The NCSC has published a series of guidance notes for U.K. enterprises on methods of mitigating cyber security risks. These notes are of significance as they provide support for those defining principles and policies for their cyber security strategy. A budget-battling chief information security officer (CISO) would be well-advised to refer to them as the NCSC advice is cross-referenced by other regulatory organisations, such as the Federation of Communication Services (FCS).

This latest guidance relates to multi-factor authentication (MFA) when using online services. Enterprise users are increasingly becoming “online” users as Digital Transformation programmes result in organisations increasingly adopting cloud-based solutions, bring your own device (BYOD) and remote work. It is safe to assume that MFA will become a common control to enable this change.

The guidance recognises issues with relying on passwords. These can be relatively easily bypassed through a range of methods. These include the use of mass sets of compromised passwords; the use of social engineering attacks such as phishing; or mass attacks such as “password spraying.” During a password-spray attack, an attacker uses a single password against many different accounts, then moves onto a second password. This allows them to remain undetected by avoiding account lockouts.

At Duo, we believe a risk-based approach is required when it comes to implementing MFA. The policies implemented will depend upon firstly, the users being authenticated, and secondly, the level of importance of the service or application being accessed. For example, those with administrator privileges should always be subject to additional controls as they have greater authority over services and applications.

Amongst the advice given is:

• Limit access to services to devices that are managed or trusted
• Use an app on a specific device, including managed or personal devices
• Have a separate physical security key as your second factor, such as a YubiKey

The Duo approach to securing the organisation reflects much of the guidance, focusing on the following:

• Validation that the device has a set level of security implemented. For example, a mobile phone should have an up-to-date operating system, have biometric controls enabled and not be jailbroken.
• Ensuring that an end user is authenticated before accessing services and that the access should be restricted according to the users’ requirements.
• Making security easy for the end user through the adoption of an adaptive authentication capability that enables authentication via multiple means.

Above all, Duo’s solution sets out to make the security controls easy for the end user and simple for the enterprise to implement. Without these characteristics built into a solution, no amount of guidance notes will help reduce the cybersecurity risk an enterprise faces in these times of constant change.

If you would like to read more, download Duo’s Securing the Modern Enterprise ebook. In this guide, you’ll get:

• An overview of how Duo helps modern enterprises with their security challenges
• The benefits of Duo’s trusted access platform to ensure the trust of users and devices for every application
• How Duo offers a scalable, future-proofed solution that can reduce risks for your enterprise organization

Authentication is increasingly becoming an issue for the enterprise CISO (chief information security officer). It is not new. It is well-established as a control. However, the extent to which it is used and its commonality is widening. As a newcomer to the company, one of the factors that attracted me to join was that Duo addresses this with a solution which is characterised by its simplicity in implementation and operation.

About ten years ago, I was speaking on a panel at a conference when the question of encrypting laptops arose. Should it be standard? One of the panel members was quite vociferous about the need to have all endpoints controlled in this way. Now it is standard practice and no one would think of releasing a laptop without encryption into the wild. The same trend is happening with multi-factor authentication (MFA). It is widely used, but will soon become a mandatory part of connecting to networks.

There are a number of drivers for this - the limitations of passwords are now understood. With reams of them available for criminals to buy and try, with technology-matching capabilities increasing and the ever-present issue of users understandably wanting to repeat passwords over the multiple sites with which they interact, the day of the password alone is over.

The broader issue is of identity - Is the person who they say they are? - is a constant riddle that requires solving at every login stage.

There are technical solutions around. However, these introduce complexity or user dependence, such as the ability to keep a token and not lose it. This limits the benefit of the control. The last thing a CISO wants is more complexity and increased technology management overhead. I have yet to hear a CISO complain that their team had nothing to do.

This issue was recently recognised by National Cyber Crime Centre (NCSC) when they embarked on an initiative called Secure by Default to push the use of authentication. The NCSC is, of course, the outward face of the UK’s Government Communications Headquarters (GCHQ). One of their recommendations is to:

“...enforce multi-factor authentication on your externally-reachable authentication endpoints.”

They put out a test and have published some of their case studies. The need for authentication is also recommended by the Information Commissioner's Office. With the ever-present emphasis on General Data Protection Regulation (GDPR), the introduction of the Secure by Design principle as a fundamental requirement is another driver.

Which, of course, gets us to the Duo position. The technology rollout has been proven to be straightforward on many occasions with clients at different levels of complexity and security maturity. No matter how great the solution, if it is resource-heavy at the implementation and operational stages, it becomes a negative weight on the CISO’s shoulders. A solution that brings in control whilst being easy and resource-light makes everyone’s lives a lot easier.

A key advantage is the ease of user enrolment. Intuitively, enabling users to engage themselves rather than have to go through a complicated process will result in greater acceptance of the security control. The nature of an easy push notification option to the mobile phone will bring security home to the user and will change the level of awareness. Providing alternative means of authentication such as SMS, a friendly voice down the line, U2F, a code or a hard token provides the correct level of user flexibility. Adaptive authentication, rather than a one means fits all approach.

Additional characteristics can be introduced to build a better picture of the device and the individual. To misquote Goethe, “Tell me with whom you associate and I will tell you who you are.” That broader picture of a user being more than just a login and a password, but, rather, an association of factors enables us to shed more light on their identity.

So to return to the beginning, if we look at the emphasis on MFA as being best practice and part of Secure by Default, or Secure by Design, we have to assume that it too will be a ubiquitous part of the CISO’s technology controls toolkit. It will provide the greater picture and the increased control needed as passwords fade into history. Provided it is simple.

Summary

• Duo and Sophos are working together to make it easier to gain visibility and control over personal vs. corporate devices, dramatically reducing the risk of BYOD.
• Duo customers can now use Trusted Endpoints with Sophos Mobile as their endpoint management tool to identity managed devices.
• This integration is available for customers using Duo Beyond and Sophos Mobile 8.

The rapid adoption of mobile devices and bring your own device (BYOD) initiatives in corporate environments has allowed employee productivity to flourish – it’s now possible to work from anywhere, anytime. But it has also introduced security complexities that organizations continue to struggle with, even with the adoption of traditional mobile device management (MDM) solutions.

When we talk with our customers, we frequently hear questions about how to design the ideal BYOD security program: “Should we be managing our employees’ personal devices? Should we require them to be enrolled in our corporate MDM? What applications should we make available to them on their personal devices? What applications should we restrict? How do we enforce this?” Every customer, no matter the size or industry, asks these questions.

Duo + Sophos

Today, we are excited to announce an integration with Sophos to help our mutual customers mitigate their BYOD security risks by making it easier to gain visibility and control over personal vs. corporate mobile devices.

You can now use the Trusted Endpoints feature in Duo Beyond to identify and differentiate iOS and Android devices managed by Sophos Mobile from other personal, unmanaged mobile devices. Duo is constantly increasing the coverage of device management tools you can use to identify your managed device fleet and incorporate this information into your access management decisions. Our new integration with Sophos Mobile is a major step in that direction.

How Does It Work?

The Trusted Endpoints feature, which allows you to differentiate between managed and unmanaged devices when enforcing access policies, is currently only available to Duo Beyond customers. You must also be on Sophos Mobile 8 to utilize this new integration.

You can configure the new Sophos Mobile integration from the ‘Trusted Endpoints Configuration’ Tab in the Duo Admin Panel. Click on ‘Add Integration’ and select ‘Sophos Mobile’ under the list of ‘Management Tools.’ Configuration instructions will be available for Android and iOS devices.

Once you are finished configuring the integration between Sophos Mobile and Duo, you can now create access policies based on the management status of any mobile device. Like any other policy, Trusted Endpoints policies can be configured at a global or application-specific level, for both laptops/desktops and mobile devices. We commonly find that customers will require highly-sensitive applications to be accessible from only corporate-managed devices, while lower-risk applications can be accessed from any device.

You can click here to see detailed instructions for configuring Trusted Endpoints with Sophos Mobile

You can click here to see how to configure access policies based on the management status of a device.

You can also learn more about our work with Sophos by:

• Visiting the Duo-Sophos page
• Reading our press release

Cloud and mobile technologies have accelerated the IT modernization journey for federal agencies. The shift has the government hustling from cloud-first to cloud-everything.

These modern technologies necessitate a modern approach to security - the government needs ways to protect this move to the cloud, especially as the traditional perimeter-based security model continues to erode.

Former U.S. Federal CIO Tony Scott recommends implementing strong authentication for all agencies and all users. Meanwhile, regulations from the National Institute of Standards and Technology (NIST) require federal agencies and contractors to use strong authentication controls to secure access to critical information systems and applications.

To truly leverage cloud and mobility, federal agencies must alter how they allow users to access their devices. It starts with stronger authentication controls, and includes the ability to identify at-risk devices and support every application. This leads to trusted access.

In our new ebook, The Path to IT Modernization: Five Steps to Protecting Government Systems, you’ll learn:

• How cloud and mobile adoption are accelerating IT modernization in federal agencies
• How stronger authentication controls and simplification of smart card access drive modernization efforts forward
• How identifying at-risk devices and using solutions like single sign-on (SSO) can improve security
• How a trusted access framework is a key component in federal IT modernization initiatives

IT modernization for federal agencies is a marathon, not a sprint, but there are steps agencies can take today that will help them move away from legacy solutions and toward modern technologies.

Download The Path to IT Modernization: Five Steps to Protecting Government Systems to get a five-step approach to federal IT modernization that will help agencies secure access to applications in cloud and mobile environments.

Organizations of all sizes are increasingly adopting cloud technologies. While moving to the cloud leads to higher productivity, improved scalability, easier collaboration and more, it also introduces a new set of security challenges.

First, we’ll dive into a few examples of why cloud applications are being targeted. Next, we will go through a few of the different security risks associated with all cloud applications. Then, we explore what security controls can reduce the risks and prevent attacks associated with moving your organization to the cloud.

What Cloud Applications Are Being Targeted and Why?

Different cloud applications come with different types of data collected, processed, stored and transmitted - here's a few of the security risks associated with popular cloud applications used by organizations today.

Microsoft Office 365 and Google Suite

These applications are used to house sensitive information such as intellectual property, trade secrets and company financials. A compromised employee email account can also be used to reset users’ passwords for other systems, which allows attackers to move laterally within an organization to gain access to more applications.

Workday, Netsuite and Other Backend Systems

These systems are frequently successfully targeted for financial gain. Fraud examples include the changing of payment and direct deposit data in efforts to redirect payments and paychecks to attackers’ bank accounts. Other attackers will attempt to gather employee information and sell identities.

AWS, Microsoft Azure, Google Cloud Platform

Often business-critical applications are targeted for financial gain. These include customer services and applications that process personally identifiable information and payment card processing. Attackers may also run unauthorized instances, racking up charges on an organization's account.

Risks Applied to Cloud Technology

Transitioning from on-premises to the cloud means more accessibility. The increased security surface is large, as anyone in the world can attempt to gain remote access to your systems. Limited research is required by hackers to find the attack surface as they can go directly to the login portals for Office 365, Google Suite or Workday and try to log in.

Attacks can also originate from any device, whether it be mobile, laptop or a desktop, attempting access to your cloud services from another country. An organization does not have visibility into all of these different devices. Out-of-date devices that have not been updated to the latest, most secure software are able to connect to high-risk applications, putting the service at risk of compromise and potential malware infection.

Access Security Controls to Reduce Risk for Cloud Applications

To reduce security risks, organizations should start by securing user access, network access and device access.

Secure User Access

• Elevate security policies for privileged applications and users.
• Enable single sign-on (SSO) with multi-factor authentication for all cloud apps.
• Audit user cloud app permissions using the concept of least privilege to provide access only to users who require access.

Secure Network Access

• Deny traffic from known risky networks such as Tor, anonymous, and proxy networks.
• Only allow access to cloud apps based on the geolocation of the users.
• For high-risk cloud applications, require users to be connected to a corporate network.

Secure Device Access

• Gain visibility into devices accessing cloud services.
• Block devices that are out-of-date and at risk of malware.
• Require newer mobile devices that have more advanced security controls such as a hardware security module (HSM), TouchID, FaceID and encryption.
• For high-risk cloud applications, require devices to be corporate-managed by an Enterprise Mobility Management (EMM) solution to ensure only trusted devices are able to access your cloud services.

Adopting and deploying the above security measures will enable your organization to continue on your journey to the cloud without worry or hesitation.

How Duo Beyond Can Help

Duo Beyond provides the granular security controls you need to provide the controlled access to your cloud applications. Learn more about Duo Beyond: https://duo.com/product

Last week Duo attended Apple’s Worldwide Developer Conference, known as WWDC, in sunny San Jose, California to learn about what’s new with Apple’s major annual OS upgrades and to consider what they mean for Duo and our customers once these updates ship to Apple customers later this fall. Check out what’s new in macOS Mojave, iOS 12, and watchOS 5.

The theme of this year’s WWDC was focused on improved performance and increased stability with a big focus on intelligence features, augmented reality and accessibility. We worked with Apple designers and engineers in the labs, attended countless sessions, and even met a handful of awesome Duo fans (who got some awesome swag!).

Duo at WWDC: Taylor McCaslin, Mobile Product Manager and Mike Brown, Lead iOS Engineer

Security Improvements

Below are some of the improvements that our team found interesting and that developers should take note of as they are considering how these new updates impact their applications in the Apple ecosystem:

General Platform Improvements

• Automatic Strong Passwords and Security Code AutoFill - password management workflows within the Apple ecosystem are about to get much more efficient and streamlined.
• Webkit Security Improvements - support for the latest web standards and improvements bringing new security technologies in Webkit
• Safari Intelligent Tracking Prevention 2.0 - increased protections to block tracking users around the web and device fingerprinting.
• Beta Tester Public Links in App Store Connect (Formerly iTunes Connect) - support for the ability to invite users to join TestFlight beta builds of iOS and MacOS apps. We look forward to opening a public beta program for Duo Mobile later this year.
• Apple Business Manager - a new tool for enterprises to configure, deploy, and manage Apple devices.
• Restricted access to user content on macOS Mojave - further protections from applications accessing user data.

iOS-specific Improvements

• Official Depreciation of UIWebView in favor of WKWebView
• ASWebAuthenticationSession API - a new mechanism for creating SSO experiences between native apps and safari.
• Grouped Notifications
• Interactive Notifications - a new feature to make richer more interactive notifications that we will be considering for support in Duo Mobile to streamline Duo Push approval.
• iPhone X-like gestures on iPad - we love the iPhone X and it’s fluid gesture interface, we’re thrilled to see that consistency being brought to iPad.

You can learn more about what’s new on all of Apple’s platforms by checking out these “what’s new” developer pages: iOS 12, macOS 10.13 Mojave, watchOS 5, tvOS 12, Safari 12.

There were some other fantastic WWDC presentations that we really enjoyed watching, and recommend for your viewing:

• Designing Fluid Interfaces - Learn how to design gestures and animations that feel intuitive and natural and will make your app delightful.
• Better Apps Through Better Privacy - Learn how to apply privacy engineering techniques to your apps so you can build trust with users to unlock better experiences and engagement.
• Intentional Design - Learn key techniques for being intentional with your design by choosing appropriate metaphors, making extreme choices, and making every interaction feel more authentic and natural.
• Your Apps and the Future of macOS Security - Learn about new protections for user data, new capabilities with Developer ID, and how you can best secure your apps.

