Snowflake and the Continuing Identity Threat Detection Gap Across SaaS and Cloud

Analyst Reports, One Pagers and FAQs

TrackerIQ detects malicious activities executed by insiders and imposters in enterprise applications. TrackerIQ is application agnostic, analyzing sequences of user activities in and between different types of applications - SaaS, cloud and custom-built applications.

The business problem TrackerIQ solves is a need to detect business process attacks in a way that scales across multiple different types of applications. This is a growing need due to a market-wide shift to SaaS and the cloud, which has expanded the attack surface for malicious activities by impostors and trusted users.

The technology challenge TrackerIQ solves relates to how it detects malicious activities. Current detection solutions of malicious activities in the application layer are based on rules. However, rule-based solutions detect only known attack patterns, and they generate a high number of false alerts, requiring constant investment and maintenance.

TrackerIQ does not rely on application-specific rules, and is instead powered by user journey analytics, combined with a unique clustering engine to accurately detect abnormal journeys.

TrackerIQ offers disruptive accuracy of insider threat detection for business applications - the solution's low signal to noise ratio generates 1-2 alerts per week.

TrackerIQ is also agnostic to applications and can therefore be implemented on any custom-built and SaaS application.

TrackerIQ has created a new category of Application Detection and Response. There are no competitors offering a ubiquitous solution for application detection, one which works across different types of applications, including custom-built applications.

Rule engine solutions are TrackerIQ’s biggest competitors in terms of market share. We also see some solutions which are application specific, but not one like TrackerIQ that provides a single detection and investigation solution across custom-built, SaaS and cloud applications.

RevealSecurity’s technology differentiates it from competitors:

  • Detection is based on user journey analytics, which means no need to learn application logic or develop rules.
  • The automatic learning of multiple user journey profiles per application/s is based on a patent pending clustering engine.
  • The main criteria in a detection solution is accuracy: the number of false positives and number of false negatives.
  • TrackerIQ improves accuracy with context, by analyzing the sequence an activity is part of.
  • Investigation tools include a unique option to analyze sessions.

TrackerIQ provides a field-proven solution for the detection of malicious insider threat challenges in business applications, which doesn’t require the development of rules, and with extremely high detection accuracy.
Three main technological messages:

  • Tracking user journeys enables a new level of application activity analysis, one which is far more accurate and
    comprehensive than older rule-based solutions. Analyzing the activity sequence, instead of focusing on each individual
    activity, enables TrackerIQ to detect abnormal sessions much more accurately.
  • TrackerIQ’s clustering engine and unsupervised machine learning algorithm learn each user’s profiles and group them
    into similar sessions. It is much more difficult for an impersonator to imitate a user’s normal profiles, and insiders looking to misuse or abuse an application will eventually deviate from their normal profiles.
  • Our model is agnostic to the meaning of an application’s operation, so that it can be applied to any application. This is
    fundamental to TrackerIQ's detection, as each application has a different format flow and a different set of operations.

Three months. We often start with historical data.

Deployment of TrackerIQ’s detection for a SaaS application takes about 15 minutes. Deployment for a custombuilt application takes a month.

Insider Threats
Inside users taking advantage of their rights in corporate enterprise applications to perform malicious operations in business processes:

  • Careless employees misusing internal business assets
  • Internal fraud / embezzlement in custom-built business applications
  • An insider agent stealing information on behalf of outsiders
  • An employee accessing data not meant for them (different accounts, branches, countries)
  • Data modification, changes or malicious acts by a disgruntled employee
  • Detecting anomalies for 3rd parties via APIs


  • Attackers impersonating legitimate users and performing malicious activities
    » Stolen credentials or credential stuffing
    » Bypassing MFA is complex but happens
  • Attackers are focused on privileged users for cloud platforms and SaaS applications
    » Corporate SaaS applications - attackers impersonate an employee/administrator
    » Customer facing portals - attackers impersonate a customer or partner

Featured Videos

CISO Talks Podcast

One of us had been socially engineered… We tried to investigate with the insurance company, but they said there’s nothing they can do if somebody, by mistake gives his credentials to an imposter.

The Needle in the Haystack

The invention of this new clustering algorithm, the ability to truly identify with a great signal-to-noise ratio that is truly lacking false positives, really promises to be revolutionary.

Behavioral vs. User Journey

You now have an opportunity to go back and rethink this insider threat space, but with a much higher likelihood of success, and much higher value being delivered with the higher fidelity of reporting.