Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Product Designer, Amanda Muela to learn about what she does and her experience at Duo. 

Amanda Muela

Employee Name: Amanda Muela

Title / Department / Office Location

Product Designer / Product Design / ATX

How long have you been at Duo, and what do you do here?

Since September 2018. I am a Product Designer, which means I work on the user experience to understand our customers and end users needs and problems. I ensure all designs are easy and pleasurable for our end users. 

What's your day-to-day like at Duo?

My days vary. Some days I am focused on exploring new ideas to solve end-user problems. I am also connecting with several key stakeholders across the company to share these new design ideas. Other days I am coordinating with the user research team to plan and strategize future needs. Some days I am observing users work through these new designs in usability sessions, which is my favorite part. And some days, I share those findings across the company in various meetings to drive what we do next.

 What tools do you use to help you do your job? 

The majority of my job is communicating and sharing what ideas we are trying, what we learned from end-users, and proposing where we can go next. I do this mostly in Slack, posting updates, or jumping on calls with Webex. I also use Invision to share prototypes and collect feedback from the engineering and product team.

 How do you and your team collaborate with other teams within Duo?

As I mentioned earlier, my role is about communicating and connecting several teams across the company. This can mean I am working with Engineering, Product, User Research, Project Management and Customer Success. The teams communicate in Slack, Webex meetings, and use a Wiki to track project timelines and progress.

How did you get your job at Duo?

I came across a posting on Linkedin and was naturally curious because we hear more about security breaches and privacy issues these days. As I researched more about Duo, I learned how the company was founded on the foundation of democratizing security. I then applied online, had a portfolio review, and met the team with an onsite interview. I was delighted to be offered an opportunity to grow with Duo. 

What is the first thing you do when you come into the office?

I'll start with a cup of coffee and catch up on any missed Slack messages or emails. I'll then prioritize my to-do list, make sure I am supporting any team needs and arrange my day as needed.

Any big projects or goals you're currently working on?

I am part of a large project that is working on the most significant UX update Duo has released in its history, which is exciting to be a part of and see our products evolve in innovative ways.

What’s an important lesson you’ve learned while working at Duo?

The most important lesson I've learned is to speak up and share my ideas often. People at Duo are genuinely interested in your thoughts and ideas to push our products forward. Don't be afraid to show up with new ideas, share your rationale, and dig up any data to help the idea move forward. I've found in those moments that's what drives ideas and team excitement.

How is Duo different than other places you've worked?

Duo has the most humble and kind people I have ever worked with. A key pillar of Duo is to be kinder than necessary, which is instilled from leadership and throughout the organization.

How is your role at Duo different than roles you've had with other companies?

In my past roles, part of my job was to navigate politics about UX and Design. Here at Duo, the level of UX maturity is high across the organization. Therefore, teams can move along in the design journey with you, and everyone is an advocate for our customers and users.

What would you tell someone considering a role at Duo?

Go for it! You'll find many ways to grow your career here and be surrounded by the kind culture of Duo.

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want you! Learn more at duo.com/careers

See the video at the blog post.

Change often isn’t easy, even under the best of circumstances. As more people transition to a remote work environment — many for the first time — we wanted to share some of the resources Duo Security can offer to organizations that are rolling out Duo quickly for the first time or are using Duo in new ways.

At Duo, we pride ourselves on our culture of learning together. So we’ve pulled the best advice from our Customer Success teams and our extensive free library of online documentation and troubleshooting and best practices articles to recommend the following tips:

Tip #1: Email templates and videos

Rolling out Duo for the first time or to new parts of your team? Try our end-user email templates to let your users know what to expect.

While Duo is very user-friendly, new technology takes some getting used to. Our No. 1 tip for a quick deployment or expansion of Duo is to let your end users know what Duo is and how to use it.

Our end-user email templates are customizable for your unique situation and will help you include the most important instructions. These templates are available in English, Spanish, German, and French.

A simple end-user education campaign can be effective, especially if you’re pressed for time. 

If you send just one message before rolling out Duo two-factor authentication (2FA), be sure to cover:

1. How you’ll ask your users to enroll in Duo. Including a screenshot of the proposed enrollment email in your message to users can help reduce the likelihood that they ignore the email or report it as spam.
2. How Duo will affect their login experience to protected applications.
3. Guidance for your users to contact your local help desk for troubleshooting support.

In follow-up messages, we recommend including additional resources like:

1. How to troubleshoot Duo Push notifications for Duo Mobile for both iOS and Android users.
2. The Duo guide to two-factor authentication for end users.
3. Common troubleshooting tips for end users.

Videos

Videos can also help communicate in a more visual way what users can expect from using Duo 2FA. Check out some Getting Started videos, including one specifically for universities or similar organizations. 

Tip #2: Equip your help desk with the knowledge they’ll need to help your end users

Your help desk team members are the heroes of any technology rollout. Duo provides a Help Desk Guide for helping your support team get confident with Duo.

Some frequently asked questions you might encounter from your help desk team include:

1. What’s the difference between activating a user and enrolling a user?
2. How to manage different 2FA devices.
3. How to make sure enrollment emails get delivered to end users, and other FAQs covered in the Help Desk Guide.

After your rollout, and when your team has some time to learn more about Duo, they can also check out our new customer education platform, Level Up, currently in public beta. Level Up features free interactive courses and online videos designed to help administrators and help desk staff learn to successfully deploy and support Duo.  

Tip #3: Master a few policies to customize your rollout of Duo

Duo’s policy engine, available in the MFA, Access, and Beyond editions, provides a powerful tool to customize your users’ authentication experience and support your organization’s security posture. 

For example, you could use the New User Policy to require enrollment and authentication for any users who are accessing a Duo-protected application for the first time. 

Learn more about in-line self-enrollment, and which applications support this method.

Some resources to support your use of Duo policies include the Duo Policy Guide and our Policy & Control technical documentation.

When you’re ready, we’ll be here with even more resources to support you. 

For now, here’s a link to all the materials from this post as a quick reference:

Resources for End-Users

• End-user education communication templates for email
• How to troubleshoot Push notifications for Duo Mobile for iOS and Android
• Duo Guide to Two-Factor Authentication
• Common troubleshooting tips for end users
• Videos: Introduction to Duo Security and 2FA

Resources for Help Desk Teams

• Help Desk Guide
• What is the difference between activation and enrollment?
• How to manage different 2FA devices
• Level Up customer education platform

Managing Policies in Duo

• Duo Policy Guide
• Policy & Control technical documentation

Public Documentation and Knowledge

• Technical documentation
• Duo Knowledge Base

Do you have best practices to share or want to learn from other Duo administrators? Join the conversation today at community.duo.com. 

**Five Steps to Perimeter-Less Security: Adopting a Zero-Trust Model for Secure Application Access** In this ebook, we’ll examine the zero-trust security model and dig into five key steps to move your organization beyond the perimeter and base application access on user identity and the trustworthiness of devices.

Get the Guide

As we start seeing passwordless login flows in Windows, Google, and even LastPass, it’s time to take a deeper look into biometrics and the new threat landscape they’ll bring. We’re big fans of passwordless authentication, both because scanning a fingerprint or imaging a face is faster and easier than typing a password and also because biometrics in conjunction with security keys can entirely eliminate phishing, credential stuffing, and other password attacks.

However, the biometric landscape is muddied by bad implementations and few sources of meaningful hard data. There are excellent biometric systems in use today, but there are also terrible implementations that are horrendously insecure.

