
Cyber Observations from a CISO Village Elder

March 7, 2023

Interview with Charles Blauner

Charles Blauner’s passion for the topic of cyber intel sharing goes back to the late 1990s when he was part of the small group of banking CISOs who helped create the Financial Services Information Sharing and Analysis Center (FS-ISAC), the first global, cyber intelligence-sharing community solely focused on financial services.

Charles is a true believer that, without making collective defense a true business imperative, CISOs and the organizations they defend “don’t stand a chance.” As a strategic advisor, mentor and true CISO village elder, he shares his vision and vast experience with companies large and small. Charles recently sat down with RevealSecurity for a discussion about insider risk.

Adoption of new cyber tech

From personal experience, Charles knows that banks maintain formal programs that are always looking for cutting-edge technologies, so they tend to be early adopters. He points out several reasons. First, due to their regulatory expectations, banks tend to have well-funded security programs enabling them to research and try out different types of security. Second, they have a direct way to appreciate the implications of bad events—money theft is easy to understand and quantify. Third, banks (and other financial institutions) are major attack targets, forcing them to always be on guard with as much protection as possible.

The next wave of adopters includes healthcare, energy, and the defense-industrial base. These industries are subject to regulatory pressures and critical safety issues so they also invest heavily in cyber risk reduction.

Beyond these, other industries tend to hold back and wait for technologies to mature before investing. Eventually, the successful cyber security technologies are adopted more broadly because, in the end, they solve a generic business problem.

Protecting business services

Charles recognizes that the primary issue RevealSecurity addresses is “insider threat.” He sees two variations of this term. The first is where the insider is an actual insider, a trusted employee who has decided to do something damaging to the organization. The second is where an insider’s identity has been compromised and is being used by an external bad actor.

The conversation quickly moved to the business risks associated with applications, whether commercial SaaS or custom-built. Charles stresses that applications are where the business actually takes place. For example, in a bank, that’s where the money is moved. For a healthcare company, health information is vital and protecting personal health information (PHI) is a primary concern. “What I like about Reveal,” states Charles, “is that it addresses business services and not just the data where others seem to focus.”

Uniqueness of RevealSecurity’s technology?

“There are two major elements that RevealSecurity brings into the discussion about traditional threat that are really critical,” Charles states.

The first element is the focus on the application layer.

Historically, most of the tools in this space were either infrastructure-oriented, or they centered around data-leakage events. “None of the legacy products in this space ever really thought about business applications,” Charles says. “They were focusing on operating systems and infrastructure.”

The second element is the concept of the user journey.

Other insider threat solutions tend to have rudimentary ways to define good and bad behavior. “As a result, you have systems with high false-positive and false-negative rates, which means that they are creating a lot of work for the SecOps.”

Charles differentiates RevealSecurity’s technology. “By thinking in a more sophisticated, analytical way about what constitutes good behavior and anomalous behavior, you get a much higher fidelity of alerts.” RevealSecurity points the SOC team to the right things instead of wasting all their energy chasing false positives.
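The “user journey” idea above is about modelling the order in which a user performs application actions, not just which actions they perform. The following is an added illustration (not RevealSecurity’s code, whose method is not described on this page) of one simple way to do that: learn per-user transition frequencies between application actions from historical sessions, score each new session by how surprising its transitions are, and flag sessions that fall well outside that user’s own baseline. The audit log format, the user name, the action names and the threshold rule are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample audit log (not from the page): "ts,user,session,action".
# Three ordinary sessions for one banking user form the baseline.
BASELINE_LOG = """\
1,alice,s1,login
2,alice,s1,view_balance
3,alice,s1,view_statement
4,alice,s1,logout
5,alice,s2,login
6,alice,s2,view_balance
7,alice,s2,pay_bill
8,alice,s2,logout
9,alice,s3,login
10,alice,s3,view_statement
11,alice,s3,view_balance
12,alice,s3,logout
"""

# Two new sessions: s4 looks like the baseline; s5 adds a payee and fires
# off repeated transfers, a journey this user has never taken before.
NEW_LOG = """\
13,alice,s4,login
14,alice,s4,view_balance
15,alice,s4,logout
16,alice,s5,login
17,alice,s5,add_payee
18,alice,s5,transfer
19,alice,s5,transfer
20,alice,s5,transfer
21,alice,s5,logout
"""

START, END = "<start>", "<end>"


def parse_log(text):
    """Return {(user, session): [action, ...]} with actions in timestamp order."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        ts, user, session, action = line.split(",")
        sessions[(user, session)].append((int(ts), action))
    return {k: [a for _, a in sorted(v)] for k, v in sessions.items()}


def build_model(sessions):
    """Per-user first-order transition counts (a tiny Markov chain per user)."""
    model = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    vocab = defaultdict(set)
    for (user, _), actions in sessions.items():
        seq = [START] + actions + [END]
        vocab[user].update(seq)
        for prev, nxt in zip(seq, seq[1:]):
            model[user][prev][nxt] += 1
    return model, vocab


def score_session(model, vocab, user, actions):
    """Average surprise (negative log-probability) per transition, add-one smoothed."""
    seq = [START] + actions + [END]
    v = len(vocab[user]) + 1  # +1 reserves probability mass for never-seen actions
    total = 0.0
    for prev, nxt in zip(seq, seq[1:]):
        row = model[user].get(prev, {})
        p = (row.get(nxt, 0) + 1) / (sum(row.values()) + v)
        total += -math.log(p)
    return total / (len(seq) - 1)


def detect_anomalies(baseline_text, new_text, k=2.0):
    """Flag new sessions scoring more than k standard deviations above the
    user's own baseline sessions; also report actions the user has never done."""
    base = parse_log(baseline_text)
    model, vocab = build_model(base)
    by_user = defaultdict(list)
    for (user, _), actions in base.items():
        by_user[user].append(score_session(model, vocab, user, actions))
    thresholds = {}
    for user, scores in by_user.items():
        mean = sum(scores) / len(scores)
        std = math.sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
        thresholds[user] = mean + k * std
    results = {}
    for (user, session), actions in parse_log(new_text).items():
        if user not in thresholds:  # no baseline at all: surface it for review
            results[(user, session)] = {"score": None, "anomalous": True,
                                        "unseen_actions": sorted(set(actions))}
            continue
        score = score_session(model, vocab, user, actions)
        results[(user, session)] = {
            "score": round(score, 4),
            "anomalous": score > thresholds[user],
            "unseen_actions": sorted(a for a in set(actions) if a not in vocab[user]),
        }
    return results


if __name__ == "__main__":
    for key, r in sorted(detect_anomalies(BASELINE_LOG, NEW_LOG).items()):
        print(key, r)
```

The point of the example is the shape of the signal, not the statistics: the alert for s5 carries the reason (transfers following a brand-new payee, actions this user has never performed) rather than a bare anomaly score, which is what lets a SOC analyst, or an automation rule, act on it without re-deriving the context. A production system would need far richer baselines (peer groups, time of day, amounts) and a threshold calibrated on held-out sessions rather than the training sessions themselves.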

High fidelity is necessary for automation

A critical element in breaches is the Mean Time To Detection (MTTD), the time between when the bad guy gets into the environment and the time they get detected. Charles says, “If you catch him in the first hours or days odds are that the cost is close to zero. If you get to months, it’s a whole different story.”

Sharing his experience, Charles added, “When I was an operational CISO, within my SOC, I had a whole team dedicated to figuring out how to create higher fidelity data going into the SOC.” If security tools could present higher-fidelity data, that team wouldn’t need to exist. Furthermore, if the tools integrate well with the SOC, automated processes can be created around them. We can automate the response and take a huge burden off the SOC teams if we can get to the point where we say, “If I see this kind of alert, I know with absolute certainty that it is legitimate.”

UEBA as a solution for insider risk

UEBA’s job is to help us understand when human beings inside our organization, either in their own persona or in their captured persona, are behaving badly. Legacy UEBA solutions failed because they were too limited in what they looked at and because they created a high false-positive rate. The work they create often outweighs the value they generate. Charles says, “UEBA has started to fade away; Gartner describes it as just a feature in the SOC.”

Insider threat protection should be one of the critical feeds into a SOC, but that depends on the quality of the data. “Reveal allows you, for the first time, to re-think the insider threat space with a much higher likelihood of success with a much lower negative impact on your operations. With the higher fidelity reporting, a much higher value is delivered because what you are finding is legitimate bad activity that is putting your company at risk.”

Transactions flow through applications

Thinking about the broad scope and operations of a large SecOps team, Charles places RevealSecurity alongside the work of internal data science and threat-hunting teams. “When I was in my last role,” he recounts, “I had a whole data team who looked at all the information coming into the data lakes. We were pulling in logs from everywhere. They were developing their own methodologies to work through all this data to try to improve detection capabilities.” Charles is a believer in buying solutions if you can find them, rather than building your own.

How should Security teams think of RevealSecurity? Charles has a ready answer: “Their most important assets are the business transactions that flow through their applications. Reveal is the first solution that has come to market that addresses that most critical part of the environment.”