reach out to us at snowalert@snowflake.com. 2.6. Feedback 7

8 Chapter 2. Getting Started

CHAPTER 3 Managing Alerts An Alert is created when a query matches data in your database. The queries are defined in a series of views defined in SNOWALERT.RULES ending in ALERT_QUERY. 3.1 Alert Configuration Files Before creating new alerts, take a look at the alert configuration file sample_rules/sample_query.sql where a sample alert query is defined. Each alert query has a set of fields that can be assigned static values or dynamic values that will contain data from the query result. The test query can be used to verify that the SnowAlert deployment was successful. 3.2 Creating New Alert Queries A query is simply a view over data in Snowflake. As such, queries can be managed by writing SQL statements to create those views and grant the SnowAlert user SELECT privileges on them. Those statements can be saved in a.sql file and either pasted into the SnowFlake worksheet UI or executed via snowsql. A single.sql file can contain multiple rules. 3.3 Viewing Alert Results When alert queries return data from your warehouse, the results will be added to the alerts table in your SnowAlert database. You can select them in the database to confirm that they are being generated as expected. If you ve configured the alert handler to notify you on alerts, for example through JIRA, you can expect to see those notifications as soon as the container finishes executing all three Python scripts. 9

3.4 Adding Suppressions SnowAlert supports suppression queries to prevent false positives from creating alerts. Suppression queries are configured similarly to alert queries, within.sql files in the alerts/suppressions folder. Suppressions should be targeted for specific queries, and a suppression for AWS_ACCESS_DENIED_ALERT_QUERY should be called AWS_ACCESS_DENIED_ALERT_SUPPRESSION. Suppressions are views over the Alerts table, just like how queries are views over log data, and can be managed in the same way as queries: by writing.sql files with statements to create the view and make the appropriate grants. When the suppression function runs, it marks new alerts as suppressed or not. Only alerts that have been assessed by the suppression function are then processed by the alert handler. The suppression_wrapper.py function is what flags alerts as unsuppressed; you should ensure that suppression_wrapper.py runs even if there are no suppression queries. 3.5 SnowAlert Query Packs SnowAlert is shipped with some sample queries, categorized by the type of monitoring it provides and grouped into query packs. To enable a query pack, copy the query pack file from packs/ into the Snowflake Worksheet UI and run the SQL statements to create the appropriate views and enable the appropriate grants. The current query packs and the queries are documented below: Snowflake Query Pack 1. Snowflake Admin Role Grants - This query generates an alert whenever a new user or role is granted the SECURITYADMIN or ACCOUNTADMIN role. 2. Snowflake Authorization Failures - This query generates an alert whenever a user runs a query that returns an authorization error, indicating that the user does not have the appropriate grants to query the data. 3. Snowflake Authentication Failures - This query generates an alert whenever a user fails to authenticate with Snowflake, indicating misconfigured scripts attempting to authenticate to your Snowflake account or potentially malicious brute force attempts. Note: Using the Snowflake query pack will require you to grant imported privileges on the snowflake database to the SnowAlert role in your Snowflake account. 3.6 SnowAlert Violations Sometimes there are events you want to track and resolve, but which don t require immediate action; for example, if you want all of your Snowflake users to require MFA before authenticating, you want to know about a user who doesn t have that turned on, but it s not something that requires your Security team to track down the offending user that instant. For cases like this, SnowAlert can manage violations, which are similar to alerts but can run less often (for example. daily instead of hourly). Violation queries are managed and suppressed identically to to Alert queries (so you might have USER_NO_MFA_VIOLATION_QUERY and USER_NO_MFA_VIOLATION_SUPPRESSION), but the results are stored in a Violations table, which you can visualize and process using a BI tool like Sigma, Looker, or Superset. 10 Chapter 3. Managing Alerts

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback