Snowflake


Snowflake is a cloud-based data platform that provides a data warehouse-as-a-service. In the context of cybersecurity, it is not a security product itself, but a robust data platform that must be secured. The cybersecurity of Snowflake is a shared responsibility between the platform provider and the customer.

  • Snowflake's Responsibility (Platform Security):

    • Secure Infrastructure: Snowflake provides the foundational security for the underlying platform, including infrastructure, network, and physical security. It hosts its service on major cloud providers like AWS, Azure, and Google Cloud, inheriting their robust security measures.

    • Data Encryption: All data in Snowflake is encrypted by default, both in transit (using TLS) and at rest (using AES-256). This is a non-negotiable, always-on feature that protects data from being read if it is intercepted or if the physical storage is accessed.

    • Access Control Mechanisms: Snowflake provides the tools for customers to implement strong access controls. This includes a robust Role-Based Access Control (RBAC) model, which enables administrators to define fine-grained permissions, ensuring that users can only access the data they are authorized to view.

    • Certifications and Compliance: Snowflake has achieved numerous industry-standard security certifications, such as SOC 2 Type 2, ISO 27001, HIPAA, and FedRAMP. These certifications provide independent assurance that the company meets strict security and privacy standards.

  • Customer's Responsibility (Data and Account Security):

    • Configuration and Access Management: The customer is responsible for properly configuring security settings. This includes enabling Multi-Factor Authentication (MFA) for all users, especially those with administrative privileges. It also involves setting up network policies to restrict access to trusted locations.

    • Principle of Least Privilege: Customers must use Snowflake's RBAC model to grant users the minimum level of access required to perform their jobs. Over-permissioned accounts can lead to data leaks and constitute a significant security risk.

    • Data Governance: The customer is responsible for identifying and classifying sensitive data (e.g., PII, PHI) within Snowflake and utilizing features such as Dynamic Data Masking and Row-Level Security to protect it.

    • Monitoring and Auditing: While Snowflake provides audit logs, it is the customer's responsibility to monitor these logs for suspicious activity and integrate them into their internal security tools for analysis.
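The customer-side controls listed above, written out as Snowflake SQL. This is an added example, not code from Snowflake's documentation or from ThreatNG; the policy, role, database and table names, the IP ranges, the user jdoe and the region_map mapping table are all placeholders.

```sql
-- Added example of the customer's share of Snowflake security (placeholder names).

-- 1. Network policy: only trusted ranges may reach the account (placeholder CIDRs).
CREATE NETWORK POLICY corp_office_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');
ALTER ACCOUNT SET NETWORK_POLICY = corp_office_only;

-- 2. MFA for every user: an account-level authentication policy that requires enrollment.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Least privilege: a role that can only read one schema and nothing else.
CREATE ROLE analyst_role;
GRANT USAGE ON DATABASE sales_db TO ROLE analyst_role;
GRANT USAGE ON SCHEMA sales_db.reporting TO ROLE analyst_role;
GRANT SELECT ON ALL TABLES IN SCHEMA sales_db.reporting TO ROLE analyst_role;
GRANT ROLE analyst_role TO USER jdoe;

-- 4. Dynamic Data Masking: only PII_READER sees the full address, everyone else a redacted one.
CREATE MASKING POLICY email_mask AS (val STRING) RETURNS STRING ->
  CASE WHEN CURRENT_ROLE() IN ('PII_READER') THEN val
       ELSE REGEXP_REPLACE(val, '^.*@', '****@') END;
ALTER TABLE sales_db.reporting.customers
  MODIFY COLUMN email SET MASKING POLICY email_mask;

-- 5. Row-Level Security: a role sees only the regions mapped to it in a
--    placeholder table region_map(role_name, region).
CREATE ROW ACCESS POLICY region_rls AS (row_region STRING) RETURNS BOOLEAN ->
  EXISTS (SELECT 1 FROM sales_db.security.region_map m
          WHERE m.role_name = CURRENT_ROLE() AND m.region = row_region);
ALTER TABLE sales_db.reporting.orders ADD ROW ACCESS POLICY region_rls ON (region);

-- 6. Monitoring: successful logins in the last 7 days that used no second factor,
--    i.e. accounts still exposed to the credential-reuse pattern described above.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Test the network policy on a single user (ALTER USER ... SET NETWORK_POLICY) before applying it account-wide, since a wrong allow list affects every login; the login_history view lags real time, so a SIEM pipeline should poll it on an interval rather than expect events immediately.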

Snowflake is a highly secure platform by design; however, its cybersecurity is only as strong as the security practices of its customers. A recent high-profile security incident highlights this shared responsibility, where attackers exploited customer accounts that lacked MFA and strong network policies, not a flaw in Snowflake's core platform.

ThreatNG is a solution designed to provide a comprehensive, outside-in view of an organization's security posture, which complements the internal security controls of a data platform like Snowflake. ThreatNG helps companies that use Snowflake by identifying and assessing potential security risks from an external, unauthenticated perspective, which is how a malicious actor would approach an attack.

External Discovery

ThreatNG performs purely external unauthenticated discovery using no connectors. For a company that uses Snowflake, ThreatNG's Cloud and SaaS Exposure module would identify the specific Snowflake instance as a publicly accessible SaaS application. The discovery process would also uncover other related assets, such as public code repositories, online sharing platforms, and subdomains, to create a complete picture of the company's external attack surface.

  • Example: ThreatNG would scan the internet and discover mycompany.snowflakecomputing.com as a sanctioned SaaS application used by the organization.

External Assessment

After discovering the Snowflake instance, ThreatNG would assess its potential vulnerabilities from an attacker's perspective.

  • Cyber Risk Exposure: ThreatNG's score for cyber risk exposure would look for exposed sensitive ports or misconfigured certificates related to the Snowflake domain. It would also factor in Code Secret Exposure, which discovers code repositories and their exposure level and investigates their contents for the presence of sensitive data. Additionally, the score considers the organization's compromised credentials on the dark web, which increases the risk of successful attacks.

  • Data Leak Susceptibility: This assessment is derived from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), and Domain Intelligence. ThreatNG would identify any potential data leaks related to the Snowflake platform, such as leaked credentials or sensitive information exposed in public cloud buckets. For instance, a development team might have accidentally uploaded a Snowflake API key to a public GitHub repository. ThreatNG's Sensitive Code Exposure module would discover this leak.

  • Supply Chain & Third Party Exposure: Since Snowflake is a third-party vendor, ThreatNG would assess the company's exposure from this relationship. This includes evaluating the technology stack used and identifying cloud and SaaS exposures that could impact the client organization.

  • NHI (Non-Human Identity) Exposure: ThreatNG's Non-Human Identity (NHI) Exposure score uncovers and evaluates a company's susceptibility to risks associated with non-human identities like API keys, service accounts, and system accounts. The score is based on several key investigation areas, including identifying DNS vendors, the technology stack, and exposed SaaS applications to map out a company's digital footprint. It also looks for compromised non-human identities and secrets by analyzing sensitive code exposure in repositories and mobile apps, discovering exposed APIs, and finding NHI-specific email addresses.

Investigation Modules

ThreatNG provides several detailed investigation modules to analyze findings, including:

  • Sensitive Code Exposure: This module identifies public code repositories and mobile applications, then examines them for sensitive data.

    • Example: ThreatNG could find a public repository on GitHub where a developer accidentally hard-coded a Snowflake API key or an administrative password. An attacker could use this to gain unauthorized access to the company's data warehouse and the sensitive business data it contains.

  • Search Engine Exploitation: This module helps users investigate a company's susceptibility to exposing information via search engines.

    • Example: ThreatNG could find a link to a publicly accessible Snowflake dashboard that was accidentally indexed by a search engine, exposing sensitive business insights.

  • Cloud and SaaS Exposure: This module explicitly lists the Snowflake instance and its associated digital risks. It also identifies unsanctioned cloud services or services that impersonate Snowflake.

  • NHI Email Exposure: This feature groups discovered emails identified as admin, support, or system. This helps identify and secure administrative accounts that might have privileged access to Snowflake.

Intelligence Repositories

ThreatNG's intelligence repositories, branded as DarCache, provide continuously updated information to power its assessments.

  • DarCache Rupture (Compromised Credentials): This repository would be checked for any compromised user or non-human credentials associated with the company that could be used to log into the Snowflake platform.

  • DarCache Dark Web: This repository would be scanned for mentions of the company or its use of Snowflake, including discussions about potential exploits or leaked data.

  • DarCache Vulnerability: This repository provides critical context on known vulnerabilities. It includes data from NVD, EPSS, and KEV.

    • Example: ThreatNG's DarCache Vulnerability repository would provide information on any known vulnerabilities in the Snowflake SDKs or APIs, including their technical characteristics, potential impact, and likelihood of being exploited in the near future. It would also link to Verified Proof-of-Concept (PoC) Exploits on platforms like GitHub, which helps a security team understand how a vulnerability can be exploited and how to develop effective mitigation strategies.

Reporting and Continuous Monitoring

ThreatNG offers comprehensive reporting, including executive, technical, and prioritized reports. These reports would detail the findings related to the company's use of Snowflake, providing risk levels, reasoning, and recommendations to help the organization prioritize its security efforts and mitigate risks. ThreatNG also offers continuous monitoring of the external attack surface and security ratings, ensuring that any new risks or exposures related to Snowflake are detected promptly.

Complementary Solutions

ThreatNG's external, unauthenticated approach complements internal security tools, creating a more comprehensive security program.

  • Security Information and Event Management (SIEM): A SIEM solution, like Splunk, collects and analyzes log data from internal systems. ThreatNG's findings, such as compromised credentials on the dark web or an exposed API key found in a code repository, can be fed into the SIEM. If the SIEM then detects a suspicious login attempt to Snowflake, it can correlate that event with the intelligence from ThreatNG, giving the security team a clearer picture of the threat.

  • Vulnerability Management Solutions: Internal vulnerability management tools, such as Tenable or Qualys, scan for vulnerabilities inside a company's network. ThreatNG's DarCache Vulnerability intelligence, especially its KEV data, can be utilized to inform these tools, enabling the security team to prioritize which vulnerabilities to patch first on their Snowflake-related infrastructure.

  • Identity and Access Management (IAM): If ThreatNG discovers a compromised non-human identity, such as an exposed Snowflake API key, this information can be used to revoke that credential in the IAM system immediately.

  • Data Loss Prevention (DLP): A DLP solution monitors for data exfiltration within a company's network. If ThreatNG identifies a public-facing asset that contains sensitive data (e.g., a dashboard accidentally exposed to the internet), that intelligence can be used to tune the DLP solution to recognize similar data patterns, helping to prevent future leaks.
