Duo Trust Monitor is a beta feature. Interested Duo Access and Duo Beyond plan customers please contact your Duo account executive or Duo Care customer success manager for access.
Duo Trust Monitor is a threat detection feature focused on surfacing valuable and actionable security events to Duo administrators. To do this, Duo Trust Monitor creates a baseline of normal user and device access behavior by analyzing and modeling Duo authentication data. The feature considers:
Duo scores deviations from this baseline based on their distance from expected behavior. Trust Monitor surfaces highly anomalous access attempts to highlight potentially suspicious activity and aid in investigations around compromised credentials, account takeover, or application access abuse. Visibility into abnormal access attempts enables Duo administrators to detect suspicious activity and tighten access policies.
Duo Trust Monitor analyzes and models authentication telemetry in order to highlight risk as well as adapt its understanding of normal user behavior. Here is a sampling of some of the telemetry Duo Trust Monitor considers:
|Data Type||Definition or Example|
|Timestamp||Current server timestamp in seconds|
|Integration||Cisco AnyConnect VPN, Office 365|
|Factor||Push, SMS, Passcode|
|IP address of access or auth device||The IPv4 address of the user to be authenticated.|
|Access or authentication device characteristics||Various, pending use of Duo Device Insight, Duo Device Health Application, and Trusted Endpoints.|
|Authentication result||Success, Failure, Fraud|
Duo Trust Monitor may leverage up to 180 days worth of historical Duo data to define a baseline. However, organizations don’t need this much data for Duo Trust Monitor to be useful. We recommend customers enable the feature after using Duo in their environment for at least six weeks.
Upon enabling the feature, Duo Trust Monitor will begin evaluating available authentication data immediately and begin to surface Security Events within 24-48 hours. Duo Trust Monitor on average surfaces two events per day. The surfaced events will have the highest anomaly scores of the cohort analyzed.
Duo Trust Monitor operates on Duo usage data only and does not currently ingest any third-party data to create models of behavior; therefore all data analyzed is currently covered under the Cisco Online Privacy Statement and described in the Cisco Duo Privacy Data Sheet.
Duo Trust Monitor uses a variety of tactics to build out a threat model. Duo Trust Monitor evaluates the effect of each component over time and learns which combinations provide the most security value. Here is a sampling of some of the models present within the feature:
|Novelty||Presence of a new variable in the access attempt. This includes a brand new device or location, or an attempt to access an application for the first time.|
|Rarity||Rarity covers the cases where a variable isn’t new, but is exceedingly infrequent, such as a variable present in 1% of access attempts.|
|Attack Pattern||Known patterns in the world of access security, such as unrealistic geovelocity logins and brute force attacks. Duo Trust Monitor surfaces attempts that fit these patterns.|
|Known Signal||Examples of inherently risky signals include a user marking an attempt as fraud or an admin creating an MFA bypass code.|
|Compounding Risk||Access attempts that include more anomalous variables or distinct threat models combine to be more risky than those with fewer.|
|Administrator Designated||Duo Trust Monitor’s Risk Profile enables Duo administrators to set priority assets. These assets are then prioritized in the feature’s risk assessment.|
When first setting up Duo Trust Monitor, administrators should designate their organization’s Risk Profile. The Risk Profile flow enables administrators to select a prioritized set of Duo-protected applications, user groups, and locations/IPs.
By setting and saving the Risk Profile, Duo Trust Monitor will weight Security Events involving these selections as more important than anomalies that don’t include a Risk Profile designation. Risk Profile anomalies appear at the top of the Security Events board and they are also marked with a yellow shield icon. Hovering over the yellow shield icon explains the connection between the event and the Risk Profile.
Setting the Risk Profile is only a prioritization measure, it will not stop Duo Trust Monitor from surfacing events outside the scope of the profile. If an administrator either skips the Risk Profile set-up or selects every application, group, and location, Duo Trust Monitor still functions, but the feature will not prioritize any anomalies specifically over others.
Role required: Owner or Administrator
When creating a Risk Profile, you'll step through selecting applications, user groups, and locations/IPs for inclusion in the profile.
To set up a Risk Profile:
Log into the Duo Admin Panel and navigate to Trust Monitor → Risk Profile.
Click Create Risk Profile.
The first step is selecting applications. Scroll through the list of all applications protected by Duo in your organization’s environment, and select the high-value applications to include in the Risk Profile. We recommend selecting three to five applications.
Once you've selected the applications to include, click Next: User Groups.
