Skip navigation
Duo Blog
Admin Login

Categories & Archive

A set of well-functioning gears represents how Duo's UEBA beta program assesses the security of user and endpoint activity.
Product & Engineering
Rahul HiraniStefano Meschiari

Automate Threat Detection With Duo’s UEBA

We recently described how user and entity behavior analytics (UEBA) is changing the way organizations detect threats. Today Duo announces a beta program for its UEBA capabilities, which give customers analytics-based threat detection to assess the security of their user and endpoint activity.

Organizations of all sizes struggle with threat detection. Security and IT departments are always spread thin - trying to find ways to do more with less. Many organizations look to Security Information and Event Management systems (SIEMs) to automate some detection with customizable alert rules, but SIEMs are resource intensive to fully stand up and have a long time-to-value. Furthermore, organizations routinely experience changes in projects, personnel, and vendors, and configuring and maintaining alert setups is tedious and drives up the total cost of ownership of a monitoring and detection system. Because of this, alerts are frequently set up reactively after a security issue has occurred rather than configured in an effort to be proactive.

Duo customers can soon use Duo's UEBA-based threat detection, which employs machine learning techniques to analyze behavior data and detect anomalous and potentially malicious activities. While traditional threat detection systems can often be prohibitively expensive to set up and maintain, Duo’s system requires no setup. It runs on data Duo is already handling as a part its standard offering and is more scalable than traditional, strictly rules-based alerting systems because it learns and adapts over time.

UEBA Security Events

Credential theft and account takeover are more prevalent than ever, as highlighted in the 2018 Verizon Data Breach Investigations Report (DBIR), which identified stolen credentials and phishing as two of the top three most common means of breach. But attackers who compromise a user's credentials will find it very difficult to also simulate that user's behavior. For example, Duo can find inconsistencies in how a user is attempting to access an application. Duo’s models rely on a number of signals to decide whether an authentication is suspicious. Those signals are built on top of data handled as part of Duo’s authentication process, such as time of day, application accessed, properties of the access and two-factor devices, and network of origin. Duo’s models are intelligent and learn over time, meaning every incoming authentication builds a deeper understanding of normal and anomalous behavior patterns.

The machine learning models UEBA uses are built by Duo's Data Science team, who come from such institutions as CERT and Carnegie Mellon to University of California. Data Science uses multiple models, both unsupervised and supervised, to pinpoint anomalous behavior. All models constantly learn from new data as it is observed.

Duo continues to improve its threat detection capabilities with a focus on reducing the investigative burden on IT and security, as well as build its UEBA functionality deeper into the authentication experience. The beta program for UEBA-based threat detection is open to existing Duo Security customers. To learn more about Duo’s work in UEBA and to join the beta program, please contact your account representative.