How Duo Blocks Vulnerable Endpoints From Accessing Applications
This is the second of a four-part blog series on how Duo helps organizations verify device trust. Gartner predicts that, through 2020, 99% of vulnerabilities exploited will continue to be the same ones known for at least one year by security and IT professionals. In this blog, we will take a look at why it is difficult to patch known OS vulnerabilities.
While users may know that it is important to keep their devices up-to-date and patched, many procrastinate updating the operating systems on phones and laptops because it could be time-consuming, or worse, slow down the devices. From an IT security perspective, not updating the device poses a significant cyber risk for the organization because those OS updates may include critical security patches. Just last month both Microsoft and Apple released security updates. On Jan 14, 2020, Microsoft released a patch to address a critical Windows 10 vulnerability discovered by the NSA. And on Jan 28, 2020, Apple released a security update for iOS and macOS platforms to address.
Naturally, IT security teams would want to ensure that any device accessing corporate resources is patched and compliant with their corporate security policies. To get this level of visibility and achieve this goal, organizations have deployed MDMs, configuration management systems and patch management solutions. This may work for corporate managed devices, but challenges exist for both end users and administrators.
What Are the Device Challenges for IT Security?
- Administrative Overhead: The process of getting all the users’ devices patched can be a laborious task for administrators, involving manual follow-ups and taking weeks if not months. This is a significant exposure window. Without an actual enforcement point, administrators could be allowing vulnerable devices into an organization’s network.
- User Experience: For managed devices, one way to ensure policy compliance is by forcing an update to gain access. This takes away users' control over when they install the updates. If the updates are forced when the user is in the middle of a customer presentation or a meeting, it hampers both business productivity and user experience.
- BYOD and 3rd-Party Devices: And then there are the devices that are beyond the IT department’s control. These are personal and contractor or partner devices that are not enrolled in any device management solutions, but require access to cloud applications such as Office 365 or Dropbox. IT teams lack visibility into these devices and the ability to verify their health status before granting access to data.
Not Today, Zero Day
The Duo Device Health application was built to solve these challenges. It is a lightweight application that runs in the background on platforms such as Windows 10 or macOS 10.13 or later. The application is designed to collect only the information required to assess the security status of the device. End users have complete control of the application and can easily install it when they need to access a Duo-protected application.
The Duo Device Health application performs security checks at the time of authentication to help ensure secure application access. These checks include OS version and patch level, and the status of the host firewall, system password and disk encryption. The application can also verify that endpoints have one of the following antivirus or anti-malware solutions in place before accessing an application:
- Cisco AMP for Endpoints
- CrowdStrike Falcon Sensor
- Symantec Endpoint Protection
- Windows Defender
“The Duo Device Health application allows us to seamlessly enforce our company policy at the most important point in time: when users connect to our sensitive applications. We're able to ensure that the devices connecting to our applications are company owned, up to date, encrypted, password protected, firewalled, and running our company AV/EDR. Relying on the Device Health application as an enforcement point takes pressure off of the IT team to constantly chase down assets that may be out of compliance.”
— Jason Waits, Cyber Security Risk Officer, Inductive Automation
Customer Story: Inductive Automation
Empowering IT Department and End Users with Better Security
When the vulnerabilities were announced, the Duo Device Health application made it easy for our IT security team to ensure that devices are patched, up-to-date and secure before granting application access. Minimizing the risk exposure by getting the devices updated within a day was as simple as:
- Configuring a policy on the Duo Admin panel to allow devices with the latest patch.
- Sending an email to the entire organization informing users about the vulnerability and how long they had to install the security updates to maintain access to applications.
- Enabling self-remediation for end users. The application also informs users what action is required and how to complete that action. They can continue to work and finish any tasks, but will not be able to access the application after the stipulated deadline. Users have complete control to plan and install the updates.
This way our IT security team confidently ensured that the devices accessing corporate applications have the required security updates installed.
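The authentication-time checks and the remediation deadline described above can be sketched as a small policy evaluator. This is an added example, not Duo's code or API: the policy keys, report fields, version numbers and deadline are constructed for illustration, and limiting the grace period to a missing OS patch is an assumption.

```python
from datetime import datetime, timezone

# Hypothetical policy; keys and sample values are constructed for this example.
POLICY = {
    "min_os": {"macos": "10.15.3", "windows": "10.0.18363.592"},
    "required": ("firewall_on", "disk_encrypted", "password_set"),
    "approved_agents": {"Cisco AMP for Endpoints", "CrowdStrike Falcon Sensor",
                        "Symantec Endpoint Protection", "Windows Defender"},
    "patch_deadline": datetime(2020, 2, 5, tzinfo=timezone.utc),
}

def parse_version(text):
    """Numeric tuple, so '10.9' sorts below '10.15.3' (string comparison would not)."""
    return tuple(int(part) for part in text.split("."))

def evaluate(report, policy, now):
    """Return (decision, reasons); decision is 'allow', 'warn' or 'block'."""
    hard, soft = [], []
    minimum = policy["min_os"].get(report.get("platform"))
    if minimum is None:
        hard.append("unsupported platform")
    else:
        try:
            if parse_version(report["os_version"]) < parse_version(minimum):
                soft.append(f"OS below {minimum}")
        except (KeyError, ValueError, AttributeError):
            hard.append("OS version missing or malformed")
    for check in policy["required"]:
        if report.get(check) is not True:  # a missing field fails closed
            hard.append(f"{check} not satisfied")
    if not policy["approved_agents"] & set(report.get("agents", ())):
        hard.append("no approved security agent")
    if hard:
        return "block", hard + soft
    if soft:
        # Assumption: only a missing OS patch gets the grace period.
        return ("warn" if now < policy["patch_deadline"] else "block"), soft
    return "allow", []

# Constructed sample report from an unpatched but otherwise healthy device.
SAMPLE = {"platform": "macos", "os_version": "10.15.2", "firewall_on": True,
          "disk_encrypted": True, "password_set": True,
          "agents": ["CrowdStrike Falcon Sensor"]}

if __name__ == "__main__":
    print(evaluate(SAMPLE, POLICY, datetime(2020, 2, 1, tzinfo=timezone.utc)))
```

A "warn" result corresponds to the self-remediation window: access continues and the user is told what to fix, while the same report after the deadline is blocked.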
Now isn't that security made easy? What was your experience in getting the recent security updates? And if you are a security professional, are you confident that the endpoints accessing your organization’s applications have the recent security updates installed?
The Device Health application is just one of the ways that Duo can verify the trustworthiness of a device at the time of access. Try it for free by signing up for a 30-day trial.
Stay tuned for the next blog of the Device Trust series where you can learn how Duo can stop a compromised endpoint from accessing an application.