Learn more in this exciting new report The Good and Bad of Biometrics to find out whether logging in by scanning your face is really as (in)secure as you think it is.

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Product Designer, Ryan Williamson-Cardneau to learn about what he does and his experience at Duo. 

Ryan Williamson-Cardneau

Employee Name: Ryan Williamson-Cardneau

Title / Department / Office Location

Sr. UX Engineer / Product Design / Ann Arbor 

How long have you been at Duo, and what do you do here?

For some time, past 4 years now. I work on Duo's design system called Tellaro.

What's your day-to-day like at Duo?

I spend lots of time talking with both engineers and designers to discover opportunities where we are able to create solutions for faster design, or alleviate pain points engineers may have building UI's (user interfaces).

What tools do you use to help you do your job? 

I use Sketch, Abstract, CSS, Javascript, HTML and my caffeine-fueled brain. 

How do you and your team collaborate with other teams within Duo?

We mostly listen to our users. Listening is probably our strongest superpower to make sure that what we invest our time in is actually useful and solving a real problem for our users. 

How did you get your job at Duo?

I reached out and bugged our head of product design Sally Carson. A LOT. There's actually a longer story to this, but the short of it is that Sally took a chance hiring me and gave me the opportunity to grow systems thinking in design at Duo.

What is the first thing you do when you come into the office?

Coffee. Maybe lights if I can't see the coffee machine yet. Lol. 

Any big projects or goals you're currently working on?

We are currently focused on driving adoption of our design system Tellaro, as well as curating content for it. We've been exploring new ways that we can leverage collaboration with other engineering teams to promote component-driven development.

What’s an important lesson you’ve learned while working at Duo?

Never be afraid to reach out and ask for help. We're incredibly fortunate at Duo in this regard. There's never been a moment where someone hasn't taken the time or effort to really try and help out when I've had a problem or a question.

How is Duo different than other places you've worked?

Everyone is very supportive. Basically this place is an amazing intersection of not only crazy smart people, but crazy nice people.

How is your role at Duo different from roles you've had with other companies?

Autonomy + Trust. In short, there's been amazing opportunities to take skills I've used in the past at agencies; dog food them and grow them. Coming into my role at Duo we had no other role like it, no real plan for how the role would grow but over time with trust and the autonomy to explore what designers and engineers have needed, we've been able to grow a team focused on this intersection and begin to tackle some really wicked problems. 

What would you tell someone considering a role at Duo?

Do it. Especially if you don't come from a security background. If you have passion and care about people there will always be opportunities and room to grow at Duo.

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want you! Learn more at duo.com/careers

When I started my journey here at Duo I was incredibly excited. At the same time, I was a little overwhelmed.

You see, my role was going to be 90% remote – and I had never worked like that before. I was accustomed to the routine and predictability of going into an office every day and logging in to my corporate machine, which was connected to everything I needed to do my job.

Secure Remote Worker Responsibilities

During my orientation, the IT department handed me my corporate laptop and then started the rundown of all the security controls I would need to follow to integrate into the security culture. I quickly realized that this was not going to be effortless. I was suddenly responsible for things like protecting my own user account, making sure my system was patched and up to date and that it was going to meet security requirements. If I had any hope of connecting to the systems that I needed to execute my day-to-day tasks, those security requirements had to become part of my workflow.

I consider myself fairly technical, however, I will admit that things like making sure my browser was up to date, my OS had the latest version installed, that I was on a secured network connection, had firewalls and encryption in place, had antivirus updated and running, etc…. well, these were just not necessarily things that were top of mind for me. And I certainly wasn’t very concerned with those things on my personal computer, which I used mostly for gaming, streaming, and social media.

Now I was expected to become a security agent. I was responsible for protecting not just my own account, but the corporate data I was working with. Luckily, the IT team made things super easy, even if I was a little resistant at first to following all the rules.

Remote Worker Tips

To adapt to this new security-focused remote work situation, I incorporated a few key security practices (and they’re not just for work, but for personal use as well).

1. Keep work stuff and personal stuff separate

This is important not just for security reasons, but for your sanity. It is incredibly tempting to log into your social platforms, check your bank account, or have your twitch stream running in the background while you work.

Why, you may ask? Well there is the saying don’t mix business with pleasure, this is not just for your productivity and mental health, but for security reasons as well. Nothing kills productivity more than if you accidentally introduce malware or ransomware to your work machine, social sites have less controls in place than corporate applications and introduce an uncontrolled risk element.

If you have a separate laptop for work, keep that designated for work activities. If you don’t, then try using separate profiles on your computer to keep things separate.

2. Protect your accounts - MFA all the things!

When you are a remote worker, protecting your identity is paramount! This means diligence around where and when you input your username and password. It can be so tempting to click on links in your email; but make sure you recognize the sender and the site you are being taken to.

You have to look out for phishing, a method through which bad actors attempt to wreak havoc and steal your company’s information by getting users to enter credentials (usernames and passwords) into sites that look legitimate. I don’t think you want to be responsible for your company hitting the news because of a data breach, so be mindful of what you click on.

Even better – as annoying as it may seem –use multi-factor authentication (MFA). MFA protects your applications by using a second source of validation, like a phone or a token, to verify a user’s identity before granting access. Think of it as something you know (your username and password) and something you have (your phone).

Many organizations have implemented MFA, much to the chagrin of users like you and me (or so I thought). I quickly learned that MFA isn’t just another annoying security control; it actually protects my identity. So if I accidentally click on something I shouldn’t, which I will neither confirm or deny I may have done, and my credentials get compromised, there is a security layer in place protecting my identity and I am able to work with my security team to change my password….again. Plus, it’s pretty satisfying to click deny on a log-in request on my MFA app when I didn’t initiate the login...so I have heard.

I now also use my MFA to protect my personal social accounts as well, and have been quite shocked by how many unauthorized attempts have happened against them - and with MFA I’ve been protected every time.

3. Keep devices up to date

I used to hate keeping on top of all the patches and updates to my web browsers and operating systems. They took forever to be installed half the time and afterwards my systems were always slowed down. Really it was a hassle that I never saw the benefit to. I was annoyed when I learned that corporate policy was to install the updates within a week of them being released for non-critical updates, and the first time I was blocked for not having a critical update in place, I may have been a little vocal.

Then, there was a critical vulnerability on a web browser that a family member had their personal information stolen through, and another instance where they ended up having to re-image their entire system because they got hit with ransomware. Meanwhile, because I had been trained to keep things up to date, so not only was my work computer ok, but my personal computer was fine as well.

Guess those security guys actually do know what they are talking about. Now everything is updated, maybe not immediately, but I have a schedule on all systems that runs nightly looking for and installing updates, so I don’t have to wait when I go to log in for everything to run.

4. Use a secured network

Remember those college/university days when you revelled when there was an open wi-fi connection? It felt like hitting the jackpot. I was always so annoyed when I had to log-in to connect to the internet – the internet is there, I should just be able to connect to it! This all changed when I started paying for my own internet, which was long before I got into security. I made the rookie mistake of not securing my network, and couldn’t figure out why my bandwidth sucked. Well….there was an enterprising group of college kids next door who were piggy-backing on my network. I had to quickly learn all about WPA/WPA2 encryption and locking down my network.

So when I started working remotely, I figured I already had this in the bag. Then they told me I had to connect to corporate resources using a secured company portal. Unsecured connections (endpoints)are yet another way that bad actors can piggy-back into an environment and cause damage. So not only did I need to have a secured network at home but had to use corporate tools like a VPN to create secured tunnels into the network. 

