Snowflake reported a potential compromise of certain customer accounts on May 31st. This incident involved a targeted threat campaign leveraging credentials obtained through infostealing malware, specifically targeting users with single-factor authentication in demo/non-production environments. Snowflake’s investigation, supported by CrowdStrike and Mandiant,  revealed no vulnerabilities in their platform but highlighted the importance of robust security measures. For detailed information, please refer to Snowflake's advisory.

Security Observations and Recommendations

While Snowflake’s security measures are exemplary, the recent incident is a critical reminder of the importance of robust security practices across all platforms and environments. Below are our insights and recommendations to ensure enhanced security.

The Imperative of Phishing-Resistant MFA

Phishing-resistant Multi-Factor Authentication (MFA) is paramount in mitigating risks associated with unauthorized access. Beyond Identity’s platform exemplifies this by ensuring that authentication is anchored in unphishable factors and that device security hygiene is continuously evaluated. This approach secures user identities and fortifies the entire authentication process, making it resilient against various attack vectors.

Recommendations for Strengthening Security

1. Enforce Multi-Factor Authentication: 

Ensure MFA is mandatory for all user accounts, including those perceived as low-risk, such as demo or test accounts. Implementing phishing-resistant MFA that is passwordless and does not require a secondary device substantially improves user experience. This eliminates the friction sometimes used to justify incomplete MFA implementations. With no usability drawbacks, organizations must protect all accounts with phishing-resistant MFA, significantly reducing the risk of credential theft and unauthorized access.

2. Secure Unmanaged Devices and Work-From-Home (WFH) Environments:

Unmanaged and BYOD endpoints pose significant risks due to their lack of consistent security controls. Implement device trust mechanisms that verify specific security hygiene, including patching cadence, to ensure that only compliant devices can access corporate resources. These checks should be tied to application authentication or access decisions without requiring invasive and unenforceable Mobile Device Management (MDM). This approach balances security and user privacy while maintaining robust protection.

3. Configure Application Access Policies:

Configure application access and authentication to restrict usage from unsafe locations. Ensure that high-security applications are accessed exclusively from strictly controlled managed devices equipped with a robust modern endpoint security stack and a compulsory software patching cadence. This practice guarantees that only secure and compliant devices can access sensitive applications, significantly reducing the risk of breaches.

4. Implement Continuous Authentication:

Continuous post-authentication policy checks should be performed using real-time risk signals to maintain ongoing security. This ensures that device security posture and user behavior remain within acceptable parameters throughout the session.

5. Utilize Immutable Audit Logs:

Maintain comprehensive, immutable logs of all authentication and access events. These logs are indispensable for forensic analysis and compliance, providing a non-repudiable record of activities.

6. Use Access360 for Security Assessment:

Utilize Access360 to quickly assess weak authentication configurations, lack of MFA, or misconfigured user policies in an existing SSO or identity stack. Access360 can aggregate and review logs from identity systems, extracting Security Insights and Risk Analytics events that conclusively determine whether an environment was compromised. This tool provides comprehensive visibility into authentication practices and helps identify areas needing improvement to strengthen security posture.

Conclusion

Snowflake’s swift handling of this incident underscores the necessity of robust security measures. Organizations must adopt a zero-trust approach to authentication, leveraging device-bound cryptographic credentials and continuous security posture evaluations. Beyond Identity’s solution is designed to meet these needs, offering phishing-resistant, passwordless MFA that integrates seamlessly with existing infrastructure.

By prioritizing the deployment of phishing-resistant MFA and ensuring robust security configurations, organizations can significantly enhance their resilience against cyber threats. This proactive stance protects sensitive data and upholds the integrity and trustworthiness of the enterprise and its customers in an increasingly hostile digital landscape.

Should you have any concerns or questions regarding this matter, please do not hesitate to contact our support team at support@beyondidentity.com. Additionally, we will be hosting a LinkedIn Live event titled "Live Advisory - Mitigating risk in light of Snowflake’s recent security incident" tomorrow at 5 pm ET. During this event, we will provide more information on how to minimize impact and harden access management using phish-resistant MFA, as well as answer any questions you may have.

References

• Detecting and Preventing Unauthorized User Access
• Snowflake forums: Detecting and Preventing Unauthorized User Access
• Knowledge Base Articles: Detecting and Preventing Unauthorized User Access
• Access360
• Linkedin Live Event: Mitigating risk in light of the latest MFA-related Security incidents

‍