Curative Achieves Advanced Risk Reporting With Snowflake

With Snowflake’s security data lake, this healthcare services leader now centralizes and enriches its data for greater collaboration, better risk mitigation and a stronger security posture. 

Austin, TX

Reengineering health insurance

Curative is a leading healthcare services company that created and launched the first-of-its-kind employer-based health insurance plan. Founded in 2020, Curative reengineered health insurance by providing unmatched simplicity, enhanced engagement and cost transparency with a competitive monthly premium and zero additional costs.    

Story Highlights
  • Enrichment and contextualization:  Snowflake's security data lake enables the team to combine and enrich data from various sources.

  • Greater collaboration:  The data team assists the security team in data ingestion, enrichment and integration, which saves time for security analysts and enhances their focus on critical tasks.

  • Tailored analysis:  The unified workflow allows for more in-depth analysis and investigation. Data scientists can use familiar tools like Notebooks and Snowpark to query the data, build custom analyses and generate visualizations.

Burdened by rigid workflows and limited solutions

Curative’s security program was previously constrained by a rigid workflow and the limits of the tools it used. The team would identify a problem, collect data specific to that problem, pick a tool for it and wire it to a tailored solution. Each of these purpose-built pipelines took significant effort to maintain, and the tools were often not comprehensive enough for in-depth analysis, so the team ended up exporting data to Excel or other formats for further enrichment.

In addition, the team faced challenges in managing and making sense of the massive volume of security data they collected from various sources. They needed a way to efficiently process and analyze the data to extract meaningful insights. According to Michael Panico, VP of Information Security at Curative, “We needed the ability to add additional context and enrichment to our data so that we could boost our investigation speed and effectively respond to alerts.”

Communicating security risks and priorities to stakeholders, including the C-suite, was also difficult because there was no unified, easily understood view of the organization's security posture. “Our understanding of what our risk posture looks like and how we are mitigating risks needs to be metricized to measure the successfulness of our program over time.”

Greater collaboration strengthens risk analysis

Curative’s security team measures its risk reporting against two pillars. First, it needs to maintain the overall health of the environment and track the KPIs for its risk posture. Second, its quality of service is determined by how quickly it can mitigate risks.

Curative uses Snowflake for security analytics by implementing a unified workflow that aggregates operational and cybersecurity data in one place, creating a security data lake for deeper analysis and enrichment. The security team is now able to cross-contextualize data from all their infosec tools with additional outside data sources like inventory management—all ingested into their Snowflake security data lake. “This helps us prioritize a remediation strategy around areas that we think are the highest risk,” says Panico.

“With our greater understanding of our security data through Snowflake, we’ve been able to develop risk posture KPIs and keep tabs on department level score risks and speed to patch. This has been critical to communicating to company leadership where the risks are and where we should be prioritizing.”

Michael Panico
VP of Information Security, Curative

The collaboration between the data and security teams ensures a holistic approach to risk analysis. According to Mitch Roznik, Director of Data at Curative, “The real objective is to reduce our time to value and increase our impact. Our team can handle the data ingestion and build out visualization for the security team, who can then take it for deeper analysis and decision-making.” 

Data scientists can assist the security team without having to learn specialized security tooling; they work in the tools they already know, such as BI tools, Notebooks and Snowpark for Python, to query the data, build custom analyses and generate visualizations. With this collaboration, Curative’s security team is now able to develop forecasts, conduct trend analysis, report enterprise risk posture and more.

Mitigating endpoint vulnerabilities

 “Endpoint management is a pillar to any security organization. If we don’t track this, endpoints, such as a laptop, could become a huge vulnerability that an attacker can leverage as an entry point to access sensitive data,” says Panico. “Snowflake enables us to cut out the manual work and easily create dashboards to monitor.” 

For example, the security team prioritizes updating employees running older versions of the Chrome browser, since those endpoints are exposed to the most known vulnerabilities. The report centralizes data sets that no single security tool holds together: device inventory from the mobile device management (MDM) solution and employee records, both stored in Snowflake and enriched and contextualized with Chrome vulnerability data. Curative can now actively manage Chrome endpoint vulnerabilities from that one view.

Figure 1. Endpoint management of Chrome browser vulnerabilities using fictional data.

Chrome releases continually patch known vulnerabilities, so the older the installed version, the more of them an endpoint remains exposed to. Figure 1 is a histogram: the X-axis lists Chrome versions, each bar gives the number of employees on that version, and the red line plots the cumulative number of vulnerabilities across those versions on the Y-axis.
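To make the join behind Figure 1 concrete, the following is an added example, not Curative's own code or data: it loads three constructed feeds (an MDM device export, an employee record feed and a list of Chrome advisories with placeholder ids) into an in-memory SQLite database standing in for the security data lake, then runs two queries of the kind the report needs. The first gives endpoints per Chrome version and how many known fixes each version is behind (the bars and the line); the second rolls that up per department for the risk KPIs mentioned above. The table names, the version-key padding and the rule that an endpoint is "exposed" to an advisory when its version is older than the fix version are assumptions made for the example.

```python
import sqlite3

# Constructed sample feeds (not Curative's data). In a security data lake these would be
# tables landed by the data team; here they are inline rows so the example runs offline.
MDM_INVENTORY = [            # (device_id, employee_id, chrome_version) from the MDM export
    ("dev-01", "emp-1", "118.0.5993.117"),
    ("dev-02", "emp-2", "118.0.5993.117"),
    ("dev-03", "emp-3", "118.0.5993.70"),
    ("dev-04", "emp-4", "117.0.5938.62"),
    ("dev-05", "emp-5", "115.0.5790.170"),
    ("dev-06", "emp-6", "118.0.5993.70"),
]
EMPLOYEES = [                # (employee_id, department) from the employee record feed
    ("emp-1", "engineering"), ("emp-2", "engineering"), ("emp-3", "finance"),
    ("emp-4", "finance"), ("emp-5", "sales"), ("emp-6", "engineering"),
]
CHROME_VULNS = [             # (advisory_id, fixed_in_version); placeholder ids, not real advisories
    ("adv-1", "116.0.5845.96"),
    ("adv-2", "117.0.5938.62"),
    ("adv-3", "117.0.5938.132"),
    ("adv-4", "118.0.5993.70"),
    ("adv-5", "118.0.5993.117"),
]


def version_key(version):
    """Zero-pad each dotted component so plain string comparison orders versions
    numerically ("118.0.5993.70" < "118.0.5993.117"). Computed on ingest so the
    SQL side never has to parse version strings."""
    return ".".join(part.zfill(5) for part in version.split("."))


def build_lake():
    """Load the three feeds into an in-memory SQLite database standing in for the data lake."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mdm_inventory (device_id TEXT, employee_id TEXT, chrome_version TEXT, version_key TEXT);
        CREATE TABLE employees (employee_id TEXT PRIMARY KEY, department TEXT);
        CREATE TABLE chrome_vulns (advisory_id TEXT, fixed_in_version TEXT, fixed_key TEXT);
    """)
    conn.executemany("INSERT INTO mdm_inventory VALUES (?, ?, ?, ?)",
                     [(d, e, v, version_key(v)) for d, e, v in MDM_INVENTORY])
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO chrome_vulns VALUES (?, ?, ?)",
                     [(a, v, version_key(v)) for a, v in CHROME_VULNS])
    return conn


# Figure 1 data: endpoints per Chrome version (the bars) and, for each version, how many
# known vulnerabilities were fixed only in later releases (the line). Assumption: an
# endpoint is "exposed" to an advisory when its version is older than the fix version.
EXPOSURE_BY_VERSION = """
WITH per_version AS (
    SELECT d.chrome_version, d.version_key, COUNT(*) AS endpoints
    FROM mdm_inventory d
    JOIN employees e ON e.employee_id = d.employee_id   -- drops devices with no owner on record
    GROUP BY d.chrome_version, d.version_key
)
SELECT p.chrome_version,
       p.endpoints,
       (SELECT COUNT(*) FROM chrome_vulns v WHERE v.fixed_key > p.version_key) AS exposed_vulns
FROM per_version p
ORDER BY p.version_key
"""

# Department-level roll-up for risk KPIs: endpoints per department, how many of them are
# behind at least one fix, and total exposure to rank where remediation goes first.
EXPOSURE_BY_DEPARTMENT = """
WITH device_exposure AS (
    SELECT e.department,
           (SELECT COUNT(*) FROM chrome_vulns v WHERE v.fixed_key > d.version_key) AS exposed_vulns
    FROM mdm_inventory d
    JOIN employees e ON e.employee_id = d.employee_id
)
SELECT department,
       COUNT(*) AS endpoints,
       SUM(CASE WHEN exposed_vulns > 0 THEN 1 ELSE 0 END) AS outdated_endpoints,
       SUM(exposed_vulns) AS exposed_vulns
FROM device_exposure
GROUP BY department
ORDER BY exposed_vulns DESC, department
"""


def exposure_by_version(conn):
    return conn.execute(EXPOSURE_BY_VERSION).fetchall()


def exposure_by_department(conn):
    return conn.execute(EXPOSURE_BY_DEPARTMENT).fetchall()


if __name__ == "__main__":
    lake = build_lake()
    for version, endpoints, vulns in exposure_by_version(lake):
        print(f"{version:>16} endpoints={endpoints} exposed_vulns={vulns}")
    for row in exposure_by_department(lake):
        print(row)
```

Re-running the two queries on each day's MDM export is what makes the bars in Figure 1 shift as endpoints upgrade; the padded version key is what lets a plain `>` comparison decide which advisories a given build is still missing.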

“Before, we were doing this manually. In partnering with the data team, we can see the whole environment and add our own bespoke queries. Now, it’s updated every day and we can see the bars shift, telling us we’re mitigating risks and trending in the right direction.”

Michael Panico
VP of Information Security, Curative

Adding context and visibility to identify bad actors

This Sankey diagram shows the traffic from two virtual private clouds (VPCs) and where its packets land. Potential bad actors may sit behind some of these known IPs, and the Curative security team can track them in near real time through its BI tool and alerting.

Figure 2. VPC traffic example using fictional data.

“Although many security tools may have this ability out of the box, what matters for us is the ability to dig into the data deeper,” says Roznik. Curative can pull up profiles, such as a former consultant who had access, and see their access history to get more context. “VPC flows are typically not user friendly. Adding in all the context is critical, or else it means nothing to us,” says Panico.
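The enrichment Panico and Roznik describe, as an added example rather than Curative's own pipeline: a handful of constructed VPC flow log lines in AWS's default version 2 layout (assumed here, since the page does not name the cloud) are parsed, then joined with two assumed context feeds, an interface-to-VPC inventory with the VPCs' address ranges, and an identity feed listing the source addresses accounts last connected from, including an offboarded contractor. From the enriched records it derives the per-zone byte totals a Sankey diagram like Figure 2 would plot, and flags accepted traffic from an address tied to an offboarded identity. The NODATA record in the sample is the kind of line that breaks a naive parser and is skipped explicitly.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed context tables (assumed feeds, not Curative's): which VPC each network
# interface belongs to, each VPC's address range, and an identity feed recording the
# source address accounts last connected from.
ENI_TO_VPC = {"eni-0aaa": "vpc-prod", "eni-0bbb": "vpc-data"}
VPC_CIDRS = {"vpc-prod": ip_network("10.10.0.0/16"), "vpc-data": ip_network("10.20.0.0/16")}
ACCESS_RECORDS = [  # (principal, account status, last known source address)
    ("contractor-acme", "offboarded", "203.0.113.45"),
    ("svc-backup", "active", "10.20.3.9"),
]

# AWS VPC flow log default (version 2) field order, assumed for the sample.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample lines; the last one is a NODATA record (all dashes) with no flow in it.
SAMPLE_FLOWS = """\
2 111122223333 eni-0aaa 10.10.1.5 10.20.3.9 44321 5432 6 12 2048 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0aaa 10.10.1.5 10.20.3.9 44322 5432 6 30 5120 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0aaa 203.0.113.45 10.10.1.5 51000 443 6 8 900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0bbb 198.51.100.7 10.20.3.9 40000 5432 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0bbb 10.20.3.9 10.10.1.5 5432 44321 6 10 3000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0bbb - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_line(line):
    """Return a dict for one flow record, or None for NODATA/SKIPDATA records that carry no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec


def zone_of(ip):
    """Map an address to the VPC that owns it, or 'external' for anything outside our ranges."""
    addr = ip_address(ip)
    for vpc, cidr in VPC_CIDRS.items():
        if addr in cidr:
            return vpc
    return "external"


def enrich(rec):
    """Add the context a raw flow lacks: the interface's VPC, the zone of each end,
    and any identity the source address is tied to in the access records."""
    rec["interface_vpc"] = ENI_TO_VPC.get(rec["interface_id"], "unknown")
    rec["src_zone"] = zone_of(rec["srcaddr"])
    rec["dst_zone"] = zone_of(rec["dstaddr"])
    match = [(p, s) for p, s, ip in ACCESS_RECORDS if ip == rec["srcaddr"]]
    rec["principal"], rec["principal_status"] = match[0] if match else (None, None)
    return rec


def load_flows(text):
    """Parse and enrich every usable record; NODATA/SKIPDATA lines are dropped."""
    return [enrich(r) for r in (parse_flow_line(l) for l in text.splitlines() if l.strip()) if r]


def sankey_edges(flows):
    """Figure 2 data: accepted bytes per (source zone, destination zone) edge."""
    edges = defaultdict(int)
    for f in flows:
        if f["action"] == "ACCEPT":
            edges[(f["src_zone"], f["dst_zone"])] += f["bytes"]
    return dict(edges)


def flagged_flows(flows):
    """Accepted traffic from an address tied to an offboarded identity: worth an alert."""
    return [f for f in flows if f["action"] == "ACCEPT" and f["principal_status"] == "offboarded"]


if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    for (src, dst), total in sorted(sankey_edges(flows).items()):
        print(f"{src} -> {dst}: {total} bytes")
    for f in flagged_flows(flows):
        print("ALERT", f["principal"], f["srcaddr"], "->", f["dstaddr"], f["dstport"])
```

The raw line for the contractor's connection says nothing more than "an external address reached port 443 and was accepted"; it is the join against the identity feed that turns it into something an analyst can act on, which is the point Panico makes about context.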

Continued collaboration with the data team

Curative’s security team continues to rely on the Snowflake security data lake to ingest logs for retention, complex parsing and correlation tasks that they’re unable to do within a SIEM. “There can be limitations to how bespoke queries can be in a SIEM. It may require hiring a specialist,” says Panico. “Instead, with a security data lake and collaboration with an excellent data team, we can do things that go above and beyond what any traditional SIEM is capable of doing. We can focus on just asking the right questions and continue enhancing our security posture.”