The extra step seemed unnecessary, but I realized there are applications and systems that still live behind the corporate network that I couldn’t get to if I didn’t create the secure tunnel in. When you go into the office, everything is protected behind the corporate firewall – the remote connection tools keep all of that secure and controlled, and keeps track of who does what. So it protects the company and me. With that logging in place I can’t be blamed for accessing something I shouldn’t.

5. Don’t be shy - ask for help

When you are in an office, it’s easier to stroll up to the help-desk and ask an off-the-record, off-the-cuff question. There is no log, no record, no ticket. Being remote, well, it becomes pretty tricky to get fly-by answers from the IT team, so it can be tempting to just try and figure things out yourself. I urge you not to do this.

When something goes wrong on your work system and you are remote, it is advantageous to ask for help and reach out. Why, you may ask. Well, if there is something wrong with your system, chances are it isn’t going to fix itself. Trying to fix it yourself can result in the issue getting worse, impacting your productivity and potentially your security. Chances are you're not the first person to have an issue and your IT team will be able to get you sorted quickly.

It’s not like with your personal systems, where you can either take it to a computer technician (which then usually means you are without your machine for a while), or if you are an enterprising do-it-yourselfer, you may just reinstall/restore your own system. Most corporate computers are locked down with controls, and it really is best to let your remote support team resolve the issue rather than trying to sort it out yourself. Asking for help means everyone stays happy and secure, and you can get your work done.

My Summary of Remote Worker Tips

Working remotely initially seemed pretty overwhelming with all the new security protocols I had to follow, but I’ve actually found it to be pretty easy, and it’s improved my security practice in my personal life as well.

• Keeping work and personal separate means I have less distractions throughout the day and I am more productive
• Protecting my user accounts and keeping my systems up to date means I have peace of mind that my work and personal accounts and systems can’t be compromised
• Using secure connections keeps my bandwidth for what I want to use it for, and means I can access systems in the office from my home.
• Asking for help means that I don’t have to try and figure out how to fix things on my own, or pay expensive technician bills

Best of luck to anyone else who finds themselves in a situation where they need to work remotely. Just remember that while the security rules put in place to allow remote work may seem jarring at first, they are there for a reason. And you might just find that you can adopt them in your personal life.

Let’s face it, in today's digital world where everything is connected, having a little security in place to protect yourself probably isn’t a bad thing.

**Phishing is a low-effort, successful method for attackers seeking access to your organization’s data.** This guide gives you a detailed look into how phishing has evolved and the new tactics used to fool users, with statistics on the personas and industries phishers are targeting.

Get the Free Guide

Welcome back to the Plaintext Podcast with your host Dave Lewis, Global Advisory CISO for Duo Security (now part of Cisco).

See the video at the blog post.

In this installment I have the honour of interviewing a friend who also wrote the book The Pragmatic CSO.

In this second episode I chat with Mike Rothman. We discuss how he got to where he is in his career. He is now the president of two companies: DisruptOps and Securosis. Thanks to Mike for joining me for this episode!

If you the listeners have suggestions as to who you'd like to see join me on the show email me hacker @ duo dot com.

And in case you missed it, check out episode 1 of the Plaintext Podcast featuring Thom Langford.

Introducing Duo-Hosted SSO

Cloud applications can create more flexibility and accessibility for organizations, but they can also create more passwords to manage. Your users are human and can (understandably) take security shortcuts like reusing passwords or making them simple and easy to remember. Unfortunately, that can also make it easier for passwords to be compromised. Luckily, there are solutions to mitigate these risks, and Duo-hosted SSO is here to help!  

Included at no additional cost in our MFA, Access and Beyond editions, our Duo-hosted SSO is a new cloud service that makes it easy for you to set up and protect users and applications. Your users will be able to access multiple applications with one username and password. 

Combined with our strong multi-factor authentication, device trust and access controls, you will have an easy way to secure application access and enable the flexibility users need. 

Duo’s SSO is designed from a security-first perspective and allows you to configure access policies that can differ by application, depending on the sensitivity of its data, the privileges of the user and the device being used. This approach allows you to reduce user friction while protecting your most important assets. 

The Duo-hosted SSO beta will roll out to US deployments over the next few weeks (the set-up option will appear in your admin panel when available). 

You can learn more about Duo-hosted SSO and check to see if your account is eligible by visiting our documentation.  

In the coming months, be on the lookout for more great features like Duo Central, which will allow users to launch applications and more from a central location. 

If you would like to help us shape the future of Duo’s SSO please let us know.

**Five Steps to Perimeter-Less Security: Adopting a Zero-Trust Model for Secure Application Access** In this ebook, we'll take you through five steps to help you move beyond perimeter security and grant access to applications based on user identity and the trustworthiness of devices.

Get the Free Guide

The CISO Benchmark Study: Securing What's Now and What's Next

The 6th annual CISO Benchmark Study just dropped and it is chock full of valuable information gathered from 2,800 cybersecurity IT decision makers from 13 countries to deep dive into their thoughts, feelings and concerns around their current security solutions. The report complies a top 20 list of considerations for CISOs you can share with other members of your C-suite, or your board of directors, to make concrete recommendations for improving your organization’s security posture. A 20/20 vision for the future awaits you.

According to the World Economic Forum, cyberattacks are perceived as the #2 global risk of concern to business leaders in advanced economies, second only to fiscal crises.

In this report you will discover some key takeaways like:

1. The best way to allocate spend is through income-based objectives 

2. Exactly how critical are unpatched vulnerabilities?

3. How challenging is it to protect the mobile workforce?

We asked our survey respondents to tell us how difficult it is to protect various aspects of their infrastructure due to remote access or BYOD devices. More than half (52%) told us that mobile devices are now very or extremely challenging to defend. They’ve overtaken user behavior, which was the biggest challenge from last year’s report .

With a zero-trust framework, you can identify and verify every person and device trying to access your infrastructure. Zero trust is a pragmatic and future-proof framework that can help bring effective security across your architecture – spanning the workforce, workload, and workplace .

A zero-trust framework achieves these three success metrics, among others:

• The user is known and authenticated
• The device is checked and found to be adequate
• The user is limited to where they can go within your environment Having zero trust in place removes much of the guesswork in protecting your infrastructure from all potential threats, including mobile devices .        

4. Can vendor consolidation prevent alert burnout?

Our data showed that, for the organizations who are suffering from cyber fatigue, they are far more likely to find a multi-vendor environment challenging. Alongside having to respond to too many alerts and struggling with vendor complexity, we found that having a more impactful breach (in terms of the number of hours of downtime) also increases cyber fatigue. But with over 96% of fatigue sufferers saying that managing a multi-vendor environment is challenging, complexity appears to be one of the main causes of burnout. 

The trend to reduce complexity through vendor consolidation continues, holding steady with 86% of organizations using between 1 and 20 vendors, and only 13% using over 20 (Figure 7) .

Read the Complete List, Get the Free Report

Download the CISO Benchmark Report today.

What does it mean to democratize something? : to make (a country or organization) more democratic. formal: to make (something) available to all people: to make it possible for all people to understand (something)

What Does It Mean To Democratize Cybersecurity?

The industry is still building security based on an outdated model. Where enterprises used to purchase, issue and manage the means of computing, now we need to distribute security to mobile users globally. How do we adapt? We have to change hearts and minds as well as technologies. Democratizing security means thinking differently about the people we serve. Users are not “the weakest link”; they are powerful industry drivers. We have to give up the beliefs and control we once held as unquestioned. It’s time for radical change.