We are still digging into everything Apple announced at WWDC and will be considering how that will impact our product. I can say, however, that we will have support for iOS 12 in Duo Mobile on day one when it is released to the public later this fall. We will also be ensuring that our Mac Logon solution is compatible with macOS Mojave.

At Duo, we attend these industry developer focused events to learn what’s new and how it might impact our products and our customers. We investigate and explore these new technologies to consider how they might improve our product in the future and to ensure we’re bringing our customers the latest capabilities for greater security and better usability. Be sure to keep an eye on our blog for future announcements of support for these new technologies once they are released to consumers this fall.

We’ve been hard at work improving our reporting capabilities in the Duo Admin Panel, which we introduced in May. We’ve talked about some of the technical aspects of building the data visualizations as well as how we improved our data pipeline to make the visualizations possible.

Now that we’ve talked about the tech, let’s talk about how we decided what to build in the first place from the Product Design perspective. I’ll give you a glimpse into how the teams at Duo work together and the process that we go through to solve customer problems.

How It All Began

It all started with the initial goal of making the dashboard useful. We hadn’t updated the dashboard to reflect our new features in quite some time - the metrics at the top were stagnant numbers and we frequently heard that the World Map was pretty to look at, but not very valuable for day-to-day administration and monitoring.

Like with all of our design projects at Duo, I started with the Discovery and Research phases. The goal during these phases is to gather as much information and context surrounding the project as we could.

I started the Discovery phase by collecting examples of data visualizations and dashboards from a variety of industries. When searching for inspiration, it’s helpful to look outside of industry competitors. In addition to security dashboards, I looked at examples from sports, banking, marketing, social media and even our own users’ custom dashboards.

Next, we worked on the Research phase, where the goal is to uncover customer problems. My engineering lead, product manager and I interviewed a dozen of our customers to understand what we could do to make the Duo Admin Panel dashboard more useful. At the mention of the word “dashboard,” many were kind enough to share their custom Excel charts and Splunk dashboards they’d made in lieu of Duo’s lack of robust reporting.

Tip of the Iceberg

It quickly became clear that Duo’s dashboard was the tip of the iceberg. One of the guiding principles of the Duo Product Design team is to “Make data actionable.” The more customers we talked to, the more it became obvious that making data actionable went much, much deeper than the front page.

Not only that, every event or object in the Duo Admin Panel is inherently related to one another, which meant that when an admin investigates an issue with one, they want to figure out if it’s part of a larger trend. Authentications are created by users who are using devices to get into applications.

If we wanted to make the dashboard more useful, we’d need to start a level lower by looking at the overall reporting capabilities of the Admin Panel. So, we massively increased the scope of the project. I was lucky enough to have an extremely supportive product manager and engineering team who told me, “Shoot for the sky, Lulu, and we’ll catch up.”

Synthesis and Ideation

Upon realizing the much larger scope of the problem, I did what every stereotypical designer does. I broke out the (virtual) sticky notes.

I worked with another designer to take all the findings we had gathered from our interviews and started clustering everything into themes. These groupings helped us break down the problem into discrete, smaller problems that we could tackle.

After understanding these themes, we started sketching and putting together wireframes. We worked closely with the developers to review the ideas, so they could build the right supporting data structures and we could design something technically feasible.

But there was a bit of a problem. Engineering knew we would have to make a huge move to a new database structure (thus extending the timeline), and Product knew that customers needed better reporting very soon (thus shrinking the timeline). This resulted in the perfect storm of “Important” vs. “Urgent” work.

So we put a plan together to provide value to customers based on existing technical constraints, as the overall engineering team was working on figuring out the right database to build and migrate toward to support our long-term aspirations.

As a designer, part of my job is to take the constraints given by my partnering teams and make designs that fit those, while delivering value to the user. So, what could be done?

Start Simple and Build Up

Looking at all the wireframes and themes and sketches, our team started with what we could do right now, while still building toward the final vision. This allowed us to lay down the groundwork for more sophisticated reporting, all while providing incremental value and testing our designs to see if we were on the right track.

We started by giving the Authentication Logs (shortened to Authlogs) a seemingly simple facelift to increase the readability and comprehension of the data. Under the surface, we were actually setting up the page on React to build the foundation for future reports.

Along with these visual updates, we added “Admin Accelerators” throughout the Admin Panel. These were snippets of aggregated data that made the user’s job more efficient.

Things like:

• Surfacing the number of users in Bypass or Locked - Out status (Users page)
• Showing how many licenses were left (Dashboard)
• Showing how many bypass codes existed, who made them and pointing out the riskier ones (Bypass Codes page)

Although these seem like small features, we were solving real customer problems incrementally, and each step helped to build our technology stack to support the larger vision for reporting.

Data is Served!

When the new database engine was ready to use, design was ready and raring to go. We had been sitting on all these amazing insights about the most impactful data our customers wanted. I immediately wanted to jump into designing reports that showed suspicious authentications, blocked activity, and bypass risks! But slow and steady wins the race, and the best method was to continue delivering incremental value to build up to the bigger picture.

First, we addressed our customer’s biggest challenge with our Authlogs by building robust filters - based on time, type and events. This was a huge win for our customers that relied on the GUI reporting to investigate errors or suspicious events.

At the same time, we began building our first report: the Authentication Summary Report, which shows a higher level view of a customer’s environment. After that, we built the Deployment Progress Report, which shows the progression of customer’s adoption of Duo. Following that, we created the Denied Authentications Report, which dug deeper into just the adverse actions like denied authentications and why users were failing to authenticate. You can read more about these reports in this overview blog post.

Each report required a little bit more functionality to be added on top of the infrastructure we built, but we were able to release them incrementally and provide value to customers instead of waiting until all parts were complete. As the reports were being released, we continued to interview our customers about their value and usability. These continuing interviews helped us adjust the designs and also informed our future roadmap for reporting.

Back to the Beginning

Finally, like a heroine arriving home after a long, long journey, we returned to the start: Duo’s dashboard. In truth, the dashboard didn’t get a giant facelift or a big bundle of new features. We rebuilt the dashboard on top of the new structures and swapped out some of the metrics for new, more meaningful ones. The cherry on top of a brand new beginning.

In conclusion, this was a huge, huge team effort. There were lots of other designers, developers, product managers, managers and customers involved. We hired a lot of people throughout the process and even spun up two new teams, Data Engineering and Data Science, to work specifically with data, and even hired a product manager just for this function. Looking to the future, we’re continuing the journey by building more reporting capabilities, improving the existing ones, and leveraging our data to further help customers secure their users. Thanks for sticking along for the ride!

One of our core values at Duo is “Engineer the Business.” Just as we engineer, iterate on, and improve our product, we apply that same mentality to the processes, systems, and tools that power our organization.

Since I joined Duo in February 2015, we’ve had a ladder for software engineers to follow as they progress in their career. We use the ladder as a tool to evaluate promotion readiness, overall job performance, and hiring placement. As we’ve grown from $10M to $100M+ in ARR and scaled our Engineering department from 20 to 100+ employees, our ladder has gone through a number of iterations.

We recently released a new major iteration of the ladder that we’re publishing here today. Our goal in sharing the ladder is to provide another example to the tech community of how effective career pathing can be done. We’re not claiming to have all the right answers, but we’ve reflected on our past successes and failures to arrive here.

This is our third major iteration of our software engineer ladder. Each revision has been effected by our Engineering department reaching a new challenge of scale. The rest of this post outlines the principles that have formed our new ladder.

