Imagine this scenario: you’re a CISO for a multi-billion-dollar retailer or manufacturer. Data has become critical to how your business is run. So much so that you have one thousand-plus users accessing data from Snowflake, and you have a data analysis team of 40. Early one morning an analyst appears to run a query that would return more than 7 million rows of PII data.
What happens next? Does he get the data, or do you stop him?
It all depends on the choices you’ve made up to that point…
Plot your data observability and security path
Before you get to this juncture, there are a few critical steps you can take to ensure you have the right information and options available to you.
1. Everything starts with Observability – ALTR’s integration with Snowflake provides complete observability over any sensitive data you tell ALTR to watch. This ensures that every request for, and usage of, this data is recorded and available to you as soon as it’s added to ALTR.
2. Next comes data consumption patterns - Once the data is observable, the next step is patterning its consumption so you can begin to understand what normal consumption looks like. The easiest way to do this is by setting up a scaled set of “alert and log” signals in ALTR, which can be streamed to your Snowflake Security Data Lake. This lets you group access records by tiered amounts and gives you additional context into which roles and users access what types of data, and in what quantities. A sample tier of alerts could include logging any users and/or roles that request:
- 100 values (alert & log)
- 1,000 values (alert & log)
- 10,000 values (alert & log)
- 100,000 values (alert & log)
- 1,000,000 values (alert & log)
3. Seeing what "normal" looks like - After just a week, data usage alerts in your SIEM or in your Snowflake Security Data Lake can easily be visualized into a curve that represents your normal data consumption pattern. For example, the details below demonstrate that 99.5% of data consumption is made through requests for 10,000 or fewer records, while 81.4% occurred through requests for 1,000 records or less.
- (368) 100 value alerts = 28.5%
- (685) 1,000 value alerts = 53%
- (234) 10,000 value alerts = 18.1%
- (6) 100,000 value alerts = 0.5%
- (0) 1,000,000 value alerts = 0%
4. Reducing the risk - Understanding how various users and roles across the business consume data to perform their functions allows you to optimize your access, alerting and blocking policies based on normal and necessary usage. You can set consumption policies just outside of what your alert patterns show to be normal consumption and, over time, refine these consumption limits on an ongoing basis to continually reduce the risk posed by credentialed access threats.
Credentialed access threat detected and data loss halted
Let’s go back to our CISO and the analyst’s early morning access request. With ALTR and Snowflake Security Data Lake in place, the CISO receives a real-time alert that the request has been blocked for that specific analyst (no other analyst or data user is affected). The CISO asks his team to take a look at the security data lake to investigate. They find that over the past 120 days:
- 99.7% of all queries run by any role on the analyst team returned 100,000 rows or less
- 68.4% of queries returned 10,000 rows or less
- 32.6% returned 1,000 or less
- 12.7% returned 100 or less
- For the Analyst II role (this user), the largest query to date returned 1.2 million records
- Since his hire, this analyst has averaged 18,788 PII records a day
Daily and hourly details of PII consumption for every user and role:
- Analyst I – average usage is 430 records per hour
- Analyst II – average usage is 2,349 records per hour
- 96.5% of consumption occurs on M-F between 8am and 6pm CT
With this historical visibility available, it’s obvious this request is completely abnormal. The CISO calls the Director of the analysis team to inform her that the analyst is blocked and that a security event is being investigated. The Director lets the CISO know that this particular analyst is on PTO today. The CISO can then de-authorize the analyst’s access to all systems enterprise-wide, on the grounds that his credentials have likely been compromised. A security incident is created, and an investigation is launched.
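To make the four preparation steps above and the blocked-request scenario concrete, here is an added example in Python. It is not ALTR's or Snowflake's code, and the access records in it are constructed sample data, not real query logs. It buckets each query into the highest "alert & log" tier it reaches, computes the tier distribution and the per-role baseline, sets each role's block limit at the first tier above the largest query that role has ever run (the "just outside normal" policy), and then evaluates an out-of-hours 7,000,000-row request from an Analyst II user. The tier ladder and business-hours window are the ones the article uses; the role names, row counts and timestamps are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# "Alert & log" ladder from the article, ascending.
TIERS = [100, 1_000, 10_000, 100_000, 1_000_000]


@dataclass
class AccessRecord:
    ts: datetime
    user: str
    role: str
    rows: int  # sensitive values returned by the query


def tier_for(rows):
    """Highest tier a query reaches, or None when no alert fires."""
    hit = None
    for t in TIERS:
        if rows >= t:
            hit = t
    return hit


def _tier_counts(records):
    counts = Counter()
    for r in records:
        t = tier_for(r.rows)
        if t is not None:
            counts[t] += 1
    return counts


def tier_distribution(records):
    """Each alerting query counted once, in its highest tier.
    Returns {tier: (count, percent of all alerts)} for every tier."""
    counts = _tier_counts(records)
    total = sum(counts.values())
    return {t: (counts[t], round(100.0 * counts[t] / total, 1) if total else 0.0)
            for t in TIERS}


def share_at_or_below(records, tier):
    """Percent of alerting queries whose highest tier is `tier` or lower."""
    counts = _tier_counts(records)
    total = sum(counts.values())
    if not total:
        return 0.0
    return round(100.0 * sum(c for t, c in counts.items() if t <= tier) / total, 1)


def role_baseline(records):
    """Per role: largest query seen and average rows per query."""
    out = {}
    for role in {r.role for r in records}:
        rows = [r.rows for r in records if r.role == role]
        out[role] = {"max_rows": max(rows), "avg_rows": round(sum(rows) / len(rows), 1)}
    return out


def block_limit(baseline, role):
    """Consumption limit 'just outside' normal: the first tier above the largest
    query the role has run. A role with no history gets the lowest tier."""
    if role not in baseline:
        return TIERS[0]
    seen = baseline[role]["max_rows"]
    return next((t for t in TIERS if t > seen), seen)


def in_business_hours(ts):
    """Mon-Fri, 08:00-18:00 local time, the window behind the 96.5% figure."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def evaluate(request, baseline):
    """Return (decision, reason) for one incoming request."""
    limit = block_limit(baseline, request.role)
    if request.rows >= limit:
        return "block", f"{request.rows:,} rows >= role limit {limit:,}"
    hours = "" if in_business_hours(request.ts) else " (outside business hours)"
    tier = tier_for(request.rows)
    if tier is not None:
        return "alert", f"{tier:,}-value tier{hours}"
    return "allow", f"below lowest tier{hours}"


def constructed_history():
    """One week of constructed access records (assumed roles and sizes)."""
    start = datetime(2024, 3, 4, 9, 0)  # a Monday
    sizes = {
        "Analyst I": [40, 150, 220, 480, 610, 900, 1_200, 2_500, 3_100, 4_700],
        "Analyst II": [1_800, 2_400, 6_000, 8_900, 12_000, 45_000, 70_000, 120_000],
    }
    records, i = [], 0
    for role, counts in sizes.items():
        for rows in counts:
            records.append(AccessRecord(start + timedelta(hours=3 * i), f"user_{i}", role, rows))
            i += 1
    return records


def demo():
    history = constructed_history()
    baseline = role_baseline(history)
    early = datetime(2024, 3, 12, 5, 30)  # Tuesday, before business hours
    return {
        "distribution": tier_distribution(history),
        "share_le_10k": share_at_or_below(history, 10_000),
        "limits": {role: block_limit(baseline, role) for role in baseline},
        "big_query": evaluate(AccessRecord(early, "analyst_42", "Analyst II", 7_000_000), baseline),
        "normal_query": evaluate(AccessRecord(early.replace(hour=10), "analyst_42", "Analyst II", 50_000), baseline),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as a script, the block prints the tier distribution, the share of alerting queries at or below the 10,000 tier, each role's block limit, and the two decisions: the 7,000,000-row request is blocked because it exceeds the 1,000,000-row limit derived from the Analyst II history, while a 50,000-row query from the same role only logs a 10,000-value alert. The limit is per role, so blocking one user's oversized request does not change what other analysts can run.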
Choose your own adventure
Credentialed access threats continue to be one of the top drivers of sensitive data breaches according to both the Verizon Data Breach Investigation Report and the IBM Cost of a Data Breach Report. They’re possible to stop, but it’s not as simple as turning on a firewall. It requires preparation and diligence to get ahead of the risk, to first understand what normal data consumption looks like so you can quickly spot abnormal access.
It’s up to you: would you rather be prepared or caught flat-footed? Your choice will determine what happens when a credentialed access threat crosses your path.