As organizations add cloud applications to their daily workflow, “single sign-on” is necessary to improve security, increase productivity, and reduce IT costs. However, as with the move towards containerized deployment, network, security, and packet analysis tools are often missing out on these features.
SAML is an industry standard for single sign-on integration with applications. Used along with your most critical investigation and troubleshooting tools, SAML-based SSO can significantly improve your NOC, SOC, and IT teams’ operational security and performance.
Single sign-on systems allow users to remember a single username and password and use those credentials once, automatically logging into multiple applications as needed without taking the time to authenticate with each one individually or, more importantly, having to remember multiple passwords.
While there are many SSO solutions available, the Security Assertion Markup Language (SAML) is an OASIS Open specification that standardizes the communication and format of login information between identity providers and service providers (i.e., applications) for single sign-on. This means that these systems can work together without any further integration.
This has advantages for anyone selecting an identity provider. This identity provider may be a server in your own network, or it may be an external SAML service such as OneLogin, PingOne, Okta, or others. Using SAML-based providers gives confidence that more applications will be able to work with the chosen system. Any enterprise deploying its own identity provider system that uses SAML can add any application that supports SAML for its users.
Many business process applications support SAML, particularly cloud or SaaS solutions. As more and more SIEM automation and managed network products move to the cloud, SAML-based authentication is a significant value-add for organizations.
Of course, network packet capture and analysis are often still done with native software installed on workstations. When such functionality is moved to a cloud-based solution (private or otherwise) and integrated with SAML, your network and security analysis workflows become much more efficient.
For example, let’s say your team works with a cloud-based Security Orchestration, Automation, and Response (SOAR) solution and manages its Wi-Fi APs and network switches (with native packet capture) via a cloud portal. Let’s also imagine they all use SAML-based SSO. Incorporating a pcap analysis solution that is also cloud-based and uses SAML can streamline the resolution process like this:
CloudShark supports SAML-based SSO to make the packet capture storage and analysis portion of your DFIR, network ops, and IT processes significantly easier.
Would your organization benefit from having your analysis tools integrated with your single sign-on system? Contact us to learn more!