Released but Not Finished

While we're considering this new ladder “released” for Duo engineers, we recognize that there may be remaining bugs to work out. We plan to iterate on the ladder going forward; eliminating bugs, adding enhancements and more examples over time. Just like our product, our work in creating clarity around employee career paths is never complete.

Standing on the Shoulders of Giants

We use the work of many open source software projects as engineers at Duo. Similarly, we’re proud to build on the work of others in designing an engineering organization.

Google “Engineering Career Ladder” and you’ll find a myriad of results. We studied the ladders of many best-in-class tech companies to help inform our new ladder.

In particular, we found that the approach of the ladders from Rent the Runway and the Rands Leadership Slack closely resonated with how we were already evaluating our engineers in their careers. Comparing their ladders, you may find numerous phrases that are exact matches in ours - we give credit where credit is due.

Fewer With Focus

Our previous ladder featured over a dozen categories that we used to determine engineering levels. Instead of creating clarity, this level of granularity sometimes created a rigid list of things to be checked and behaviors that were applicable to only some domains.

Now, instead of dozens, there are just three total categories of behaviors:

• Technical
• Communication
• Leadership

These are the three areas where we evaluate our engineers in practice.

Real Examples

We believe the example bank is our unique contribution to the compendium of engineering ladders. We provide real examples of Duo behaviors and results that we want our engineers to emulate. In our public ladder, we’ve changed names and some project specifics. In our internal ladder, we link to specific documents that were the output of the engineer’s work.

The goal of the examples section isn't to put a single engineer on a pedestal or forever cement them at a level. Rather, we want to highlight actions that accurately reflect that level. Using real behaviors allows other engineers to dig into the project worked on or talk to the individual who completed it. Examples lead to richer career conversations between an engineer and their manager. Here’s an example from the technical category:

Level V
Technical Example

• B.R. researched storage solutions to replace MySQL as a general event log store at Duo, presented them to an Architecture Review Board to attain organizational buy-in and then led the implementation of the system.

The bank of examples is designed to grow over time as managers add to it. It enables the last result below.

Less Domain Specific

Our old ladder was heavily skewed towards full-stack developers, the primary type of developer we employed at its creation. The descriptions in the new ladder are flexible enough to be applicable to our growing diversity of technical foci: Mobile, Cloud, Windows, SDET, Production Engineering. The example bank mentioned above allows us to highlight specifics for every domain.

Summary

Engineering the business is core to who we are at Duo. Our new software engineer ladder meets the needs of where we are now and where we’re going over the next phase of building an enduring organization. We’ve modeled it after other best-in-class tech organizations.

Our goals were to focus on fewer categories to simplify how we evaluate engineers, provide examples of real behaviors that we want others to emulate, and create a ladder flexible enough for our diverse engineering domains.

You can review the ladder here, and feel free to copy and modify it for your own organization. Happy career pathing!

Recently, we showed you how we enhanced the Duo Dashboard and introduced several new and exciting reports. We've also presented some details about how we've built some of the new visualization tools that power these reports.

Let's dive a bit deeper into the data-driven systems that help make these new reports possible.

Where We Started

Historically, Duo has kept all of the data you see in the Admin Panel reports in a MySQL database. As a relational database, MySQL does a wonderful job of handling our customers' entity data, and helps us answer questions about the current state, like: What is the name of the customer with ID 12345? Or, what are all the devices associated with the user with ID 23456?

However, we were also using MySQL to store our event data, which is used to help answer questions about what happened, like: How many distinct users authenticated on February 16th? Or, how many users failed to authenticate because their devices were out of date in the month of March?

The Authentication Log

Our largest customer data set is called the Authentication Log ("Authlog" for short). At the time of this writing, there are over six billion records in the Authlog across all of Duo! While the Authlog is spread out among many MySQL databases, this is still no small amount of data.

It's important for both Duo and our customers that we have a complete history of every time a user authenticates, so we do not allow an authentication to proceed until we know that we have saved a record of it.

It's also important to Duo and our customers that users can authenticate as quickly as possible. These two factors pose a big challenge when it comes to both capturing new Authlog data as well as indexing existing Authlog data to provide compelling reports.

These challenges continued to compound as the number of records in the Authlog continued to grow exponentially.

First Pass With Elasticsearch

Over time, there was a growing need for Duo to provide better reporting facilities in the Admin Panel, as we were failing to answer even basic questions about our customers' event data due to the lack of strong indexing of the Authlog.

We decided that MySQL was no longer the right tool to store event data, and so we set out to build a new data storage system that would better suit the use cases for us and for our customers.

We chose a database called Elasticsearch, which is designed with searching and data aggregation in mind, and can scale to the amount of data we need to index, with room to spare.

Our first pass at this system introduced Elasticsearch into our production systems, with a process that every so often would pull the newest Authlog records out of MySQL and write them to Elasticsearch.

This preserved the write performance we had with MySQL, but still gave us a way to highly index our Authlog data and give our Admin Panel a flexible system for searching and aggregating Authlog data.

The tradeoff was reduced consistency, as there would be a short delay (usually a few minutes) before a new Authlog record would appear in the Admin Panel, which we felt was acceptable.

Second Pass with Apache Kafka

With Elasticsearch, we were able to generate new and informative reports in the Admin Panel. But the process we built for getting data from MySQL into Elasticsearch was very specific to these systems and specific to authlog data. Ultimately, we need to connect customer event data to many places in near real-time.

We needed a system that stores event data and then, in turn, streams it to many subscribers. We chose Apache Kafka to fill this need.

Kafka has several properties that made it an attractive choice for us. Kafka is a distributed application, meaning it runs on more than one machine, allowing it to replicate data to several different places at once and protect itself against hardware or software faults. Being a distributed application also allows us to add more machines into a cluster as our needs continue to grow. Finally, plenty of other companies use Kafka, giving us more confidence in it as a stable technology.

Beyond

With Elasticsearch and Kafka in place, we have the foundation of a new and exciting Data Pipeline service. In the future, we plan to connect new systems and databases, like machine learning pipelines or webhook mechanism, to the firehose of customer event data. This will enable us to provide new insights to our customers and identify new ways to protect them from breaches.

The latest federal agency cybersecurity risk assessment report reveals that 74 percent of agencies are at risk or high risk. Released in May of this year by the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS), the report uses the following schema to categorize and define risk:

• High Risk: Key, fundamental cybersecurity policies, processes, and tools are either not in place or not deployed sufficiently.
• At Risk: Some essential policies, processes, and tools are in place to mitigate overall cybersecurity risk, but significant gaps remain.
• Managing Risk: The agency institutes required cybersecurity policies, procedures, and tools and actively manages their cybersecurity risks.

Lacking in Situational Awareness

The OMB, DHS and NSA (National Security Agency) found that federal agencies weren't able to identify the attack vector in 38 percent of security incidents.

In efforts to improve situational awareness across agencies, the Office of the Director of National Intelligence has created a Cyber Threat Framework to help standardize how agencies communicate about cyber threats.

This common language categorizes different stages of the threat lifecycle - including:

• Preparation - Reconnaissance or collecting information to help inform an attack
• Engagement - Initial contact with a target, vulnerability exploitation or malware delivery
• Presence - Establishing control, evading detection and establishing persistence
• Effect/Consequence - Denying target's access, extracting, altering or destroying data, etc.

According to the report, the framework aligns with the NIST framework functions and other NIST Special Publications. The Cybersecurity Threat Framework closely maps to the same steps in NIST SP 800-37, Risk Management Framework to Federal Information Systems.

MFA Progress, But Access Management Needs Work

Other findings from the risk assessment include the significant progress in enforcing the use of multi-factor authentication through the use of Personal Identity Verification (PIV) cards. Agencies have now enforced the use of this control among 93 percent of their privileged users, which the report defines as having access to sensitive agency and citizen data.

