How BigID Accelerated Threat Detection and Response, with Reco

BigID is a cloud-first, remote-first company. We don’t have on-premise infrastructure and we rely heavily on cloud technologies. We use IaaS and PaaS for our cloud-native development and SaaS for our collaboration and business workflows.

‍

My SaaS security journey started two years ago. At the time, I was the Senior Manager of Cloud Security, responsible for leading the Cloud Security team, shaping the security strategy, and overseeing the implementation of security and compliance controls across our cloud environments. 

‍

The definition of cloud is evolving. Most enterprises these days have a Cloud Security team, but you don’t see many with a SaaS Security team. SaaS apps account for a lot of business critical operations and they generate and store enormous amounts of sensitive and business data. My team and I quickly realized that SaaS security was a gap for us. The Reco CEO, Ofer Klein, calls this the “Oh shit” moment.

‍

In the Beginning: Manual Processes

‍

The main SaaS apps we needed to protect were Google Workspaces, MongoDB, and Salesforce –  with Okta, Jira, and Confluence being our second line of critical apps. Initially, our goal with SaaS security was twofold:

1. Configuration management. We needed to make sure SaaS apps were locked down from a configuration and access management standpoint.
2. Threat detection. We wanted to give our Security Operations team as much insight as possible about what’s going on in our SaaS space.

As a Security company, security is always top of mind for BigID. We buy best in breed tools, and we build when it makes sense. But when it came to our SaaS apps, it quickly became clear that the old way wasn’t working for a few reasons.

‍

Configuration Sprawl

‍

With the diversity of SaaS, there is an incredible amount of nuance in how each one is configured. Each provider offers different controls. There’s no single person who is a master at configuring them all. Plus, SaaS apps are constantly changing and being updated. We had no visibility into this.

‍

Event Overload

‍

We were working on developing a threat detection library, but doing this manually was a tedious process. Sorting through millions of SaaS events, analyzing the data, and identifying what could be considered normal versus abnormal activity in order to create one threat detection was an exhaustive process. It took several days to create one threat detection. 

‍

Log Management Complexities

‍

We needed to send logs from our SaaS apps to our SIEM so that we could investigate and resolve security incidents through the Security Operations Center (SOC). But this was challenging for a few reasons:

• Integration issues: Some SaaS apps have no native integration to the SIEM and require custom work
• Upgrade requirements: Some SaaS apps demand costly upgrades to generate logs
• Lack of standardization: Each SaaS app has different ways of producing logs

As a result, we had limited visibility into our SaaS space since we could only see data coming out of a few apps. The use cases for a specialized SaaS security tool kept extending further and further, so we decided it was time to invest.

‍

The Solution: Dynamic SaaS Security from Reco

‍

We did a bakeoff between several leading SaaS security providers. We ultimately chose Reco because we found the information it provided to be direct and actionable. Reco gives you the information in a simple, digestible way, without extra noise. With other providers, we had alerts firing everywhere, but upon digging deeper, 20 alerts could've been one alert.

‍

The AppFactory™ was also a big selling point. A lot of providers in the space, if you request an integration they’ll say, “We’ll put it on our roadmap” for the next quarter or even next year. But Reco can create new integrations in days. 

‍

Reco + BigID for Holistic Data Security Across SaaS

‍

We use our own BigID data security platform to discover sensitive information in our SaaS apps. It helps us identify what should be shared versus what should not be shared, flag high risk environments and files, and classify our data for compliance and reporting purposes.

‍

When we use Reco and BigID together, it tells a powerful story. We get the full picture of where sensitive data is flowing, how it’s being shared, and what actions people are taking on what types of data. We can send this info to our SOC to give them full security context for investigations.

‍

The Benefits: Integrating SaaS with the SOC

‍

Since implementing Reco, we’ve seen big changes across our security operations, compliance, configuration management, and threat detection programs. Here are some of the results.

‍

Accelerated Threat Detection Program

‍

Reco saved us months of work we would’ve spent building threat detections. Instead of building them manually, Reco comes out-the-box with hundreds of pre-built threat detections. It’s been an enabler for us to expand our threat detection capabilities so we can spend more time responding to threats and less time trying to identify them.

‍

Enhanced the SOC with Automation

‍

With Reco, we save time responding to security issues. We can rapidly assess, triage, remediate, and recover the whole security event through automation with just one click. The automations are triggered by Reco alerts which push to our SIEM through Torq, our SOC automation tool. Security engineers get all the info they need quickly, reducing their time to remediation and freeing them to focus on work that matters most to them.

‍

Elevated Insider Threat Posture

‍

Insider threats are always trending, but they can be difficult to spot. With BigID and Reco working together, we can immediately spot potential insider threats that would otherwise remain hidden in the noise. For example, Reco will flag when an employee shares a file with their personal email, which is something native monitoring can’t do. Then, the BigID platform can tell us what's actually in that file: Is it personally identifiable information? Proprietary IP? This complete context flows directly to our SIEM, enabling our SOC team to make informed decisions and respond appropriately.

‍

Consolidated Configuration Management

‍

Reco simplifies configuration management across the diverse array of SaaS apps in our ecosystem. No need to be an expert on each one. Reco does a great job of saying, here are the risks in order of priority, and here are the steps to clean that up. And that’s all. Just one click, and you know exactly what you need to do. Every app, all in one place.

‍

Improved Change Management Processes

‍

When we deployed Reco, a big “Aha” for us was all the residual identities in SaaS. Things like stale identities and dormant accounts can accumulate over the years. We realized we didn’t have processes for addressing change management and Reco was the catalyst that pushed us to fill in those gaps and validate our progress within the platform.

‍

The Aftermath

‍

Today, I’m the VP of Security at BigID, overseeing our application security, cloud security, security architecture, and our GRC function. I’ve come a long way since my days as a Cloud Security Manager, and Reco’s been an important part of my journey driving change at the organization. 

‍

I always recommend Reco to anyone looking to build a comprehensive SaaS security program that’s fully integrated with the SOC. And of course, I also recommend BigID for data security. If you want to learn more about BigID check out our site. Or connect with me on LinkedIn.

‍

You can read the full case study here.

‍