Challenge: Full visibility without roadblocks
As a tech industry leader, Snowflake needed to preserve the collaborative culture that made them such a stand-out organization while also keeping their critical IP safe. They needed to build an Insider Risk Management program that gave them visibility into data movement without putting up productivity roadblocks.
The Snowflake security team knew traditional data protection tools, like DLP and CASB, were too cumbersome and not effective at providing them the visibility they needed. “We didn’t have a good story on the endpoint,” says Mario. “I can see that you connected, I can see you downloaded something, but after that, I don’t know what you did with it. It’s like attempting to wrestle somebody with one hand tied behind your back.”
The search for a solution
Mario and his team started testing DLP and CASB solutions to protect their data and gain visibility over their environment, but found them severely lacking; the tools also slowed down their machines.
Mario elaborates, “the things that made us pause our deployments of traditional DLPs and CASBs is that they tend to approach things like ‘we are going to control data.’ To me, that approach was like, ‘the 90s called, they want their DLP back.’”
After ruling out rules-based data loss prevention, Mario looked for a solution that could provide full visibility into data risk instead. He started by asking his peers: “I belong to a forum of security leaders and I said ‘I hate DLP and CASBs are terrible; I want nothing to do with them, but I need to figure out how to protect our critical data.’ And it was like a Christmas tree lighting up with responses heavily recommending Code42 Incydr,” says Mario.
Achieving visibility and looking ahead with Incydr
As they deployed Incydr and began integrating it with the rest of their security stack, Mario and his team saw value right away. He explains, “we have always prided ourselves on having pretty strong telemetry from our SaaS applications and in our own Snowflake services as well. With Incydr, we bring all that telemetry into the Data Cloud and we contextualize it with other applications to get a much more complete collage of what’s happening in the environment.”
That integrated approach and the level of detail Incydr provides have allowed Mario’s team to notice and address patterns that indicate potential insider incidents. For example, shortly after deploying Incydr, Mario’s team found that an employee had recently updated their LinkedIn profile and had also uploaded source code to their personal cloud storage – a common pattern that might indicate an exfiltration risk. The team quickly responded by talking directly to the employee, determining that the upload was unintentional, and removing the code from the unsanctioned cloud storage. Mario says, “Without Incydr, we just wouldn’t have known. We could have had some signals they were using iCloud, but not that complete picture. The ability to make those connections, it just wasn’t there.”
As Mario looks ahead to the future of his team and security at Snowflake, he views Incydr as a critical piece of their evolution. “Without hesitation, Incydr, and how it fits into our overall strategy, is central to our security program,” he says. “Using Incydr, we see particular patterns and behaviors that suggest a potential insider moving data to untrusted systems. Anticipating rather than reacting – that’s where we want to go with Incydr.”