But when it comes to access management, agencies have not matured. The risk assessments found that identity, credential and access management (ICAM) processes need to improve by establishing attribute or role-based access controls for users.

A decentralized and fragmented IT landscape has led to ICAM problems, including too many different solutions and user directories that prevent agencies from getting a comprehensive view of their users and their access to government networks and sensitive government information.

Only 55 percent of agencies limit access based on user attributes and roles, while another 57 percent review and track administrative privileges.

Other notable findings from the report include:

• 27% of agencies have the ability to detect and investigate attempts to access large volumes of data
• 30% of agencies have predictable, enterprise-wide incident response processes in place
• 16% of agencies achieved the government-wide target for encrypting data at rest

Comprehensive Access Visibility & Control

One way to get that enterprise-wide view of who is on agency networks is by using a comprehensive access security solution that easily integrates into your existing directories and access management technology.

With Duo, you can:

• Verify user trust with adaptive, risk-based authentication via mobile app or Universal 2nd Factor (U2F)
• Get insight into every user and device that authenticates into your applications and networks through one centralized dashboard
• Identify between corporate-managed and user-owned devices
• Get the ability to customize policies and controls based on user, device and application attributes
• Enforce policies to limit user access to certain applications

Learn more about Duo’s platform.

Complexity can mean a lot of different things in the security industry, from granular (the complexity of deploying, implementing and managing one singular security technology) to large-scale (the complexity of managing hundreds of different vendors and solutions, and making sure they play well together).

But security needs to complement existing tech. IT complexity within an enterprise organization extends to every aspect across people, processes and technology. It might result in a lot of legacy infrastructure and dependencies that make security patching and updates challenging, if not impossible to do without rendering systems inoperable.

As for people, as you grow, your user base and the diversity of it does, too. Somehow, your technology and security platforms need to support many different users:

• A remote, distributed/global workforce
• Contract, temporary, third-party providers
• Executives and sales employees that travel often

With all of these different work use cases come different devices, applications, permissions and data.

• Human Resources (HR) needs access to employee data applications that house payroll, W2s, benefits, etc.
• Engineers need SSH access to production servers to push proprietary code
• Sales employees need access to customer relationship management (CRM) applications to access personally identifiable business data on prospects and customers

Different levels of access for different types of user groups range from limited, specific access for contractors to higher levels of access to more sensitive parts of a system for a variety of administrators.

To further complicate matters, employee-owned phones, tablets and laptops used to log into work applications come with many potential risks:

• They might be slower to run updates with critical security patches
• They might be jailbroken or rooted
• They might not be encrypted or passcode-protected

I think you get the point. Complexity in all of its forms breeds many challenges for security (not to mention specific needs to meet different compliance requirements), including:

• Falling into the expense-in-depth trap, "the multilayered approach to ensuring minimal return on investment." You’re spending a lot, but is your security approach actually effective?
• Too many alerts and false positives can result in too much data, too much noise - how do you make sense of what’s important in order to inform and strengthen your security posture?
• More code, more problems - at least, a larger attack surface. Sometimes security software can contain vulnerabilities within its very own code, as Mudge found years ago in his DARPA research: about 29% of all vulnerabilities tracked across 100,000 networks were found within security software.
• Lost productivity due to time/resource-wasting implementations, and time spent managing solutions that could be better spent elsewhere

Organizations may be struggling to do it all - including managing the complexity of your IT environment, needs of your users, meeting compliance and actually securing their company against a potential compromise or data leak.

Reducing overall organizational complexity requires solutions that do the work of many (known as ‘force multipliers’), allowing you to scale as you grow. They also need to be flexible enough to adapt to the needs of your different users, supporting different use cases and scenarios. And they need to effectively protect against threats today.

Duo can help secure more complex IT environments in a few ways:

• Verify user identities with many different methods of two-factor authentication (2FA) to fit different login scenarios
• Get global visibility into users’ devices from a single dashboard, including managed and unmanaged devices across different platforms, without installing mobile device management (MDM) agents
• Unifying useful, at-a-glance data with policies that let you limit access by employee-owned, unmanaged devices and/or devices that fail to meet your security requirements
• Simplifying and enabling the login experience with single sign-on - no virtual private networks (VPNs) required - while giving admins control over which applications certain users can access

By examining and consolidating your security solutions and vendors, you can achieve reduced complexity and enhanced business productivity, all while balancing usability with security.

Summary

• Enterprise customers desire greater administrative controls
• Admin Units delegates management of Duo across different departments
• Admin Single Sign-On (SSO) helps mitigate risk by reducing use of local credentials
• Both features available for Duo MFA, Duo Access and Duo Beyond

We've seen tremendous adoption of Duo Beyond, our zero-trust security platform, by customers of all sizes - especially in enterprise and education. Both environments bring two shared attributes: large user populations and a desire to delegate management of tools. As such, these customers came to us with a desire for more granular administrator controls: specifically for delegated administration and federated login.

Delegating Administration

In large organizations, responsibilities for IT are delegated broadly to distinct teams. For example, the networking team will take ownership over virtual private networks (VPNs) and firewalls, the endpoints team will manage endpoint asset management software and Windows/Mac clients, and the infrastructure team will manage Windows and Unix servers.

Similarly, support teams may be distributed across multiple locations or business units, often supporting specific groups of users. For example, the San Francisco office help desk may be responsible for users in the primary engineering office in San Francisco and the Bay Area; however, the New York office help desk is responsible for sales and marketing employees up and down the East Coast.

The reason customers separate administration across different groups is to reduce risk, especially with critical applications and information about full-time employees.

Back in 2015, we added Administrative Roles, which controls the “powers” of an administrator, such as managing users or editing policies. However, our customers came to us with a desire for greater granularity. Dividing up administrative responsibilities by applications or user groups.

So we worked together with a team of customers on a solution to introduce the idea of “scope” to our administrators. Six months ago, our team began working on a feature titled Administrative Units to fill this gap.

Introducing Administrative Units

Administrative Units allows customers to assign specific user groups or applications to individual or multiple administrators.

If Administrative Roles are the X-axis of "what can an administrator do" (e.g. add/delete users, create applications), then Administrative Units are the Y-axis of "which applications or user groups can an administrator see."

We want to thank the group of twelve customers that worked together with us to provide input and feedback as we developed this feature. In fact, we have to thank customers directly for the name of this feature. The term “administrative units” came about as most of our customers thought about federating administrative controls by “business units,” a common turn of phrase in enterprise.

Administrative Units is generally available today and documentation can be found here.

Federating Logins

We also have an increasing number of customers utilizing SSO, whether it’s through federation services like Azure AD or ADFS or our own solution, Duo’s secure SSO. Customers deploy single sign-on for not only convenience, but also security. It’s convenient for users as they don’t have to memorize passwords for every single service.

Why security? Single sign-on allows customers to federate access to applications without managing separate passwords for each application, which often leads to shared passwords for each service.

Our administrators came to us asking, “How come I can federate logins with users but not administrators?”

And that leads us to Administrative SSO.

Introducing Administrative SSO

We’re pleased to announce the general availability of single sign-on (SSO) for the Administrators. Customers can now utilize SAML Identity Providers (IdP) including Azure AD, ADFS, Duo SSO, and Shibboleth to federate access to the Duo Admin Panel.

In order to support this feature, we are also making an update to admin.duo.com - a persistent single sign-on button similar to what you’ve seen on other cloud applications.

Administrative SSO is also generally available today, and documentation can be found here.

