How Reco Leverages Advanced Analytics to Detect Sophisticated SaaS Threats
As organizations adopt an ever-increasing number of SaaS applications across every part of their operations, they face a correspondingly growing array of threats that exploit the complexity of multi-cloud environments. Legacy security tools and measures are failing to keep up, often focusing on individual accounts rather than the broader identity picture. To hold our collective ground against these threat actors, it is time to move to a new paradigm that centers on identities and their behavior across all platforms.
The Power of Security that's Centered on Identities
The cornerstone of our approach is the enrichment layer. Essentially, this is a sophisticated, identity-focused component that builds both user and organizational baselines. Once those baselines have been gathered, we map users and their activities across the organization's core SaaS applications by constructing a Temporal Organization Knowledge Graph.
It’s important to note that this is not just about tracking individual accounts. Instead, it's about consolidating identities—whether they belong to people, services, or apps—across the entire SaaS environment.
Identity Consolidation
To illustrate the concept, consider a user who is logged into several accounts (Google, Microsoft, Zoom, Salesforce, Slack) from the USA. Suddenly, one Salesforce account associated with that user is accessed from Russia. From an account-level perspective this can look legitimate: if your security tools only check that the login used valid credentials, it passes. From an identity-level perspective, however, it is a significant red flag, because the same identity's other sessions place the user in the USA at that moment, so the login from Russia is most likely not the user and therefore a threat.
This is why we correlate all identities with their associated accounts across multiple applications and link them with other baseline information such as:
- Their activities
- IP addresses
- Locations
- Devices
- Third-party apps
- …and more
This correlation allows us to build a comprehensive baseline and detect significant deviations over time.
Advanced Analytics for a New Era of Security
Our advanced analytics system, built on ClickHouse, enables real-time detection of and response to threats in SaaS applications. In an environment where billions of SaaS events occur, each an action with a timestamp and metadata, our platform processes these events through multiple enrichment steps. These enrichments, developed by separate teams, are then integrated so that events can be correlated with identities in real time.
By storing this enriched data in a flattened table in ClickHouse, we can run sophisticated queries to uncover threats such as impossible travel, where a single identity appears in two distant locations within a time span too short to travel between them. Looking at accounts in isolation misses the case where the two logins come from different applications, since each account sees only its own history; once events are keyed by identity, the check becomes a straightforward SQL query.
Adapting to New Attack Vectors
The only constant about threat actors is that they never stop changing their techniques. That is why adaptability is built into the core of the platform: security teams can write and deploy new detection queries ad hoc in response to emerging threats.
We prioritize and consolidate alerts based on the time an event actually occurred in the SaaS platform rather than the time it was aggregated. SaaS audit logs often arrive late and out of order, so windows computed on aggregation time would split or misorder related events; ordering on event time avoids that noise, significantly reduces false positives, and lets security professionals focus on real threats.
How We Make It Happen: The Technical Backbone
Our SaaS security system is holistic: data is interconnected across all layers to form a view of an environment that was previously opaque. ClickHouse plays a pivotal role in enabling this view.
We store point-in-time events, along with all their enrichments, in ClickHouse. This architecture allows us to build metrics at various levels (by IP, user, event or application), supporting a range of analytic capabilities from outlier detection to anomaly detection. By chaining these interconnected data points at ingestion time, we gain insight into identity behavior that was previously unattainable.
For example, detecting impossible travel for an identity across different platforms becomes straightforward when we can analyze sliding-window intervals of activity.
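The following is an added example in ClickHouse SQL, not Reco's schema or code, showing the shape of the approach described above and in the earlier Salesforce scenario: a flattened, enriched event table keyed by a consolidated identity, a few constructed events (three US sessions followed by a Salesforce login from Russia), and a window query that compares each event with the same identity's previous event across all applications. The table and column names, the 500 km/h plausibility threshold and all sample rows are assumptions made for the illustration.

```sql
-- Added example, not Reco's schema: a flattened event table where every SaaS
-- event is already joined (by the enrichment layer) to the identity owning the account.
CREATE TABLE saas_events
(
    event_time  DateTime('UTC'),           -- when the action happened in the SaaS app,
                                           -- not when it was ingested
    app         LowCardinality(String),    -- 'google', 'slack', 'salesforce', ...
    account_id  String,                    -- the per-app account (login, user id)
    identity_id String,                    -- enrichment: the consolidated identity
    action      LowCardinality(String),
    ip          IPv4,
    country     FixedString(2),
    lat         Float64,                   -- enrichment: IP geolocation
    lon         Float64
)
ENGINE = MergeTree
ORDER BY (identity_id, event_time);

-- Constructed sample data (RFC 5737 documentation IPs): alice is active from
-- New York in three apps, then her Salesforce account logs in from Moscow
-- 20 minutes later. bob is a control case who stays in San Francisco.
INSERT INTO saas_events VALUES
    ('2024-05-01 14:00:00', 'google',     'alice@example.com', 'alice', 'login',        '198.51.100.10', 'US', 40.71,  -74.01),
    ('2024-05-01 14:05:00', 'slack',      'U0ALICE',           'alice', 'message',      '198.51.100.10', 'US', 40.71,  -74.01),
    ('2024-05-01 14:10:00', 'zoom',       'alice@example.com', 'alice', 'join_meeting', '198.51.100.10', 'US', 40.71,  -74.01),
    ('2024-05-01 14:30:00', 'salesforce', 'sf-alice',          'alice', 'login',        '203.0.113.77',  'RU', 55.75,   37.62),
    ('2024-05-01 14:00:00', 'salesforce', 'sf-bob',            'bob',   'login',        '192.0.2.5',     'US', 37.77, -122.42),
    ('2024-05-01 14:20:00', 'slack',      'U0BOB',             'bob',   'message',      '192.0.2.5',     'US', 37.77, -122.42);

-- Identity-level impossible travel: for each event, take the same identity's
-- previous event ordered by event_time (not ingestion time), whatever app it
-- came from, and flag pairs whose implied speed exceeds a plausibility limit.
WITH 500.0 AS max_plausible_kmh            -- assumption: tune per environment
SELECT
    identity_id,
    prev_app, prev_country, prev_time,
    app,      country,      event_time,
    round(dist_km, 1)                   AS dist_km,
    round(dist_km / (secs / 3600.0))    AS implied_kmh
FROM
(
    SELECT
        *,
        greatCircleDistance(prev_lon, prev_lat, lon, lat) / 1000 AS dist_km,  -- metres -> km
        dateDiff('second', prev_time, event_time)                 AS secs
    FROM
    (
        SELECT
            identity_id, app, account_id, event_time, country, lat, lon,
            lagInFrame(app)        OVER w AS prev_app,
            lagInFrame(country)    OVER w AS prev_country,
            lagInFrame(event_time) OVER w AS prev_time,
            lagInFrame(lat)        OVER w AS prev_lat,
            lagInFrame(lon)        OVER w AS prev_lon
        FROM saas_events
        WINDOW w AS (PARTITION BY identity_id ORDER BY event_time
                     ROWS BETWEEN 1 PRECEDING AND CURRENT ROW)
    )
    -- lagInFrame yields the type's default (the epoch) when there is no previous row
    WHERE prev_time != toDateTime(0, 'UTC')
)
WHERE secs > 0
  AND dist_km / (secs / 3600.0) > max_plausible_kmh
ORDER BY identity_id, event_time;
```

On this sample the query returns a single row for alice: her Zoom activity from New York at 14:10 followed by the Salesforce login from Moscow at 14:30, roughly 7,500 km apart in 20 minutes, while bob produces nothing. Changing the window to `PARTITION BY app, account_id` gives the account-level view the post contrasts with: the `sf-alice` account has no earlier event of its own to compare against, so the same data returns no rows. Because the table is ordered by `(identity_id, event_time)`, late-arriving audit records slot into the right place in the window regardless of when they were ingested.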
This capability not only enhances security but also empowers our data science team to discover new insights, which are then integrated into our real-time enrichment process.
Conclusion
It is clear that the time for an identity-focused approach has come. At Reco, we are at the forefront of this shift, using technology such as ClickHouse to provide visibility and protection in a complex, fast-changing environment. By focusing on identities and their behavior across the entire SaaS landscape, we help your organization stay a step ahead of even the most sophisticated threats.
Our system is not only about detecting anomalies; it is about understanding the full context of each identity's behavior, enabling rapid, accurate responses to new and emerging attack vectors. With Reco's advanced analytics, security engineers and CISOs have the tools they need to protect their organizations in this new era of cybersecurity.
Reco is a full-lifecycle SaaS security solution that empowers organizations with full visibility into every app, identity, and action to prioritize and seamlessly control risks in the SaaS ecosystem. You can request a demo to see the Reco platform in action.
ABOUT THE AUTHOR
Nir Barak
Nir Barak is the Principal Data Engineer & Architect at Reco. He has deep expertise in implementing scalable systems that handle billions of events a day.