August 28, 2025

Stream x Snowflake: Extending Detection to DBaaS

Asaf Haski
Product Manager

TL;DR

Stream now integrates Snowflake audit logs directly into our SaaS and cloud detection framework. By including Snowflake activity as part of SaaS-sourced signals, we give SecOps teams complete visibility into how threats unfold across the chain of services connected to the cloud. This unified view closes the gaps that attackers target to ensure Snowflake is protected not just in isolation, but as part of the bigger cloud story.

Snowflake is a widely used cloud data warehouse platform, enabling organizations worldwide to centralize and analyze large volumes of business and customer data. For modern enterprises and organizations, this often includes sensitive information such as employee and customer PII (Personally Identifiable Information), operational data, and proprietary workflows.

A Lucrative Target for Threat Actors

In recent years, this central role has made Snowflake a high-value target for attackers seeking to access and monetize sensitive data. Attackers see the sensitive data residing within Snowflake as a powerful means to extort organizations, leveraging the PII for identity theft, phishing campaigns, or financial benefit. These threat actors often abuse phone numbers for BEC (Business Email Compromise) scams, using exposed emails to brute force their way into corporate environments.

The 2024 Snowflake data breach serves as a stark reminder of these risks. Two threat actors abused credentials stolen via info-stealer malware to access over 165 Snowflake accounts lacking MFA, exfiltrating sensitive data from major companies including AT&T, Ticketmaster, Santander, and Neiman Marcus. AT&T confirmed the theft of metadata for 109 million customer calls and texts, although reports suggest that approximately 50 billion customer call and text records were exfiltrated. The attackers extorted victims for millions in cryptocurrency, and, in some cases, re-extorted victims who had already paid. Stolen data from other companies was advertised on underground forums, underscoring the far-reaching consequences of poor cloud access hygiene and lack of visibility into Snowflake account activity.

Since then, Snowflake has enforced MFA for all human-user interactions with the Snowflake UI as a means to reduce the risk of unauthorized access to Snowflake accounts.

However, as threat actors continue to grow more sophisticated, this measure alone is not enough. An additional layer of security is needed to protect sensitive data and detect malicious access or exfiltration attempts in real time.

Why Snowflake Needs to Be Part of a Unified Cloud Detection Surface

Cloud environments never operate in isolation, and are constantly interacting with SaaS platforms including DBaaS (Database as a Service) tools. For many organizations, Snowflake sits at the center of this ecosystem, acting as the final destination where sensitive business data converges. Attackers know this, and they actively exploit blind spots between SaaS and cloud to escalate privileges or pull data through legitimate-looking queries.

That’s why Stream now integrates Snowflake audit logs directly into our SaaS and cloud detection framework. By including Snowflake activity as part of SaaS-sourced signals, we give SecOps teams complete visibility into how threats unfold across the chain of services connected to the cloud. This unified view closes the gaps that attackers target to ensure Snowflake is protected not just in isolation, but as part of the bigger cloud story.

Stream Threat Detection for Snowflake

Our Snowflake Audit Logs integration is designed to tackle the rising risks of misuse and exploitation within Snowflake environments. Its comprehensive detection framework enables spotting suspicious or malicious activity in real time.

Diverse Detection Approaches

We designed multiple layers of detection to match the unique threat landscape of Snowflake:

Behavioral & Machine Learning-Based Detection

Stream’s machine learning engine continuously profiles Snowflake activity to establish a baseline of “normal” behavior. It then surfaces deviations from this baseline and anomalous activities, such as:

  • Previously unseen activity patterns
  • Sudden, unusual spikes in query or event volume
  • Access from unexpected geolocations or during abnormal hours
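As an added illustration of the baselining idea described above (a simple statistical stand-in written for this page, not Stream's ML engine), the following profiles one user's past Snowflake activity and flags the three kinds of deviation listed. The event fields and all sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed events loosely shaped like Snowflake LOGIN_HISTORY/QUERY_HISTORY
# rows (field names are an assumption for this example, not Stream's schema).
# Two weeks of "normal" hourly activity for one analyst, generated inline.
BASELINE = [
    {"user": "ANALYST1", "country": "DE",
     "ts": f"2025-08-{d:02d}T{h:02d}:00:00", "queries": n}
    for d in range(1, 15) for h, n in ((9, 40), (11, 55), (14, 48), (16, 35))
]
NEW_EVENTS = [
    {"user": "ANALYST1", "country": "DE", "ts": "2025-08-18T10:00:00", "queries": 50},
    {"user": "ANALYST1", "country": "BR", "ts": "2025-08-18T03:00:00", "queries": 900},
]

def build_profile(events):
    """Per-user baseline: seen countries, observed active hours, hourly volumes."""
    prof = defaultdict(lambda: {"countries": set(), "hours": set(), "vol": []})
    for ev in events:
        p = prof[ev["user"]]
        p["countries"].add(ev["country"])
        p["hours"].add(datetime.fromisoformat(ev["ts"]).hour)
        p["vol"].append(ev["queries"])
    return prof

def score(profile, ev, z=3.0):
    """Return the deviation labels an event triggers against its user's baseline."""
    p = profile.get(ev["user"])
    if p is None:
        return ["previously unseen user"]
    flags = []
    if ev["country"] not in p["countries"]:
        flags.append("unseen geolocation")
    hour = datetime.fromisoformat(ev["ts"]).hour
    if not (min(p["hours"]) <= hour <= max(p["hours"])):  # outside the usual window
        flags.append("abnormal hour")
    mu, sd = mean(p["vol"]), pstdev(p["vol"])
    if ev["queries"] > mu + z * max(sd, 1.0):  # sd floor: a flat baseline still alerts
        flags.append("query volume spike")
    return flags

PROFILE = build_profile(BASELINE)

def run():
    """Score the new events; only the off-hours, foreign, high-volume one deviates."""
    return [score(PROFILE, ev) for ev in NEW_EVENTS]
```

A real engine would also decay old observations and model per-role and per-warehouse baselines; this shows only the per-user shape of the idea.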

Threat Intelligence Enrichment

Audit events are automatically enriched with external threat intel. We correlate the activity against known malicious IPs, TOR exit nodes, and other IOC sources, to enable proactive detection of high-risk connections and IOCs.

Out-of-the-Box Snowflake Detection Rules

Based on extensive research into Snowflake attack techniques, we provide ready-to-use detection rules, including:

  • Snowflake Database Deletion Detected
  • Snowflake Table Copied Into External Stage
  • Snowflake Programmatic Access Token Created for a User
  • Snowflake Network Policy Disabled or Deleted
  • Snowflake User Granted Admin Role
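As an added example (not Stream's own rule logic), the five rules above can be approximated as pattern matches over the query text of Snowflake audit events. The record field names, the sample statements, the EXTERNAL_STAGES inventory and the exact statement forms matched are assumptions made for this example; it also shows the caveat that a COPY INTO @stage statement alone does not reveal whether the stage is external, so a stage inventory is needed.

```python
import re

# Constructed sample events, loosely shaped like rows of Snowflake's
# QUERY_HISTORY view; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"user": "ETL_SVC", "query": "COPY INTO @ext_stage/out/ FROM customers.public.pii_table"},
    {"user": "ANALYST1", "query": "COPY INTO @%orders FROM sales.public.orders"},
    {"user": "ADMIN2", "query": "DROP DATABASE finance"},
    {"user": "ADMIN2", "query": "GRANT ROLE ACCOUNTADMIN TO USER contractor7"},
    {"user": "ADMIN2", "query": "ALTER ACCOUNT UNSET NETWORK_POLICY"},
    {"user": "ADMIN2", "query": "alter user contractor7\n  add programmatic access token pat1"},
]
# Whether a named stage is external is not visible in the statement itself;
# it comes from a stage inventory, assumed here for the example.
EXTERNAL_STAGES = {"EXT_STAGE"}

RULES = [
    ("Snowflake Database Deletion Detected", r"^DROP\s+DATABASE\b"),
    ("Snowflake Programmatic Access Token Created for a User",
     r"^ALTER\s+USER\s+\S+\s+ADD\s+PROGRAMMATIC\s+ACCESS\s+TOKEN\b"),
    ("Snowflake Network Policy Disabled or Deleted",
     r"^DROP\s+NETWORK\s+POLICY\b|^ALTER\s+(ACCOUNT|USER\s+\S+)\s+UNSET\s+NETWORK_POLICY\b"),
    ("Snowflake User Granted Admin Role",
     r"^GRANT\s+ROLE\s+(ACCOUNTADMIN|SECURITYADMIN|SYSADMIN)\s+TO\s+USER\b"),
]
# COPY INTO <target>: a quoted cloud URL ('s3://', 'azure://', 'gcs://') or a
# named stage such as @db.schema.stage; @% (table) and @~ (user) stages are internal.
COPY_INTO = re.compile(r"^COPY\s+INTO\s+(?:'(\w+)://|@([A-Za-z_][\w.]*))", re.I)

def external_unload(query):
    """True when a COPY INTO unloads to a cloud URL or a known external stage."""
    m = COPY_INTO.match(query)
    if not m:
        return False
    if m.group(1):
        return True
    stage = m.group(2).split(".")[-1].upper()  # strip the db.schema qualifier
    return stage in EXTERNAL_STAGES

def evaluate(events):
    """Return (rule_name, user) hits in input order; whitespace is normalized first."""
    hits = []
    for ev in events:
        q = " ".join(ev["query"].split())
        for name, pattern in RULES:
            if re.search(pattern, q, re.I):
                hits.append((name, ev["user"]))
        if external_unload(q):
            hits.append(("Snowflake Table Copied Into External Stage", ev["user"]))
    return hits
```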

BYOD - Bring Your Own Detection

Alongside our built-in detections, you can also create your own detection strategy against Snowflake threats. Create custom rules based on your organization’s Snowflake workflows and usage routine. Whether you want to fine-tune the ML engine or write specific logic for your environment, our platform supports:

  • Custom rule creation tailored to your environment
  • Exclusion logic for tuning out false positives and fine-tuning alerts
  • Flexibility to match your operational needs

Investigating Snowflake Alerts

When an alert is triggered, you can dive into related Snowflake events and alerts, review enriched IOC context, and cross-correlate findings with other cloud signals.

To accelerate and focus your triage and investigation, Stream’s AI Copilot assists directly in the platform. It is trained to automatically enrich the alert, investigate its context, highlight potential root causes, and provide actionable mitigation steps to help you respond quickly and effectively.

[Figure: Stream's AI Investigator, showing an AI Investigation Summary]

Closing the Visibility Gap

Snowflake has become one of the most valuable assets in the modern cloud ecosystem and, by extension, one of the most attractive targets for attackers. The 2024 breach underscored that traditional access controls and point-in-time defenses are not enough to protect sensitive data at scale. What organizations need is continuous, contextual detection that understands how Snowflake activity fits into the bigger cloud story.

With Stream’s Snowflake Audit Logs integration, SecOps teams gain that missing layer of visibility and real-time detection. By combining machine learning, threat intelligence, prebuilt rules, and customizable detections with AI-driven investigation, we deliver a unified approach that closes blind spots and accelerates response.

Ready to see it in action?

Request a demo to see how Stream.Security helps you stay ahead of database threats in real time.

Ready to get started?

To learn more about how you can begin securing Snowflake with Stream, reach out to your CSM.

About Stream Security

Stream.Security delivers the only cloud detection and response solution that SecOps teams can trust. Born in the cloud, Stream’s Cloud Twin solution enables real-time cloud threat and exposure modeling to accelerate response in today’s highly dynamic cloud enterprise environments. By using the Stream Security platform, SecOps teams gain unparalleled visibility and can pinpoint exposures and threats by understanding the past, present, and future of their cloud infrastructure. The AI-assisted platform helps to determine attack paths and blast radius across all elements of the cloud infrastructure to eliminate gaps and accelerate MTTR by streamlining investigations, reducing knowledge gaps while maximizing team productivity and limiting burnout.