We would also like to thank our beta customers for Admin SSO. This turned into our largest beta in Duo history, and we couldn’t have delivered this solution without your support. And just a few weeks into release, we already have 400 customers utilizing this feature, so it’s great to see the demand for this feature.

We recently described how user and entity behavior analytics (UEBA) is changing the way organizations detect threats. Today Duo announces a beta program for its UEBA capabilities, which give customers analytics-based threat detection to assess the security of their user and endpoint activity.

Organizations of all sizes struggle with threat detection. Security and IT departments are always spread thin - trying to find ways to do more with less. Many organizations look to Security Information and Event Management systems (SIEMs) to automate some detection with customizable alert rules, but SIEMs are resource intensive to fully stand up and have a long time-to-value. Furthermore, organizations routinely experience changes in projects, personnel, and vendors, and configuring and maintaining alert setups is tedious and drives up the total cost of ownership of a monitoring and detection system. Because of this, alerts are frequently set up reactively after a security issue has occurred rather than configured in an effort to be proactive.

Duo customers can soon use Duo's UEBA-based threat detection, which employs machine learning techniques to analyze behavior data and detect anomalous and potentially malicious activities. While traditional threat detection systems can often be prohibitively expensive to set up and maintain, Duo’s system requires no setup. It runs on data Duo is already handling as a part its standard offering and is more scalable than traditional, strictly rules-based alerting systems because it learns and adapts over time.

Credential theft and account takeover are more prevalent than ever, as highlighted in the 2018 Verizon Data Breach Investigations Report (DBIR), which identified stolen credentials and phishing as two of the top three most common means of breach. But attackers who compromise a user's credentials will find it very difficult to also simulate that user's behavior. For example, Duo can find inconsistencies in how a user is attempting to access an application. Duo’s models rely on a number of signals to decide whether an authentication is suspicious. Those signals are built on top of data handled as part of Duo’s authentication process, such as time of day, application accessed, properties of the access and two-factor devices, and network of origin. Duo’s models are intelligent and learn over time, meaning every incoming authentication builds a deeper understanding of normal and anomalous behavior patterns.

The machine learning models UEBA uses are built by Duo's Data Science team, who come from such institutions as CERT and Carnegie Mellon to University of California. Data Science uses multiple models, both unsupervised and supervised, to pinpoint anomalous behavior. All models constantly learn from new data as it is observed.

Duo continues to improve its threat detection capabilities with a focus on reducing the investigative burden on IT and security, as well as build its UEBA functionality deeper into the authentication experience. The beta program for UEBA-based threat detection is open to existing Duo Security customers. To learn more about Duo’s work in UEBA and to join the beta program, please contact your account representative.

A few weeks ago, Duo traveled to sunny Mountain View, California to explore everything new at Google’s annual developer conference, Google I/O. Engineers from our Mobile and Labs teams joined me and we spent the week evaluating all of the new technologies and features Google announced at I/O, including: the next major version of its Mobile Operating system Android P, advancements in cloud and on-device machine learning and much, much more.

Duo Mobile was also featured in the ‘What’s New in Android Security’ session as an early partner working with a new security API in Android P called Android Protected Confirmation.

Duo at Google I/O

Duo has been working with Google since late last year on the Android Protected Confirmation API, helping provide Google with early feedback as part of Google’s early technology preview program. We’ve prototyped an integration with this new security API in Duo Mobile to evaluate its capabilities and for potential inclusion in our product later this year when Android P and compatible hardware is released to the public. We’re also happy to announce we’ll have support for Android P when it is released later this year.

Android Protected Confirmation helps app developers ensure that a human is interacting with a phone to confirm sensitive transactions like: approving a Duo Push, sending money, or triggering a medical action like an insulin injection. This new security API provides cryptographic assurance of human presence and prevents on-screen prompts from being hijacked or clicked by malicious applications or man-in-the-middle attacks. Our Duo Labs and Engineering teams have written a technical blog post explaining how Android Protected Confirmations work in depth.

This collaboration with Google to preview early features is an example of Duo’s commitment to innovation and evaluating new security technologies, all while sharing our learnings with the wider security industry.

Other Security Improvements

Google announced many other security improvements that we are looking forward to working with, including:

• Better privacy protections with apps in the background losing access to Android sensor data
• Improvements to the Android Biometric Prompt, which will bring a more consistent experience for biometric auth on Android
• New secure hardware keystore module called strongbox, which corroborates a key's integrity with the Trusted Execution Environment (TEE)
• Security improvements that requires the Android screen to be unlocked before allowing decryption of any in-flight or stored data using the specified key.

These are just a few of the many things Google announced at I/O this year, checkout this Google blog post for a list of 100 things they announced at Google I/O.

What’s Next

Similar to our attendance at Google I/O, in early June, members of our mobile team and myself will be present at Apple’s Worldwide Developer Conference (WWDC) in San Jose, California. Be sure to check our blog in a few weeks for a write-up of what we’re excited about Apple releasing, and let us know if you’ll be at WWDC, we might just have some Duo swag for you.

Regardless if you attend these developer events or not, know that Duo has your back. We’re always keeping up with the latest features and improvements from platform developers like Google, Apple and Microsoft. We evaluate these new technologies for inclusion in our future product releases to ensure we’re providing you with the best security experience on these major platforms. Keep an eye on our blog for future feature announcements.

By the time you finish reading this you’ll have been hacked, phished, DDoSed and your data will be held for ransom. And all your logins will have been stolen - kiss your savings, your identity and your credit score goodbye. The bad guys win again. Game over. Thanks for playing.

Ok, no, that’s not true. But read most security publications or vendor accounts and you’d think the sky was falling and that every breach, vulnerability or exposure is going to send the world spiraling into a Mad Max-style dystopia - even Imperator Furiosa won’t be able to save you.

It’s a common tactic. One that’s been graced the moniker of “FUD,” or fear, uncertainty and doubt. It paints the security world as a scary place in hopes that you’ll buy more security solutions so you don’t become the next company or individual in the headlines. It’s a gambit as old as the internet itself. It gives security a bad name - and makes security seem reactive.

As an industry, we must move beyond FUD.

Removing FUD

At Duo, we strive to eliminate FUD. We talk about security in ways that are fresh, authentic and inclusive.

We don’t prey on fear. Instead, we seek to inform and enlighten. We want to make a positive impact on the world and on the industry. Yes, we sell security products. And, yes, we want you to buy them. But we don’t want to earn customers through fright. We don’t want to scare you into submission. We want to show you how security can help you work and succeed without fear. We aim for security that’s easy to use, yet effective and efficient. Security that removes the element of fear.

For example, Duo Beyond, our zero-trust security platform, gives you the ability to base application access decisions on the trust established in user identities and the trustworthiness of their devices, instead of the networks from where access originates. This lets you secure your applications without fearing what’s coming in from the outside. Instead of locking everything down out of fear and putting everything behind a perimeter, you can be confident in who has access to your systems and on what devices.

It’s security based on trust, not fear. If something isn’t right - a device’s operating system (OS) is determined to be out of date, or a user can’t properly authenticate, then access isn’t granted. What’s more, you set the policies to determine what gets in and what doesn’t - you’re not constantly startled by warnings and alerts.

It’s a way to manage security proactively. It’s an intelligent way to minimize risk.

Security Without Fear

Our belief in cutting through the FUD and getting to what really matters also led us to build and launch Decipher.sc, a site that aspires to publish “security news that informs and inspires.”

The name says it all: Decipher’s mission is to decipher what’s happening in security. Decipher doesn’t cover the breach du-jour. It doesn’t use sensational headlines to inspire fear (and illicit clicks). And it doesn’t set out to paint security as a scary place riddled with hoodie-clad hackers.

Decipher’s team of journalists and editors examines areas where security makes a difference; analyses trends; interviews the people and teams that drive the industry forward; and casts security in a positive light, not a dark shadow.

