SE Labs awards Cisco its AAA Rating in Universal ZTNA identity testing

As security’s new front line of defense, user identities must be fully protected at all times. That’s why after rigorous, first-of-its-kind identity testing, SE Labs® awarded Universal Zero Trust Network Access (UZTNA) from Cisco its highest AAA rating for “Advanced Security IAM Protection.”

SE Labs AAA rating for Cisco Universal ZTNA in the Advanced Security IAM Protection category

Universal ZTNA combines multiple products to deliver zero trust authentication and protection against identity-based attacks:

  • Cisco Duo

  • Cisco Secure Access

  • Cisco Identity Intelligence (CII)

The solution achieved 100% detection and 100% protection against cyber threats, identifying and blocking every attempt to compromise security defenses. The report reads:

UZTNA detected and responded to every malicious access attempt without relying on traditional exploit signatures or simple traffic heuristics. As such, the combined solution achieves the SE Labs AAA award.

Testing mimics real-world attacks on identity

“Hackers don’t always need exploits, but they do always need access,” SE Labs Founder and CEO Simon Edwards points out, noting modern attackers target identity to break into critical cloud environments like Microsoft 365.

"Identity is a primary attack surface in modern enterprise environments, especially with cloud-based platforms like Microsoft 365. It is crucial to assess how well defenses handle threats that are subtle, persistent, and increasingly effective."

SE Labs

SE Labs security experts subjected Universal ZTNA to a rigorous round of attacks that proved Duo and the other offerings could handle a range of common threat actor tactics. Testing took place in a real network environment, targeting a Microsoft 365 deployment with privileged and non-privileged accounts. Security experts played the role of attackers, probing for weaknesses and adapting to security controls to see how systems would respond.

SE Labs’ landmark analysis mimicked techniques used recently by prominent threat groups like Scattered Spider, APT29, and APT28. Testing featured 30 attacks across three attack vectors:

  • 12 attempts involved stolen credentials using valid, but compromised, usernames and passwords to gain access

  • 8 tried to bypass MFA using techniques like MFA fatigue and credential stuffing

  • 10 attacks attempted to hijack active user sessions without needing credentials or MFA

Variations ranged from attempting to log in from different geographic locations and devices at unusual hours, to MFA flooding (a Scattered Spider go-to tactic), to using stolen session cookies to impersonate users and compromise assets without re-authenticating.

The new Duo: End-to-end, security-first IAM

SE Labs recognizes that not all MFA is created equal. Edwards writes, “While many people think multi-factor authentication is a silver bullet. It isn’t.” Enter the “new Duo” with a comprehensive solution that combines:

MFA shuts down stolen credentials: Duo MFA routinely blocks attacks that attempt to leverage stolen credentials by requiring users to confirm their identity using additional factors like their mobile phone or thumbprint.

Proximity Verification prevents MFA bypass: Businesses roll out MFA to stop phishing, but hackers attempt to bypass it with phishing and ‘MFA fatigue’ attacks that flood authentication systems with repeat login requests. Duo Proximity Verification leverages the user’s mobile phone to confirm the authentication device is physically close to the device they’re asking to access (e.g., their laptop). It’s a simple, seamless, and highly secure approach to detect and intercept attempts to bypass MFA without requiring expensive hardware tokens or complex configurations.

Session Hijacking Prevention protects mid-session: As part of its enhanced end-to-end phishing resistance capabilities, Duo now includes session theft prevention to stop one of the three tactics employed by the SE Labs testing of UZTNA. The report describes session hijacking as:

An attack in which an attacker takes control of a user’s active session, often by stealing a session token or ID. Attackers may exploit insecure cookies, public Wi-Fi networks and browser vulnerabilities. Once hijacked, the attacker can impersonate the user, access sensitive data and perform unauthorized actions. This threat bypasses normal authentication and is hard to detect.

Threat actors attempt to steal “Remember Me” session cookies used to keep people authenticated during active sessions. Duo removes these cookies and applies patent-pending technology to prevent session hijacking behind the scenes. Duo secures entire user sessions — without inconveniencing people to authenticate again and again.

"We replayed captured session tokens to hijack authenticated connections, bypassing normal login checks and gaining access without credentials."

SE Labs

Universal ZTNA didn't miss a trick

“Attackers today have choices in overcoming perimeter controls,” Edwards says. “Cisco UZTNA is to be congratulated for its flawless performance at rebuffing our attacks in what is now a very complex environment.”

SE Labs shows 110% efficacy against stolen credentials, MFA brute-forcing, and session hijacking

Duo delivers strong security and a world-class user experience

The SE Labs writeup notes, “Data needs to be accessible, at high speeds, but using strong security. And this security needs to be managed simply. and other modern staples of strong security and a rewarding user experience.”

Along with easy-to-use MFA, Duo features options like single sign-on (SSO), a user directory with lifecycle management (Duo Directory), device trust, and complete passwordless to raise the bar on flexibility, simplicity, and user satisfaction.

“Zero Trust Network Access is key to protecting organizations today, and we’re delighted that our first-of-its-kind Universal ZTNA from Cisco has been awarded the top accolade from SE Labs,” says Raj Chopra, SVP, CPO Cisco Security. “This rigorous benchmark underscores how Cisco’s unique integration of identity security and SASE delivers a true universal Zero Trust solution, providing unmatched protection for the workforce against the diverse and sophisticated attacks organizations face today.”

For more details about the tests and findings, download the full report.

Take the next step in your IAM journey

Discover how Cisco Universal ZTNA and Cisco Duo can transform your organization’s security posture. Visit the following resources to explore our innovative approach:
