Scroll Top
400 S El Camino Real Suite 1050, San Mateo, CA 94402
Lessons Learnt from the Snowflake Breaches

The ongoing stream of data breach claims and disclosures involving Snowflake and its customers underscores an uncomfortable truth: data remains the primary target for cybercriminals, and identity is often the only control that matters.

Snowflake has been clear that no vulnerability was found in their core platform, but the incidents highlight systemic data security challenges facing every enterprise. Despite all the FUD surrounding Shadow Data, data lakes (like those enabled by Snowflake) are in fact easily discoverable, concentrated pools of highly valuable information created by the forces of data gravity. Inadequate data access controls and monitoring of even a single account literally open the door to devastating breaches and extortion attempts.

As data becomes more critical to business operations and decision-making, securing data access and usage has become as paramount as securing infrastructure and applications. Here are 5 essential actions organizations must take to ramp up data security across not just Snowflake, but their entire modern data stack:

1. Offboard Identities with Access to Data Completely

Also Known As: Least Privileged Data Access, Dormant Identities Deletion

There are multiple aspects to the Snowflake breaches, but it highlights how compromised identities, if overly privileged or not properly off-boarded, can provide superhighways for cybercriminals to access sensitive data. Snowflake confirmed that credentials of a single former employee had been compromised and used to access demo accounts. 

Regardless of the sensitivity of the data in these accounts, the lack of promptly deactivating or removing the former employee’s credentials in these non-production environments upon their departure provided an attack vector that was exploited.  Organizations frequently grant temporary access to systems directly to consultants for projects, vendors for supporting systems/applications, and partners for integration purposes – bypassing the controls in their IDP platforms. When these relationships end, there is often a lack of robust processes to immediately revoke the third-party’s access rights and disable their accounts. Similarly, defined employee offboarding workflows that notify security teams are critical to ensure departing employees have their access promptly removed, or in this instance demo accounts or non-billable cloud workloads.

Our Advice:

Incomplete off-boarding of former employees, contractors, vendors, and other third-parties allows terminated identities to linger unnecessarily. While there are systemic business process issues that need to be addressed long-term, Organizations should determine whether they have any dormant identities that retain unnecessary access to data, and run a risk-based clean-up exercise immediately. 

Symmetry Systems can help by providing a prioritized list of the riskiest dormant identities—those with access to sensitive or production data. Our tool, Symmetry DataGuard, offers evidence and detailed analysis of these identities, including whether MFA is enabled, the reach of the identity, the sensitivity of the data they can access, and any risky combinations of access. It also details what operations these identities can perform and the associated risks.

2. Defensible Deletion of Data and Data Stores

Also Known As: Enforce Your Data Retention Policy, Dormant Data Cleanup

Ensuring that data is appropriately deleted when no longer needed is clearly a crucial part of maintaining a strong data security posture, on the back of this incident. As highlighted, a single former employee credentials were used to access several demo accounts with clearly identifiable customer names. Threat actors likely identified and targeted these environments specifically because of Snowflake’s naming patterns implying it contained customer data, when in reality it was just a demo instance.

Had the demo accounts and their associated data been properly deleted after the employee’s departure, the attack vector would have been eliminated, and the significant brand damage to Snowflake avoided.

While it is unclear how long it had been since the employee left, and how old the demo accounts were, this is indicative of a broader challenge in the growth in dormant data, where organizations are retaining data far longer than they need to or have any use for. This reinforces Symmetry’s 2024 State of Data+AI Security Report finding that on average Organizations have 5x more dormant data than they had 12 months ago.  

Our Advice:

Organizations must define robust data retention policies that outline circumstances where data can be deleted in a legally defensible manner (i.e. to avoid legal implications). They should ensure that data is regularly reviewed, access increasingly tightened when it is no longer used and finally deleted, when no longer needed in accordance with the policies.

Symmetry Systems can help by providing a prioritized list of the dormant data stores – focusing on those with longest dormancy that contain sensitive or production data, and accessible by a large number of identities.

With this information, organizations can define and enforce a policy for managing dormant data stores that outlines when permissions should be offboarded and whether the data store should be moved to cold storage, deleted, or backed up. This policy should be informed by the value of the data to the organization, the identities that have access to it, and the overall attack surface.

3. Enforce Multi-Factor Authentication for Everyone 

Also Known As: Zero Trust for Data

Multi-Factor Authentication (MFA) is a critical layer of security that ensures even if credentials are compromised, unauthorized access can still be prevented. The trailing litany of compromised Snowflake  customer instances highlights further the importance of phishing resistant MFA. It is disheartening, but unsurprising that Mandiant confirmed that “affected customer instances did not require multi-factor authentication.” 