Take a look. You’ll find that Decipher is a fresh take on security news.

In the security industry, there will always be FUD. But at Duo we see it as our mission to not use scare tactics. We are the most loved company in security, not the scariest.

What does work look like today - and what are the security risks? That's the question we wanted to answer when our Duo Labs research & development team dove into our vast amount of data to analyze user behavior and device health, resulting in our latest report, The 2018 Duo Trusted Access Report: The State of Enterprise Remote Access.

About 11 million users completed nearly half a billion authentications per month, using 10.7 million devices to securely log into 800,000 enterprise applications and services.

Download Now

User Behavior

When it comes to remote access, users are increasingly logging into work applications from non-office networks. This is unsurprising, given the global trend toward a more distributed workforce.

In Gallup's poll, State of the American Workplace,* 43 percent of employed Americans spent at least some time working remotely in 2016, a four percent increase since 2012. Plus, these employees are working remotely, for longer periods of time - the share that reported working remotely at least four or five days a week rose to 31 percent from 24 percent.

A Harvard Business Review article found that productivity increased when employees worked from home, attributing a third of the reason for higher productivity to working from a quieter environment; citing offices as extremely distracting places. The other two-thirds was attributed to working longer hours due to working from a more comfortable environment.

Remote work is up - whether it’s working from home or potentially other places, like coffee shops, airports, hotel rooms, planes, trains, etc. And that means your users need to be able to access work resources remotely to do their jobs - luckily, the cloud-centric model of applications means they can log in wherever they have a web browser and internet.

With that convenience comes potential risks that anyone can remotely access your company’s applications and data, if they’re able to steal or guess a user’s password (and if your systems aren’t protected by multi-factor authentication).

And this can be easily achieved via phishing attempts - the second part of user behavior that Duo Labs uncovered by analyzing 7,483 phishing simulation campaigns conducted from mid 2017 to April 2018 on more than 230,000 recipients via the Duo Admin Panel and free Duo Insight tool.

Check out the full report to find out how many people, on average, opened, clicked on links, entered credentials, or had out-of-date devices in the phishing simulations. Plus, find out how many people work from several different networks a week, and the latest per-industry trends around remote access.

Device Health

Our data shows that macOS/iOS devices are trending upwards, as Windows declines slightly - but the good news is, more devices than ever are finally running Windows 10, the latest version of the Microsoft operating system (OS). The full report has metrics on these trends, as well as which industries are the quickest at adopting Windows 10, and which ones are the slowest to make the leap.

Unfortunately, although improving, there’s still a hefty percentage of enterprise devices are still running Windows 7, originally released in 2009. Almost all WannaCry victims were running Windows 7 - roughly 98 percent were running some version of the OS, according to data from Kaspersky Lab.

#WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64. The Windows XP count is insignificant. pic.twitter.com/5GhORWPQij

— Costin Raiu (@craiu) May 19, 2017

The WannaCry ransomware epidemic that hit the globe in May of last year moved like a worm, quickly spreading across computer networks, encrypting files, denying access, demanding ransom for decryption, and generally wreaking havoc on major healthcare systems, gas and electric companies, telecom businesses and many others.

Not to be overly dramatic or anything, but the ransomware did put the lives and health of people at risk - all because it was able to infect and cripple computer systems running on an out-of-date version of OS. More specifically, the ransomware was spread via a vulnerability that affects the Windows implementation of the Server Message Block (SMB) protocol found in many older versions of Windows. The critical patch for this vulnerability was released in March 2017, meaning many systems were unpatched at the time of the attack.

Check out the full report for even more statistics on Android patching, which browser is most out of date, how many browsers still have Flash installed, and much more.

Zero-Trust Security

Given all of the risks that phishing and malware present to remote access to applications used in the enterprise, the industry is seeing a shift to identity-based controls that verify both the identity of a user and security health of their device.

Known as a zero-trust security model, this framework assures no traffic within an enterprise's network is any more trustworthy than traffic coming from outside the network.

The first steps toward this model include establishing trust in your users’ identities with two-factor authentication, and gaining visibility and trust in their devices. The report lists out each step of the zero-trust maturity model with more information about each.

Incidentally, Duo Beyond does just this, helping organizations of all sizes secure access to all applications, for any user, from any device, and from anywhere. Learn more about Duo Beyond and download The 2018 Duo Trusted Access Report.

*Sample size: More than 195,600 U.S. employees via the Gallup Panel and Gallup Daily tracking in 2015 and 2016, and more than 31 million respondents through Gallup's Q12 Client Database.

Moving beyond the perimeter is about shifting the security focus from network-based to more identity-based (users and devices). At login, the identity of a user and the security posture of their device is verified before access is granted.

This concept is explained in the infosec industry a couple different ways - from a zero-trust security model to the software-defined perimeter. The two major reasons for this shift can be explained by the effectiveness and user experience of this security approach.

Security Effectiveness

Identity-based attacks target user and device access; two aspects not protected by perimeter-based defenses. Earlier this year, a US-CERT (United States Computer Emergency Readiness Team) alert about attacks against organizations in the energy, nuclear, water aviation and critical manufacturing sectors revealed how threat actors bypassed these defenses.

Initially, threat actors used compromised credentials to access the networks of energy organizations not protected by multi-factor authentication - then a series of steps followed:

• Once they gained remote access, they used scripts to create new local admin accounts.
• Then, they were able to disable the firewall and open up a port for persistent RDP (Remote Desktop Protocol) access.
• They also stole even more credentials by leveraging Microsoft’s Server Message Block (SMB) authentication process.

As a result of bypassing the firewall and stealing the keys to proving user identity (passwords), they were able to access system files, virtual profiles and configuration information on how to access industrial control systems on the network.

These types of attacks are not unusual for any type of industry - showing a clear need for enhanced security that is actually effective. Moving beyond traditional perimeter-based controls, Duo Beyond addresses threats that can bypass the firewall, including stolen passwords, policy gaps, vulnerable endpoints and more.

Weak authentication can result in compromises via phishing attacks, while the threat of malware infection is increased when your users are accessing your networks with out-of-date and personal devices that you don’t have any insight into or control over.

To prevent these types of threats, Duo Beyond focuses on the combination of an authenticated user and a secure, healthy device. With risk-based, adaptive two-factor authentication, you can both verify the identities of your users and apply stronger user access policies at login. Duo Beyond also checks the security posture of their devices to ensure they meet your security requirements, and whether or not they’re a trusted device, with the presence of a company-issued certificate.

Security Experience

Security is only as effective as it is usable. More people than ever are working remotely from different locations, using different devices. While technology has quickly evolved to accommodate this new working and consumer model, security also needs to integrate with this technology and work with users, not against them.

That might mean finding a secure access solution that doesn't require clunky clients or software that is either unsupported on mobile devices or inelegant in use. Virtual private networks (VPNs) encrypt data sent over the internet, but may not always support all types of remote users and their devices.

This is the mission behind Google's BeyondCorp security model - to design an internal framework that allows “every Google employee to work successfully from untrusted networks without use of a VPN.”

Similarly, Duo Beyond is designed to give your users access with ease via secure single sign-on (SSO), accessible over any web browser with internet access. By logging in once, they can securely access certain applications deemed appropriate by administrators, after completing two-factor authentication to verify their identity and passing device security checks by the system.

Moving beyond the perimeter into this new era of remote access requires the combination of effective security and a smooth user experience - make sure your security technology can deliver.

