Convex Insurance chose Push to close a gap left by traditional CASB solutions, enabling them to enhance their identity security and gain control of shadow SaaS at the same time.

In summary
  • Convex Insurance, an international specialty insurer, needed a way to secure identities on cloud apps — including apps not on SSO.

  • Push helped Convex get a unified view across both their identity security posture and their estate of third-party apps and OAuth integrations.

  • Convex was able to get reliable data in order to put further weight behind their security policies. The security team was also able to use Push’s automated self-remediation ChatOps workflows to reduce the manual effort of fixing issues.

Business challenge

As a specialty insurer handling complex requirements, Convex Insurance relies on security solutions that provide the flexibility their workforce needs in order to deliver services in areas as diverse as crisis management, marine cargo, renewable energy, and satellite launches in multiple countries and territories.

“At Convex, we embrace the role that our staff play in helping secure the business and we empower them to make good decisions while providing them with the information they need to do that,” says Michael Earl, security operations lead at Convex.

Convex has also welcomed the use of cloud apps to supercharge productivity, with employees using a large number of SaaS apps, from the mundane to the obscure.

However, the widespread use of cloud apps posed a challenge for the Convex security team in getting a unified view across their app estate and identity posture. Existing tools provided a lot of data, but it was a time-consuming process to glean the insights the team needed to effectively enforce security policies.

The potential blindspot of unmanaged apps and identities was a concern and led to hard conversations among the security team.

“If we have a breach at a third party that some of our users are signed up to, we need to immediately understand where we have accounts and data so we can take appropriate steps,” Michael says.

Technical challenge

CASB approach was time-consuming

Early attempts to solve the challenge of getting full visibility of both identity posture and their app estate were time-consuming.

This entailed combing through CASB logs to identify visited URLs and HTTP methods, as well as evidence of POST data and transferred bytes. Then the security team would try to infer if employees were using unsanctioned applications or storing data where it wasn’t approved to go.

“It was quite a manual exercise,” Michael says.

That spotty evidence made it hard for the security team to have informed conversations with end-users.

“When you have a conversation with an employee, you want to make sure you have the proper information on whether they were actually using an app so you don’t put someone on the defensive when they were just doing their job,” Michael says.

Seeking visibility of non-SSO cloud identities

At the same time, the team was looking for additional ways to get the visibility they needed for securing non-SSO cloud identities.

In particular, they were worried about identities that could exist on unmanaged apps.

“In our industry, it is the SaaS apps that are not SSO-integrated that are potentially the biggest danger,” says Alistair McGlinchy, IT security engineer at Convex. “So if a third party has their password database attacked and there has been any password reuse, an attacker can password-spray and get to the point where MFA is the only blocker for somebody trying to authenticate.”

Solution

Convex chose Push initially to help them further secure identities on a large catalog of cloud apps. In learning more about the product, they realized Push would also give them a unique unified view of both identity posture and their third-party apps and OAuth integrations — even unsanctioned or “shadow” apps.

“Other than you guys, we just didn’t have any awareness of anything in the market that matched the level of intelligence that Push can provide about how our employees use passwords,” Michael says. “And then we learned about all the additional features, like you can see where all of your apps are integrated and what people are doing with them. You’ve got this nice unified view of all of the OAuth scopes and things that people have been granting. The product works. It ticks all the boxes, really.”

Easy deployment

Setting up a proof of concept was a 1-hour video call, Alistair recalls.

“It was one of the more straightforward onboarding and trial experiences that we’ve had, and that’s continued post-procurement as well,” Michael says.

The team was able to select a test group and deploy the Push browser extension via MDM. The Convex team also appreciated Push’s support for Google Workspace and alternative identity providers.

Immediate value

During the trial, the security team found high-risk password reuse among their own IT team.

Armed with this information, they could follow up with employees directly — or use Push’s automated self-remediation ChatOps workflows to facilitate that conversation without it feeling awkward for either party.

“As far as we’re concerned, it is better coming from an automated platform,” Michael says. “We’re a small team, so we don’t have a lot of time to manually follow up on every possible issue. We absolutely need tools that both detect and notify about the problem and facilitate the remediation steps.”

They were also able to identify non-SSO apps with heavy usage and restrict their use, as well as gauge their employees’ use of AI and LLM tools.

Putting more weight behind security policies

With the data provided by the Push platform, the Convex security team now has the evidence they need to be able to reinforce security policies for their cloud estate.

“It gives us all the information that we need to attack the problem and provide even better security for our business,” Michael says.

“With Push, suddenly we had the potential of installing something into our estate that would give us even better information to make decisions about our SaaS and identity security posture so we could get a unified picture of the risks.”
Michael Earl, security operations lead

The company

Convex Insurance

Convex Insurance is an international specialty insurer founded in 2019 and operating in Bermuda, London, and Luxembourg. Convex provides underwriting for complex specialty risks, including in the areas of energy, commercial property, crisis management, and aerospace.

Location: Bermuda, London, Luxembourg
Users protected: 1,750

By the numbers

Proof of concept setup: 1 hour
Number of apps: 1,000+