Watch Wendy Nather Explain Why Accessible Security Protects Us All 

See the video at the blog post.

Watch Wendy's Inspiring Keynote at RSA: We The People | Democratizing Security

See the video at the blog post.

Then check out our free security toolkit! 

When security is on your mind, we got you! 

Sign up for your free trial of Duo today. 

“To improve is to change; to be perfect is to change often.”

                                                      — Winston Churchill

The security function in any organisation is under constant pressure to change. It is in the unenviable position of being caught between forces that are uncontrollable. The major force of change occurring is in the way and the extent in which technology is delivered to organisations. Fear of business failure caused by competitors moving faster haunts CEOs. 

There is a relentless pressure to meet new business demands for faster and cheaper technology. 

On the other side of the rock and the hard place, is the external threat coming from the attacker. Often portrayed on television with the inevitable B-roll clip as a “Hacker in a Hoodie”  the truth is more often than not the “hacker is in a highly dynamic business operation or a well-resourced nation state.

How Adopting Zero Trust Framework Simplifies Security

CISOs need to navigate through these competing business demands and are looking for help. This is where the concept of Zero Trust comes into play. It provides a framework upon which change to meet increasingly complex security demands can be crafted. 

Often when discussing the topic with CISOs there is an intuitive understanding of Zero Trust and the benefits it can bring. Zero trust mitigates risk by requiring identity and user access management through a variety of factors (like multi-factor authentication or 2FA ) and extends protection for an organization outside of the confines of the corporate perimeter to any device, managed or managed on any OS.  

The question, however, becomes: "Where and how do we start?" The answer can be as simple as: "Wherever it is appropriate." Which is a bit vague.

Adopting Zero Trust is not a one-off event. It is a continuum of constant change. It goes to the fundamental way an organisation designs its security; it changes the way in which users interact with the resources they need to complete their jobs; how partners and BYOD contractors will be controlled when working with the organisation; how we view the organisation’s assets whether they are owned or not. Selecting a starting point needs some consideration.

Choosing the Right Zero Trust Framework Starting Point

At Duo, we focus on the point of access by the end user as one particular starting point.

Securing the access point addresses one of the most vulnerable and attacked ways for a breach to occur – compromised credentials. Protection at the access point also helps to change the security culture of the organisation by including the end user into the security process.

Duo’s 5 Step Approach to Zero Trust Security

To ensure that change can be managed, and controlled Duo developed a five-step approach.  This enables a clear set of steps that can be defined and measured. It is not a one off programme but is a series of iterative loops.  

Step 1: Enable User Trust

Start with a specific application and a set of users. Implement the initial MFA solution,  then identify the assets used before finally implementing adaptive policies.  Often we have heard a CISO argue that they should start with the most critical asset. But perhaps it is best to start with a control group on a non-critical application, and learn the initial lessons before starting on applications critical to the business.  

Step 2: Device Activity & Visibility 

Duo’s two-factor authentication (2FA) dashboard gives IT complete device visibility. Duo works as a standalone frictionless solution, but is also software agnostic and can be deployed to work with legacy on-prem and cloud solutions. Coupled with Cisco SecureX end-to-end protection, the best integrated security in the world is easy to attain. 

Step 3: Device Trust

Knowing what devices are accessing your network and their “device trustworthiness” (regardless of the platform like Apple’s iOS, Microsoft, Android) is another key layer to adopting a zero-trust security framework. 

Duo’s Device Health application offers new product capability that helps control which laptop and desktop devices can access corporate applications based on device trust. It helps organizations adapt to a zero-trust security model providing IT security teams with the ability to:

• Validate the health of a device at the time of authentication
• Enable end users to proactively fix device security risks
• Extend visibility and control for unmanaged / BYOD devices

Step 4: Adoptive Policies

Duo lets you reduce risks by enforcing precise policies and controls. Enable your team to define and enforce rules on who can access what applications — under what conditions. Define access policies by user group and per application to increase security without compromising end-user experience. Access policies are a central component of zero trust security because they allow an org granular control over who gets access to what application, when and where. 

Step 5: Securing Users with Zero Trust

To achieve a zero trust security framework across the workforce, simply follow steps 1 through to 4 – then repeat.  

Develop a set of KPIs that will not only show progress but also benefit.  One of the first benefits often identified in discussions with CISOs is gaining greater visibility over users and assets. Creating a process to link the output from the programme to an inventory or asset register benefits the whole organisation especially the European IT teams.  

Being able to block logins if a device is not up to a set patch level can be useful to any incident response team. Having access to logs can be valuable for forensic investigations. Understanding these benefits and creating the links to other parts of the security team, as well as IT, drives greater value but requires more change.

To successfully drive change, a structured repeatable process is required. The 5-step approach provides the basis for a zero-trust framework. We may never get perfect security and any such promise should be viewed with scepticism. But we can drive constant change in the hope we get somewhere near there. 

How do you eat an elephant? One bite at a time. The trick is to get started. 

See the video at the blog post.

Welcome to our inaugural podcast! Our Duo CISO Advisory team members are legends in their fields. They have seen it all, and they are ready to share their insights with you!

If two crows are an attempted murder, then a group of Advisory CISOs surely make up a Murder Board. Nope, no one is getting whacked. A Murder Board is a group of people that are pulled together to provide critical review. The idea is to prepare someone for a difficult situation such as a presentation, or for our meaning, your career in security.

This podcast will start out as a monthly endeavor. The hosts are Dave Lewis, plus Richard Archdeacon, Sean Frazier and Wolf Goerlich.

The Duo CISO Advisors will be discussing security issues that pertain to the business of running a security practice, living life as a CISO and current events of the day packed with humor, knowledge and grace.

Learn more at Duo.com

Check out our free security toolkit! 

And if you like this podcast, you might enjoy Duo's "Plain Text" podcast where CISO Advisor Dave Lewis speaks to another CISO about his personal career journey and experience. 

                          Meet the Duo CISOs

See the video at the blog post.

“Well, I can see, what you mean
It just takes me longer
And I can feel, what you feel
It just makes you stronger
You can take me for a little while
You can take me, you can make me smile in the end"
             — “In The End” by Rush

This one hit me hard. If you don’t want to hear my sobbing at the loss of the legend and a gentleman, Neil Peart, the drummer and lyricist for one of my favorite bands, Rush, then skip ahead.

As I said, this one hit me hard. A lot harder than I even realized when I first heard the news that “the professor” had left his mortal coil. My exposure to Rush was early. When I was in grade school I had sent away for the Columbia House 10 records for a penny offer. For the younger folks who don’t remember (and probably don’t remember records) Columbia House had this scheme where you’d pick 10 records and all you had to pay was a penny that you would tape to the offer card with the list of records. The rub was that you had to buy 10 more records, at full retail price (actually a bit higher than if you went to the record store) over the course of the next year. It seemed like a good deal and it was since most people would cancel or never pay. I can’t remember if that was me (hey, it was a long time ago) but I do remember that Rush’s 2112 was among my 10 choices. I chose this record, like I did most records back then, not because I had any idea who they were (they hadn’t been played on the radio up until this point and we didn’t have cable TV let alone a thing called the Internet) but because of the album cover (same reason I chose Kiss "Destroyer"). Something about the album cover spoke to me. It’s sci-fi feel, it’s simplicity, everything. 