Threat detection is one of the most difficult problems in security. Enterprise companies with dedicated InfoSec teams and security operations centers (SOCs) dig through an average of 2.7 billion events each month to detect an average of just 23 true positive threats, ranging from compromised accounts to insider threats, according to Skyhigh Networks’ Cloud Computing Trends 2017 report. From monitoring to alerting to investigation, it takes all of their resourcing to detect and lock down those threats.

Yet despite that resourcing and effort, we know attackers still manage to get through as evidenced by the proliferation of high profile hacks across all industries. The security industry has attributed this to a rise in “advanced persistent threats” (APTs), a term which describes a strategic attacker using sophisticated evasion and intrusion techniques, like social engineering, to avoid tripping alerts.

What can your organization do within your resource constraints to detect these seemingly invisible threats?

As a trusted security advisor to over 10,000 customers across 100 countries in industries ranging from healthcare and technology to financial services and government, we at Duo have a unique vantage point from which we watch the field of threat detection evolve. The most security forward organizations we work with have adopted a new detection paradigm to hunt down these APTs: user and entity behavior analytics (UEBA).

For context, the standard for threat detection today is rule-based, deterministic detection. Let’s say you are particularly sensitive to what time of day your users are accessing a critical asset like your contract management system, so you communicate a policy to your users that no one is to access the system after business hours. To detect any attacks on this critical asset, you set up an alert rule that informs you of any access attempts after 5 p.m. Your rule in some way expresses this if/then statement: if a user accesses the contract management system after business hours, then alert me. The result looks like this:

You may add some more alert rules that trigger in the case that the user exceeds some threshold of failed authentication attempts within 60 seconds, attempts to access the asset from an unmanaged device, or originates from a blacklisted IP. This is a good start. But unless the scope of your environment is so narrow that you already know all possible situations you will encounter, this alert setup is unfortunately far from sufficient.

Let’s now say you have multiple salespeople, and one of them is frequently working late or traveling and wants to record new sales contracts. And you also have multiple offices, which your salespeople frequently travel between. What timezone do you map your organization’s business hours to? How do you adapt access policies in a way that they do not impede business operations? Security teams relying on rules-based alerts run into problems as their environment gets more complex, and security holes begin to form in this conventional model of threat detection.

UEBA embodies a different approach. It involves using data to model what “normal” behavior is for each individual user. Based on our model of what is normal, we can trigger alerts when something abnormal is observed.

As opposed to a rule-based alerting system, which is deterministic, this system is probabilistic; it measures risk rather than right and wrong. A sophisticated UEBA system models multiple dimensions at once and learns from its success and failures to get better over time. You don’t need to setup and manage a heavy list of alert trigger - all you need is activity data. Instead of reacting to problems by creating new rules, this approach allows security teams to be proactive by investigating unusual behavior on the individual level.

Stay tuned in the coming weeks to learn about how to use analytics-based threat detection with Duo.

Each month, our partner Yubico hosts YubiChat, a Twitter conversation where tech companies talk shop about an information security-related topic. When we learned this month's topic — The Passwordless Future is Here: Are You Ready? — you know Duo was eager to get involved. Here's how it went:

What are some pressing pain points that organizations and consumers face when using the standard username and password login?
One of the biggest challenges with passwords is the burden of choosing strong, unique passwords for each site, and then remembering them. Using a password manager can help, but many of these cost money and can be cumbersome to use for non-technical people. Also, passwords rely on sharing a secret with the site, which can be stolen. The industry needs a standard way for people to securely log in without passwords.

What other costs or resources are associated with issuing and managing employee credentials?
Managing employee passwords is an ever-present challenge. For example, enforcing password strength requirements is an area that many organizations struggle with. They try to balance the support costs of resetting passwords with security, which can be tough. Also, many organizations force users to change passwords frequently, which is counterproductive to good password hygiene.

What systems or processes are companies currently using to correct poor password hygiene among employees, and to what extent are they successful?
Recently, the practice of checking passwords against known breached credential lists has become more common, due in part to updated authentication guidance from NIST. This helps to prevent password reuse with known breached credentials. Although effective, this can have privacy and security implications, especially if the password or password hash is sent to a third-party.

What specific use cases or industries could benefit from the simplicity of a secure, #passwordless login experience?
Just about every use case or industry that we can think of! If there’s a site or app that uses passwords now, they could benefit from offering a secure, passwordless login experience.

Which online services and applications would you like to see support the #FIDO2 standard for strong authentication?
Any site that allows users to log in or sign up for an account.

How would you like the see the future of #passwordless login evolve?
We’d like to see more sites begin to support passwordless login via WebAuthn and FIDO2 in the coming months. It will take time to get users to switch and feel comfortable with the new login experience, but eventually we’ll dramatically reduce the use of passwords on the web.

Bring your own device (BYOD) is the new normal.

Employees demand access from anywhere, any time. And many use personal mobile devices – iOS and Android – to access corporate applications, whether that’s work email, calendar, contacts or other sensitive data.

As more enterprise applications enable mobile workflows, employee reliance on using personal devices for work will continue to increase.

At Duo, we have seen this trend for years. Recently, our research of nearly half a billion authentication events shows an upward trend in enterprise application access from non-office networks. Our data shows the number of unique networks customers and enterprise organizations authenticate from grew 10 percent, increasing from 2017 to 2018.

For more than a decade, security practitioners have turned to mobile device management (MDM) solutions to secure remote and personal mobile devices. MDM solutions, however, introduce several challenges. For one, users are skeptical about installing MDM on their personal devices; they are concerned that admins can glean personal information and could control how they use their devices. Users fear admins could block camera access, prevent copy and paste, or limit other functionality. Yet when users do not install MDM on their devices, admins do not get visibility into the security posture of those devices. It’s a vicious cycle that stalls BYOD security programs, while increasing the risk exposure for organizations.

We launched an alternative to MDM, Duo Beyond, last year that our customers use to secure their employees’ personal, non-corporate managed devices in a user friendly way. A year later, we are happy to report hundreds of customers take advantage of this functionality.

Our approach does not rely on collecting personal information about users or their devices. Rather, we only check the security status associated with devices, such as passcode, biometrics, encryption, OS version, etc. Users can easily review what information is checked. Users embrace this approach, which enables admins to quickly deploy to thousands of users within days.

Let’s review a few use cases and customer stories that illustrates how customers use Duo to secure BYOD:

First, our customers want an easy way to gather visibility into all devices – managed and unmanaged – accessing their environment. Duo offers Unified Endpoint Visibility, which provides a single dashboard view of all device platforms – iOS, Android, Windows, macOS and ChromeOS. Furthermore, admins can generate device reports and logs with a few clicks to help them meet audit and compliance requirements. To learn more about Unified Endpoint Visibility, check out our blog. One of our customers, Proquest, deployed Duo and immediately discovered more than 1,000 user-owned devices had been accessing their environment. Learn more about how Proquest uses Duo.

Along with visibility, a real win for our customers is to prevent risky devices from accessing sensitive company data. Duo offers a policy framework that allows admins to set up custom security policies for each application. One of our customers, Zenefits, an HR management company, uses Duo to check if a user’s personal mobile device meets the corporate security criterion everytime that device is used to access a sensitive app. If mobile devices do not meet security requirements, users are asked to enable specific security controls, such as a passcode, or they are blocked from accessing their work applications. With Duo, Zenefits can meet HIPAA and SOC 2 compliance requirements easily and without additional user burden. Read more about Zenefits here.

Furthermore, we have customers who want to preserve their existing investment in MDMs. For these customers, we offer integrations with leading MDM vendors such as AirWatch, MobileIron, Sophos and more. Through these integrations, when a user tries to access an application, Duo checks for the presence of a management agent. If the device does not have MDM installed, Duo informs the user to enroll in the enterprise MDM or block access.

For more information on alternatives to MDM, speak with your account executive or start at free trial at duo.com.