Spot the Difference Between Suspicious & Legitimate Authentications With Duo Trust Monitor
If you’ve ever worked a long day (and we all have at some point), you’ve probably taken a pause to give your brain a break. Some of us prefer to do nothing, while others like to keep their mind engaged and play a game. One of the more popular games over the years not named Wordle has been Spot the Difference. For the uninitiated, Spot the Difference is a puzzle game that presents you with two similar images, one of which has been altered slightly, and challenges you to identify the differences between the two. Finding the differences can be a real test of one’s patience and ability to concentrate on details.
As fun as that sounds, if you’re a Cybersecurity Analyst, you may be doing something similar: searching through mountains of log data to find something different that could be a potential threat to your organization. This can be tedious and time-consuming. To illustrate the point, we’ll focus on a particular type of event that generates logs: user authentications (aka “logins”). Every time one of your employees logs into the network or an application, an auth log is created. Depending on the size of your organization, this could result in thousands of new logs each day. There goes your break time.
Identifying “different” authentications
Searching through auth logs to identify a login that looks suspicious is one thing. But how do you know if it’s truly different and poses a threat? To understand that, you need visibility into both normal and anomalous authentications. If you don’t know what a normal, or “expected,” login looks like, it’s hard to spot the difference between them. This requires creating a baseline authentication profile against which other logins are compared. Doing so will help you spot the difference(s) between the two and identify suspicious auths that could spell trouble.
But what happens if you don’t have the time to search through log data for atypical access attempts? Well, bad things possibly. One is account takeover using compromised credentials where the cybercriminal has stolen someone’s username and password. Based on responses in the IBM Security Cost of a Data Breach Report 2022, stolen or compromised credentials are the most common vector for a data breach, responsible for 19% of breaches with an average cost of US $4.5M.
Another is insider access abuse, or privilege misuse. Findings from the Verizon 2022 Data Breach Investigations Report indicate the attacker is typically an employee who uses their legitimate credentials to access a privileged account to steal data, often for financial gain. While this doesn’t paint a pretty picture, the signs for identifying anomalous logins that could lead to a data breach are there. You just need the right tool to surface them.
See the signs with Duo Trust Monitor
So, what are the signs to look for? Here are a few along with some questions to consider:
The User – Is the person a current employee? Are they part of a group with privileged access?
The Auth Location – Do we have employees working in this country?
The Auth Time – Do we expect people to be accessing data or applications at 3:00 a.m.?
The Device – Is the authentication from a Windows device but our employees use Macs?
The Application – Does the user need access to this app to do their job?
Duo provides a tool to help you see the signs and “spot the difference” between authentication attempts. Duo Trust Monitor is an advanced anomaly detection feature that does all the work of searching for risky authentications for you. It ingests all the authentication logs in your environment and runs them through proprietary machine learning algorithms.
The algorithms set a baseline of normal user and device activity. Trust Monitor then compares each new authentication attempt against that baseline and highlights anomalous or risky login attempts in the form of a security event. With just a few clicks, administrators can create a Risk Profile for the organization that prioritizes and surfaces security events that match profile elements. For example, you may want to keep a closer eye on authentications related to certain Duo-protected apps, specific user groups or countries. Security events that match the Risk Profile are given more weight and appear at the top of the Security Events board with a yellow shield designation that explains the connection between the event and the Risk Profile.
Can I get some context here please?
I’ve touched a bit on the “What” and “How” of Trust Monitor and its ability to surface atypical logins, but let’s take a closer look at the “Why.” Why is a particular authentication considered anomalous? The answer has to do with context. While there are other risk analytics tools on the market, many focus on a single model like novelty, which looks for a variable that’s new, such as a new device or an application that’s being accessed for the first time. This approach is simplistic and doesn’t offer much context into the access attempt. Basing a decision on just one model alone can lead to an increase in false positives.
Trust Monitor on the other hand takes a more holistic view of each authentication using contextual analysis. By analyzing historical login data across multiple models and variables, Trust Monitor is able to provide a much richer picture of the access attempt, enabling administrators to make a more informed decision as to whether it is legitimate or suspicious and requires action. Let’s take a look at some examples:
Security Event: The VP of Sales is accessing the company’s CRM app at 4:00 a.m.
Analysis: In this case Trust Monitor analyzes the application being accessed and the timestamp. Is it unusual for the VP of Sales to access customer information? No. Is the timing unexpected? Hopefully. A solution focused on Rarity would flag this event as risky.
Security Event: Someone is requesting access to a sensitive app from a Windows device using an unusual multifactor authentication method (SMS).
Analysis: Here we have three variables flagged. The organization uses macOS devices, not Windows. Also, the user has not accessed the app for six months and a push notification is their preferred authentication method, not an SMS text. These three together are a strong indication that this is a fraudulent authentication attempt.
Security Event: A Marketing manager is traveling to an event in another country and needs to access email.
Analysis: Without the right context, this access attempt could be marked as suspicious based on location, timestamp and a new device IP. However, we know there is a big event happening overseas, so it’s not unusual to see these three variables associated with this user and therefore we can dismiss the event.
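To make the contrast between single-model novelty and multi-variable scoring concrete, here is a toy detector written for this post (it is not Duo's code and says nothing about how Trust Monitor is actually implemented). It builds the per-user baseline described under “See the signs” from a constructed auth history and scores the first two example events above; the risk-profile doubling, the 90-day stale-app window and the threshold of two signals are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample history (not Duo's log format): user, app, OS,
# MFA method, country, UTC timestamp of past successful logins.
HISTORY = [
    ("vp_sales", "crm", "macos", "push", "US", "2024-03-01T14:05"),
    ("vp_sales", "crm", "macos", "push", "US", "2024-03-02T15:10"),
    ("vp_sales", "crm", "macos", "push", "US", "2024-03-03T13:55"),
    ("analyst", "payroll", "macos", "push", "US", "2023-09-01T10:00"),
    ("analyst", "wiki", "macos", "push", "US", "2024-03-01T09:30"),
    ("analyst", "wiki", "macos", "push", "US", "2024-03-02T09:40"),
]

def build_baseline(history):
    """Per-user baseline: OSes, MFA methods, countries and login hours
    seen before, plus the last time each app was used."""
    base = defaultdict(lambda: {"os": set(), "mfa": set(), "country": set(),
                                "hours": set(), "last_app": {}})
    for user, app, os_, mfa, country, ts in history:
        b = base[user]
        b["os"].add(os_); b["mfa"].add(mfa); b["country"].add(country)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["last_app"][app] = max(b["last_app"].get(app, ts), ts)
    return base

def score_auth(baseline, auth, risk_profile=(), stale_days=90):
    """Each variable that deviates from the user's baseline adds a signal;
    the score is the signal count, doubled when the app or country is in
    the admin's risk profile (hypothetical weighting)."""
    user, app, os_, mfa, country, ts = auth
    b, when, signals = baseline[user], datetime.fromisoformat(ts), []
    if os_ not in b["os"]:
        signals.append("new_os")
    if mfa not in b["mfa"]:
        signals.append("unusual_mfa")
    if country not in b["country"]:
        signals.append("new_country")
    if when.hour not in b["hours"]:
        signals.append("unusual_time")
    last = b["last_app"].get(app)
    if last is None:
        signals.append("new_app")
    elif (when - datetime.fromisoformat(last)).days > stale_days:
        signals.append("stale_app")
    weight = 2 if app in risk_profile or country in risk_profile else 1
    return len(signals) * weight, signals

def is_risky(score, threshold=2):
    """A single novel variable (score 1) is not enough to raise an event."""
    return score >= threshold
```

With this scoring, the VP’s 4:00 a.m. CRM login yields only the one “unusual_time” signal and stays below the threshold, while the Windows-plus-SMS attempt on an app the user has not touched in six months stacks three signals (doubled if the app is in the risk profile) and is surfaced.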
The goal of any risk analytics tool is to surface potential threats so that organizations can step up or step down their security policies to shore up any gaps. By providing contextual analysis, Duo Trust Monitor helps you spot the difference between legitimate and fraudulent access attempts while limiting false positives. Trust Monitor is included in our Access and Beyond edition subscriptions. It’s also integrated into the Cisco SecureX ecosystem so that you can access Trust Monitor telemetry data from the SecureX dashboard for enhanced threat intelligence. And, if you already have a SIEM (Security Incident and Event Management) solution, you can export Trust Monitor security event data directly to your favorite SIEM via API.
If you’d like to try Trust Monitor and experience how Duo can help you spot the difference between legitimate and suspicious access events that could be potential threats, sign up for a free 30-day trial.