Let's protect your SaaS with Sigma and Okta

Ross Hosman
4 min read · May 26, 2020

Check out the previous posts in our security analytics journey: Adding Security Analytics to your Cloud Security Program with Sigma and Lacework and Building Devops / Secops Dashboards with Sigma Computing and Snowflake.

Passwords, passwords, passwords. There has been so much talk about passwords that I have password discussion fatigue: how long they have to be, how complex, make sure they are alphanumeric, add special characters, uppercase and lowercase, can't include your name, can't have repeating or sequential characters. Then there is the ever fun discussion around password rotation. Fortunately, the industry and standards bodies have started changing their stance in this area by no longer requiring arbitrary rotation times.

We as security professionals can solve this problem for our companies while improving the user experience and increasing security. Single Sign-on (SSO) solutions give you the ability to federate identity and access to your applications without your users having to remember a password. This matters, as the average 1–100 person company now has around 100 SaaS applications according to Blissfully.

At Sigma Computing we put all of the apps we can behind Okta and then we take that data, analyze it and visualize it. We use those visualizations to create dashboards for our IT and Security teams so they can quickly view that things are normal or so they can quickly spot anomalies to follow up on.

This dashboard gives us a quick look at what is happening in our SSO solution and allows us to quickly spot anomalies. In the first visualization we have a map showing the geo-location of where users log in from. This allows us to quickly spot anomalies based on where our employees reside; if we were to see a login from, say, North Dakota, that would be a red flag to investigate. The reason I didn't use another country as an example is that we actually use some of the advanced security features of our SSO solution: block Tor endpoints, block well-known public VPN providers, block on velocity (if you were in San Francisco and you try to log in from Florida 10 minutes later, we should block that) and block countries we don't expect logins from. This makes it harder (not impossible) for attackers to access your applications through breached credentials. I'm really impressed to see other solutions like 1Password incorporate this type of functionality into their platform.

Example 1Password firewall rules.

We round out this dashboard with things like network information, to view what networks are hitting Okta and look for any potentially shady networks trying to access our instance. Device information shows what users are logging in with, and user activity lets us spot spikes along with the event types. Lastly, we have a section around security information that includes what factors (TOTP, Yubikey/FIDO, RSA, etc.) people are using, how many logins and failures there are, and how many potential threats have been able to log in.
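As an added illustration (not code from this post or from Sigma Computing), the following Python reproduces two of the checks the dashboard is built to surface: a successful login from a country outside an allowlist, and the velocity case of San Francisco followed by Florida ten minutes later. The events are constructed to follow Okta System Log field names (`client.geographicalContext`, `actor.alternateId`, `eventType`); the allowlist and the speed threshold are assumptions a team would tune for its own workforce.

```python
"""Impossible-travel and unexpected-country checks over Okta System Log events.

Added example, not code from the original post or from Sigma Computing.
The events are constructed in Okta System Log shape; EXPECTED_COUNTRIES and
MAX_PLAUSIBLE_KMH are assumptions, not values from the post.
"""
import math
from datetime import datetime, timezone

# Constructed sample events (not real log data), all successful session starts.
SAMPLE_EVENTS = [
    {"published": "2020-05-26T17:00:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10", "geographicalContext": {
         "city": "San Francisco", "state": "California", "country": "United States",
         "geolocation": {"lat": 37.7749, "lon": -122.4194}}}},
    {"published": "2020-05-26T17:10:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7", "geographicalContext": {
         "city": "Miami", "state": "Florida", "country": "United States",
         "geolocation": {"lat": 25.7617, "lon": -80.1918}}}},
    {"published": "2020-05-26T18:00:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "192.0.2.55", "geographicalContext": {
         "city": "Fargo", "state": "North Dakota", "country": "United States",
         "geolocation": {"lat": 46.8772, "lon": -96.7898}}}},
    {"published": "2020-05-26T21:00:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "192.0.2.56", "geographicalContext": {
         "city": "Toronto", "state": "Ontario", "country": "Canada",
         "geolocation": {"lat": 43.6532, "lon": -79.3832}}}},
]

EXPECTED_COUNTRIES = {"United States"}  # assumption: where this org's staff log in from
MAX_PLAUSIBLE_KMH = 900.0                # assumption: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _parse_ts(s):
    """Okta publishes timestamps as ISO-8601 with milliseconds and a Z suffix."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_anomalies(events, expected_countries=EXPECTED_COUNTRIES, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return a list of (user, kind, detail) findings.

    kind is 'unexpected_country' for a successful login outside the allowlist,
    or 'impossible_travel' when two successive successful logins by the same
    user imply a ground speed above max_kmh.
    """
    findings = []
    last_seen = {}  # user -> (timestamp, lat, lon, city)
    logins = [e for e in events
              if e.get("eventType") == "user.session.start"
              and e.get("outcome", {}).get("result") == "SUCCESS"]
    for e in sorted(logins, key=lambda e: e["published"]):
        user = e["actor"]["alternateId"]
        geo = e["client"]["geographicalContext"]
        lat, lon = geo["geolocation"]["lat"], geo["geolocation"]["lon"]
        ts = _parse_ts(e["published"])
        if geo["country"] not in expected_countries:
            findings.append((user, "unexpected_country", geo["country"]))
        if user in last_seen:
            prev_ts, plat, plon, pcity = last_seen[user]
            hours = (ts - prev_ts).total_seconds() / 3600.0
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_kmh:
                findings.append((user, "impossible_travel",
                                 f"{pcity} -> {geo['city']} in {hours * 60:.0f} min"))
        last_seen[user] = (ts, lat, lon, geo["city"])
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EVENTS):
        print(finding)
```

On the sample data, Alice's San Francisco-to-Miami pair is flagged as impossible travel and Bob's Toronto login is flagged as an unexpected country; Bob's Fargo-to-Toronto gap of three hours is under the speed threshold and is left for the map to show rather than alert on. The same logic translates directly into a windowed SQL query over the flattened log table once the events are in Snowflake.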

If you want to build a dashboard with Okta, you'll need to pull against their API, because they don't have the ability to export logs to an S3 bucket or do a Snowflake share. (Note: if anyone from Okta reads this, it would be great if you added this feature.) We output those logs to a Linux server, upload them to S3, pick them up with Fivetran and load them into Snowflake so we can analyze them.
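The pull step, as an added example rather than Sigma Computing's own script: Okta's System Log endpoint (`/api/v1/logs`) is paged, with each response carrying a `Link` header whose `rel="next"` entry points at the next page, so the collector has to follow those links until it gets an empty page. The script below walks the pages, flattens each event into the columns the dashboard uses and writes NDJSON for the S3 upload. The environment variable names, the output path and the two sample pages are constructed assumptions; the `get` parameter is injectable so the pager can be exercised offline.

```python
"""Pull Okta System Log events page by page and write NDJSON for an S3 ->
Fivetran -> Snowflake load. Added example, not code from the post or Sigma.
Assumptions: OKTA_ORG_URL and OKTA_API_TOKEN environment variables, a local
output path, and constructed sample pages used when run offline.
"""
import json
import os
import re
import urllib.request


def parse_next_link(link_header):
    """Return the URL tagged rel="next" from an Okta Link header, or None.

    Okta sends e.g.  <https://org.okta.com/api/v1/logs?...>; rel="self",
                     <https://org.okta.com/api/v1/logs?...&after=X>; rel="next"
    """
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="([^"]+)"', part)
        if m and m.group(2) == "next":
            return m.group(1)
    return None


def flatten_event(event):
    """Pick the dashboard columns out of one System Log event (nested JSON)."""
    client = event.get("client") or {}
    geo = client.get("geographicalContext") or {}
    return {
        "uuid": event.get("uuid"),
        "published": event.get("published"),
        "event_type": event.get("eventType"),
        "result": (event.get("outcome") or {}).get("result"),
        "user": (event.get("actor") or {}).get("alternateId"),
        "ip": client.get("ipAddress"),
        "city": geo.get("city"),
        "state": geo.get("state"),
        "country": geo.get("country"),
        "user_agent": (client.get("userAgent") or {}).get("rawUserAgent"),
    }


def http_get(url, token):
    """GET one page with SSWS token auth; returns (parsed JSON body, Link header)."""
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("Link")


def pull_logs(org_url, token, since, limit=1000, get=http_get):
    """Yield flattened rows for every event since `since` (ISO-8601), following
    rel="next" links until Okta returns an empty page."""
    url = f"{org_url}/api/v1/logs?since={since}&limit={limit}"
    while url:
        events, link = get(url, token)
        if not events:  # end of the stream
            break
        for ev in events:
            yield flatten_event(ev)
        url = parse_next_link(link)


def write_ndjson(rows, path):
    """One JSON object per line is what Fivetran's S3 connector expects; returns row count."""
    n = 0
    with open(path, "w") as fh:
        for row in rows:
            fh.write(json.dumps(row) + "\n")
            n += 1
    return n


# Constructed sample pages standing in for two Okta responses (not real log data).
_PAGE1 = "https://example.okta.com/api/v1/logs?since=2020-05-26T00:00:00Z&limit=2"
_PAGE2 = "https://example.okta.com/api/v1/logs?since=2020-05-26T00:00:00Z&limit=2&after=a2"
SAMPLE_PAGES = {
    _PAGE1: ([
        {"uuid": "a1", "published": "2020-05-26T17:00:00.000Z", "eventType": "user.session.start",
         "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"},
         "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"},
                    "geographicalContext": {"city": "San Francisco", "state": "California",
                                            "country": "United States"}}},
        {"uuid": "a2", "published": "2020-05-26T17:05:00.000Z", "eventType": "user.authentication.auth_via_mfa",
         "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "bob@example.com"},
         "client": {"ipAddress": "198.51.100.7", "geographicalContext": None}},
    ], f'<{_PAGE1}>; rel="self", <{_PAGE2}>; rel="next"'),
    _PAGE2: ([], f'<{_PAGE2}>; rel="self"'),
}


def fake_get(url, token):
    """Offline stand-in for http_get, serving the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    org = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")
    token = os.environ.get("OKTA_API_TOKEN")
    getter = http_get if token else fake_get  # no token: run against the sample pages
    count = write_ndjson(pull_logs(org, token or "", "2020-05-26T00:00:00Z", limit=2, get=getter),
                         "okta_logs.ndjson")
    print(f"wrote {count} rows")
```

Two things worth keeping in a production version of this: persist the `published` timestamp of the last row written and use it as the next run's `since`, so the collector resumes rather than re-pulling, and keep the API token out of the script (an environment variable or secrets store, as assumed here) since a System Log read token exposes every login in the org.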

Lastly, a plea to the many companies who require expensive enterprise plans or add-ons to enable SSO: please rethink this strategy. We at Sigma Computing do not charge extra for SSO because we want our customers to use our service in the most secure way possible. We actively encourage our customers to use SSO because we want them to manage their on-boarding, off-boarding, password policy and MFA requirements in their central authentication systems. This is a basic feature that should be included in the base plan of any platform.

(Credit to Julie Lemieux for the design and to Don Huang for always helping me with my data and checking my articles)
