<![CDATA[The Duo Blog]]> Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and the security health of their devices before they connect to the apps you want them to access. en-us info@duosecurity.com (Amy Vazquez) Copyright 2024 <![CDATA[5 Reasons Why It Makes Sense to Step Up to Duo Advantage]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/5-reasons-why-it-makes-sense-to-step-up-to-duo-advantage https://duo.com/blog/5-reasons-why-it-makes-sense-to-step-up-to-duo-advantage Product & Engineering

Stepping up to a better, more feature-rich product or service can seem challenging. In the end though, it’s worth the effort, especially when it addresses areas of need. For example, my TV is 14 years old. Although the picture quality is still excellent and there are some decent capabilities I can use, it’s missing many of today’s modern features that deliver a much better viewing experience than what I have now. So, I’ve got a plan to get a new model that offers the advanced features I want, and frankly need. And yeah, I’m pretty excited. Figuring out how to set up and use some of the advanced features will be challenging, but I’m up for it. I can see the benefits and the value.

More features, more value with Duo Advantage Edition

For organizations on the Duo Essentials edition, stepping up to Duo Advantage edition offers a slew of modern identity security and user experience features that add value to their Duo investment. Let’s take a look:

  1. Cisco Identity Intelligence (CII) — One half of Duo’s Continuous Identity Security solution, Cisco Identity Intelligence adds a powerful security layer for any identity infrastructure. CII addresses organizations’ need for comprehensive visibility into multi-vendor identity sources and high-fidelity threat protection. It also reduces coverage gaps by providing a broad range of MFA options for all your use cases plus added security layers using device trust and risk-based policies.

  2. Duo Passport — The other half of Continuous Identity Security, Passport enables organizations to provide their workforce with an exceptional user experience by dramatically reducing the number of times users are asked to authenticate. After logging in and authenticating just once on a trusted device, users get uninterrupted access to permitted applications across browsers and thick clients, minimizing repeated authentication requests throughout their workday and increasing productivity.

  3. Device Health Checks — Allowing a device that’s running outdated software — like an operating system, browser or plug-in — to access your network is risky. Duo Desktop, Duo’s native client application for macOS, Windows and Linux endpoints, reduces that risk by assessing an endpoint’s health posture at the point of authentication and checking it against your access security policy. Devices that fail a health check are blocked from accessing the application. Duo also provides guided self-remediation: step-by-step instructions that help end users bring a failing device back into compliance without contacting IT, after which they can immediately access the application from the now-compliant device.

  4. Risk-based Authentication — If you have a mobile workforce or you like to work from a different location every now and then, Risk-based Authentication evaluates risk signals such as location at the time of login and then adjusts the authentication requirements based on risk level. If the risk is low and trust is high, the user can complete a basic Duo Push. However, if trust is low, the user is asked to step up to a more secure authentication method like a Verified Duo Push or passwordless authentication to re-establish trust.

  5. Trust Monitor — If you’ve ever had to sort through mountains of log data to identify anomalous access events that could be threats to your network, you know it’s tedious and time-consuming. Trust Monitor does the work for you by sorting through your organization’s authentication logs and surfacing unusual access and device registration attempts, enabling you to detect and remediate compromised accounts proactively.

  6. More Reasons — I know I said there were five reasons, but I’ll add in a bonus round. Stepping up to Duo Advantage also unlocks more of what you get with Duo Essentials — more adaptive access policies, more customizable reports and more insight into devices connecting to your network. In other words, Duo Advantage “Goes to 11.”
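To make the step-up logic in reasons 4 and 5 concrete, here is an added example (written for this post, not Duo's code) that scores logins against what each user has done before. It builds a per-user baseline of countries and devices from successful logins, scores each new login against that baseline plus the run of denied pushes before it, maps the score to the factor to require (Duo Push, Verified Duo Push, passwordless) and returns the events worth an analyst's review. The log records, weights, cut-offs and factor names are constructed assumptions, not Duo's scoring model.

```python
"""Added example, not Duo's code: score logins against a per-user baseline to
(a) decide which authenticator to require, as a risk-based authentication
engine would, and (b) surface the events an analyst should review, as an
authentication-log monitor would. Log records, names, weights and thresholds
are all constructed for illustration and are not Duo's algorithm."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed authentication log. "failure" stands for a denied or
# unanswered push; timestamps are arbitrary increasing integers.
AUTH_LOG = [
    {"user": "alice", "country": "US", "device": "laptop-a1", "result": "success", "ts": 1000},
    {"user": "bob",   "country": "DE", "device": "laptop-b9", "result": "success", "ts": 1500},
    {"user": "alice", "country": "US", "device": "laptop-a1", "result": "success", "ts": 2000},
    {"user": "alice", "country": "US", "device": "laptop-a1", "result": "success", "ts": 3000},
    {"user": "alice", "country": "RO", "device": "unknown-77", "result": "success", "ts": 3300},
    {"user": "bob",   "country": "DE", "device": "laptop-b9", "result": "failure", "ts": 4000},
    {"user": "bob",   "country": "DE", "device": "laptop-b9", "result": "failure", "ts": 4010},
    {"user": "bob",   "country": "DE", "device": "laptop-b9", "result": "failure", "ts": 4020},
    {"user": "bob",   "country": "DE", "device": "laptop-b9", "result": "success", "ts": 4030},
]

REVIEW_THRESHOLD = 30  # assumed: anything at or above this is worth a look


@dataclass
class Baseline:
    """What we have seen this user do successfully before."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)


def score_event(event, baseline, failures_before):
    """Return (score, reasons). Weights are illustrative assumptions."""
    score, reasons = 0, []
    if event["country"] not in baseline.countries:
        score += 40
        reasons.append("login from new country %s" % event["country"])
    if event["device"] not in baseline.devices:
        score += 40
        reasons.append("unrecognised device %s" % event["device"])
    if failures_before >= 3:
        score += 30
        reasons.append("%d denied pushes before success" % failures_before)
    return score, reasons


def required_factor(score):
    """Step-up ladder: basic push, then Verified Duo Push (user must type a
    code shown on the login page), then passwordless/FIDO2. Cut-offs assumed."""
    if score < 30:
        return "push"
    if score < 70:
        return "verified_push"
    return "passwordless"


def evaluate(events):
    """Walk the log in time order. Each successful login is scored against
    what was known about the user *before* it, then folded into the baseline,
    so the event cannot vouch for itself. Returns the findings to review."""
    baselines = defaultdict(Baseline)
    failures = defaultdict(int)
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        u = e["user"]
        if e["result"] != "success":
            failures[u] += 1
            continue
        if baselines[u].countries:  # skip a user's very first login: no baseline yet
            score, reasons = score_event(e, baselines[u], failures[u])
            if score >= REVIEW_THRESHOLD:
                findings.append({"user": u, "ts": e["ts"], "score": score,
                                 "reasons": reasons, "required": required_factor(score)})
        baselines[u].countries.add(e["country"])
        baselines[u].devices.add(e["device"])
        failures[u] = 0
    return findings


if __name__ == "__main__":
    for finding in evaluate(AUTH_LOG):
        print(finding)
```

Note the ordering inside evaluate: an event is scored before it is added to the baseline. Fold it in first and a takeover from a new country on a new device looks normal the moment it succeeds.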

Making the move to Duo Advantage

Moving from Duo Essentials to Duo Advantage might seem like a big step up, but for those who do, the benefits are many. Everything I discussed earlier is included in a Duo Advantage subscription. And when it comes to configuring these features, you don’t need to go it alone. Duo Care Premium Support provides customers with the opportunity to work directly with a dedicated Customer Service team to roll out their Advantage deployment.

If you’re interested in test driving the features in Duo Advantage, contact your local Duo reseller or managed service provider (MSP). You can also sign up for a Free Trial which includes 30 days of Duo Advantage edition.

In addition, we encourage you to see what your peers are saying about Duo. You can read customer reviews on sites such as TrustRadius, which just named Duo a Buyer's Choice Award winner in the Authentication category for 2025.

]]>
<![CDATA[3 Reasons Customers Are Loving Duo Passport]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/3-reasons-customers-are-loving-duo-passport https://duo.com/blog/3-reasons-customers-are-loving-duo-passport Product & Engineering

The rise of multi-factor authentication (MFA) has been good for security. The merits of MFA have been so widely accepted that governments recommend it, cyber insurance providers often require it, and companies like Microsoft and Google are now mandating MFA for a variety of login use cases.

However, the rise of MFA has come with a correlated challenge: authentication fatigue.

Employees often struggle to navigate the complex web of passwords, authentication prompts and MFA requirements, leading to frustration and even bad behavior. Repeatedly entering credentials and performing MFA across multiple applications not only wastes time but can also incentivize employees to subvert authentication controls, eroding their security efficacy.

The problem of authentication fatigue is exactly why we introduced Duo Passport about six months ago. By enabling users to log in just once to their work device and gain secure access to applications throughout the day, Duo Passport eliminates the need for repetitive authentication. This frictionless approach to authentication not only boosts end user productivity, but also ensures strong authentication security is in place across diverse IT environments.

To review, Duo Passport delivers a seamless access experience by making the authentication process invisible to users. Upon login, Duo verifies the user's identity and the trustworthiness of the device, whether it's a corporate-managed device or registered with Duo. Once authenticated, Duo continually verifies trust for every access request based on adaptive and risk-based policies behind the scenes — without re-prompting users for authentication. This eliminates the need for users to constantly prove their identity, reducing authentication fatigue and streamlining their workflows.

Since its introduction, Duo Passport has been adopted by hundreds of customers and garnered positive feedback from users and administrators alike.

Here are the top 3 reasons customers are loving Duo Passport so far:

  1. Simple Setup: Administrators have been pleasantly surprised by the ease of setting up Duo Passport, with only two clicks required. This simplicity translates into reduced administrative burden and faster implementation.

  2. Serious Time Saved: So far, Duo Passport has seamlessly and securely saved users from hundreds of thousands of authentications, equivalent to literal months of time spent authenticating. This time-saving capability demonstrates the significant impact Duo Passport has on user productivity.

  3. Minimal Support Cases: Once Duo Passport is up and rolling, the ongoing care and feeding of the feature is minimal. In the last month, there have been zero help desk tickets associated with using Duo Passport.

As more MFA mandates are put in place, the importance of using a tool like Duo Passport only increases. By reducing authentication fatigue and providing a frictionless experience, Duo Passport empowers users to focus on their work while maintaining the robust security of MFA. The remarkable adoption rates, time saved and minimal administrative burden highlight the tangible value of implementing Duo Passport.

As organizations strive for a secure and seamless user login experience, Duo Passport emerges as the solution that bridges the gap between security best practice and delightful user experience.

Ready to enhance your organization's security and user experience? Explore Duo Passport today and unlock the power of seamless authentication or reach out to sales to learn more.

]]>
<![CDATA[Why Cybersecurity Strategy Must Start With Identity]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/why-cybersecurity-strategy-must-start-with-identity https://duo.com/blog/why-cybersecurity-strategy-must-start-with-identity Industry News

In today's digital age, the concept of security has evolved far beyond the traditional boundaries of firewalls and antivirus software. With the ongoing movement towards digital transformation, cloud adoption, hybrid work environments and increased business interconnectivity, workforce identity tools have emerged as the new perimeter. This shift has made identity-first security a core component of modern security initiatives, such as zero trust architecture and cloud-first strategies.

The identity crisis: Breaches leveraging employee identity

According to Cisco Talos, 80% of security breaches today leverage compromised employee identities. The trend continued in their most recent quarterly threat trends report, which highlighted identity and improper use of MFA as key vectors for attack. These findings are not surprising, given that identity technology, which originated in IT, has become increasingly complex over the past decade. Identity sprawl, where organizations have a diverse array of users, including employees, contractors and partners accessing corporate resources, is a common issue. Managing these diverse sets of users with multiple accounts can be challenging, especially if multiple identity stores and identity providers are involved.

Attackers are exploiting this complexity to gain unauthorized access to company environments, bypassing commonplace security measures.

Traditionally, organizations have relied on strong authentication requirements, such as multi-factor authentication (MFA), to address compromised access. However, attackers have become adept at finding the gaps where MFA is not required or subverting MFA altogether through technical mechanisms like adversary-in-the-middle or even just particularly nuanced social engineering.

The need for a holistic identity security program

To effectively combat identity-based threats, organizations must implement a comprehensive identity security program. The first step in this program is gaining visibility across the entire identity ecosystem. This is a larger ask than may seem apparent — identity infrastructure has many components and the relationships between accounts and access is often hard to parse. But the benefits of investing in cross-platform visibility are tangible and measurable.

To start, this visibility enables proactive measures known as Identity Security Posture Management (ISPM). ISPM initiatives include efforts like ensuring widespread adoption and usage of MFA and cleaning up dormant or inactive digital identities to prevent their exploitation by attackers. According to Cisco Identity Intelligence, 24% of user accounts are inactive or dormant, and 40% of accounts lack strong MFA. Addressing these posture gaps is crucial for strengthening defenses and reducing the risk of breaches.
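As an added illustration of the posture work described here (example code written for this post, not a Duo or Cisco Identity Intelligence feature), the check below takes a constructed account inventory and reports the two gaps quoted above: dormant accounts and accounts without a strong MFA method, then turns them into a remediation list. The account data, the 90-day dormancy window and the choice of which methods count as weak are all assumptions.

```python
"""Added example, not Duo's code: an identity posture check over a constructed
account inventory. It finds dormant accounts and accounts without a strong
MFA method, the two gaps the article quantifies, and turns them into a
remediation list. Inventory, thresholds and the weak-method set are assumptions."""
from datetime import date

TODAY = date(2024, 10, 1)

# Constructed inventory; in practice this comes from the directory / IdP.
ACCOUNTS = [
    {"user": "alice",  "status": "active",   "last_login": date(2024, 9, 28), "mfa": ["push", "webauthn"]},
    {"user": "bob",    "status": "active",   "last_login": date(2024, 5, 2),  "mfa": ["sms"]},
    {"user": "carol",  "status": "active",   "last_login": None,              "mfa": []},
    {"user": "dave",   "status": "active",   "last_login": date(2024, 9, 1),  "mfa": ["phone"]},
    {"user": "svc-bk", "status": "active",   "last_login": date(2024, 1, 10), "mfa": ["push"]},
    {"user": "erin",   "status": "disabled", "last_login": date(2023, 2, 1),  "mfa": []},
]

# Assumption: telephony factors are "weak"; anything else (push, WebAuthn,
# hardware token) counts as strong for this check.
WEAK_METHODS = {"sms", "phone"}
DORMANT_DAYS = 90


def is_dormant(acct, today=TODAY, days=DORMANT_DAYS):
    """Never logged in, or last login older than the dormancy window."""
    last = acct["last_login"]
    return last is None or (today - last).days > days


def has_strong_mfa(acct):
    return any(m not in WEAK_METHODS for m in acct["mfa"])


def posture_report(accounts, today=TODAY):
    """Dormant and weak-MFA lists plus the percentages an ISPM dashboard shows.
    Disabled accounts are excluded: they are already remediated."""
    active = [a for a in accounts if a["status"] == "active"]
    dormant = [a["user"] for a in active if is_dormant(a, today)]
    weak = [a["user"] for a in active if not has_strong_mfa(a)]
    n = len(active) or 1
    return {
        "dormant": dormant,
        "weak_mfa": weak,
        "dormant_pct": round(100 * len(dormant) / n),
        "weak_mfa_pct": round(100 * len(weak) / n),
    }


def remediation(report):
    """Dormant accounts get disabled first (a dormant account needs no MFA
    upgrade); remaining weak-MFA accounts get a strong-method enrolment task."""
    actions = [(u, "disable") for u in report["dormant"]]
    actions += [(u, "enrol_strong_mfa") for u in report["weak_mfa"]
                if u not in report["dormant"]]
    return actions


if __name__ == "__main__":
    rep = posture_report(ACCOUNTS)
    print(rep)
    for user, action in remediation(rep):
        print(f"{user}: {action}")
```

The service account in the sample (svc-bk) shows why the dormancy check needs a human in the loop: a backup account that logs in quarterly is "dormant" by this rule but may be legitimate, so the disable action should be a ticket, not an automatic change.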

Identity Threat Detection & Response: Limiting the blast radius

A robust identity security program also includes dedicated Identity Threat Detection & Response (ITDR). The problem with traditional Threat Detection & Response solutions is their generality and primary focus on non-identity infrastructure components. Typically, security operations tools focus on the endpoint or network without the context they need to effectively detect identity threats. Moreover, the detection logic leveraged within these tools often assumes endpoint or network compromise and can miss the patterns associated with identity-based threats.

By implementing threat detection and response that is dedicated to identity as a vector, organizations will limit the blast radius and accelerate remediation actions. ITDR ensures that organizations can quickly detect and respond to identity-based threats, minimizing the impact on their operations.

Moving beyond authentication

In conclusion, the rise of identity security necessitates a shift beyond relying solely on authentication to address compromised identities. Organizations must implement robust and holistic identity security programs that encompass visibility, posture management, and threat detection and response. By doing so, they can effectively protect their digital frontiers and ensure the security of their operations in an increasingly complex and interconnected world.

As identity continues to be the most important perimeter, it is imperative for organizations to stay ahead of attackers by adopting comprehensive identity security strategies. This approach not only enhances security but also improves user experience and delivers significant financial benefits. The time to act is now, and the path forward is clear: Embrace identity security as a cornerstone of your organization's defense strategy.

To learn more about building a comprehensive identity security program, learn more in our ebook Building an Identity Security Program.

]]>
<![CDATA[Duo Named a TrustRadius Buyer’s Choice Award Winner]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/duo-named-a-trustradius-buyers-choice-award-winner https://duo.com/blog/duo-named-a-trustradius-buyers-choice-award-winner Industry News

Winning an award, especially one based on feedback from users of your product or service, is gratifying. It’s validation that you are designing and delivering solutions that address your customers’ needs.

“Cisco Duo winning the TrustRadius Buyer's Choice Award is a testament to their critical role in security for organizations across the globe,” said Allyson Havener, SVP of Marketing & Community at TrustRadius. “This award, based on vetted customer reviews, highlights how Duo makes it simple for businesses to implement strong, reliable multi-factor authentication and safeguard their digital environments. Congrats Cisco Duo for delivering a solution that not only enhances security but also builds deep trust with its users through ease of use and dependability."

Earning the Buyer’s Choice Award is significant because it’s based on peer reviews written by practitioners, consultants, decision-makers and others who have experience using Duo. Reviewers are authenticated and their experience with the product is verified through a multi-step process prior to writing a review on the TrustRadius website. This ensures technology buyers are reading opinions they can trust. According to TrustRadius, "During the review process, we don’t just ask reviewers if they liked or didn’t like the product — we dig deeper. Reviewers are asked if products and their support teams live up to expectations; and if they would buy the product again. These candid answers shape whether or not a product is chosen as ‘best’ in each of the key areas."

Here's what customers who have written a review on the TrustRadius site are saying about Duo.

“Duo Security is a simple low friction way to solve the problem of compromised accounts. At our organization, we had dozens and dozens of these. Users would fall for a phish and surrender their passwords. The hackers would then have access to their accounts to use them for their own purposes. Duo solved that problem.” — IT Analyst, Higher Education

“Cisco Duo also gives us flexibility with how 2FA is set up, whether it be an app push, SMS or telephone call, we can provide a variety of options to our end users. It's a great security option to add into an environment and easy to do so, with great support and online documentation.” — Information Technology Manager, Transportation

“We have used Cisco Duo for three years now, and we are very satisfied with this product. Our organization faced brute-force attacks, and we really needed a security product to solve that problem.” — Information Technology Manager, Military

This is not the first time Duo has received an award from TrustRadius. The 2025 Buyer’s Choice Award follows on the heels of Duo being named Top Rated for 2024 in three TrustRadius categories.

Visit us online to learn more about how Duo can help your organization protect against identity-based threats while delivering an exceptional user experience with solutions such as Continuous Identity Security. You can also check out Duo reviews on TrustRadius or sign up for a free trial to try Duo for yourself.

]]>
<![CDATA[Supercharging Your Fortinet FortiGate VPN With Duo SSO]]> lgreer@duo.com (Landon Greer) https://duo.com/blog/supercharging-your-fortinet-fortigate-vpn-with-duo-sso https://duo.com/blog/supercharging-your-fortinet-fortigate-vpn-with-duo-sso Product & Engineering

Hey there, Fortinet FortiGate users!

Let's talk about how Duo SSO is revolutionizing FortiGate VPN access.

Picture this: You're securing VPN logins in under an hour, authenticating users in seconds and saying goodbye to those pesky stolen credential risks. Sounds too good to be true? Well, it's not, and thousands of Fortinet firewall customers are already reaping the benefits.

"But wait," you might be thinking, "I'm already using Duo with my FortiGate VPN through RADIUS. Why should I bother switching to SSO?" Great question! RADIUS has served us well, but it's starting to show its age: it is built around a password as the first factor, so the passwordless, Verified Push and risk-based options below need a SAML login flow to work. Plus, why settle for 'good enough' when you can have 'great', at no extra cost?

Why Duo SSO is the superhero your FortiGate VPN needs

Security for superheroes

  • Passwordless authentication: Leverage methods like passkeys and biometrics

  • Verified Duo Push: An extra layer of verification to stop push fatigue attacks

  • Risk-based authentication: Adjust security measures based on contextual risk factors 

Simplicity is the ultimate sophistication

  • Intuitive interface: A redesigned, user-friendly authentication process

  • Self-service capabilities: Empower users to manage their own devices and authentication methods

  • Multi-language support: Cater to your global workforce with localized experiences

Control freak (in a good way)

  • Device trust policies: Easily manage access based on endpoint security posture

  • Advanced security protocols: Move from legacy RADIUS to a standards-based SAML 2.0 login flow

  • Comprehensive accessibility: Ensure strong authentication is available to all users, regardless of ability

Modernize your FortiGate VPN logins with Duo SSO

Setting up Duo SSO with your FortiGate VPN is a breeze. It's like following a recipe, but instead of a delicious meal, you end up with ironclad security (which, let's be honest, is delicious in its own right):

  1. Open your Duo SSO configuration in the Admin Panel.

  2. Connect your FortiGate VPN to Duo SSO using SAML 2.0 (it's like introducing two friends who are destined to become besties).

  3. Sprinkle in some Duo Policy requirements.

  4. Taste-test with a pilot group.

And voilà! You've got yourself a security masterpiece.

Wrapping Things Up

But wait, there's more! Duo Single Sign-On plays well with others. Whether you're juggling Microsoft 365, Salesforce or a smorgasbord of other apps, Duo's got your back!

So, what are you waiting for? It's time to give your FortiGate VPN the upgrade it deserves. Your IT team will thank you for the simplified management, your security folks will sleep better at night and your users? They'll wonder how they ever lived without it.

Ready to join the Duo SSO revolution? Reach out to us today, and let's make your FortiGate VPN the Fort Knox of the digital world — but way easier to get into (for the right people, of course).

]]>
<![CDATA[4 Key Pillars of Building an Identity Security Program]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/4-key-pillars-of-building-an-identity-security-program https://duo.com/blog/4-key-pillars-of-building-an-identity-security-program Industry News

Identity security is more crucial than ever. In a recent survey of IT and security leaders, Cisco found that 65% of them see Identity & Access Management (IAM) as a top priority for the next 2-3 years. This makes sense — as businesses face an increasing array of threats like phishing, social engineering and even MFA bypass, it becomes critical that organizations build a comprehensive identity security program. By developing a dedicated identity security practice, organizations can arm themselves against hackers looking to log in with forged, stolen or spoofed credentials — pretending to be the very workers we’d like to protect.

As we discuss in our Identity Security Blueprint, this is where the four pillars of identity security (Identify, Detect, Protect and Respond) come into play. When implemented as part of a robust strategy, they offer a strong foundation for securing your organization’s digital environment.

In this blog post, we’ll dive deeper into what those four pillars look like, how you can implement them and how Duo can help you get there.

1. Identify: Know your users and assets

The first step in any identity security program is knowing who your users are and what they have access to. This requires accurate user identification and a clear understanding of each user’s role within the organization. Ensuring that only authorized users have access to sensitive information reduces the risk of unauthorized entry and data breaches.

  • How Duo Helps: Duo’s Identity Intelligence functionality can create an inventory of users and devices. This visibility helps set a baseline for normal access in an environment and enables proactive posture improvement work (i.e., ensuring that everyone is using strong MFA).

2. Detect: Monitor for suspicious behavior

After identifying users, it’s essential to monitor their behavior. Anomalous activity — such as failed login attempts, unusual locations or abnormal behavior patterns — can be a sign of compromised credentials or insider threats. Continuous monitoring helps detect these warning signs before they escalate into major security incidents.

  • How Duo Helps: Duo has a variety of ways to detect anomalous behavior and provide context to security and IT teams. Moreover, Duo’s adaptive authentication can react to risk signals in real-time. If an action is flagged as high risk, Duo can automatically enforce additional authentication steps or block access entirely.

3. Protect: Safeguard against attacks

Prevention is key when it comes to identity security. By putting proactive protections in place, organizations can minimize their exposure to threats. This includes securing endpoints, enforcing strong authentication measures and ensuring the overall health of devices that access the network.

  • How Duo Helps: Duo not only provides MFA but also includes industry-leading Device Trust functionality. Duo can invoke these features in granular access policies, ensuring that all users and devices meet security standards before they access corporate resources.

4. Respond: Take action against threats

Even with the best defenses, no system is 100% immune to attacks. This makes a strong response plan critical. Responding quickly and effectively to incidents helps minimize damage and recover more quickly. This involves having automated responses in place to block compromised accounts and tools to investigate and remediate issues.

  • How Duo Helps: Duo provides real-time insights into login activity, device health and risk levels, allowing IT teams to respond immediately to potential threats. By quickly locking down accounts or enforcing new security measures, organizations can limit the spread of an attack.

Building your identity security program with Duo

By implementing the four pillars — Identify, Detect, Protect and Respond — into your organization’s identity security strategy, you’re building a comprehensive defense against modern threats. Duo’s portfolio of features supports each of these pillars and forms a unified identity security platform that safeguards your users and keeps your organization secure.

Ready to get started? Read our in-depth look at how to develop a world-class identity security program by downloading our 2024 Identity Security Blueprint.

]]>
<![CDATA[Take the Guesswork Out of Policy Evaluation With Duo’s Policy Calculator]]> anishaa@cisco.com (Anisha Agarwal) https://duo.com/blog/take-the-guesswork-out-of-policy-evaluation-with-duos-policy-calculator https://duo.com/blog/take-the-guesswork-out-of-policy-evaluation-with-duos-policy-calculator Product & Engineering

A brand-new tool has landed in Duo. The policy calculator is here to simplify policy like never before. It’s your new go-to feature for effortless policy management and evaluation.

What is the Policy Calculator all about?

Managing multiple security policies in Duo is a crucial and complex task. Our rule-based policy engine brings flexibility, but figuring out exactly how all those policies combine can be a real head-scratcher.

That's where the Policy Calculator comes in. This tool is designed to take the guesswork (and stress) out of policy. It allows you to see exactly which policies apply when a user accesses an application, providing a clear, rule-by-rule breakdown of the final policy in effect. Not only does it give you the final calculated policy, but it also shows which specific policy each rule originates from. It's like having X-ray vision for your policies!

How does it work?

Spoiler alert: it's super easy!

You’ll find the Policy Calculator nestled under Policy in the Duo Admin Panel. Enter a user and an application name, the two details needed to calculate the policy.

And then the magic happens! You'll see the groups the user belongs to and all the policies that apply.

You will also get a detailed, rule-by-rule breakdown of the final policy, complete with the origin of each rule. It's like having a personal policy detective at your fingertips.

Continue exploring by entering different usernames and applications to see how the calculated policy changes.

Wondering when you might use the Policy Calculator?

  • Verify if the policy changes you made are doing what you think they are. The Policy Calculator lets you see how these modifications affect the final policy for a user accessing an application. No more policy surprises!

  • Understand why a user was denied access. See the breakdown of policies leading to the denial, helping you troubleshoot and make necessary adjustments.

  • Got a complicated policy stack? In Duo, policies are layered: group-level policies override application-level policies, which in turn override the global policy. The Policy Calculator looks at the rules from each applicable policy and, for every rule, keeps the one from the policy with the highest precedence, so the final policy is assembled rule by rule rather than taken wholesale from a single policy. It untangles the complexity, so you don’t have to!
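Here is a toy version of that rule-by-rule calculation, added to this post as an illustration (it is not the Policy Calculator's code). It layers a global policy, an application policy and the user's group policy, keeps each rule from the highest-precedence policy that sets it, records where it came from, and uses the result to explain a denial. Policy names, rule keys and values are made up; the page does not say how a user who belongs to several groups with policies is handled, so the example assumes the first matching group in an admin-defined order applies.

```python
"""Added example, not Duo's code: a toy policy calculator. It layers a global
policy, an application policy and the user's group policy in Duo's documented
precedence order (group over application over global), records which policy
each rule in the final result came from, and explains a denial by that origin.
Policy names, rule keys and the multiple-group handling are assumptions."""

# Only rules a policy explicitly sets appear in its dict; anything it does
# not mention falls through to the next layer down.
GLOBAL_POLICY = {"name": "Global Policy", "rules": {
    "new_user": "allow_enrollment", "auth_methods": "all",
    "os": "any", "remembered_devices": "off"}}

APP_POLICIES = {"VPN": {"name": "VPN policy", "rules": {
    "auth_methods": "push_or_webauthn", "remembered_devices": "off"}}}

GROUP_POLICIES = {
    "Contractors": {"name": "Contractor lockdown", "rules": {
        "os": "managed_only", "auth_methods": "webauthn_only"}},
    "Engineering": {"name": "Eng convenience", "rules": {
        "remembered_devices": "14d"}},
}

# Assumption: when a user is in several groups with policies on an app, the
# first group policy in this admin-defined order is the one applied.
APP_GROUP_ORDER = {"VPN": ["Contractors", "Engineering"]}
USER_GROUPS = {"alice": ["Engineering"], "mallory": ["Engineering", "Contractors"], "bob": []}

METHOD_SETS = {
    "all": {"push", "webauthn", "sms", "phone"},
    "push_or_webauthn": {"push", "webauthn"},
    "webauthn_only": {"webauthn"},
}


def applicable_policies(user, app):
    """Lowest precedence first, so later layers overwrite earlier ones."""
    layers = [GLOBAL_POLICY]
    if app in APP_POLICIES:
        layers.append(APP_POLICIES[app])
    for group in APP_GROUP_ORDER.get(app, []):
        if group in USER_GROUPS.get(user, []):
            layers.append(GROUP_POLICIES[group])
            break
    return layers


def calculate(user, app):
    """Final policy as {rule: (value, origin_policy_name)}."""
    final = {}
    for policy in applicable_policies(user, app):
        for rule, value in policy["rules"].items():
            final[rule] = (value, policy["name"])
    return final


def check_access(user, app, ctx):
    """Apply two of the resolved rules to a login context; on denial, name
    the rule and the policy it came from, as the calculator's breakdown does."""
    final = calculate(user, app)
    os_rule, os_src = final["os"]
    if os_rule == "managed_only" and not ctx["managed"]:
        return False, f"denied by os={os_rule} ({os_src})"
    methods, m_src = final["auth_methods"]
    if ctx["method"] not in METHOD_SETS[methods]:
        return False, f"denied by auth_methods={methods} ({m_src})"
    return True, "allowed"


if __name__ == "__main__":
    for rule, (value, origin) in calculate("mallory", "VPN").items():
        print(f"{rule:18} {value:18} from {origin}")
    print(check_access("mallory", "VPN", {"managed": True, "method": "push"}))
```

Running it for mallory shows the point of the origin column: her remembered-devices setting comes from the VPN policy and her authenticator restriction from the Contractor lockdown group policy, so a denial for a Duo Push traces to the group policy, not to the application policy an admin might check first.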

Get started today!

The Policy Calculator is now available in your Duo Admin Panel. Start using it today to ensure that your security policies are working exactly as intended. Go ahead, give it a whirl!

]]>
<![CDATA[Secure Identities on Any Device, Anywhere: Introducing Duo Desktop Authentication]]> alexro2@cisco.com (Alex Rodriguez) https://duo.com/blog/introducing-duo-desktop-authentication https://duo.com/blog/introducing-duo-desktop-authentication Product & Engineering

Available now in all paid Duo subscriptions

 

The launch of Duo Mobile in the early 2010s changed how businesses enabled secure authentication. Still, we have always known that there are industries and use cases that cannot rely on smartphones (or hardware tokens, SMS and phone calls). Enter Duo Desktop authentication, which lets users authenticate seamlessly from a single laptop or desktop when more secure forms of authentication are either unavailable (restricted sites like clean rooms) or not permitted (call centers or manufacturing sites). Duo Desktop authentication can be the solution for your edge use case.

Duo Desktop authentication isn’t a replacement for more secure authentication methods such as passkeys and Duo Verified Push. A separate authentication device will always be more secure, and your organization should strive for the strongest protection against identity-based attacks. However, Duo Desktop authentication was developed for specific use cases such as call centers, manufacturing sites, clean rooms and other scenarios where stronger authentication forms are unavailable. In restricted environments, employees often do not have, or are not allowed to have, access to phones, landlines or tokens. Duo Desktop addresses this issue by letting employees authenticate efficiently from the desktops they already use.

Reduce IT spend

For many organizations, particularly those with strict compliance or regulatory requirements, using personal devices for work is not an option, and purchasing a device for every employee just to authenticate can be costly. Telephony, SMS and hardware tokens are each expensive, vulnerable or simply archaic across the wide variety of use cases in the market.

Duo Desktop reduces the cost of organizations needing to purchase devices, telephony credits and tokens, across use cases. Duo Desktop also reduces the administrative costs and complexities that physical device management or telephony requires. In restricted sites with high-security measures or in international territories with high shipping costs or logistical challenges, Duo Desktop authentication provides a streamlined solution that reduces administrative overhead and enhances the use case experience.

Reduce credential risk

As mentioned, Duo Desktop authentication is not a replacement for more secure forms of authentication such as passkeys or Duo Verified Push. However, Duo Desktop's registration process does help mitigate the risk of bad actors passing off their own machines as authorized endpoints: a device that presents an already-registered device identifier is blocked from registering.

Duo Desktop authentication can be paired with additional security measures including Duo’s Trusted Endpoints or device health policies with Duo Desktop, which helps to bolster the security of authenticating from the desktop. This streamlined identity security approach ensures minimal disruption to operations while maximizing security and efficiency to help mitigate compromised credential attacks for the edge case where a more secure form of authentication cannot be used. It also enables administrators to implement Duo Desktop authentication quickly, empowering employees to authenticate securely without delays.

Reduce user friction

Duo Desktop authentication also serves as an efficiency driver for your organization’s edge use cases. Imagine supporting a critical service or role such as a call center for a hospital network, where authenticating faster allows critical issues to be resolved more efficiently. In this scenario, you need to limit the user friction by reducing the time to log in. By authenticating at the endpoint instead of an external authentication device like a phone call, SMS code or token OTP, Duo Desktop drives efficiency for your edge use case.

This flexibility is a plus for scenarios where traditional multi-factor authentication (MFA) methods fall short and organizations struggle with time-to-login issues during the sign-in process. Duo Desktop authentication helps Duo embody the principle of securing identities on any device, from anywhere, and we are excited to hear feedback during public preview.

Experience Duo Desktop authentication today

Duo Desktop authentication is a step forward in secure access, providing organizations with a secure authentication method for use cases that are typically challenging to deploy, maintain and support. By offering a solution that eliminates the need for smartphones or tokens, Duo addresses the need of organizations across industries including security, compliance, cost management and operational efficiency.

Duo Desktop authentication is available now in all paid Duo subscriptions. You can test by deploying the Duo Desktop app and enabling Duo Desktop authentication in your Duo Policy stack to your preferred applications and identities. Review more on how to use Duo Desktop authentication on the Duo Docs page and reach out to your Duo contact to learn more today!

]]>
<![CDATA[SMS MFA Misses the Medal: Choosing the Real Auth Champions]]> jensmit@cisco.com (Jen Gerhart) https://duo.com/blog/sms-mfa-misses-medal-choosing-real-auth-champions https://duo.com/blog/sms-mfa-misses-medal-choosing-real-auth-champions Product & Engineering

In the high-stakes arena of cybersecurity, multi-factor authentication (MFA) is the gold medal of safeguarding our online accounts. Just as Olympic champions need the latest technology and rigorous training to excel, our digital defenses require more advanced methods to fend off today’s sophisticated threats.

SMS-based MFA uses text messages (SMS) as one of the authentication factors to verify a user’s identity when attempting to log into a system. SMS-based MFA is like a sprinter who has lost a step: once a reliable performer, it now struggles and is no match for the evolving competition.

Vulnerability to SIM Swapping: In a relay race, the baton is our SMS. In a SIM (Subscriber Identity Module — a smart card used in mobile devices to store information) swapping attack, the baton is stolen by an opponent who tricks your mobile carrier into transferring your phone number to a new SIM card. Once the baton is in their hands, the attacker can cross the finish line with your authentication codes, leaving your accounts vulnerable. Just as a stolen baton can jeopardize a race, a hijacked phone number can compromise your security.

Message Interception: Unlike the secure lanes of a well-organized race, SMS messages travel through a more exposed route where anyone with a clear view can intercept them. Attackers with the right tools can effectively “watch the track” and snatch your messages as they pass by. Without the barriers and safeguards of a secure relay race, these messages are left vulnerable to interception.

Phishing Risks: Phishing scams are like devious obstacles on your course. Even the most alert runners may stumble over these obstacles, which disguise themselves as valid communications. Just as a hurdle can make a sprinter falter and fall, smishing attacks trick you into handing over your MFA codes. Attackers will have an easier time disrupting your security race if you use SMS-based MFA, because there is a greater chance that you will run into these false obstacles.

Dependence on Mobile Network Reliability: MFA is a race where the starting pistol is fired by the reliability of your mobile network. If the network is down or you’re in an area with poor signal, it's just like a false start that delays your run. You might not receive your authentication codes, causing frustrating interruptions and potentially locking you out of your accounts. In the security race, relying on a network’s unpredictability can leave you off-balance.

An elite squad of auth methods

To stay ahead in this race, it’s essential to upgrade to more secure, agile methods that can sprint past these security obstacles with ease.

Duo Security offers more secure alternatives to SMS-based MFA, addressing many of the vulnerabilities associated with traditional methods:

Push Notifications: Duo Push is the high-performance sprinter on your security team. When you attempt to log in, Duo Push sends a notification to your mobile device. With a single tap, you can instantly approve or deny the login attempt. It offers a seamless and responsive experience, much like a runner who reacts with lightning speed, and combines convenience with robust security, ensuring that your authentication process is both swift and secure.

Time-Based One-Time Passwords (TOTP): The Duo Mobile app’s time-based one-time passwords (TOTP) are the precision tools in your security toolkit. The app generates a new code every 30 seconds, providing a time-sensitive layer of security. This method is like an athlete using specialized equipment to fine-tune their performance.

Hardware Tokens and Biometric Authentication: Duo also supports hardware tokens for those who prefer a physical security device. These tokens generate one-time passcodes, like a runner relying on specialized gear to enhance their performance. They provide an extra layer of security that’s resistant to phishing and other attacks, ensuring your authentication remains robust and dependable.

Comprehensive Security Monitoring: Duo’s advanced monitoring and reporting features are the vigilant security team analyzing every runner’s performance in real-time. This feature allows organizations to track authentication attempts and detect suspicious activities. The added layer of oversight helps prevent and respond to potential security threats more effectively.

Going for Gold

As the race to secure digital authentication continues, SMS-based multi-factor authentication is losing ground to other methods in the fight against cyberattacks.

By adopting advanced MFA methods such as Duo Push, Duo Mobile with TOTP, Duo Hardware Tokens, and Duo’s Comprehensive Security Monitoring, you ensure your security team is prepared for the toughest challenges. With these cutting-edge tools, you can cross the finish line with confidence, knowing your digital identity is well-protected.

Resources

For more information on choosing strong MFA authentication methods, reach out to your dedicated Cisco team or check out the resources below!

]]>
<![CDATA[Harmonizing Access Control With Routing Rules]]> cmedfisch@duo.com (Colin Medfisch) jpringle@duo.com (Jamie Pringle) https://duo.com/blog/harmonizing-access-control-with-routing-rules https://duo.com/blog/harmonizing-access-control-with-routing-rules Product & Engineering

Available now in Public Preview for all paid Duo subscriptions

  • Seamlessly connect multiple identity providers to Duo

  • Orchestrate secure access for multi-domain environments

“Routing Rules just make sense, and it is great to see all of our users under one single Duo tenant.” — Head of IT, Biotechnology Organization

Today, we are proud to announce the launch of Routing Rules for Duo Single Sign-On (SSO) into Public Preview.

Historically, Duo Single Sign-On (Duo SSO) only supported one SAML Identity Provider (IdP) per account, which caused issues for multi-domain environment use cases. With the introduction of Routing Rules, Duo SSO now adds support for simultaneously authenticating users to multiple SAML identity providers and multiple Active Directory (AD) sources. Routing Rules also improves the well-adopted support for multiple Active Directory (AD) sources by allowing for more targeted requests to the proper AD environment. This ensures Duo SSO is prepared for all your users and can deliver a better user experience while reducing the load on your existing Duo Authentication Proxy infrastructure.


With organizational growth and diversification come more intricate authentication needs. A good example is mergers and acquisitions, which frequently require support for multi-domain use cases. This innovative solution is crafted to synchronize your identity access control, much like a maestro orchestrates a symphony, ensuring every authentication is delivered to the right authentication source at the right moment.

Modern organizations often rely on multiple identity providers to meet their diverse needs. With Routing Rules, you can configure detailed access rules based on conditions. For example, when an identity accesses an application, the email domain, network space, and application itself can be assessed in the Routing Rules profile to intelligently route the user to the correct downstream identity provider. This flexibility ensures access is granted under exact conditions, especially when combined with the rest of Duo’s amazing policy stack, enhancing the overall security posture of growing organizations.

One of the standout features of Duo is that, rather than performing just a delegated authentication event, Duo retrieves the most up-to-date attribute set from the Active Directory or SAML source in real time, enabling both Duo and the applications being logged into to perform more secure authorization checks.

Let’s walk through a use case example

Acme Corp. acquired Globex, and the acquisition is closing faster than expected. Each organization has its own infrastructure, including different domains (multi-domain), multiple identity providers, applications, security tools and resources. With the acquisition closing, an administrator needs to be able to route traffic intelligently for the two unique profiles to ensure members have the correct experience and authenticate with the right downstream identity provider.

  • The acquired Globex domain users will need to authenticate with Okta for Workday and Google for Acme’s Salesforce.

  • The existing Acme domain users will need to still authenticate with Active Directory for Workday.

In Duo, the Routing Rules configuration would look like the screenshot below:

As you see in the diagram, if the Globex user accesses Workday, Duo will orchestrate access to the Okta authentication source. However, if the Globex user accesses Salesforce or any other application, the user will need to authenticate with Google Workspace. Lastly, the Acme user will authenticate strictly with Active Directory for all applications in this example scenario.
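To make the scenario concrete, here is a toy first-match rule evaluator for the Acme/Globex routing above. It is an added example, not Duo's implementation; the email domains, CIDRs, IdP labels and the fail-closed behaviour for unmatched requests are assumptions of the model.

```python
"""Toy first-match evaluator for identity routing rules (added illustration of the
Acme/Globex scenario; not Duo's code). Domains, CIDRs and IdP labels are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AuthRequest:
    email: str          # the identity signing in
    application: str    # the application being accessed
    source_ip: str      # client network address


@dataclass(frozen=True)
class RoutingRule:
    name: str
    idp: str                                        # downstream authentication source
    email_domains: FrozenSet[str] = frozenset()     # empty means "any domain"
    applications: FrozenSet[str] = frozenset()      # empty means "any application"
    networks: Tuple[str, ...] = ()                  # CIDRs; empty means "any network"

    def matches(self, req: AuthRequest) -> bool:
        """All configured conditions must hold for the rule to match."""
        domain = req.email.rsplit("@", 1)[-1].lower()
        if self.email_domains and domain not in self.email_domains:
            return False
        if self.applications and req.application not in self.applications:
            return False
        if self.networks:
            ip = ip_address(req.source_ip)
            if not any(ip in ip_network(cidr) for cidr in self.networks):
                return False
        return True


class Router:
    """Evaluates rules top to bottom; the first match decides the IdP.

    A request matching no rule gets (None, None): the model fails closed instead of
    silently picking a source. The post does not say how Duo handles unmatched
    requests, so this behaviour is an assumption of the illustration."""

    def __init__(self, rules: List[RoutingRule]):
        self.rules = rules

    def route(self, req: AuthRequest) -> Tuple[Optional[str], Optional[str]]:
        for rule in self.rules:
            if rule.matches(req):
                return rule.name, rule.idp
        return None, None


def build_acme_globex_router() -> Router:
    """Rules for the scenario. Order matters: the narrower Globex/Workday rule must
    precede the Globex catch-all, or every Globex login would go to Google Workspace."""
    return Router([
        RoutingRule("globex-workday", "Okta",
                    email_domains=frozenset({"globex.example"}),
                    applications=frozenset({"Workday"})),
        RoutingRule("globex-default", "Google Workspace",
                    email_domains=frozenset({"globex.example"})),
        RoutingRule("acme-all", "Active Directory",
                    email_domains=frozenset({"acme.example"})),
    ])


if __name__ == "__main__":
    router = build_acme_globex_router()
    for req in (AuthRequest("ann@globex.example", "Workday", "10.1.2.3"),
                AuthRequest("ann@globex.example", "Salesforce", "10.1.2.3"),
                AuthRequest("bob@acme.example", "Workday", "203.0.113.7"),
                AuthRequest("eve@other.example", "Workday", "203.0.113.7")):
        print(req.email, req.application, "->", router.route(req))
```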

Experience Duo Routing Rules today!

Routing Rules is a solution for various use cases across sectors, including organizations dealing with mergers and acquisitions, multi-domain environments, multiple IdPs, multi-national corporations and any business looking to secure access to applications with different IdPs based on routing conditions. On that note, we’re excited to see what symphonies Duo administrators orchestrate with Routing Rules.

Head over to the Duo docs page to learn more!

]]>
<![CDATA[Protect Your Personal Apps With Duo MFA]]> mrotar@cisco.com (Mike Rotar) https://duo.com/blog/protect-your-personal-apps-with-duo-mfa https://duo.com/blog/protect-your-personal-apps-with-duo-mfa Industry News

October is Cybersecurity Awareness Month. So, is there a better time to think about securing your personal life?

With cyber threats becoming more sophisticated, it's essential to safeguard your personal information. One of the easiest and most effective ways to do that is by using Duo Mobile, a mobile security app designed to keep your online accounts safe. In this blog, we’ll walk you through installing Duo on your mobile device, even if you aren’t very tech-savvy. Let’s make sure you stay safe online!

What is Duo?

Duo is a multi-factor authentication (MFA) tool. It helps protect your accounts by requiring a second form of authentication in addition to your password. This makes it much harder for anyone to access your information without your permission. With Duo, even if someone knows your password, they won’t be able to get into your account without access to your phone.

Why you need Duo Mobile

This is “need to know” information: Using a password alone isn’t enough anymore. Data breaches and hacking attempts happen all the time. Duo adds an extra layer of security to your accounts, allowing peace of mind that your sensitive information is protected.


Installing Duo on your mobile device

Step 1: Download the Duo Mobile app

Whether you have an iPhone or Android, the first step is to download the app.

  1. Open the App Store (for iPhone users) or Google Play Store (for Android users).

  2. In the search bar, type “Duo Mobile”.

  3. Look for the official app, developed by Duo Security LLC (it’s usually the first one that appears).

  4. Tap Download or Install. The app will begin downloading to your phone.

The Duo Mobile app in the App Store

Step 2: Open the app and get started

Once it’s installed, tap on the Duo Mobile app icon to open it.

Step 3: Link your accounts to Duo

Now that Duo is installed, it's time to link it to your online accounts, like social media, email or banking apps.

  1. Open the website or app for the service you want to protect (for example, Gmail, Facebook or your bank).

  2. Go to the Security or Account Settings section.

  3. Look for an option that says Enable Two-Factor Authentication or Add a Second Layer of Security.

  4. When prompted, select Duo Mobile as your 2FA method.

  5. The website will show you a QR code (it looks like a black and white square).

  6. In the Duo Mobile app, tap the + button in the top right corner.

  7. Use your phone to scan the QR code.

That’s it! Your account is now connected to Duo.

Step 4: Authenticate when you log in

Whenever you log into your protected account, Duo will ask you to confirm your identity. Here’s how it works:

  1. Enter your username and password as usual.

  2. Open the Duo Mobile app.

  3. Enter the generated code in the login screen of the application you are logging into.

This tells Duo that it’s really you trying to log in, adding an extra layer of protection to keep your account safe.

Tips to Keep in Mind

  • Keep your phone secure: Since Duo works through your mobile device, it’s essential to lock your phone with a password, PIN, or fingerprint.

  • Save your online account recovery codes: If you get a new phone, you’ll need to reinstall Duo. Make sure you have backup codes from your online accounts in case you lose access to Duo.

  • Back up your Duo account: Turn on backup of your third-party accounts in Duo Mobile from the Settings menu in the app. You'll need to set a password that you'll use if you have to restore Duo Mobile accounts to a new phone.

  • Use Duo for more than one account: You can link Duo to multiple accounts, including email, banking apps and social media.

Security Made Simple

You don’t have to be a tech expert to protect yourself online. Installing Duo on your mobile device is a simple yet powerful way to stay safe. As we celebrate Cybersecurity Awareness Month, now is the perfect time to take control of your digital security. In just a few minutes, you can drastically reduce your risk of being hacked and enjoy peace of mind knowing your personal information is secure.

Stay safe out there!

]]>
<![CDATA[Identity-Based Breaches: Navigating the Aftermath]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/identity-based-breaches-navigating-the-aftermath https://duo.com/blog/identity-based-breaches-navigating-the-aftermath Industry News

According to Cisco Talos, 80% of breaches involved identity as a key component. As organizations continue to rely on digital identities for access control and authentication, the risk of identity compromise grows. These breaches can have severe consequences, affecting not only the organization but also its customers, partners and overall reputation. Therefore, it is crucial to have proper mitigation controls in place. However, even with the best defenses, breaches can still occur. When they do, it's essential to have a robust response plan to limit the damage and recover swiftly.

The serious consequences of a breach

There is really no need to reiterate the serious consequences of a breach. Breaches are bad! They pose significant risks to an organization's operations, reputation and stakeholders. They can expose sensitive data, instigate operational disruption and lead to serious financial liability in both direct and indirect ways. The key point here is that limiting the blast radius of a breach is of the utmost importance — and having a plan to quickly remediate and bounce back from a breach is integral.

Mitigation controls: A proactive approach

To be clear, Duo often sits as a primary mitigation mechanism against breaches. By providing strong and flexible multi-factor authentication (MFA), enforcing granular, risk-based access policies, and ensuring that only trusted devices get access to sensitive resources, Duo helps our customers defend against breaches in a variety of key ways.

With the introduction of our Identity Intelligence functionality, Duo has even more tools to proactively help organizations improve their identity posture and make sure their defenses are optimized.

Responding to an identity-based breach: Best practices

However, despite having strong defenses in place, sometimes breaches can still occur. When they do, it's important to remember that the game is not over. Here are some best practices to put in place after an identity breach occurs:

Short-term best practices

Identify and Remediate Affected Accounts: Conduct a thorough investigation to identify all compromised accounts. Understanding the scope of the breach is crucial for effective remediation and preventing further unauthorized access.

Re-establish Trust and Secure Accounts: Though it may be painful, it's important to re-establish trust with the affected accounts. This means running them through an identity verification process to know that the account is associated with the correct user. Then, consider strengthening MFA requirements. For example, if SMS was still allowed as an MFA factor, maybe move up to Verified Push. Re-establishing trust and adding stronger MFA can help prevent attackers from regaining access using stolen credentials.

Rotate Passwords for All Users: Require all users to change their passwords, even if their accounts were not directly affected. This precaution helps mitigate the risk of undetected compromised accounts and enhances overall security.

Enhance Monitoring and Detection Capabilities: Implement or upgrade security monitoring tools to detect suspicious activities and potential breaches in real-time. One way to do this is by leveraging Duo’s new Identity Intelligence functionality, which provides dedicated Identity Threat Detection & Response capabilities. Improved monitoring allows for quicker detection and response to security incidents, minimizing potential damage.

Long-term best practices

Conduct a Post-Breach Security Audit: Perform a comprehensive security audit to identify vulnerabilities and gaps in the current security infrastructure. An audit helps in understanding how the breach occurred and what measures can be taken to prevent similar incidents in the future. Again, Duo’s new Identity Intelligence is a great mechanism to use during such an audit. In particular, the new Identity Security Posture score can help highlight areas of weakness and gives recommended actions for improvement.

Implement Stronger Identity Security Controls: Review and improve identity security controls, such as implementing tighter access policies, enforcing device trust and improving the deployment and adoption of MFA. Stronger controls reduce the likelihood of future breaches and improve the organization's security posture.

Educate and Train Employees: Conduct security awareness training for employees to recognize phishing attempts and other common attack vectors. Educated employees are less likely to fall victim to social engineering attacks, reducing the risk of future breaches.

Communicate Transparently with Stakeholders: Inform affected individuals, regulatory bodies and other stakeholders about the breach and the steps being taken to address it. Transparent communication helps maintain trust and ensures compliance with legal and regulatory requirements.

Conclusion

While we hope to have strong enough defenses in place to prevent breaches, we must not ignore the possibility that a breach will happen to us. If it does, having a strong playbook ready can help limit the blast radius, remediate the situation quickly and improve our security posture moving forward. By following best practices and learning from each incident, we can build a more resilient organization capable of withstanding the evolving threat landscape. Remember, the key to effective breach response is preparation, swift action, and continuous improvement.

If you’d like to learn more about building a playbook for breach response, check out our eBook: Building an Identity Security Program.

]]>
<![CDATA[Watching the Watchmen: Securing Identity Administrators]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/watching-the-watchmen-securing-identity-administrators https://duo.com/blog/watching-the-watchmen-securing-identity-administrators Industry News

Administrators of identity tools hold the skeleton keys to the kingdom now that identity is the new perimeter. To be clear, all administrator accounts — regardless of use case — represent accounts with elevated levels of power and access and should be a focus of heightened security controls. However, in recent months, administrators of identity infrastructure and tooling have come under specific attack.

Therefore, understanding who your identity administrators are, what they do, and how to monitor their activities is crucial for maintaining a secure environment. In this blog, we will explore the importance of securing identity admins, highlight the risks of poorly managed admin accounts and provide best practices to mitigate these risks.

What is an identity administrator?

Identity administrator accounts have elevated permissions to deploy, configure, and modify relevant identity systems. In many enterprises, this includes administrators for tools like on-premises and cloud directories, single sign-on (SSO) solutions and multi-factor authentication (MFA) providers.

These administrators are essential for configuring key workflows for identity and access management (IAM) within organizations. For example, they often define and configure the lifecycle of employee identity accounts, provision application access for user groups, set access policies for these groups, and determine authentication requirements for various policies. Identity admins play a large role in defining and setting access policy and requirements, making these accounts attractive targets for cyber attackers.

The risks of poorly managed administrator accounts

Poorly managed identity administrator accounts can lead to significant security risks. Excessive privileges, lack of visibility, and undetected anomalous activity can all contribute to security breaches. To illustrate the risk, let’s use the notable example of the Scattered Spider attacker group, which has been known to exploit administrator accounts to gain control of identity systems.

Case study: Scattered Spider

Scattered Spider is the name of an attacker group associated with several major identity-based breaches. Their techniques have been outlined in this helpful briefing from CISA. They famously use a variety of social engineering techniques (e.g., calling the help desk and asking for password and MFA resets) to gain initial access to environments.

Once they obtain initial compromise of a user's account, Scattered Spider threat actors register their own MFA tokens to establish persistence. This is where they begin targeting identity administrator accounts and performing administrative actions. They will change the access policy so that it no longer requires MFA, or even go so far as to create and link new identity provider instances.

For example, they have been documented adding a federated identity provider to the victim's SSO tenant and activating automatic account linking, enabling them to sign into any account using a matching SSO account attribute. This allows them to perform privilege escalation and maintain access even when passwords are changed.

The key takeaway is that gaining administrative control of identity systems can have devastating consequences. However, with the right tools and practices, organizations can detect and respond to such activities early, reducing the potential impact.

Monitoring identity administrators with Cisco Identity Intelligence

Cisco Identity Intelligence offers powerful capabilities to evaluate and monitor administrator accounts and activities. By providing necessary visibility into the number of identity admins and their interactions with the environment, Cisco Identity Intelligence helps ensure proper use of privileges and alerts on anomalous activity.

Key features of Cisco Identity Intelligence for Administrator Security

Dashboards:

  • Administrators per source

  • Administrator logins

Checks:

  • Admin filter on weak or no MFA

  • Admin activity anomaly

  • Admin role assigned to user

  • Login to admin console

  • Admin impersonation

  • New IdP created

These features enable organizations to detect and respond to risky admin activity, reducing the likelihood of security breaches.
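The checks listed above can be expressed as detection logic over an identity audit log. The following is an added example, not Cisco Identity Intelligence code: it runs four of the checks (weak or no MFA on admin login, admin role assigned to a user, new IdP created, admin login anomaly) over constructed events; the event fields, MFA method names, role names and the per-admin country baseline are all assumptions made for the illustration.

```python
"""Constructed detection logic for identity-admin checks (added example; not
Cisco Identity Intelligence code). Event schema, MFA method names, role names
and the baseline are assumptions for the illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# MFA methods treated as weak; the post calls out SMS in particular.
WEAK_MFA = {"sms", "phone_call", "none"}
ADMIN_ROLES = {"super_admin", "identity_admin"}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    actor: str
    detail: str


def check_weak_mfa_admin_login(ev: dict) -> List[Finding]:
    """Admin console login without MFA or with a weak method."""
    method = ev.get("mfa_method", "none")
    if ev["action"] == "admin_login" and method in WEAK_MFA:
        return [Finding("admin_weak_or_no_mfa", "high", ev["actor"],
                        f"admin console login with mfa={method}")]
    return []


def check_admin_role_assigned(ev: dict) -> List[Finding]:
    """A user was granted an administrative role."""
    if ev["action"] == "role.assign" and ev.get("role") in ADMIN_ROLES:
        return [Finding("admin_role_assigned_to_user", "high", ev["actor"],
                        f"granted {ev['role']} to {ev['target']}")]
    return []


def check_new_idp_created(ev: dict) -> List[Finding]:
    """A new identity provider was linked; the persistence step in the case study."""
    if ev["action"] == "idp.create":
        return [Finding("new_idp_created", "critical", ev["actor"],
                        f"created identity provider {ev['target']}")]
    return []


def check_admin_login_anomaly(ev: dict, baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Admin login from a country never seen for that admin. An admin with no
    baseline at all (a brand-new admin account) is flagged as well."""
    if ev["action"] != "admin_login":
        return []
    seen = baseline.get(ev["actor"], set())
    if ev["country"] not in seen:
        return [Finding("admin_activity_anomaly", "medium", ev["actor"],
                        f"admin login from {ev['country']}, baseline={sorted(seen) or 'none'}")]
    return []


def run_checks(events: Iterable[dict], baseline: Dict[str, Set[str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        findings += check_weak_mfa_admin_login(ev)
        findings += check_admin_role_assigned(ev)
        findings += check_new_idp_created(ev)
        findings += check_admin_login_anomaly(ev, baseline)
    return findings


# Constructed baseline: countries each known admin has logged in from recently.
BASELINE: Dict[str, Set[str]] = {"alice": {"US"}, "bob": {"US", "CA"}}

# Constructed audit events, in time order.
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T09:00Z", "actor": "alice", "action": "admin_login",
     "mfa_method": "push", "country": "US"},
    {"ts": "2024-10-01T09:05Z", "actor": "alice", "action": "role.assign",
     "target": "carol", "role": "super_admin"},
    {"ts": "2024-10-01T09:20Z", "actor": "carol", "action": "admin_login",
     "mfa_method": "sms", "country": "BR"},
    {"ts": "2024-10-01T09:25Z", "actor": "carol", "action": "idp.create",
     "target": "federated-idp-2"},
    {"ts": "2024-10-01T10:00Z", "actor": "bob", "action": "admin_login",
     "mfa_method": "webauthn", "country": "CA"},
]

if __name__ == "__main__":
    for f in run_checks(SAMPLE_EVENTS, BASELINE):
        print(f"[{f.severity}] {f.check}: {f.actor} - {f.detail}")
```

The sample sequence (admin role granted, then the new admin logs in with SMS from an unseen country and creates an IdP) yields four findings; in practice each check's output would feed the response workflow described later in the post.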

Best practices for securing identity administrators

To enhance the security of identity admins, organizations should implement the following best practices:

1. Limit the number of admins

Restrict the number of admin accounts to the minimum needed to function effectively. This reduces the attack surface and makes it easier to monitor and manage these accounts.

2. Limit privileges and access

Grant admin accounts only the privileges and access necessary for their roles. Implement the principle of least privilege to minimize the potential impact of a compromised account.

3. Enforce strong multi-factor authentication (MFA)

Require strong forms of MFA for admin access. When we say strong MFA, we mean disabling weaker forms of MFA like SMS and requiring phishing-resistant MFA via passwordless or combining traditional MFA with a trusted device requirement.

4. Implement monitoring and detection

Continuously monitor admin accounts and implement detection logic for high-risk activity. Use tools like Cisco Identity Intelligence to gain visibility into admin activities and detect risky activity.

5. Establish a response workflow

Develop and implement a response workflow for various levels of administrator risk. This ensures that your security team can quickly and effectively respond to potential threats.

Keep an eye on your identity watchmen

If we revisit the case of Scattered Spider after having implemented these controls, the picture is much rosier. It’s unfair and unwise to say that all breaches would be prevented or detected. But by proactively limiting the attack surface and putting in place detection logic to alert on strange admin activity (e.g., creating a new tenant or connecting a new SSO), organizations will be much better off.

To assess the security of your identity administrator accounts, consider asking the following questions of your own environment:

  1. How many identity administrators do you have in your environment?

  2. Is strong MFA required for all identity administrators in every case?

  3. Do you have good visibility into normal admin activity?

  4. How do you detect anomalous admin activity?

  5. What is the response workflow when risky admin activity is detected?

If you’re interested in learning more about building a robust Identity Security program to handle identity admin security and much more, check out our ebook: Building an Identity Security Program. Talk with someone about how Cisco Identity Intelligence and Duo can help bolster your organization’s identity defenses by contacting us.

]]>
<![CDATA[Turning Microsoft’s MFA Requirement for Azure Into an Epic Security Win With Duo]]> canderson@duo.com (Chris Anderson) https://duo.com/blog/turning-microsoft-mfa-requirement-for-azure-into-epic-security-win-with-duo https://duo.com/blog/turning-microsoft-mfa-requirement-for-azure-into-epic-security-win-with-duo Industry News

We are less than two months away. Are you ready?

Microsoft announced that, starting next month, it will begin rolling out mandatory multi-factor authentication (MFA) sign-in for Azure (also known as Microsoft Entra ID) resources.

It is no secret that identity-based breaches are on the rise, so we applaud Microsoft for taking the first step towards better protecting Azure resources! As Microsoft points out in their announcement, MFA “can block more than 99.2% of account compromise attacks.”


Not only do we applaud them, but at Duo we have been partnering with Microsoft for years to provide seamless integrations that make any Microsoft deployment more secure. Most recently, Duo became the first approved vendor in Microsoft’s new External Authentication Methods framework.

To illustrate the depth of our integration, you can satisfy Microsoft’s mandatory MFA requirement through any one of the following Duo configurations:

  1. Duo Single Sign-On for Microsoft 365 supports Microsoft’s mandate out of the box

  2. Duo two-factor authentication for Microsoft Entra ID External Authentication Methods (EAM) supports Microsoft’s mandate out of the box

  3. If you are using Duo with Active Directory Federated Service (AD FS), you will need to ensure you are sending the Authentication Methods Reference (AMR) in the AD FS custom claim to support Microsoft's mandate

However, while MFA has been shown to help stop attacks, authentication alone is not the answer. The security industry has diligently battled compromised credentials. We have evolved from passwords to multi-factor authentication (MFA) to phishing-resistant passwordless, our most secure form of authentication to date. Duo has been at the forefront of passwordless development and fully supports passwordless authentication as a component of an identity security program.

Despite these advancements, we still see many identity-based breaches year over year. This is why we released Continuous Identity Security earlier this year. Continuous Identity Security is built on the premise that we need to enhance our traditional access management controls. It combines Duo’s current authentication capabilities like MFA, Passwordless and SSO with powerful security insights into identity and device risk. It also provides mechanisms to maintain and revoke trust based on these insights.

For example, Continuous Identity Security includes an Identity Intelligence layer that provides visibility and context into identities across multiple data sources such as Entra ID, Duo, Okta, Workday, Google and Salesforce. This context can be used to proactively improve identity security posture by doing things like finding and removing dormant accounts. But it can also be used to inform an identity threat detection & response (ITDR) practice that seamlessly responds to identity threats.

In addition to Identity Intelligence, Continuous Identity Security includes functionality like Duo Passport which securely brokers trust across disparate authentication scenarios, reducing the number of times a user is asked to log in. Just like SSO before it, Duo Passport eases the burden of performing authentication on an end user, making them much less susceptible to frustration-based attacks like Push Bombing.

With Continuous Identity Security, not only can you satisfy Microsoft’s mandatory MFA requirement, but you are able to protect yourself against the sharp rise in identity-based attacks — all while maintaining a seamless access experience for your end users. Security is better because you now have deep visibility across all your identity environments enabling ISPM and ITDR. Yet, user experience is also improved because Passport and continuous analysis means trust can be shared between authentication checkpoints, reducing authentication frustration.

If you’re interested to learn more about how Duo and Microsoft can help secure your organization, check out this eBook that highlights how we work together to enable Zero Trust.

If you’d like to learn more about how to implement Continuous Identity Security at your company, you can read more on our product page or reach out to sales for a quick discussion.

]]>
<![CDATA[Uncovering & Remediating Dormant Account Risk]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/uncovering-remediating-dormant-account-risk https://duo.com/blog/uncovering-remediating-dormant-account-risk Industry News

The importance of gaining visibility into identity data

Over the last two years, the security of an organization's identity ecosystem has become paramount. Before diving into the specifics of dormant accounts, it's important to take a step back and discuss a prerequisite: gaining cross-platform visibility into identity and access management data. This visibility is the cornerstone of any robust identity security program.

You cannot protect what you can't see. Identifying what to protect is the first step in an organization’s identity security program. To achieve this, building an accurate user inventory is necessary. If you don’t trust us, the Center for Internet Security (CIS) also recommends maintaining an accurate inventory of devices and users to ensure that only authorized users have access to the system. Without an accurate user inventory, it becomes difficult to identify and mitigate security risks.

Challenges facing organizations trying to gain identity visibility

However, organizations often face several challenges when trying to gain visibility into their identity ecosystem. To start, identity providers store data in different formats with varied attributes and schemas, making it hard to map and reconcile data between systems, especially HR directories and identity providers. Additionally, data quality varies, with HR directories often having more accurate and up-to-date data compared to cloud-based identity providers. This creates inconsistencies when forming a unified view of user identities. And finally, individual users often have multiple accounts (Gmail, Yahoo, etc.) with access to company data. These accounts should be linked to a singular corporate entity.

By leveraging Cisco Identity Intelligence, organizations can easily overcome these challenges to gain powerful visibility into their identity ecosystem. One of the key functions of Cisco Identity Intelligence is creating an identity graph that is a mapping of accounts and access within an organization.

Visibility unlocks identity security posture management (ISPM)

Once an organization gains visibility, they can start getting proactive by implementing an identity security posture management (ISPM) initiative. But what exactly is ISPM?

Identity security posture management (ISPM) is the idea that an organization has a certain level of posture when it comes to the defense of the identity environment. This posture is affected by different levels of security hygiene and control in place both for individual users and for the organization more broadly. ISPM involves continuously monitoring and analyzing identities, access rights and authentication processes across your entire ecosystem to inform the current identity security posture. This gives you insights into your identity risk profile and guidance on how to remove that risk.

To get concrete, here are some examples of use cases or insights that would fall under the category of ISPM:

  • Uncover dormant or inactive accounts

  • Ensure widespread coverage and proper usage of strong MFA

  • Evaluate administrator accounts for risky activity

  • Monitor guest, contractor or service accounts for proper use

Deep dive into dealing with dormant accounts

So, what are dormant or inactive accounts? The definition can vary from organization to organization, but this usually refers to a licensed and provisioned account that has not performed any activity for an extended period of time.

Why are dormant accounts a risk?

Dormant accounts pose a significant security risk. The Cybersecurity and Infrastructure Security Agency (CISA) recently highlighted that attackers are now targeting these accounts as an initial entry point into organizational environments. According to a CISA report: "Attackers have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system."

The report also highlights that attackers can time their activities to align with a breach or incident at the company. For example, it is often the case that during an incident, employees across an organization are forced to do a password reset. CISA noted that attackers have “also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities."

In either case, dormant accounts are providing a viable entry point for attackers looking to gain access into company environments.

How Cisco Identity Intelligence helps identify dormant accounts

After ingesting data from identity data sources, Cisco Identity Intelligence analyzes the data and offers a variety of checks that highlight potentially inactive or dormant account risks. These checks can be used individually or in combination to zero in on dormant accounts and abnormal activity associated with dormant accounts. To illustrate how Cisco Identity Intelligence does this, here are some of the checks that run inside the tool:

  • Inactive Users: Detects users who are enabled (Active status) and who have not successfully authenticated for more than 30 days.

  • Inactive Account Probing: Detects users with a sudden spike in failed login attempts after a long period of inactivity, which may be an account takeover attempt.

  • Never Logged In: Detects accounts that were created but never successfully logged in. These accounts appeal to attackers, as they may be able to register their own MFA factors.

  • Access from Dormant Account: Adversaries often target dormant accounts that belong to users who no longer work at a victim organization, but whose accounts still have access to the system.

  • Unused Application for a User: Detects applications unused by a user. Users will fail this check if they have not used an application within 30 days.
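The first three checks above (Inactive Users, Inactive Account Probing, Never Logged In), re-implemented as an added example over a constructed user inventory and authentication log. This is not Cisco Identity Intelligence's code; the 30-day threshold comes from the text, while the "long period of inactivity" (60 days) and the spike size (5 failures in 24 hours) are assumptions chosen for the example.

```python
"""Added example (not Cisco Identity Intelligence code): dormant-account checks
run over a constructed user inventory and authentication log."""
from collections import defaultdict
from datetime import datetime, timedelta

INACTIVITY_DAYS = 30       # threshold stated for the Inactive Users check
PROBE_QUIET_DAYS = 60      # assumed: what counts as a "long period of inactivity"
PROBE_FAILURES = 5         # assumed: failed logins inside one day that count as a spike
PROBE_WINDOW = timedelta(hours=24)

# Constructed inventory, in the shape an identity provider export might take.
USERS = [
    {"user": "alice", "status": "Active"},
    {"user": "bob",   "status": "Active"},
    {"user": "carol", "status": "Active"},
    {"user": "dave",  "status": "Disabled"},
    {"user": "erin",  "status": "Active"},
]

# Constructed authentication log: (ISO timestamp, user, result).
AUTH_LOG = [
    ("2024-06-01T08:00:00", "alice", "success"),
    ("2024-06-28T09:15:00", "alice", "success"),   # active recently
    ("2024-03-10T10:00:00", "bob",   "success"),   # last success > 30 days ago
    ("2024-06-20T11:00:00", "bob",   "failure"),   # a single failure is not a spike
    ("2024-01-05T10:00:00", "carol", "success"),   # quiet for months ...
    ("2024-06-29T02:00:00", "carol", "failure"),   # ... then a burst of failures
    ("2024-06-29T02:00:30", "carol", "failure"),
    ("2024-06-29T02:01:00", "carol", "failure"),
    ("2024-06-29T02:01:30", "carol", "failure"),
    ("2024-06-29T02:02:00", "carol", "failure"),
    ("2024-04-01T10:00:00", "dave",  "success"),   # disabled: ignored by all checks
    ("2024-06-29T03:00:00", "erin",  "failure"),   # erin has never succeeded
    ("2024-06-29T03:00:10", "erin",  "failure"),
]
NOW = datetime(2024, 6, 30)


def _events(log):
    return [(datetime.fromisoformat(ts), user, result) for ts, user, result in log]


def _enabled(users):
    return {u["user"] for u in users if u["status"] == "Active"}


def last_success(log):
    """Most recent successful authentication per user."""
    latest = {}
    for ts, user, result in _events(log):
        if result == "success" and ts > latest.get(user, datetime.min):
            latest[user] = ts
    return latest


def never_logged_in(users, log):
    """Never Logged In: enabled accounts with no successful authentication on record."""
    return sorted(_enabled(users) - set(last_success(log)))


def inactive_users(users, log, now, days=INACTIVITY_DAYS):
    """Inactive Users: enabled accounts whose last success is older than `days`.
    Accounts with no success at all are left to never_logged_in()."""
    cutoff = now - timedelta(days=days)
    latest = last_success(log)
    return sorted(u for u in _enabled(users) if u in latest and latest[u] < cutoff)


def inactive_account_probing(users, log, now, quiet_days=PROBE_QUIET_DAYS,
                             threshold=PROBE_FAILURES):
    """Inactive Account Probing: enabled accounts with no success in `quiet_days`
    that then see `threshold` or more failed logins inside one 24-hour window."""
    latest = last_success(log)
    quiet_cutoff = now - timedelta(days=quiet_days)
    failures = defaultdict(list)
    for ts, user, result in _events(log):
        # only failures after the user's last success count as probing
        if result == "failure" and ts > latest.get(user, datetime.min):
            failures[user].append(ts)
    flagged = []
    for user in _enabled(users):
        if latest.get(user, datetime.min) > quiet_cutoff:
            continue                      # recently active, so not dormant
        times = sorted(failures[user])
        # sliding window: any run of `threshold` failures within PROBE_WINDOW
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= PROBE_WINDOW:
                flagged.append(user)
                break
    return sorted(flagged)


def run_checks(users=USERS, log=AUTH_LOG, now=NOW):
    """Run all three checks and return the flagged users per check."""
    return {
        "inactive_users": inactive_users(users, log, now),
        "never_logged_in": never_logged_in(users, log),
        "inactive_account_probing": inactive_account_probing(users, log, now),
    }


if __name__ == "__main__":
    for check, flagged in run_checks().items():
        print(f"{check}: {flagged}")
```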

Once the dormant accounts have been identified, it’s straightforward to limit or cut off access where necessary.

What is the benefit of remediating dormant or inactive accounts?

Security Benefit: By leaving standing entitlements in place that are not needed or not used on a regular basis, attackers may be able to use a dormant account to gain access to sensitive systems and data. By removing these entry points, the attack surface is made smaller and harder for attackers to penetrate.

Economic Benefit: Dormant accounts may consume licenses that are paid for but never used. By remediating dormant accounts, the organization can reclaim those licenses and save the associated cost.

Interested in learning more?

By addressing the risk of dormant accounts, organizations can significantly enhance their security posture and reduce unnecessary costs. With Cisco Identity Intelligence, gaining visibility and managing identity security has never been easier.

Be sure to download our free ebook — Building an Identity Security Program — to learn more about building and maintaining an identity security program that actually works.

To learn more about how Duo can help you on your ISPM journey, check out our Duo and Cisco Identity Intelligence page. Or, start a free trial of Duo to try out this functionality for yourself.

]]>
<![CDATA[Now Available: Duo Federal Edition Integration With Microsoft Entra ID]]> harsheik@cisco.com (Haroon Sheikh) https://duo.com/blog/duo-federal-integration-with-microsoft-entra-id https://duo.com/blog/duo-federal-integration-with-microsoft-entra-id Product & Engineering

In the June D292 Duo D-release, the Duo Federal edition integration with Microsoft Entra ID Conditional Access policies became available.

This Duo integration with Microsoft Entra ID (formerly Azure Active Directory) Conditional Access policies adds 2FA to Entra ID logons, offers inline user enrollment and supports a variety of authentication methods — such as Duo Push, Verified Duo Push, passkeys and security keys in the Universal Prompt. 

Microsoft Entra ID Conditional Access allows you to set policies that evaluate Entra ID user access attempts to applications and grant access only when the access request satisfies specified requirements, e.g., user group memberships, geolocation of the access device, or successful multi-factor authentication.

Duo’s custom control for Microsoft Entra ID Conditional Access provides strong secondary authentication for Entra ID logons, while Duo’s granular access policies and controls complement and extend the access controls in Entra ID. It is important to note that this integration only works with Commercial Entra ID tenants and does not work for Entra ID GCC or GCC-High.

This is one of the first major updates to the Duo Federal edition since its FedRAMP Authorization.

Duo Federal MFA & Duo Federal Access

Both the Duo Federal MFA and Duo Federal Access editions will be undergoing an upcoming update to the edition names similar to what the Duo Commercial edition had back in May 2023. These changes align with the Cisco Security Portfolio and reflect our comprehensive solutions and rich feature-set.

For the Duo Federal editions, Duo MFA will be renamed to Duo Essentials and Duo Access will be renamed to Duo Advantage. Regardless of the name change, they will continue to be federally compliant and FedRAMP authorized. Learn more about Duo’s Federal editions.

These Duo Federal editions support Authenticator Assurance Level 2 (AAL2) with Duo Push or Duo Mobile Passcode for both Android and iOS devices by default, out of the box, with no additional configuration required. Duo also supports AAL3 authenticators such as the FIPS YubiKey from Yubico.

Duo Care Premium Support available for Duo Federal

The Duo Care premium support program is available for our customers utilizing the Duo Federal editions.

This offering provides a dedicated team of Customer Success experts that will ensure your deployment is smooth and work with you through the lifecycle of your subscription to make sure you are maximizing the value of your Duo investment as your organization and business needs evolve.

In addition to the team of dedicated trusted advisors that serve as your strategic point of contact and technical experts, the Duo Care premium support program also includes extended support services such as 24x7 phone availability, priority ticket SLA, a VIP support line and more!

Download the Duo Care Information Sheet.

Get started with a free trial of Duo’s Federal Editions

Duo Federal MFA and Duo Federal Access editions are listed on FedRAMP Marketplace, and can be purchased via DHS’ CDM or by visiting our Federal editions page. If you would like to get started with a free trial of Duo’s Federal MFA and Federal Access editions, sign up through our Federal editions page and we’ll reach out to get you started!

]]>
<![CDATA[TOTP vs. HOTP: Which Option Provides Better Passcode Protection]]> dwakanda@cisco.com (Derrick Sison) https://duo.com/blog/totp-vs-hotp https://duo.com/blog/totp-vs-hotp Product & Engineering

OTP (one-time password) started off in the early 1980s specifically to be used as a cryptographic hash function for an authentication system. Fast forward to today: the concept itself is nothing new, and many companies have since patented their own delivery systems for how they generate and deliver these OTP codes. With a technology this mature come many attackers trying to compromise it through diverse techniques and behaviors. In recent years, we have seen attackers continue to try to compromise MFA by circumventing it or by going through it with phishing attacks.

While we still recommend security keys or Duo Push with Verified Push over other auth method options when feasible, we recognize that certain organizations, their environments, and where they are in their security journey still require the ease and flexibility of OTP passcodes. We want to meet you where you are and, in doing so, provide you with the most secure option possible. In this case, that is TOTP.

What is HOTP, what is TOTP & what is the big difference?

There are two options when it comes to OTP: Hash-based Message Authentication Code (HMAC) based One-Time Password, or HOTP for short, and Time-based One-Time Password, or TOTP for short. HOTP uses an event-based OTP algorithm: each code is tied to an event counter, and the code is invalidated once a user uses it. TOTP uses a time-based OTP algorithm: each code is tied to a specific time counter, and the code is invalidated once its time-to-use countdown hits zero. Duo now has both options available for users, with our recommendation to move strictly to TOTP once your organization can (we will discuss how to achieve this below).

Why use TOTP instead of HOTP?

Given how each option operates, HOTP is more susceptible to successful compromise if an attacker can phish and harvest these codes from a user. Combine this with a compromised primary credential and the attacker can take their time to plan out an attack or even use it for monetary gain. TOTP can impede and stop these types of attacks even if a previous OTP code was harvested or phished from a user: the TOTP code is invalidated after 30 seconds even if the user never used the code to begin with.

This raises the bar significantly over HOTP for organizations that still need to rely on the OTP method. We know that it is still a very effective preventative measure against the three types of attacks from the study above: bot attacks, bulk phishing attacks, and targeted attacks. Primary credentials alone remain far more vulnerable: 99.9% of compromised accounts do not have MFA, and 50% of those are the cause of breaches.
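The HOTP/TOTP mechanics described above and the harvested-code argument, as an added example that is not Duo's code: minimal RFC 4226 (HOTP) and RFC 6238 (TOTP) generators with simple server-side verifiers, showing that a captured HOTP code stays acceptable until it is consumed while a captured TOTP code stops working once its 30-second step passes. The secret and timestamps are the RFC test values, and the verifier window sizes are assumptions.

```python
"""Added example (not Duo's code): HOTP and TOTP generation plus server-side
verification, to show why a harvested TOTP code expires while a harvested HOTP
code does not."""
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed test data).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of HOTP: accept a code matching the next expected counter value
    (a small look-ahead window tolerates tokens pressed but not submitted), then
    advance past it so the same code cannot be replayed. Time plays no part."""

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:  # window assumed
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


class TotpVerifier:
    """Server side of TOTP: accept the code for the current time step (plus or
    minus `skew` steps for clock drift) and never accept a time step twice."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:  # skew assumed
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_step = -1       # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_step:           # replay of an already-used step
                continue
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


def harvested_code_outcome(delay_seconds: int) -> dict:
    """Model the scenario in the text: a code is captured from the user, the user
    never submits it, and it is presented `delay_seconds` later. Returns whether
    each scheme's server would accept it."""
    harvest_time = 1111111109     # RFC 6238 test timestamp (constructed)
    # HOTP: token and server are in sync at counter 0, so the captured code for
    # counter 0 is exactly what the server still expects, however long it waits.
    hotp_server = HotpVerifier(RFC_SECRET)
    hotp_code = hotp(RFC_SECRET, 0)
    # TOTP: the captured code belongs only to the time step around harvest_time.
    totp_server = TotpVerifier(RFC_SECRET)
    totp_code = totp(RFC_SECRET, harvest_time)
    return {
        "hotp_accepted": hotp_server.verify(hotp_code),
        "totp_accepted": totp_server.verify(totp_code, harvest_time + delay_seconds),
    }


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0), totp(RFC_SECRET, 59))   # RFC vectors: 755224 287082
    print(harvested_code_outcome(0))                   # both accepted: used at once
    print(harvested_code_outcome(3600))                # HOTP still accepted, TOTP not
```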

How Duo Mobile TOTP settings are configured & things you should know

To find the settings, navigate to your Settings section in your Duo Admin Panel left menu bar. From here click on Duo Mobile App and locate the Passcodes section. You will have three options to prepare your migration to TOTP with a final option to permanently disable HOTP.

  1. Do not generate TOTP codes in Duo Mobile.

  2. Generate TOTP codes in Duo Mobile for specific groups.

  3. Generate TOTP codes in Duo Mobile for all users, with an option to “Discontinue HOTP support permanently” when your organization is ready.

Prerequisite:

Mobile devices with Duo Mobile 4.49.0 or newer will generate TOTP codes when enabled in the setting above. Older versions of Duo Mobile will generate only HOTP codes.

Frequently asked questions:

I do not see the “Passcodes” setting at all in my Duo Admin Panel?

For customers who sign up a new Duo account after May 2024, these tenants will automatically be defaulted to utilize TOTP codes only. You will not see the “Passcodes” settings section shown below as this default is not interchangeable. This applies to both Users and Administrators.

What about my Administrators accounts?

Duo Administrators have been updated to support TOTP by default if they are on Duo Mobile 4.49.0 and later.

What if some Administrators still have an older version of Duo Mobile?

We will also support HOTP codes for Duo Administrators who have older Duo Mobile App versions until you change your Passcodes settings to “Discontinue HOTP support permanently” in your Admin settings. This is the only setting in the “Passcodes” configuration section that applies to both end users and administrators.

Best Practices for migration from Duo Mobile HOTP to TOTP

Given that this will be a change to the OTP method, we have implemented options in the settings to allow your organization to migrate to TOTP as slowly or quickly as is feasible for your users. Note that the delivery, end users' usage, and experience do not change at all and will be seamless from an end user perspective. The main difference in experience will be the time allotted for the end user to input the code before it expires and the visible countdown on the end user's Duo Mobile App screen once TOTP is enabled.

Disabling HOTP Codes in Duo Mobile App Permanently

In both cases, we recommend waiting for a set period to review and monitor your users' authentications before completing the ultimate step of Discontinuing HOTP support permanently for Duo Mobile App. Two important notes:

  1. This setting is only for Duo Mobile App and will not affect your OTP Hardware Tokens.

  2. This setting is permanent once you save the discontinued use of HOTP codes. This action cannot be reversed; the goal is for all accounts to use the more secure TOTP option for your Duo-protected apps.

Easily monitor & keep track of your migration with Duo’s robust logging & reporting

Your administrators will have complete visibility during testing, migration, and finally disabling HOTP codes through Duo’s authentication logs. From Duo’s authentication logs, you will see a clear distinction between users who use HOTP and TOTP codes to help your organization through the process of migrating to TOTP in the various stages as shown in the example below. To get to your logs, you can gather them directly in your Duo Admin Panel by navigating to Reports → Authentication Log, or through Duo’s Admin API (application programming interface) for a customized view.

While TOTP is not a “one solution to rule them all” that stops all phishing attacks, it is a step forward that dramatically reduces the exposure to this attack vector that HOTP brings to the table, making it more difficult to compromise users' accounts. In your journey to a Zero Trust architecture and hardening your security posture against all the old and new ways attackers try to compromise your environment, Duo has all the tools you need to make a big dent in thwarting cyber criminals and increasing your security.

On top of TOTP, you can layer additional security features to add to your arsenal with Duo like Risk-Based Authentication with novel IP detection for codes and impossible travel, Trusted Endpoints to only allow access to a Trusted machine deemed by your organization, passwordless authentication, and Single Sign-On to name a few.

For interested customers who would like to continue the conversation with a trusted advisor and further strategize a customized plan for your migration and best practices, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.

Additional resources

]]>
<![CDATA[Revolutionizing Palo Alto VPN Access With Duo SSO]]> lgreer@duo.com (Landon Greer) https://duo.com/blog/revolutionizing-palo-alto-vpn-access-with-duo-sso https://duo.com/blog/revolutionizing-palo-alto-vpn-access-with-duo-sso Product & Engineering

Join the thousands of Palo Alto firewall customers who take advantage of protecting Palo Alto VPN logins with Duo Single Sign-On via SAML 2.0 to help prevent unwanted access and streamline the user experience. Duo is a leading identity security platform that protects access to all applications, for any user and device, from anywhere. It is designed to be easy to use, administer, and deploy while providing complete endpoint visibility and control.

Duo SSO simplifies the authentication process for users by providing a single point of access to multiple applications. When paired with Palo Alto’s GlobalProtect VPN, it creates a fortified security perimeter that not only safeguards sensitive data but also ensures compliance with regulatory requirements. You may be asking yourself, ‘I already have Duo protecting my Palo Alto GlobalProtect VPN via RADIUS with the Duo Authentication Proxy, why would I modernize to Duo SSO?’ We could answer with the security implications that come along with RADIUS as a protocol as it further ages, but instead I think it is best that we talk about that as well as the further enhancements that you will receive without any change in your Duo licensing costs.

Reasons to move to Duo SSO with Palo Alto VPN

All of the following functionality is only available for Palo Alto VPNs using the Duo Universal Prompt and protecting Palo Alto Firewalls with SAML 2.0. Duo will continue to invest in our focused security principles through the Duo Universal Prompt, so be sure to keep an eye out for new policy improvements.

Secure:

Duo's Verified Push multi-factor authentication (MFA) and passwordless biometric FIDO2 MFA options protect against phishing attacks by delivering a secure and frictionless user experience no matter if on mobile, laptop or using a security key. Duo's contextual access policies adapt to factors like unknown or untrusted devices, location, risk correlation, artificial intelligence and user behavior analytics to continuously verify identity and authorize access.

Simplify:

Duo’s simply easier for all. Easier for admins to configure, deploy and manage, while being easier for users to enroll, authenticate, self-remediate and self-service. It’s also easier for the help desk team to solve problems with Duo’s simple to use troubleshooting tools and detailed event logs. Last, it’s easier for security operations analysts to review and analyze threat data to resolve risk faster.

Control:

Duo's platform provides robust, integrated ITDR and ISPM capabilities powered by Cisco Identity Intelligence, which provides identity security visibility from posture risk to advanced security threats with analysis from across your identity stack. This comprehensive set of tools allows visibility into all identities and devices accessing corporate applications, enabling zero trust security for any user on any device and quickly mitigating risk.

How to protect & modernize Palo Alto GlobalProtect VPN logins with Duo

Integrating Duo SSO with Palo Alto’s GlobalProtect VPN is a straightforward process that involves a few key steps:

  1. Configure Duo SSO within the Duo Admin Panel, adding users and defining authentication methods.

  2. Connect Palo Alto’s GlobalProtect VPN via SAML 2.0 to Duo SSO.

  3. Create Duo Policy requirements for Palo Alto by application or group.

  4. Validate the sign-in experience and test with a pilot group.

More detailed instructions can be found on Duo Docs.

Modernize security without sacrificing productivity

Duo SSO quickly connects to your identity provider of choice and integrates with any SAML or OIDC application with dedicated integrations for:

With Cisco Duo Single Sign-On, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.

Start closing your cybersecurity readiness gap. Contact Cisco Duo today.

]]>
<![CDATA[UX: Your Passport to Better Security]]> gdikeako@cisco.com (George Dikeakos) https://duo.com/blog/ux-your-passport-to-better-security https://duo.com/blog/ux-your-passport-to-better-security Product & Engineering

Imagine a bustling city. Each day, its citizens follow a rhythm: waking up, commuting to work, engaging in their tasks, and returning home. In macroeconomics, analyzing such behaviors helps predict broader economic trends. How are they commuting to work? What are most people spending their money on? Similarly, in cybersecurity, considering the user as a whole entity—both as an employee and in their daily routines—yields significant insights. What applications are they authenticating to? What are the risks associated with this authentication?

In the realm of cybersecurity, user experience (UX) plays a crucial role in ensuring effective security measures. Just as understanding daily behaviors in a city can lead to better urban planning, focusing on UX in cybersecurity can lead to more secure and user-friendly environments.

Onboarding and Offboarding

Traditionally, onboarding and offboarding are associated with the beginning and end of an employee's tenure. Much like the daily rhythm of a city, it's equally important to think about these processes daily. Just as an employee starts their day by logging into various systems and ends it by logging off, each session can be considered a micro-onboarding and offboarding event. This daily cycle is crucial for maintaining security without compromising user experience.

Now imagine Lee, an end user. He starts his day by logging into his computer and accessing various applications. Each login represents a potential security risk if not managed properly. Duo simplifies this process. By thinking of onboarding and offboarding as daily events, we can ensure that Lee's interactions with their work environment are both secure and efficient.

Duo Passport

Lee’s day improves significantly with Duo Passport. Without it, they would need to repeatedly log into different applications, a process that is not only time-consuming but also increases the risk of security lapses. Duo Passport simplifies application access and reduces logon fatigue by sharing remembered device sessions between applications, whether accessed from a browser or a desktop client. With Passport, Lee logs in once, and their authentication status is maintained across all applications, both in the browser and on the desktop. This seamless experience means that Lee can focus on their work without constant interruptions for re-authentication.

For more information on Duo Passport, and how it plays a larger role in Continuous Identity Security, check out this blog post.

How does it work?

Duo Passport leverages Duo Desktop, which shares trusted session information across browsers and desktop applications. This integration allows Lee to maintain their authenticated state, reducing the need to repeatedly enter credentials throughout the day.

For instance, when Lee logs into a web application and opts to remember their device during the authentication flow, that trust session extends to desktop applications as well. This seamless experience means that logging into one service can authenticate access to others, streamlining Lee's daily workflow without compromising security.

To truly appreciate the benefits of Duo Passport, let's walk through a typical day for Lee.

Morning: Let’s get this day started

Lee begins the day by logging into their Windows computer. They complete the Cisco Duo authentication process, selecting the option to remember the device. With Passport, this initial authentication carries over to other applications. As Lee opens their email client, they don't need to log in again. The trust session established during the Windows login extends to the email application, saving time and reducing frustration.

Midday: I’m on a roll

Throughout the day, Lee moves between various applications—project management tools, internal chat systems, and cloud-based storage solutions. With Passport, each transition is smooth. When Lee switches from the browser to a desktop application, the trusted session persists. Lee can access the resources needed without repeatedly entering credentials.

Afternoon: I need a change of scenery

As the day progresses, Lee decides to work from a different location. They move to a conference room for a meeting. Duo Passport adapts to this change. If the system detects a significant security event, such as an unusual login location, it prompts Lee to re-authenticate. This ensures that security remains robust even as the user environment changes.

Evening: Oops, I forgot to submit my timesheet!

At the end of the day, Lee logs off their computer. The trust session established by Passport remains in effect until it expires according to the configured policy. This means that if Lee logs back in later that evening to check on a project, they won't need to re-authenticate every application. The balance between convenience and security remains intact.

Think about an organization with hundreds of employees like Lee. If every employee saves just a few minutes each day by not having to log into applications repeatedly, the overall time savings are significant. More importantly, reducing the hassle associated with security protocols makes it more likely that employees will follow them, which strengthens the organization's security.

Conclusion

In cybersecurity, the importance of a seamless user experience is often underestimated. Yet, it’s crucial for the adoption and effectiveness of security products. Cisco Duo shows how focusing on user experience can boost security by increasing user adoption. Viewing onboarding and offboarding as daily events rather than just at the start and end of employment can create a more secure and efficient work environment.

By integrating Duo Passport, companies can provide their users with a smooth, secure, and efficient workday. This balance between user experience and security not only makes the workday easier for employees but also enhances overall productivity and security, highlighting the thoughtful design of Cisco Duo.

When you think about it, the parallels to macroeconomics are clear: just as an economy prospers when its citizens can go about their daily lives smoothly, an organization thrives when its employees can navigate their digital workspaces effortlessly. Cisco Duo, with its Passport feature, creates this seamless experience, proving that great user experience and strong security can work hand in hand to drive organizational success.

Start a Free Trial with Duo today to see Duo Passport in action!

]]>
<![CDATA[Understanding Identity Acronyms: What Are ISPM & ITDR?]]> mrotar@cisco.com (Mike Rotar) https://duo.com/blog/what-are-ispm-itdr https://duo.com/blog/what-are-ispm-itdr Industry News

The challenge: Limited visibility

Not all new software categories are created equal.

Cisco Talos reported in February that three of the top five MITRE ATT&CK techniques used in 2023 were identity-based, so identity needed some focused security attention.

Why? Access and identity sprawl is creating new security challenges for organizations of all sizes:

More likely than not, your organization has hundreds of applications across different departments and roles. The applications could be sensitive, privileged access, or not, and may be on-premises, SaaS-based cloud, self-hosted cloud or some combination. The identities (usually people, but sometimes service or machine identities) accessing the apps are likely working from anywhere, at any time, and maybe even from a work or personal device. They could be staff, but maybe there’s also temporary contractors or third parties who need controlled access.

The trouble with access policies

Access management policies that control access to applications are complex and typically unique per organizational role. They must be individually assessed frequently to ensure consistent enforcement of the organization's security strategy (hopefully, a zero trust security strategy). Given the complexity of policy, even the most advanced teams struggle to deploy, maintain and assess a strong access management policy posture standard that helps mitigate threats while also supporting a productive business. In 2022, Gartner saw this as a large enough security issue to create a new security software category called Identity Threat Detection and Response (ITDR).

Later in 2022, CISA bolstered this claim and posted an urgent cybersecurity advisory titled “Weak Security Controls and Practices Routinely Exploited for Initial Access”, which is CISA’s polite way of saying “your access management policy is weak and will get hacked”. Access policies are inherently complex, as human behavior keeps pushing new work boundaries, and they can be expensive to deploy, support and update securely while maintaining productivity across users and the IT and security teams supporting the infrastructure.

Ownership is likely spread across multiple IT departments: compliance and security teams, identity teams and other miscellaneous IT teams. In some scenarios, endless products cover parallel and competing use cases as well. This leaves organizations in a situation where vulnerable access policies are deployed to avoid friction across various stakeholders, teams and leadership.

ITDR & ISPM introduced

Around the time of the CISA advisory, former startups like Oort (acquired by Cisco in 2023, now Cisco Identity Intelligence) and Spera Security (acquired by Okta in 2023) began to gain traction with thought leadership around identity security. Regardless, bad actors were already planning large-scale user identity-based attacks, such as the 2023 casino breaches or the recent Snowflake breach, which prove that social engineering is getting easier, faster and cheaper with the advancement of artificial intelligence (AI) automated attack toolkits and services.

With the aggressive growth of identity-focused attacks, it's critical that organizations have a resource that ensures they have minimized their identity posture and threat risks so that bad actors cannot capitalize on hidden vulnerabilities across an organization's multi-vendor identity security posture — such as policy misconfiguration, poor security strategy, poor end-user posture/hygiene and more — and, as a result, align with the requirements of compliance auditors as well. We’ll do our best to define the emerging categories of Identity Threat Detection and Response (ITDR) and Identity Security Posture Management (ISPM) below, along with what you should look for in a solution.

What is ITDR, or Identity Threat Detection & Response?

ITDR, or Identity Threat Detection and Response, is an emerging security software category coined by Gartner. ITDR helps organizations detect and mitigate identity risk by surfacing identity posture and security threats from across your environment. ITDR evaluates risk by analyzing existing identity providers, human resources information systems and other enterprise apps simultaneously, detecting risk from policies, permissions, user authentication logs, security events and additional third-party telemetry. Once gathered, ITDR solutions can correlate data from across all source tools and will typically surface the most critical vulnerabilities first or provide an ability to sort based on severity, compliance frameworks, security architecture guidelines, application source and more. This data can often be sent to an external target, such as an XDR, SIEM, instant messaging applications, admin email distribution lists and more.

ITDR and ISPM solutions should also facilitate access management policies with a stronger, more reliable posture and threat signal for real-time risk assessment at the point of login or during an existing login session with correlation across identity providers, HRIS systems and enterprise apps.

What is ISPM, or Identity Security Posture Management?

ISPM, or Identity Security Posture Management, is a sub-category of ITDR focused on proactive identity posture assessment (not advanced security threat mitigation). This category is still emerging from ITDR, but some ISPM solutions have differentiated themselves by providing deeper posture mitigation than offered by standard ITDR solutions (such as user remediations).

Similar to ITDR solutions, ISPM solutions can correlate gathered data from across all source tools and will typically surface the most critical posture and hygiene risk first or provide an ability to sort based on severity, compliance frameworks, security architecture guidelines, application source and more. This data can often be sent to an external target, such as an XDR, SIEM, instant messaging applications, admin email distribution lists and more. ITDR and ISPM providers should also facilitate access management policies with a stronger, more reliable posture and threat signal for real-time risk assessment at the point of login or during an existing login session, with correlation across identity providers, HRIS systems and enterprise apps.

The Cisco Identity Intelligence team has a list of 50+ examples of posture risks and security threats for you to review which can help disambiguate between posture and threat risk.

Why are ITDR & ISPM important?

Identity and access management (IAM) policies are complex, unique per organization and are frequently poorly configured. ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management) solutions are important because they provide visibility and control over your organization's identity posture (ISPM) issues and security threats (ITDR) in a single, comprehensive interface with correlation from across your identity stack — including identity providers (IdP), enterprise applications and human resource information systems (HRIS) — so your administrators can put in place stronger access management policies and strengthen access requirements. In the future, ITDR and ISPM will continue to be developed into a risk signal for identity and access management (IAM) policy for a stronger, proactive security response.

What should I look for in an ITDR & ISPM solution?

An ITDR (Identity Threat Detection and Response) or ISPM (Identity Security Posture Management) solution should:

  • Connect and protect a multi-source list of connected target identity providers, human resources information systems (HRIS) and critical enterprise applications.

  • Control and visualize with a robust list of security and posture alerts that are based on a strong multi-source collection of security threat and posture hygiene signals and support advanced report filtering such as compliance frameworks, regulatory standards, and more.

  • Alert and remediate with live or retro event data to IAM solutions, ITSM solutions, SIEM solutions, email or chat/messaging notification solutions or mitigation remediation solutions.

Connect & Protect

ITDR and ISPM should support the ability to connect and protect a multi-source list of connected target identity providers, human resources information systems (HRIS) and critical enterprise applications with the same level of integration and focus, or have roadmap plans to support them in the future. This may include identity providers such as Microsoft, Okta, Google, Auth0 or Ping, HRIS systems such as Workday or SAP, and enterprise applications such as Salesforce.

Control & Visualize

ITDR and ISPM should allow the ability to control and visualize with a robust list of security and posture alerts based on a strong multi-source collection of security threat and posture hygiene signals. The collection of signals should come from reliable sources including the target identity providers, human resources, enterprise applications, access devices, access telemetry, threat feeds, security solution integrations and more to understand the full impact of each posture or risk alert. 

An ITDR and ISPM solution should also support advanced report filtering such as:

  • Identity hygiene view/filter that identifies posture-based risk such as identity hygiene, no/weak MFA, dormant accounts, over-privileged users and more

  • Identity threats view/filter that identifies active identity-based threats to your organization based on signals provided from geo-location, device telemetry, external identity or security sources, anomaly detections, impossible travel and more

  • A compliance, regulatory and security framework monitoring view/filter that identifies alignment across CIS, CMMC, MITRE, NIST, PCI and SOX standards

  • An idle license insight view/filter that allows you to review identity licensing usage across connected target identities, human resources and enterprise applications

Alert & Remediate

The ITDR and ISPM solution should make it simple to act, with alert and remediation options either natively or to your external target of choice: Identity and Access Management solutions (such as Microsoft and Duo) to influence access policy, SIEM (such as Splunk) or XDR (such as Cisco XDR) to correlate with other threat events, ITSM (such as ServiceNow or Jira) to submit new requests or tickets, and urgent email notifications or instant messaging notifications to your platforms of choice such as Google, Microsoft 365, Cisco Webex, Slack and Microsoft Teams. The event stream should support the format of the preferred target solution and provide clear, actionable logs with correlated data points.
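To make the cross-source correlation concrete, here is an added example written for this post; it is not code from Cisco Identity Intelligence or Duo. It runs a small ISPM/ITDR pass over three constructed inputs of the kinds named above (an IdP user export, an HRIS roster and IdP authentication log lines), produces the hygiene findings listed in the Control & Visualize section (no/weak MFA, dormant accounts, terminated-but-active accounts) and the threat findings (impossible travel, logins by terminated users), sorts them most severe first, and serialises them as newline-delimited JSON for a SIEM-style target as described in this section. Every user, timestamp, coordinate, the four-level severity scale, the 90-day dormancy window and the 1000 km/h impossible-travel threshold are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}   # assumed scale
STRONG_MFA = {"webauthn", "totp"}        # assumption: SMS is treated as weak
AS_OF = datetime(2024, 6, 1, 12, 0, 0)   # constructed "now" for dormancy checks
DORMANT_AFTER = timedelta(days=90)       # assumed dormancy window
MAX_SPEED_KMH = 1000.0                   # assumed impossible-travel threshold

# Constructed IdP user export: enrolled MFA factor and admin flag per user.
IDP_USERS = [
    {"user": "alice", "mfa": "webauthn", "admin": False},
    {"user": "bob",   "mfa": "sms",      "admin": True},
    {"user": "carol", "mfa": None,       "admin": False},
    {"user": "dave",  "mfa": "totp",     "admin": True},
]
# Constructed HRIS roster: employment status per user.
HRIS = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}
# Constructed IdP auth log: "<ISO time> <user> <result> <city> <lat> <lon>".
AUTH_LOG = """\
2024-06-01T08:00:00 alice success Ann_Arbor 42.28 -83.74
2024-06-01T09:15:00 alice success Ann_Arbor 42.28 -83.74
2024-06-01T09:45:00 alice success Singapore 1.35 103.82
2024-06-01T10:00:00 bob success Austin 30.27 -97.74
2024-06-01T10:05:00 carol success Denver 39.74 -104.99
2024-02-01T10:00:00 dave success Austin 30.27 -97.74
"""

def parse_auth_log(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, result, city, lat, lon = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user, "result": result,
                       "city": city, "lat": float(lat), "lon": float(lon)})
    events.sort(key=lambda e: e["time"])
    return events

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def posture_findings(idp_users, hris, events):
    """ISPM-style hygiene checks correlating the IdP export, HRIS and login history."""
    last_login = {}
    for e in events:
        if e["result"] == "success":
            last_login[e["user"]] = e["time"]   # events are time-sorted, so last wins
    out = []
    for u in idp_users:
        name = u["user"]
        if hris.get(name) == "terminated":
            out.append(("critical", "posture", name, "account active in IdP but terminated in HRIS"))
        if u["mfa"] is None:
            out.append(("high", "posture", name, "no MFA enrolled"))
        elif u["mfa"] not in STRONG_MFA:
            out.append(("high" if u["admin"] else "medium", "posture", name, f"weak MFA factor ({u['mfa']})"))
        seen = last_login.get(name)
        if seen is None or AS_OF - seen > DORMANT_AFTER:
            out.append(("high" if u["admin"] else "medium", "posture", name, "dormant account (no login in 90 days)"))
    return out

def threat_findings(hris, events):
    """ITDR-style checks: impossible travel between consecutive logins, terminated-user logins."""
    out, prev = [], {}
    for e in events:
        if e["result"] != "success":
            continue
        if hris.get(e["user"]) == "terminated":
            out.append(("critical", "threat", e["user"], f"successful login by terminated user from {e['city']}"))
        p = prev.get(e["user"])
        if p is not None:
            hours = (e["time"] - p["time"]).total_seconds() / 3600
            km = haversine_km(p["lat"], p["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                out.append(("high", "threat", e["user"], f"impossible travel {p['city']} -> {e['city']} in {hours:.1f}h"))
        prev[e["user"]] = e
    return out

def run(idp_users, hris, auth_log_text):
    """Correlate all three sources; return findings sorted most severe first."""
    events = parse_auth_log(auth_log_text)
    findings = posture_findings(idp_users, hris, events) + threat_findings(hris, events)
    findings.sort(key=lambda f: (-SEVERITY[f[0]], f[2], f[3]))
    return [{"severity": s, "category": c, "user": u, "detail": d} for s, c, u, d in findings]

def to_siem_ndjson(findings):
    """One JSON object per line, a common ingest shape for SIEM/XDR targets (assumption)."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)

if __name__ == "__main__":
    print(to_siem_ndjson(run(IDP_USERS, HRIS, AUTH_LOG)))
```

Each finding carries a `category` of `posture` or `threat`, which is the distinction the post draws between ISPM and ITDR output; the terminated user appears under both, once as a hygiene gap (the IdP account was never disabled) and once as an active threat (the account was used after termination). A real product would replace the inline data with live connector pulls and the severity constants with configurable policy.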

The ITDR & ISPM Solution Checklist

Based on Duo research, we put together a simple three-step ITDR and ISPM Solution Checklist that may help your journey:

  1. Can you connect and protect a multi-source list of your target identity providers, human resources information systems (HRIS) and critical enterprise applications?

  2. Can you control and visualize a robust list of security and posture alerts based on a strong multi-source collection of security threat and posture hygiene signals? Can you support your advanced report filtering needs such as compliance frameworks, regulatory standards and more?

  3. Can you alert and remediate with live or retro event data to your target IAM solutions, SIEM solutions, ITSM solutions, email or chat/messaging notification system or additional remediation solutions?

We hope this helps you on your identity security journey.

Does Cisco Duo have an ITDR or ISPM?

Yes, Cisco Identity Intelligence is Cisco's ITDR and ISPM solution. Cisco Identity Intelligence is available now to all Duo Advantage and Premier customers at no additional cost. Existing solutions in the market today are either too noisy with false positives, hyper-focused on legacy infrastructure or tailored for one specific identity solution. Current solutions lack the immediate, cross-platform enhanced visibility and value that customers seek. Cisco Identity Intelligence provides customers with unmatched visibility across their identity ecosystem in a single, comprehensive interface with low-noise insights based on a strong risk signal.

To learn more about creating a strong identity security strategy, be sure to watch our on-demand webinar Identity Under Siege: Strategies for Enhancing Security in a Zero Trust World.

Curious about your identity security hygiene? Schedule a Cisco Identity Security Assessment today!

]]>