When I played the record (and I played it a lot — especially the 20-minute entire first side the magnum opus 2112), I was hooked, and I have been a rabid Rush fan ever since.

I have since passed on my love (or at least a strong like) of Rush to my kids by taking my two oldest boys to see their "Vapor Trails" tour — and then the whole family to see then as they exited stage left for their "R40" final tour. They’ve had an amazing career, and the world is better off for having them in it. (I know we still have Ged and Alex but somehow it just won’t be the same). 

I quote Neil’s profound words regularly and until his passing I hadn’t really thought much about it. One of my favorites that I have used often is “if you chose not to decide you still have made a choice.” From the song “Freewill.”

I’ve quoted this to my kids and I’ve quoted this in work situations (among many situations) wherever and whenever inaction and/or indecision seem like the right path forward (psst… it never is). 

Mr. Peart, you will be missed. I will miss you. Change is hard.

This brings me to the point of this somewhat rambling micro-thought of mine. Change. All change is hard (some harder than others), and some change is bad, but often times it’s neither bad nor good but it is always inevitable. We spend a lot of time trying to get out of (or outright fighting) change and to me this is totally wasted energy. There is also welcome change, and while it is welcome, it is still change, ergo it will probably be hard.

Prepping for Passwordless 

This is the preparation for the day where we no longer have to live with passwords as a security construct. I think it’s safe to say that this will be a happy change that we will all embrace. But the “how do we get there?” part is still a little TBD. The good news is that I’ve seen where an open and standards based approach can work wonders to solve hard problems like this. 

I’ve written about this a bunch but usually as an adjunct to something else (usually Zero Trust aka ZT) but now, as much as identity is an anchor tenant of a ZT architecture, this is all about the WebAuthN baby. 

I always talk about how passwords were never truly designed to be a security construct to begin with. They were created way back in the sixties  at MIT by legendary computer scientist the late Fernando Corbodo. They were first put in place as a basic protection for timeshare sessions and files, no one kicked up much of a fuss when the “passwd” file got swapped with the “message of the day” file. 

I think Mr. Corbato would be none too happy that passwords have persisted as the primary login security mechanism for the last 60 years. We just kinda took the lazy way out of protecting our data and we’ve been doubling down on lazy ever since.

The Road of Constant Password Failure

When computers were new we failed to create a mechanism to protect them. No biggie. Computers  were as big as a house and there were like ten in the whole US of A at the time, so big whoop. Then the PC revolution happened and we just dragged the same failed construct along for the ride (FAIL 100x). Then the Internet happened and we thought well, if it worked for PCs it’ll work for this too (FAIL x Million). Then we got to cloud and then mobile and then……… and we never fixed the problem. We made a choice to have terrible security (“if you chose not to decide, you still have made a choice”)

Developers are amazing but they are also lazy, especially when it comes to mundane things like security. Much easier to put all of the burden of security on the user (hey, I’ll just create a database of strings and the user will have to enter it in and maintain it. Oh there’s already a database that doesn’t that (LDAP)? I’ll just use that because it’ll hash a password. Check. Sometimes dev folks balk at this level of security involvement. Heck, might as well outsource the entire security stack (OpenSSL) and just leave everything as default and never update it.

We are where we are because of choices we made (or didn’t make). It’s our own fault. But….. we finally have a chance to make this right.

We Can “Decide” To Make Security Right

I vividly remember the online commerce revolution, when the internet went from a passive information model to a meaningful way to transact business. It was enabled and fueled by encryption. PKI to be exact. Before SSL no one was even thinking about buying things or accessing their bank accounts online (keep in mind it took a few years for this to really take off). When we (Netscape) introduced SSL, it changed the game, but not for the only reason you might be thinking. Sure, it was the security of “the lock” that made people more comfortable with trusting the internet for such transactions, but it was really the transparency that drove rapid and total adoption. 

Users didn’t have to do anything, not really. This was the secret to SSL’s (and it’s protege TLS) success. It was, in my humble opinion, PKI done right. The right combination of security and ease of use had always been (and always will be) a balancing act but SSL was the right balance of the two dynamics needed to succeed.

WebAuthn Will Change Identity Security

We are on the cusp of a very similar revolution when it comes to user identity security. WebAuthn will do for user authentication and access what SSL did for e-commerce. It will allow us to login, securely and transparently for the first time. Ever. The acceleration of adoption has already started once Apple got in on the game at the platform level, this decision will be the fuel that will propel the rocket ship. WebAuthN will be what will finally save us from the password hell we have been living in for so many years. But it will happen. I can feel it. In my bones. We WILL kill the password once and for all.

Now, WebAuthN is not magic, it’s still very early-stage, and will take some time.I like to tell people that if we measure it’s life using a baseball analogy we are only in the 2nd inning and the top of the 2nd at that. 

Passwordless and the Public Sector

In the US public sector, we are very familiar with PKI. We’ve been living a PKI life and trying to kill the password for 20 years. We intrinsically knew the value that PKI could bring to solving this problem,  but the tools didn’t exist at the time, so we built it ourselves. But what we’ve found is that it’s easy (or at least easier) to build a complex system but much harder to maintain it. This part was an expensive (but necessary at the time) choice and it only gets more and more expensive to maintain as time goes on, let alone if you need to (and you definitely do) innovate. This “I”nfrastructure (as in the I in PKI) has to be able to adapt in a modern world. This is why WebAuthN is compelling. It’s the PKI we know, love and understand, but implemented in a way that can be deployed to the masses, across all platforms, using an open standard.

I, for one, could not be more excited for this revolution and Duo’s part in it. It will take all of us in the end user compute ecosystem. Anyone who provides the ability for users to login to things will be affected and it is incumbent upon us all to move quickly (as quick as we can) to join the passwordless party. 

The next 10 years are going to be fun.

Picture a rumpled yet dapper man walking the streets of 1970s Silicon Valley carrying a heavy briefcase. The man is Bill Moggridge. The briefcase holds computer components: circuit boards, hard drive, floppy drive, a power supply. The question on Moggridge’s mind is could a computer be portable. While he works the question, he carries the briefcase. Feeling the weight. Opening and inspecting the parts. Closing and thinking some more. You are picturing the essence of innovation.

I think about Moggridge and his briefcase often when planning out a strategy for an emerging category. There are a few lessons we can take. First, be specific about the use cases we’re trying to solve. Second, start where we are with what we have, even if it means putting the parts in a briefcase and carrying them for a bit. Finally, learn from the experiences to rapidly iterate and improve the implementation.

The place many of us get held up is where to begin. It’s not feasible to move everything into a zero-trust architecture. And passwordless, arguably the first step in establishing strong user identity in order to provide zero-trust for the workforce, doesn’t yet support all applications and workloads. That’s why selecting specific use cases is key to being successful. A good use case is one where the design simplifies the user experience, reduces security and compliance risk, is in an area that matters to the business, and has applications which work with passwordless and fit within a zero-trust architecture. In other words, begin with the briefcase.

In 1982, the GRID Compass hit the stores. Moggridge had figured it out. All those times opening and closing the briefcase led to an inspiration which continues in all modern laptops to this day. The computer opened up to show the display and keyboard. What began as a collection of parts, evolved into a sleek design, and set the standard for the next four decades. In much the same way, the components we have today -- SAML, WebAuthn, MDM, NAC -- will be brought together in a unified design. We get there by carrying them, implementing what works, keeping an eye towards iterating and simplifying. The first step is to start.