The Snowflake breaches serve as a reminder that MFA is non-negotiable for all human identities with access to data. Non-human identities, such as service accounts, APIs, and automation tools, also require robust authentication methods. These identities should use machine-to-machine authentication mechanisms such as OAuth tokens, mutual TLS (mTLS), or API keys with stringent access controls and regular rotation policies.

Our Advice:

Implementing MFA for everyone is essential to preventing unauthorized access, even if credentials are compromised. Organizations must ensure that MFA is enforced for all human identities and robust authentication for all non-human identities that have access to data. Regular audits should be conducted to confirm MFA is enabled and functioning correctly.

Symmetry Systems can assist by identifying human and non-human identities that lack MFA and providing a prioritized action list. Symmetry offers detailed analysis of identities, including MFA status, the reach of the identity, the sensitivity of the data they can access, and any risky combinations of access. Ensuring MFA is enabled everywhere is a straightforward yet powerful step to enhance your data security posture and protect sensitive information.

4. Keep Eyes on Your Data

Also Known As: Data Detection & Response, Data Activity Monitoring

We face a sobering reality: Organizations are often reliant solely on identity controls to protect their data. In all the Snowflake breaches to data, it has been reported that compromised credentials lacking Multi-Factor Authentication (MFA) were the only but ineffective barrier against potential large-scale data breaches, underscoring the relative ineffectiveness of application, network, and endpoint controls in modern data stacks. 

To effectively safeguard your data, it’s crucial to implement fine-grained data activity monitoring in addition to basic logging and auditing practices. By leveraging data source activity logs and frameworks such as MITRE ATT&CK, organizations can proactively identify reconnaissance behaviors, lateral movements, unusual query patterns, and potential indicators of data exfiltration.

Our Advice:

It is essential to have continuous monitoring of data activity with machine learning-based anomaly detection to stand a chance against attacks like this. This enables organizations to track and analyze data queries, access activities, failed attempts, privilege escalations, and other critical events across their entire data estate in real-time. 

Symmetry Systems provides advanced data activity monitoring tools or data detection & response tools (equipped with AI and machine learning capabilities as needed). These tools enable fine-grained data activity monitoring and real-time anomaly detection, helping organizations detect anomalies and deviations from normal behavior patterns within their data environment. By leveraging Symmetry’s solutions, organizations can set risk-based alerting thresholds and automate investigation and response workflows, swiftly mitigating potential threats and minimizing the impact of security incidents. Fine-grained data activity monitoring not only enhances security posture but also ensures proactive defense against evolving cyber threats.

5. Minimize Third Party Access to Data

Also Known As: Reduce Attack Surface

Managing supply chain risks, especially those posed by contractors and third parties, is crucial in maintaining robust cybersecurity defenses. Many high-profile breaches have occurred due to vulnerabilities introduced through third-party connections. For example, the SolarWinds supply chain attack in 2020 exploited a software update from a trusted vendor to infiltrate numerous organizations. This highlighted the interconnected nature of cybersecurity risks, where vulnerabilities in external vendors or service providers can impact the security posture of entire ecosystems. Data Security is no different.

Recent data indicates that the Snowflake customer breaches may have been exacerbated by a compromise of a third party contractor. The incident underscores the critical need for organizations to extend their security protocols beyond internal systems and include robust supply chain risk management practices.

Our Advice:

Our solutions empower organizations to precisely identify which third parties have access to specific data and rigorously monitor their activities. By implementing robust data detection and response mechanisms, organizations can proactively prevent unauthorized access and potential data breaches. This approach ensures enhanced visibility and control over third-party interactions, safeguarding sensitive information and fortifying overall cybersecurity resilience.

Additionally, organizations should proactively reduce permissions and delete unused accounts to minimize exposure to potential breaches. A recent blog (showcasing the positive efforts by Axonius) highlights the importance of these practices in mitigating security risks associated with third-party access and ensuring effective data management. By regularly auditing and adjusting permissions based on business needs and promptly removing unused accounts, organizations can significantly reduce their attack surface and enhance their security posture.

Conclusion

The Snowflake saga demonstrates that data and identity are the new frontier for cyber attacks. Its high value, often poor visibility, and inconsistent identity controls create an ideal target. Securing data access and usage is now as critical as securing infrastructure and applications. Organizations must take these actions to ramp up their data security posture and stay ahead of evolving threats to their most precious digital assets.

Leave a comment

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.