NEW! Get Behavioral Security Analytics with Duo Trust Monitor (Beta)
Duo verifies the trust of workforce access by evaluating every access attempt against several controls. First, Duo’s market leading multi-factor authentication solution protects customers against credential theft, the most common modern attack vector, by verifying the user’s identity. Next, Duo evaluates the access device’s security posture to establish that the endpoint meets security hygiene standards. Following this, Duo verifies authorization through its flexible and granular access policy engine, which enables Least Privilege access to critical corporate resources. To further extend these layers of trust controls into the behavioral realm, Duo is announcing the public beta of Duo Trust Monitor.
What is Duo Trust Monitor?
Duo Trust Monitor is a security analytics feature that identifies and surfaces risky, potentially insecure user behavior in a customer’s Duo deployment. When the feature is enabled, Duo Trust Monitor will model all historical Duo activity and telemetry to create a baseline profile of workforce and device behavior. The feature evaluates each new access attempt in light of user, cohort, and organization’s behavioral norms. If a user significantly deviates from their individualized behavioral profile, Duo Trust Monitor will surface the case as behaviourally anomalous.
Anomalous behavior may include novel IPs or devices, unusual authentication factors or times of day, access attempts by high risk users or against high risk applications, recognized patterns such unrealistic geo-velocity or brute force attacks, and much more.
To illustrate the point, here are two typical explanatory modals that might be displayed within Duo Trust Monitor:
Not only does Duo Trust Monitor highlight behavioral novelties (i.e. login from a new geography or device), but it will also detect highly unusual access attempts (i.e. this happens less than 1% of the time). Additionally, security insight will be used in conjunction with unusual access to label events. For example, Duo Trust Monitor can group certain location and time anomalies into the impossible geo velocity category for easy triage. In the circumstance that a case that Duo Trust Monitor has identified is unimportant, the feature learns from customer feedback and will avoid surfacing events with similar detection characteristics.
How does this improve security?
Duo Trust Monitor has several value propositions:
1. Environment Visibility & Policy Hardening
By creating a historical baseline of user behavior and surfacing unusual access attempts, organizations get deep insight into their environment. Duo Trust Monitor does the heavy lifting of identifying strange access and contextualizing its security meaning. For example, Duo Trust Monitor might uncover a software engineer that is attempting access to a financial application for the first time, which an organization may not yet have an internal security policy built around. Such a situation may not be malicious, but might warrant a change to access policy.
2. Informed Risk Detection & Prevention
In enabling Duo Trust Monitor, organizations can designate high-priority, high-privilege applications and user groups. When these applications are accessed atypically or credentials associated with powerful users act anomalously, understanding the story behind the anomaly can provide key security insight. For example, if credentials belonging to a CXO abnormally “down factor” (i.e. move from a more secure second factor like a push to a less secure one like an SMS), the corresponding Duo Trust Monitor-identified security event might represent an instance of spear-phishing and account takeover. Teams can prioritize and respond efficiently by checking in with the executive, quarantining the device, and potentially updating the user group’s access policy set to require more secure forms of MFA
3. Security Investigation Efficiency
Before Duo Trust Monitor, collecting context during a security investigation involved scrolling through raw log data and templated reports across Duo and other tools. With Duo Trust Monitor, potentially risky access attempts are highlighted and surfaced. The feature contextualizes the anomalous behavior in a variety of easy to consume explanatory visualization.
Furthermore, relevant access history is provided with each anomaly so that security teams can easily drill down to learn more about activity leading up to event - providing a simple-to-use workflow for any security professional.
Should a team prefer that Duo Trust Monitor insights be exported in raw or into a modern SIEM, various export options will also be available.
Join the Public Beta
Duo Trust Monitor will be available in both Duo Access and Duo Beyond editions at no additional cost. If you are a customer currently on either edition, and are interested in joining the the public beta of Duo Trust Monitor, please reach out to your account representative.