After being immersed in the mayhem that is RSA I often wonder if it is what you miss rather than what you see that is so intriguing. The range of activities and opportunities to listen are immense. The expo floor is as crowded as ever with a plethora of vendors. Many were pushing dashboards as key. There is undoubtedly a place in the market for a dashboard of security dashboard vendors.

What Were We Thinking?

It is the range of talks and discussions that provides the most interesting area of thought. Without any bias Wendy Nather’s talk was received extremely well. Not only did it provoke controversy about the industry– her opening line was “What were we thinking?” – it also produced laughter and nodding in agreement. Before the end I was being pinged by folks asking for introductions. That is a sign of success. Always take the chance to bask in others glory..

Cloud Security and CISO Communications 

But what of the topics in the more general sessions away from the keynote. I had a glance through the agenda and found two areas which seem to have grown in profile. Firstly, Cloud security, more particularly the protection or exploitation of cloud applications and the importance of security in the Kubernetes world. 

Secondly the importance of the CISO being able to communicate or interact with the senior C level teams within organisations. So, one area technical. The other definitely not technical. This is a personal scan and I am sure that others will take a more scientific approach and analysis.

Zero Trust

When it came to the more management type of task, I also noticed that the queues were much longer. The standby lines for spare seats were often doubling back on themselves. This is a sure sign of interest. One particular talk on Zero Trust by the Microsoft CISO had a huge queue plus an overfill room full to the brim. So, there is interest in Zero Trust although it is does not appear as high profile as it was. This talk discussed the need to start the Zero Trust journey by implementing MFA at once and how the use of a strong solution could be part of a programme to remove passwords. This aspect made the solution very popular with users and management as it improved ease of access as well as reducing the cost of passwords resets. So user efficiency and operational efficiency rolled up into one.

Automation 

From an operational perspective it seems that a continuing theme is how more processes and analysis can be automated. How to reduce the need for the so called “mandraulic” activities to be reduced. This is driven by the need to reduce the time from detection to reaction but also by the shortage of skills within the industry. I cannot count how many time the topic of the shortage of skills and talent was mentioned in talks of all natures. A common theme was the need to look outside the normal technical areas for those with diverse skills and talents that could be developed as security professionals.

Having written the above, perhaps the most striking change this year was the omnipresent nature of the automated hand sanitizers. Wherever possible small devices were placed to squirt hygiene into your life. A reassuring reaction to the news that we are all hearing. Hopefully these will become a common feature at all future events.

Honorable mention: Our friends at Decipher walked away with the the Security Blogger Awards top honors securing "Best Corporate Security Blog!

See the video at the blog post.

This is the final blog of the 4 part series showcasing how organizations can verify device trust with Duo. In the first blog we saw the importance and the need for device visibility. The second blog informed on how organizations can block vulnerable devices. The third blog showed how organizations can prevent breaches and achieve compliance. In this blog, we will summarize how organizations can easily reduce their exposure to cyber risk with the newly available capabilities that make up Duo Device Trust.

The Complicated Problem of Endpoints 

Enterprise and SMBs struggle with managing all the endpoints that need access to corporate data. As the workforce becomes more diverse with remote workers, vendors and contractors more third-party devices and BYOD enter the network. This onslaught of unmanaged devices creates complicated challenges for IT to address. Questions arise around how to verify and make an access decision on these devices that have different OS platforms. Do these devices have the recent critical security update installed? What endpoint security settings are required to stay compliant with corporate policies and data security regulations? These devices reside outside of the control of corporate EMM (enterprise mobility management)  and MDM (mobile device management) solutions. Enforcing security policies for BYOD and third-party devices can be an arduous undertaking.

Almost half (49%) of enterprise devices are being used without any managed update policy and about 40% of organizations surveyed said they had experienced a mobile-related compromise.

                                               — Verizon Mobile Security Index 2020

Consistently applying policies for managed and unmanaged devices and having the capabilities to verify the trustworthiness of a device is essential to protecting an organization from risk while providing seamless access for the diverse workforce. 

Simplifying Device Trust  

Duo is known for democratizing security with easy to use multi-factor authentication, but we haven’t stopped there. Knowing which devices to trust and who is accessing your applications is a key tenant to achieving a zero trust framework. Duo is committed to making this security framework simple and achievable for businesses of all sizes. 

Duo is tackling the complicated endpoint problem by developing solutions that help solve the challenges around establishing trust in devices regardless of their management status. To that effect, we are delighted to announce exciting new Device Trust capabilities that build on the functionality that Duo has been offering - Device Insight and Trusted Endpoints. The new capabilities further help organizations minimize their risk surface by verifying trust and enforcing security policy compliance across any device that requires access to corporate applications.

The following new device trust capabilities make it easy for organizations to assess the health and security posture of any device (managed or unmanaged), on any platform (Windows, MacOS, iOS and Android), and enforce adaptive access control policies in order to reduce risks of security and non-compliance. 

Verifying Trust on Managed and Unmanaged Devices

Duo's Device Health application gives organizations control over which laptop and desktop computers can access corporate applications based on device security — even if that device is not controlled by corporate management systems and/or isn’t directly on the corporate network. Customizable access policies can block access if the device is unhealthy or has a weak security configuration, and provides self-remediation options to users so they can address issues themselves alleviating the burden on helpdesks.

Organizations can prevent a breach caused by vulnerable devices, while protecting all users accessing any application, from any location. With Duo, you can prevent malware infection, identify shadow devices on your network, block risky devices and protect access to your data.

Existing Duo Access customers can set policies to require Duo Health App and verify device posture before granting access. And existing Duo Beyond customers can additionally set policies to verify the presence of one of the following AVs.

• Cisco AMP for Endpoints
• CrowdStrike Falcon Sensor
• Symantec Endpoint Protection
• Windows Defender

Device Health application is available on Windows and Mac OS platforms.

Extending Trust to Devices Managed by Microsoft Intune

Device trust for the enterprise often extends even further with more complex IT environments with managed devices. Through our partnership with Microsoft we have extended our Trusted Endpoints capabilities to integrate with Microsoft Intune, helping organizations to set adaptive access policies around unmanaged endpoints (BYOD) and managed endpoints based on their enrollment status with Microsoft Intune.

This feature will be supported on Windows, iOS and Android platforms and existing Duo customers can reach out to their reps to participate in the beta program

Block Infected Devices Using Cisco AMP for Endpoints

The modern workforce prefers to work in a variety of places outside of the normal office, which may include unsecure networks which could potentially expose devices to additional risk of malware and ransomware. To address this scenario we have integrated with AMP for Endpoints, which allows administrators to enforce a Trusted Endpoint policy. This provides the ability to automatically block access to Duo protected applications from devices that are running AMP and have been flagged in AMP as an infected endpoint containing malware. This automates the response to an infected endpoint device, preventing the propagation of malware and reducing the risk of data breaches. Since Duo only blocks the infected device, the user can access the application from a different device that passes the trust checks as per policy and be productive.

This feature is now generally available and supported on Windows and MacOS platforms. Existing Duo Beyond customers can leverage this feature along with Cisco AMP.

3 Reasons Customers Choose Duo for Device Trust

1. Duo offers the most comprehensive device trust capabilities in the market today that is easy to use for end-users and simple to manage for administrators.
2. Duo’s unique approach to verifying the trustworthiness of devices caters to a wide variety of use cases and a diverse population of workforce devices.
3. Duo helps organizations to improve security in a manner that is user friendly and enables productivity. Users are empowered with self remediation for out of policy devices, so security does not interrupt daily tasks. 

