Gem builds a real-time threat detection and response platform

The scale and complexity of telemetry in the cloud overwhelms traditional security solutions. Discover how Gem built a context-aware threat response platform on Snowflake’s Data Cloud to offer its clients real-time detection and response in a single dashboard. 

As cloud environments become ever more complex, the risk of sophisticated security breaches increases, too—particularly for organizations operating in sensitive industries, such as financial services. 

This is where New York- and Tel Aviv-based cybersecurity company, Gem, comes in. What started as a venture by three seasoned cybersecurity and cloud professionals—with support from venture group Team8—now offers an end-to-end infrastructure security solution combining data analytics with domain-specific cybersecurity expertise. 

Gem’s cybersecurity platform plugs into its clients’ cloud infrastructure to constantly analyze activity logs, classify suspected attacks based on contextual sensitivity, contain threats in real time, and help responders move quickly. 

And as Ron Konigsberg, Co-Founder and CTO at Gem, explained, previous experience building secure, scalable, and performant environments meant that he had high expectations for their data platform: “When we started Gem, we knew we needed to move fast in a cost-efficient way, and create a tool that could scale as the business grows and our needs develop. I was already very aware of Snowflake’s capabilities from my previous company, which is why it was a natural choice.”

As the team at Gem set about constructing its platform, it also took advantage of additional Snowflake resources to help ensure a fast and accurate build. With engineering and go-to-market support from the Snowflake for Startups and Snowflake Powered By programs, Gem benefited from build assistance and transparency into upcoming feature releases that could help the platform evolve further. 

Gem also worked closely with Snowflake’s cybersecurity experts to discover potential development and architectural gaps, including activity-driven development support from a trusted industry source. 

“We’re built on Snowflake, and we use the platform to ingest a wide range of information from multiple vendors, such as AWS, Azure, and GCP,” said Konigsberg. “This includes everything from control plane logs like AWS CloudTrail and Azure Activity logs, network logs like flow logs, and service-level logs from databases, object stores, load balancers, or firewalls.”

Architecture designed to empower more clients 

Gem’s cybersecurity platform starts with raw data ingestion from its clients’ cloud environments. Gem uses the fully-managed Snowpipe service, allowing it to stream and process source data in near-real time. Loading data in micro batches means that the system can rapidly identify malicious activity at scale with an optimized balance of cost and performance. 

As Konigsberg explained, this action can be performed across multiple data streams and several types of data analysis, including real-time and aggregative: “One of the biggest advantages of being built on Snowflake’s Data Cloud is that it allows us to seamlessly and securely connect with our customers who also use Snowflake’s platform. It means we can run data streams through their environments rather than ours, so they can take ownership of whatever data they want—we just plug into their instance. Empowering our clients to decide who takes ownership of the data and how it’s ingested makes us relevant to a bigger range of clients.” 

Konigsberg added: “Data ingestion is a notoriously time-consuming and costly exercise. Data streaming in Snowflake’s Data Cloud is a huge benefit because Snowflake manages the staging for us. Pushing and scaling are super smooth. Without Snowflake, it would have all moved much slower and been much more difficult.”

The way Gem has designed its architecture on Snowflake also means it’s an ideal solution for heavily regulated markets like financial services where complete data traceability and ownership is critical. By analyzing security data within the customer’s Snowflake environment, Gem supports clients owning the data pipeline in a way that traditional tools could not. This puts Gem’s clients in control and reduces infrastructure overheads for Gem. 

Automation and scale for advanced data analysis that’s cost-effective to boot

While Gem’s platform is mostly automated, its cyber analysts use its data to continuously create new features for the company’s pipeline, helping the company stay one step ahead of the latest threats and industry developments. 

Snowflake’s Data Cloud also allows Gem’s team to partition and filter data using timestamps or by customer and create point lookups using the Search Optimization Service. 

“We’ve built a platform for scale,” said Adi Foksheneanu, VP Business Development at Gem. “Our tool actively identifies countless points of security concern in our clients’ data every day using advanced analysis. The fact our client base continues to grow is a testament to the unique cybersecurity insights we share with them. Snowflake is an enabler for us—it’s a long-term solution that we know will scale with us as we grow.”

For security teams relying on several disparate systems and lacking a centralized security repository, Gem’s platform fills a critical gap in their capabilities. It now provides an additional layer of protection to help them respond to breaches quickly using the latest real-time data streams—empowering teams to be more effective in their roles. 

From proof of concept to live environment in just eight months 

Thanks to the company’s internal expertise and capabilities, combined with on-tap support from Snowflake’s cybersecurity experts, Gem built its solution in just eight months, with several clients relying on its insights from day one. 

With our ability to empower modern cloud data teams, we’re growing at pace,” said Konigsberg. “As our client feedback continues to drive our development team, we expect our solution to become much broader over time. Our ultimate goal is to empower security professionals and help them understand the power of an automated security data lake working in real time.”

Source