Guild is an education platform that provides courses to help organizations attract, retain, and upskill their employees. Julie Chickillo, Head of Security at Guild Education, joined a Snowflake webinar and shared how security leaders can design, and benefit from, a security data lake architecture that overcomes the limitations of traditional security information and event management (SIEM) tools.
Chickillo was brought in to revamp the cybersecurity program at Guild. Prior to her arrival, the cybersecurity team was using a legacy technology stack that limited the types and amount of data sources they could use for threat detection and response. Guild's cybersecurity team needed access to logs from cloud environments, but with the legacy SIEM that was deployed, getting data into the system in a clean, normalized form was difficult. The team relied heavily on professional services to manually clean up the data before it could be used for analysis. This was a major blocker for the team and often slowed threat detection and response.
Guild’s cybersecurity team would see only a few alerts at a time because only a limited number of clean data sources were available for analysis. This signaled to Chickillo that Guild’s current technology stack was unable to provide a comprehensive view into which systems were secure and which ones were not.
In addition, the team could not use the small amount of data they could store in their SIEM in order to correlate it with other data sets for deeper analysis. According to Chickillo, “In my career, I’ve been asking to correlate data across many different areas, and the answer I always got was that it couldn’t be done.”
"With the tools we had at hand, there wasn't a way to get information out of one tool and easily correlate with another to get answers we were looking for."
Julie Chickillo, VP, Head of Security at Guild Education
Migrating from a legacy security stack to a modern security data lake
Guild searched for a solution that would let the team ingest, store, and analyze its security logs easily, without additional management overhead or high licensing costs. The company wanted to build a scalable security data lake that would expand with its business needs, without data ingestion barriers or data retention limits. Guild turned to a Snowflake security data lake on AWS as its modern solution.
"Many security tool licenses are based on per ingested gig, leading to costs spinning out of control. This puts the security team in a sticky situation where security leaders have to choose which data sets are collected, because they can't get everything. It's too expensive. The Snowflake security data lake effectively removes that limiting factor."
Julie Chickillo, VP, Head of Security at Guild Education
With Snowflake, Chickillo and her security team can ingest various types of logs without volume-based limits. They can retain enriched data for as long as they need it; search that data at any time, with query results returning in seconds; and join nontraditional data sets such as HR data with traditional security logs for additional context. The team is no longer restricted by ingestion quotas or retention periods, or dependent on professional services to parse, normalize, and enrich the data.
After migrating off of legacy solutions and onto Snowflake, Guild projected 30-50% savings. Now that the company can seamlessly ingest data in a cost-effective manner, Chickillo says it will dramatically increase the variety and amount of data ingested into its Snowflake security data lake.
Remove manual processes with an automated compliance check on terminated users
For example, with centralized logging, the Guild team can check whether accounts belonging to terminated employees are still active across a number of their SaaS platforms. The team can set up a Snowflake task that runs this check on a schedule, sends a Slack message, and creates a ticket for any abnormal activity. This removes a recurring manual process from the security compliance team.
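The check described above amounts to a join between an HR roster and SaaS sign-in logs, followed by a notification per offending user. The following is an added example written for this page, not Guild's or Snowflake's own code: it uses an in-memory SQLite database as a stand-in for the Snowflake tables, with constructed sample rows, and the query is portable to Snowflake SQL. The table and column names, the "login after termination date" rule (a sign-in on the termination day itself is treated as normal offboarding), and the `send` callback that stands in for a Slack webhook or ticketing API are all assumptions for illustration.

```python
import sqlite3
from collections import defaultdict

# Constructed sample data (not real Guild data).
# HR roster: email and termination date (NULL means still employed).
HR_ROSTER = [
    ("alice@example.com", "2024-01-15"),
    ("bob@example.com", None),
    ("carol@example.com", "2024-03-01"),
]

# SaaS sign-in events as they would land in a centralized log table.
SAAS_LOGINS = [
    ("okta", "alice@example.com", "2024-01-10T09:00:00Z"),   # before termination
    ("okta", "Alice@example.com", "2024-01-20T08:30:00Z"),   # after termination, mixed case
    ("github", "bob@example.com", "2024-02-01T10:00:00Z"),   # active employee
    ("github", "carol@example.com", "2024-03-05T12:00:00Z"), # after termination
    ("slack", "carol@example.com", "2024-03-06T07:45:00Z"),  # after termination
]

# Detection query: any sign-in strictly after the user's termination date.
# Emails are lower-cased on both sides because SaaS tools rarely agree on case.
DETECTION_SQL = """
SELECT l.platform, lower(l.user_email) AS user_email, h.termination_date, l.event_time
FROM saas_logins AS l
JOIN hr_roster AS h ON lower(l.user_email) = lower(h.email)
WHERE h.termination_date IS NOT NULL
  AND substr(l.event_time, 1, 10) > h.termination_date
ORDER BY user_email, l.event_time
"""


def load_sample_db():
    """Build the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hr_roster (email TEXT NOT NULL, termination_date TEXT);
        CREATE TABLE saas_logins (platform TEXT NOT NULL,
                                  user_email TEXT NOT NULL,
                                  event_time TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO hr_roster VALUES (?, ?)", HR_ROSTER)
    conn.executemany("INSERT INTO saas_logins VALUES (?, ?, ?)", SAAS_LOGINS)
    return conn


def find_terminated_user_activity(conn):
    """Return (platform, user_email, termination_date, event_time) rows."""
    return conn.execute(DETECTION_SQL).fetchall()


def build_alerts(rows):
    """Collapse per-event findings into one alert per user, so a user who
    signed in to three platforms produces one ticket rather than three."""
    grouped = defaultdict(lambda: {"platforms": [], "events": 0, "terminated": None})
    for platform, user, terminated, _event_time in rows:
        entry = grouped[user]
        entry["terminated"] = terminated
        entry["events"] += 1
        if platform not in entry["platforms"]:
            entry["platforms"].append(platform)
    return [{"user": user, **data} for user, data in sorted(grouped.items())]


def format_message(alert):
    """Text body for the Slack message / ticket."""
    return (f"Terminated user {alert['user']} (terminated {alert['terminated']}) "
            f"has {alert['events']} sign-in(s) after termination on: "
            f"{', '.join(alert['platforms'])}")


def run_check(send):
    """Body of the scheduled task: query, then notify once per user.
    `send` is whatever posts to Slack or opens a ticket; it is injected so the
    logic can be exercised offline."""
    conn = load_sample_db()
    alerts = build_alerts(find_terminated_user_activity(conn))
    for alert in alerts:
        send(format_message(alert))
    return alerts


if __name__ == "__main__":
    run_check(print)
```

On Snowflake the same query would run inside a `CREATE TASK ... SCHEDULE = ...` body, and the notification step would be an external function or a downstream automation reading the result table; the join and the date comparison are what the task actually has to get right, in particular the case normalization of identities, which is where joins between HR data and SaaS logs most often silently miss rows.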
Automate control validation and compliance reporting
Curated dashboards with high-level metrics are not just for security operations teams. Compliance and risk teams often need to report on how the security program is adhering to regulations. Chickillo urged her compliance team to start automating control validation so they could get a near real-time view of where Guild stands against its compliance controls on a daily basis. The compliance team used Sigma, a connected application running on top of Snowflake, to provide the data for dashboard visualizations. This project helped the team maintain good compliance standing without spending much time on manual testing or building dashboards by hand.
Grew the security team by 4x with a focus on Python talent
Once Guild started building its security data lake on Snowflake, it quickly onboarded Panther as the SIEM that runs on Snowflake. With Panther, Chickillo's security engineers could apply their SQL and Python skills to build custom detections. Over time, she hired more talent with a focus on Python skills to take advantage of Panther's detections-as-code capability. Guild also valued the off-the-shelf detection content that Panther provided, which helped the team get started as soon as logs were stored in Snowflake. One year later, Chickillo's team had grown by 4x, with a focus on Python talent, and she is no longer limited to hiring experts on a specific vendor's product.
"We started with two people working with our SIEM. Now we have six and expect more to join very soon. They're able to work with all the tools we now have at Guild."
Julie Chickillo, VP, Head of Security at Guild Education
Gain IT and data team support
With security logs and other company data in Snowflake, Guild's IT and data teams find it easier to share and analyze data with the security team. This collaboration lets the security team lean on the data teams to help build models and SQL queries for more sophisticated questions. The data teams can also help the security team build data visualizations and reports, and share those real-time dashboards across teams and stakeholders.
Guild expects to onboard more data sources to build its security data lake for additional cybersecurity use cases, such as DevSecOps oversight, control testing, and risk and privacy.
The team hopes to build more consumable real-time dashboards for key stakeholders, leadership, and adjacent teams to provide a clear line of sight into Guild's risk posture at any given time. Similarly, the team hopes to show organization leaders where certain teams may not be meeting compliance requirements. These dashboards will help drive prioritization and focus across the organization for both security operations and compliance.