For organizations, all this translates to reducing cyber risk while enabling productivity and realizing lower total cost of ownership.

• Get started with Duo Device Trust today, sign-up for a free trial now. 
  
  
• For details on pricing and packaging, click here.
  
  
• Watch this on-demand webinar to learn why Device Trust is important and how Duo can help.

The struggle is real. How can the US Department of Defense (DoD) reasonably secure data of their supply chain that supports $716B in congressional funds? With over 300,000 companies holding defense contracts, there’s significant risk associated with sizable user groups managing controlled unclassified information (CUI). This is why the Office of the Under Secretary of Defense for Acquisition & Sustainment now provides a digestible framework with infosec best practices for prime and subprime contractors. 

Notable: 

1. Unclassified information is a national security risk, too. A data bunker may be overkill, but proper care is critical for any contactor with operational system access and personally identifiable information
2. A breach in the defense supply chain will have a cascading effect - potentially halting mission-critical operations
3. Not all contractors are made equal. Some have DFARS swagger, others do not

DoD Contractors Will Need A Third-Party Audit

With the recent release of Cybersecurity Maturity Model Certification (CMMC), a third-party audit is required for any contractor responding to DoD bids. Audits will confirm and document the implementation of security practices pursuant to DFARS & NIST SP800-171 - a significant change from the status quo of contractor self-assessment and an insufficient verification process. 

CMMC is a game-changer with its concise summary of security controls and a newly found accreditation body. The necessary controls are outlined in five levels (L1-5) to accommodate varying degrees of CUI management. This simultaneously helps contractors identify their vulnerabilities, while maintaining audit-ready work streams for a competitive advantage when bidding. 

Majority of the defense industry base will need L3 certification, wherein multi-factor authentication (MFA) is the first line of defense. Herein lies a challenge for contractors to elegantly verify employee identities in a remote, mobile, SCIF, and air-gapped universe. These hybrid environments beg for a zero-trust approach toward application access; modern networks must consider smart security practices for their workforce, workplace, and workloads. 

Throughout my time with Duo, I’ve quickly realized that MFA doesn’t need to be a poor user experience, cumbersome to deploy, and/or costly. Contractors with BYOD now have an accessible FedRAMP tool built for SP800-171 requirements to secure their application suites in a way users appreciate, and without exhausting their budget. 

How Duo Helps DoD Contractors Stay Compliant

There’s tons of resources available for beginner and expert contractors alike to prepare themselves for a healthy security greenlight. The hard part is doing the assessment, and building a strategy that best suits the business. 

For those just getting started - or pros looking for additional resources - Duo offers free tools and activities for security awareness, training, and password party tips that’ll impress your friends!

Kudos to John Hopkins Applied Physics Lab, Carnegie Mellon University, and OUSD (A&S) for their dedicated collaboration in assembling a program that not only helps contractors identify their security gaps, but standardizes protection of unclassified data. 

The best security control is the security control people actually use. We’ve shifted from enforcing security to creating security that users want to adopt. When it comes to zero trust, one thing many of us have been considering is how to make it attractive to end users. Enter passwordless authentication.

The problems of passwords are well understood. People have too many of them, for starters. People forget passwords. This results in IT and help desk work resetting passwords and unlocking accounts. People reuse passwords. This leads to the security team working overtime to stop attackers from logging in with credentials from the latest password dump.

No one likes passwords.

Going passwordless means establishing a strong assurance of a user's identity without relying on passwords, allowing users to authenticate using biometrics, security keys, or a mobile device. Passwordless authenticates with whatever is appropriate for the use case. No passwords, no problems. (That might be a slight exaggeration.) The shift away from passwords both improves the user experience while improving the security. When positioned as part of an overall zero-trust architecture, passwordless becomes what’s in it for the people.

The journey to passwordless begins with carefully selecting the people, devices and applications. As with other transformations, it is imperative we scope the use cases to maximize buy-in, risk reduction and efforts. Given the scope, the high-level approach to passwordless includes:

1. Reduce Password Reliance: Strong Authentication for All Apps - Reduce your reliance on passwords and lower the risk of credential theft by protecting cloud and on-premises applications with Duo’s multi-factor authentication (MFA).
2. Achieve Less Passwords: Minimize Passwords for Cloud Apps - Achieve less passwords by using WebAuthn with Duo and single sign-on (SSO) for SAML-based applications. Ideally, users can log in using a single biometric authenticator (or security key) to access any web-based application.
3. Achieve True Passwordless: Eliminate Passwords for Legacy & Cloud Apps - Achieve true passwordless for all use cases, including passwordless for both legacy tools using older protocols and cloud-based applications by removing passwords as the primary factor.

The strategy is strengthening the user identity while improving the user experience. From a security perspective, a passwordless play establishes the cornerstone of a zero-trust architecture. Without the ability to establish and maintain trust in the user identity, the additional components of zero trust have nothing to build upon. More importantly, from a usability perspective, a passwordless play actually improves people’s daily work. 

User adoption has taken the front seat in security today, and passwordless gets us there. 

Come visit us at RSA Conference 2020 at our Duo booth [#1835S] to learn more about the human element of passwordless and ask for a demo. Talk to our team and ask them about how through our technology partnerships, Duo is innovating toward a true passwordless future! 

If you want to hear more about our vision for true passwordless, stop by the Cisco Booth [#6045N] at 5:00 p.m. Tuesday, Feb. 25 as Steve Won, Group PM for Authentication, gives a booth talk about the journey to passwordless.

This is the third of a four-part blog series on how Duo helps organizations in verifying device trust. This blog will explain how Duo's Device Trust enables organizations to check and enforce the device security and compliance posture prescribed by standards such as PCI-DSS, HIPAA, and the NIST cybersecurity framework.

Verifying the trustworthiness of devices accessing corporate applications is part of basic cyber hygiene. So it's no surprise that many IT security standards and regulations have required security controls to assess device posture. 

Here are some common checks that organizations would need to perform before granting access in order to attest whether a laptop or desktop is trustworthy:

1. Is the device managed?
2. Is the OS version and the patch level up-to-date?
3. Is the enterprise antivirus (AV) agent installed and running?
4. Is the disk encryption turned ON?
5. Is the host firewall turned ON?
6. Does the device have a password set?

Examples of Required Security Controls

Below are some of the required security controls that call for similar device posture assessments before granting access to sensitive data.

How Duo's Device Trust Helps Organizations Enforce Endpoint Compliance

Endpoint security controls can be implemented in various methods using different solutions. But challenges exist for administrators in checking and enforcing these controls at the time of application access and maintaining sufficient artifacts in order to prove compliance across groups of devices over a period of time.

Duo's Device Trust provides IT administrators an access control enforcement tool to ensure that the devices accessing sensitive data are compliant. 

For example, if the user has not installed a recent OS security patch or does not have the enterprise AV agent running on their device, and is requesting access to CDE (cardholder data environment), the Device Health application blocks the device’s access and provides instructions to the user on remediation steps needed to comply with the security policy. Duo also captures detailed logs of every device and every access request, providing an audit artifact that can be used to prove compliance during audit. 

For complete information on how Duo can help organizations meet compliance requirements read the solution brief. 

Enabling Compliance for BYOD and Unmanaged Devices  

Organizations find it difficult to gain the level of visibility needed to make an access control enforcement decision on BYOD and unmanaged devices. Device management solutions may not be a viable option in this scenario. 

