Comcast launched DataBee today, which is a cloud-native security data fabric that brings together disparate security data from various data sources and security tools. The platform was originally created for Comcast’s internal use and operated on Snowflake’s Data Cloud and other data lakes.
The company’s CISO, security operations center, threat hunter and governance risk and compliance teams have been using the platform since it was developed around three years ago. “It was so successful at improving speed, time to detection, efficiency, enabling our threat hunters to hunt for bad actors much more quickly, helping us to produce compliance reports much faster,” Nicole Bucala, VP and GM at Comcast Technology Solutions (CTS), Cybersecurity told SDxCentral.
As part of Comcast, CTS is dedicated to “the mission of taking what Comcast develops internally and bringing it to the world,” she said, spanning from advertising, telecom, media and entertainment products, to the latest one — cybersecurity.
How to address data deluge

Bucala noted many other Fortune 100 companies, including those in the financial, telecom and pharmaceutical industries, face the same problem as Comcast — too much data in the cloud and on premises, and data storage costs that are too high.
“Essentially, DataBee is kind of the glue, it's the fusion between the customers' data sources wherever they may reside and the customers’ data lake,” she said.
“By having this glue, they can consolidate at the data layer so that they have a unified view,” added Omer Singer, head of cybersecurity strategy at Snowflake.
DataBee gathers different security data from a range of sources and transforms it into a single fabric, making it easier for users to monitor, analyze and report on security threats. The platform offers a range of use cases, including advanced threat detection, threat hunting, continuous controls assurance, security information and event management (SIEM) decoupling, and behavioral analysis, Comcast claims.
Comcast internally operates the platform on Snowflake’s security data lake and initially recommends customers deploy DataBee as a connected application with Snowflake, and the company plans to expand it to other data lakes as well, according to Bucala.
“What Snowflake is solving here is the ability to scale up to multiple petabytes in a way that is both cost-effective and doesn't place a tremendous operational burden on the security team,” Singer said, adding that data analytics, normalization and automation for threat detection and response “require having the data in one place not siloed not in different tiers in different archives stages, but available hot ready to use and to be cost effective.”
DataBee use cases

Comcast internally uses DataBee for 60-70 use cases, which shows its flexibility, Bucala said.
For example, the platform can be used for endpoint detection and response (EDR) control assurance, to make sure the EDR is properly deployed and working. DataBee takes data from the EDR, from data sources that hold the organization’s chart hierarchy such as Microsoft Azure Active Directory (AD) and SAP SuccessFactors, and from asset management tools, and then, in her words, will “show you where all the gaps are, what assets the gaps are on and which team those gaps are on.”
Other sample use cases are VPN mismatch and zero-trust deployment, in which DataBee collects data from VPN and zero-trust solutions, asset management tools and virtual desktop infrastructure (VDI) to detect a VPN or asset login mismatch.
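The two use cases above are both joins across otherwise siloed sources: asset inventory, EDR agent check-ins, an org directory and VPN session logs. The following is an added illustration of that pattern and is not DataBee or Comcast code; it uses an in-memory SQLite database as a stand-in for a data lake, and all table names, columns and records are constructed for the example. The first query finds assets with a missing or stale EDR agent and routes each gap to the owner's team; the second flags VPN sessions whose reported device is not an asset assigned to that user.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample records standing in for the data sources named in the
# article: asset management (ASSETS), the EDR agent inventory (EDR_AGENTS),
# the org hierarchy directory (ORG) and VPN session logs (VPN_SESSIONS).
# None of this is real Comcast, DataBee or Snowflake data.
ASSETS = [                      # (hostname, owner)
    ("host-01", "alice"),
    ("host-02", "bob"),
    ("host-03", "carol"),
    ("host-04", "dave"),
]
EDR_AGENTS = [                  # (hostname, last agent check-in, ISO 8601)
    ("host-01", "2024-05-01T08:00:00"),
    ("host-02", "2024-03-15T08:00:00"),   # stale: agent stopped reporting
    ("host-03", "2024-05-01T09:30:00"),
    # host-04 has no agent row at all
]
ORG = [                         # (user, team), e.g. from Azure AD / SuccessFactors
    ("alice", "payments"),
    ("bob", "payments"),
    ("carol", "platform"),
    ("dave", "platform"),
]
VPN_SESSIONS = [                # (user, device reported by the VPN client)
    ("alice", "host-01"),
    ("bob", "host-77"),         # not an inventoried asset assigned to bob
    ("carol", "host-03"),
]


def build_lake() -> sqlite3.Connection:
    """Load the constructed tables into an in-memory SQLite 'data lake'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE assets (hostname TEXT PRIMARY KEY, owner TEXT NOT NULL);
        CREATE TABLE edr_agents (hostname TEXT PRIMARY KEY, last_seen TEXT NOT NULL);
        CREATE TABLE org (user TEXT PRIMARY KEY, team TEXT NOT NULL);
        CREATE TABLE vpn_sessions (user TEXT NOT NULL, device TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO assets VALUES (?, ?)", ASSETS)
    conn.executemany("INSERT INTO edr_agents VALUES (?, ?)", EDR_AGENTS)
    conn.executemany("INSERT INTO org VALUES (?, ?)", ORG)
    conn.executemany("INSERT INTO vpn_sessions VALUES (?, ?)", VPN_SESSIONS)
    return conn


def edr_gaps(conn: sqlite3.Connection, as_of: str,
             stale_days: int = 7) -> List[Tuple[str, str, str, str]]:
    """EDR control assurance: every inventoried asset that has no agent, or whose
    agent has not checked in within stale_days of as_of, joined to the owner's
    team so the gap can be routed. Returns (team, hostname, owner, reason)."""
    sql = """
        SELECT o.team, a.hostname, a.owner,
               CASE WHEN e.hostname IS NULL THEN 'no agent' ELSE 'stale agent' END
        FROM assets a
        JOIN org o ON o.user = a.owner
        LEFT JOIN edr_agents e ON e.hostname = a.hostname
        WHERE e.hostname IS NULL
           OR julianday(?) - julianday(e.last_seen) > ?
        ORDER BY o.team, a.hostname
    """
    return conn.execute(sql, (as_of, stale_days)).fetchall()


def gap_counts_by_team(conn: sqlite3.Connection, as_of: str,
                       stale_days: int = 7) -> Dict[str, int]:
    """Roll the per-asset gaps up into a per-team count for a compliance report."""
    counts: Dict[str, int] = {}
    for team, *_ in edr_gaps(conn, as_of, stale_days):
        counts[team] = counts.get(team, 0) + 1
    return counts


def vpn_mismatches(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """VPN/asset mismatch: VPN sessions whose reported device is not an asset
    assigned to that user in the inventory. Returns (team, user, device)."""
    sql = """
        SELECT o.team, v.user, v.device
        FROM vpn_sessions v
        JOIN org o ON o.user = v.user
        LEFT JOIN assets a ON a.hostname = v.device AND a.owner = v.user
        WHERE a.hostname IS NULL
        ORDER BY v.user
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    lake = build_lake()
    now = "2024-05-01T12:00:00"
    for row in edr_gaps(lake, now):
        print("EDR gap:", row)
    print("gaps by team:", gap_counts_by_team(lake, now))
    for row in vpn_mismatches(lake):
        print("VPN mismatch:", row)
```

The LEFT JOIN plus IS NULL filter is what turns three separate inventories into a coverage answer: an asset that the EDR console never heard of only shows up as a gap once it is compared against the asset inventory, and attaching the org table is what lets the report say which team owns the fix rather than just listing hostnames.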
Comcast, Snowflake: DataBee augments SIEM

DataBee is designed to augment SIEM and users’ other existing security tools, just as Comcast internally uses this security data fabric and SIEM together.
“It's something that we get asked a lot from security leaders of Snowflake customers, how can I use Snowflake in addition to my SIEM to augment my SIEM because there are very significant datasets that are just not being collected to the SIEM and others … only available there for a short amount of time,” Singer said.
This is because the traditional SIEM architecture is tightly coupled with storage and compute, which is very expensive, especially at scale. Plus, operationalizing cloud data platforms or cloud storage for use cases such as threat hunting and incident response requires large amounts of data going back a year or more. Snowflake addresses this issue by offering off-the-shelf data lake capabilities, he added.
DataBee also offers the business context to generate more actionable insights and reports from a minimum number of data sources, Bucala said.
“So it's that enrichment with business context that can drive the actions that can drive the efficiencies and the users really like being able to query that and have that final information coming out of Snowflake where the data lake puts all the enriched data,” she added.