Your next step is selecting the priority user groups. Highly credentialed power users, contractors, and users in bypass mode are often selected, but the exact configuration will vary by organizational structure. We recommend selecting three to eight groups.
After you've selected priority user groups, click Next: Access Points.
The last step in the Risk Profile configuration is setting trusted IPs or selecting risky countries. Typical selections would be countries where your organizations doesn’t do any business or have any users, meaning an access attempt from those countries would warrant some suspicion. For low-risk IPs, companies may enter corporate network blocks or trusted IP ranges. To reiterate, this tool merely prioritizes anomalies; events from a trusted network or country can still be surfaced in the Security Events dashboard.
Click Next: Review Selections to move on to the final step.
Review your application, group, and location/IP selections. If you need to make corrections you can use the "Back to ..." buttons to revisit each of the selections steps. If everything looks OK, click Apply Configuration.
Once you apply the new Risk Profile, Duo Trust Monitor starts prioritizing events based on your selections and makes them visible on the Security Events board.
Role required: Owner or Administrator
If something within the organization changes, you can always edit your Risk Profile to reflect the change.
To edit the Risk Profile:
Navigate to Trust Monitor in the Duo Admin Panel.
Click the Edit Risk Profile link on the right side of the Security Events board.
Repeat stepping through the application, group, and location/IP selections.
Click Apply Configuration to save your edits to the Risk Profile.
After the edit, Duo Trust Monitor will prioritize and mark events based on the new Risk Profile.
Role required: Owner or Administrator to triage events; Read-only admins may review events.
The Security Events dashboard is where you can review the events surfaced by Duo Trust Monitor. A Security Event is an authentication that surfaced due to its anomaly score and a few other heuristics (e.g. no successful authentication within the same user session, the Risk Profile designation, etc.).
The Security Events dashboard includes a row for each event. The top row represents the highest priority event at any given time, based on both anomalistic nature and Risk Profile weighting.
Each event row includes a variety of columns that can be reviewed at a glance:
Context Icon: By clicking the icon with the boxed arrow, you can drill down on the context of the event. The pop-up window supplies more detailed information regarding the access attempt and a timeline of access events surrounding the anomalistic one.
Priority Icon: If an event has a yellow shield icon to the left of the user column, it is related to a Risk Profile designation. Hovering over the shield will show how the event connects to the Risk Profile.
User: The Duo username.
Time: Time and date of the event.
Access IP: The IP address of the accessing device.
Location: The geographic location of the access device, as determined by the IP address.
Application: The Duo-protected application accessed.
Cause: The reasons for surfacing the event, shows as red bubbles. By scrolling over each bubble, a modal will appear describing the statistics behind the cause. For example, in the case of a new access device, the modal will show the recent devices used in access attempts and their relative frequency - highlighting the rarity or novelty of the device used in the Security Event.
Here is a list of potential causes that could be surfaced by Duo Trust Monitor:
|New Access Device||The user has rarely or never used this device in the last 180 days.|
|New Location||The user has rarely or never accessed from this location in the last 180 days|
|New App||The user has rarely or never access this application in the last 180 days|
|Unusual Time||The user rarely or never accesses applications at this time of day.|
|Unusual 2FA Method||The user rarely or never accesses applications utilizing this 2FA method.|
|Unrealistic Geovelocity||The time and distance between two distinct logins makes it impossible for the user to have made both attempts.|
|User Marked Fraud||The user marked the authentication attempt as fraud.|
The last column is where you choose your response to the anomalous events, clicking either Triage or Mark as Uninteresting.
Click Triage to process Security Events. This opens the "Triage Anomalous Event" form. The optional feedback you provide here helps Duo Trust Monitor improve its model over time. There is also an area where you can leave comments regarding the event, especially in cases where you or another Duo administrator connected with the user regarding the access attempt.
When finished entering your feedback and comments, click Send to Processed to move the event into the "Processed" tab on the Security Events dashboard. Processed event details and comments can be reviewed here in the future.
Note: At this point, Duo Trust Monitor is a self-contained tool and there is no automated workflow to remediate an event outside of the Duo Admin Panel.
Click Mark as Uninteresting to respond to benign or unsuspicious access events surfaced by Duo Trust Monitor. This removes the event from the Security Events board. When you mark an event as uninteresting you'll be able to provide feedback as to why the event was uninteresting, which will help the Duo Trust Monitor model improve going forward. Marking an event as uninteresting helps Duo Trust Monitor improve its precision by adapting its understanding of what constitutes normal behavior for a user.
Duo Trust Monitor Security Events will be exportable via API upon General Availability (estimated July 2020).