Employees typically do not adopt corporate solutions such as a mobile device management (MDM) agent on personal devices due to concerns regarding loss of privacy and control. External contractors and partners that comprise the extended workforce for an organization may already be enrolled in a different solution from their primary employer. The lack of visibility and control into these devices creates security and compliance gaps as organizations might be blind to the device state when they are accessing corporate data. 

Duo's Device Trust makes it easy for organizations to gain just the right level of the level visibility needed to attest to the devices. With the Device Health application organizations can enforce access control policies to corporate applications and restrict access when devices do not meet specified security and compliance requirements. 

This lightweight application can be installed by users with administrative privileges when they login the first time after the policy is configured. Unlike other device management agents, the application cannot make changes to the device, such as execute remote wiping of data. Duo’s novel approach is BYOD-friendly as the Device Health application only performs device posture checks at the time of accessing applications. The application empowers users by enabling self-remediation, which reduces the number of IT tickets raised or calls to a support help desk.

“Cisco has over 3,000 applications, 4,000 extranet users (partners) and 15,000 contractors worldwide. A huge security challenge we need to solve is making sure we assess and verify the state of every device we allow access. Duo's Device Trust will help us solve this challenge by providing us the visibility into the world of the unknowns so that we can flag and block devices that do not meet our security criteria.”

                                           — Rich West, Principal Engineer of Information Security, Cisco

Enabling Compliance for Managed Devices

To comply with more strict regulatory requirements, many organizations implement MDM or enterprise mobility management (EMM) solutions. Duo integrates with leading device management systems such as MobileIron, VMware Workspace One and Microsoft Intune*. With Duo’s Trusted Endpoints, organizations can distinguish between unmanaged endpoints and managed endpoints that access browser-based applications. 

The Trusted Endpoints Policy tracks whether clients accessing the applications have the Duo device certificate present, or can block access to various applications from systems without the Duo certificate. 

Further, deploying the Device Health application on managed devices helps IT easily enforce granular security policy checks at the time of authentication.

“Duo Beyond creates an invisible and open gate that authorized users with trusted devices never have to see, the gate only materializes and closes when the device trust standards are not met.”

                                                           — Dan Regan, Former Cloud Security Engineer, Zenefits

Learn how Duo can improve your organization’s security and compliance. Try it for free by signing up for a 30-day trial.

*Microsoft Intune integration for Duo Trusted Endpoints will start beta at the end of February 2020. For details on participating in the beta program, current Duo Beyond customers can reach out to their account representative.

Download the Ebook "Customer Chronicles: Securing State and Local Government Agencies with Strong MFA"

See the video at the blog post.

Welcome to the Plaintext Podcast! I'm Dave Lewis, Global Advisory CISO for Duo Security (a Cisco company). This podcast is the natural progression from the awesomeness that is Decipher. 

See what I did there? 

The idea here is an interview-based series where I sit down with current and former CISOs to discuss how they got to where they are in their careers. We’ll talk about where they started and lessons learned along the way. 

In this first episode I chat with Thom Langford, CEO of (TL)2 Security and recovering CISO. Thank you, Thom for joining me for the inaugural episode!

If you, the listeners, have suggestions as to who you'd like to see join me on the show email me "hacker @ duo dot com".

Rap lyrics and vocals by int eighty (of Dual Core)
Music by Mikal kHill
Mixing and mastering by Cecil Decker

Learn more at Duo.com

Check out our free security toolkit! 

And if you like this podcast, you might enjoy Duo's "Murder Board" podcast where our CISO advisors have a candid, educational (and often hilarious) roundtable discussion about the latest in protection and trends for the cybersecurity industry. 

Duo verifies the trust of workforce access by evaluating every access attempt against several controls. First, Duo’s market leading multi-factor authentication solution protects customers against credential theft, the most common modern attack vector, by verifying the user’s identity. Next, Duo evaluates the access device’s security posture to establish that the endpoint meets security hygiene standards. Following this, Duo verifies authorization through its flexible and granular access policy engine, which enables Least Privilege access to critical corporate resources. To further extend these layers of trust controls into the behavioral realm, Duo is announcing the public beta of Duo Trust Monitor. 

What is Duo Trust Monitor?

Duo Trust Monitor is a security analytics feature that identifies and surfaces risky, potentially insecure user behavior in a customer’s Duo deployment. When the feature is enabled, Duo Trust Monitor will model all historical Duo activity and telemetry to create a baseline profile of workforce and device behavior. The feature evaluates each new access attempt in light of user, cohort, and organization’s behavioral norms. If a user significantly deviates from their individualized behavioral profile, Duo Trust Monitor will surface the case as behaviourally anomalous. 

Anomalous behavior may include novel IPs or devices, unusual authentication factors or times of day, access attempts by high risk users or against high risk applications, recognized patterns such unrealistic geo-velocity or brute force attacks, and much more. 

To illustrate the point, here are two typical explanatory modals that might be displayed within Duo Trust Monitor:

Not only does Duo Trust Monitor highlight behavioral novelties (i.e. login from a new geography or device), but it will also detect highly unusual access attempts (i.e. this happens less than 1% of the time). Additionally, security insight will be used in conjunction with unusual access to label events. For example, Duo Trust Monitor can group certain location and time anomalies into the impossible geo velocity category for easy triage. In the circumstance that a case that Duo Trust Monitor has identified is unimportant, the feature learns from customer feedback and will avoid surfacing events with similar detection characteristics.

How does this improve security?

Duo Trust Monitor has several value propositions:

1. Environment Visibility & Policy Hardening

By creating a historical baseline of user behavior and surfacing unusual access attempts, organizations get deep insight into their environment. Duo Trust Monitor does the heavy lifting of identifying strange access and contextualizing its security meaning. For example, Duo Trust Monitor might uncover a software engineer that is attempting access to a financial application for the first time, which an organization may not yet have an internal security policy built around. Such a situation may not be malicious, but might warrant a change to access policy.

2. Informed Risk Detection & Prevention

In enabling Duo Trust Monitor, organizations can designate high-priority, high-privilege applications and user groups. When these applications are accessed atypically or credentials associated with powerful users act anomalously, understanding the story behind the anomaly can provide key security insight. For example, if credentials belonging to a CXO abnormally “down factor” (i.e. move from a more secure second factor like a push to a less secure one like an SMS), the corresponding Duo Trust Monitor-identified security event might represent an instance of spear-phishing and account takeover. Teams can prioritize and respond efficiently by checking in with the executive, quarantining the device, and potentially updating the user group’s access policy set to require more secure forms of MFA

3. Security Investigation Efficiency

Before Duo Trust Monitor, collecting context during a security investigation involved scrolling through raw log data and templated reports across Duo and other tools. With Duo Trust Monitor, potentially risky access attempts are highlighted and surfaced. The feature contextualizes the anomalous behavior in a variety of easy to consume explanatory visualization. 

Furthermore, relevant access history is provided with each anomaly so that security teams can easily drill down to learn more about activity leading up to event - providing a simple-to-use workflow for any security professional. 

Should a team prefer that Duo Trust Monitor insights be exported in raw or into a modern SIEM, various export options will also be available.

Join the Public Beta

Duo Trust Monitor will be available in both Duo Access and Duo Beyond editions at no additional cost. If you are a customer currently on either edition, and are interested in joining the the public beta of Duo Trust Monitor, please reach out to your account representative.