Adding Security Analytics to your Cloud Security Program with Sigma and Lacework

Ross Hosman
3 min read · May 1, 2020

If you haven’t read the first part of this series, check it out: there we show how to create DevOps / SecOps dashboards for your Cloudflare data.

Security organizations must become data-driven organizations. To accomplish that goal we need detailed data about our environments and from our security tools. Luckily our friends at Lacework share our cloud data with us via a Snowflake data share. You can request your Lacework data through the Snowflake Data Exchange; Omer Singer has a good article on it. With our Lacework cloud security and compliance data we can do some amazing security analytics and dashboarding.

So here we have a dashboard that gives us a quick view of an AWS and GCP multi-cloud setup with a few instances. We can quickly see security events, traffic, DNS requests, ports/protocols, inventory and compliance.

What this looks like on the backend is we have a Lacework share with a number of tables in it for the different data Lacework collects.

Off of each of these tables we create a worksheet, make our visualizations and then stitch them together with a dashboard. In the above dashboard you can see we are showing where DNS requests from the cluster were going. Lacework gives us the FQDN of each request, so if there was a request to 0.pool.ntp.org and another to 1.pool.ntp.org they would show up as two different entries. Luckily in Sigma Computing we can use regex, so we put the following in the function box:

RegexpExtract([DNS_QUERY_V/FQDN], "([^.]+[.][^.]+)$", 1)

This collapses each record to the domain level (the last two labels of the FQDN) so we can easily summarize which domains our traffic is going to, and it doesn’t change the underlying data in the warehouse. If you want a full list of Sigma’s built-in functions, check out our help article.
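To make the behaviour of that formula concrete, here is an added Python example (not code from the article, Sigma or Lacework) that applies the same regex to a handful of constructed FQDN rows and totals them by domain, the way the dashboard’s DNS panel does. The column shape (FQDN plus a request count) and the handling of a trailing root dot are assumptions for illustration.

```python
import re
from collections import Counter

# Same pattern the article puts in Sigma's RegexpExtract: the last two
# dot-separated labels of the FQDN, anchored at the end of the string.
DOMAIN_RE = re.compile(r"([^.]+[.][^.]+)$")


def domain_of(fqdn):
    """Collapse an FQDN to its last two labels, as RegexpExtract(..., 1) does.

    Returns None when the pattern does not match (for example a single-label
    name), mirroring a NULL result in the warehouse.
    """
    # Assumption: some DNS exports keep the trailing root dot ("ntp.org.").
    # Stripping it keeps such rows from silently dropping out of the summary.
    name = fqdn.strip().rstrip(".").lower()
    m = DOMAIN_RE.search(name)
    return m.group(1) if m else None


def summarize_by_domain(rows):
    """Aggregate (fqdn, request_count) rows into a Counter keyed by domain."""
    totals = Counter()
    for fqdn, count in rows:
        totals[domain_of(fqdn) or "<no match>"] += count
    return totals


# Constructed sample of what a DNS query extract might look like.
SAMPLE_ROWS = [
    ("0.pool.ntp.org", 120),
    ("1.pool.ntp.org", 118),
    ("api.github.com", 42),
    ("metadata.google.internal", 900),
    ("www.example.co.uk", 7),
    ("localhost", 3),
]

if __name__ == "__main__":
    for domain, n in summarize_by_domain(SAMPLE_ROWS).most_common():
        print(f"{domain:24} {n}")
```

Two things worth knowing when reading the resulting chart: the two NTP pool hosts correctly merge into a single ntp.org row, but a plain two-label cut is a display convenience rather than registrable-domain extraction, so www.example.co.uk lands in a co.uk bucket alongside every other .co.uk site. If that matters for an investigation, group by the full FQDN again or use a public-suffix-aware helper.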

As we continue to tell this story think about how this can work for your organization. In the first graphic we show compliance over three days with dummy data but imagine being able to show that for a year or three years. That is the advantage of storing your data in a data warehouse, you can search these large data sets and show long term trends. During a CISO meetup sponsored by the Information Security Leadership Foundation a fellow security person mentioned they had to go back through 18 months of data to investigate a security incident — in the end, they were able to determine that it wasn’t a true incident but a leftover from a red team exercise. Imagine the stress they would have been under if they didn’t have access to that data because they were restricted by their logging solution.

To close out on a high note, a piece of good news: Sigma Computing will be templating some of these dashboards and offering them free of charge to our customers. So if you use Lacework and you use Snowflake you’ll be able to use our dashboard with the click of a button.

If you want to start your data-first security journey please reach out, we are happy to help.

(Credit to Julie Lemieux for the design and to Don Huang for always helping me with my data and checking my articles)
