Zero trust isn't a product or an architecture, but a philosophy, as Microsoft's David Weston stated in his talk, ZEROing Trust: Do Zero Trust Approaches Deliver Real Security?

Security hipsters love the zero-trust network (ZTN), as can be seen by many others (Duo included) in the industry, like Google.

Why the interest in zero trust? He listed a few reasons, including the perimeter is pwned, users are bringing all of their devices to work (BYOD), and workplaces are now predominantly cloud-native.

And inevitably, attackers will get into the network through either the user with no multi-factor authentication (MFA) enabled, or the worst (insecure) device on the network.

Per John Kindervag, the zero-trust security model means a few things:

• Location is nothing - every network is considered untrusted.
• All traffic flows are rejected by default; routed only if it meets security policy (or considered trusted)
• Trust is a combination of verifying user identities and device security posture
• Access policies are dynamic, based on attributes of the user and their device requesting access

The three main benefits of a zero-trust security model include:

1. Attack surface reduction
2. Mandatory access control
3. Principle of least privilege

An example of how an attack works starts with an initial compromise via a malicious link, which launches an executable. To move laterally, attackers use Mimikatz to steal credentials and Windows Management Instrumentation (WMI) to maintain persistence. Then they exfiltrate data.

With a zero-trust model, after a compromise, you can limit the access of an infected device and remove the ability to dump credentials, plus mandate the use of two-factor authentication (2FA) keys to make lateral movement even more difficult.

For more resources on understanding the zero-trust security approach, check out:

Moving Beyond the Perimeter: Part 1
This white paper explains the theory behind Google’s BeyondCorp security model (built upon the concept of zero trust), the different components required and the overall security architecture.

Moving Beyond the Perimeter: Part 2
Part two of this series explains how to easily build a new enterprise security model within your organization, including an outline of the maturity process.

BeyondCorp at Google
Google's research papers, principles, mission, guidelines and additional resources on BeyondCorp.

Yeah, well, you know, that's just like, uh, your opinion, man. - The Big Lebowski

The lively Duo-sponsored debate broke through the FUD, with opinionated security professionals bantering and buzzing on current issues in the information security industry. The panel included:

• Wendy Nather, Director of Advisory CISO, Duo Security (also moderator)
• Dave Lewis, Advisory CISO, Duo Security
• Steve Manzuik, Director of Security Research, Duo Security
• Katie Moussouris, Founder & CEO of Luta Security
• Ian Amit, Chief Security Officer, Cimpress
• Mike Rothman, President, DisruptOPS and Securosis
• Rachel Tobac, CEO, SocialProof Security
• Jayson E. Street, VP of InfoSec at SphereNY, DCG Global Ambassador

Defense vs. Offense

When it came to the defense vs. offense theme of Black Hat 2018, the question is how to sell defense - how to make protecting corporate data appealing, since breaking code and systems is more fun.

To Wendy’s point, if you’re not sitting in a conference room across from an auditor, you’re not doing real defense. Ian agrees that any consultant that hasn’t practiced defense is worthless.

The panelists also tackled the question of the evolution of the infosec industry - Jayson claimed it’s not the fault of technology; it’s more so the practitioners that are looking for the newest blinking box instead of tackling what our real issues are.

As security people, we need to talk to business people to help them better understand security, build relationships and bake security capabilities into the core stacks that other IT groups, like DevOps, are building.

In a discussion about bug bounties (which most all panelists agreed are overhyped), Katie stated that organizations are moving away from baking security in to using pentesting (an offensive tactic) to manage risk. As Jayson put it, “You’re asking me to rob your house, and you didn’t build the walls yet,” in regards to a company with no segmentation in place that asked him to conduct a pentest.

Wendy noted that so much of the industry is offense, with the attitude that we can fix issues individually, while really it’s a communal problem we need to solve. Fixing problems at scale requires influencing an entire organization to make that fix, and we must work nicely with other teams to ensure that happens.

Vulnerability Logos

The conversation shifted to the security marketing theater of producing logos, websites and PR campaigns for the latest vulnerabilities - are they hurting or helping the infosec cause?

The general consensus was that vulnerability logos, while useful for getting attention, aren’t a replacement for severity scoring with the overlay of your actual threat model, as Katie said. With 40 new Common Vulnerabilities and Exposures (CVEs) released daily, this can contribute to bug fatigue. Likewise, Steve agreed that the logos and attention garnered for vulnerabilities can mistakenly translate to the severity of the bug, which isn’t always the case.

“Everyone needs to chill the f--- out about patching,” said Wendy. Less than two percent of CVEs had ever been exploited in the wild - which raises the question of what portion of CVEs are actually worth patching.

It’s important to exemplify how the threat affects or is relevant to your company or product with the use of a proper red team, according to Ian. Katie stated that executives don’t actually think it’s a threat, even when pentesters prove it is, and that random patching is better than having a patch strategy.

Plus, from an attacker perspective, they’re not likely to burn through exploits of CVEs if they can just use a phishing attack to gain access to your company, said Steve. Rachel agreed it’s important to understand the realistic threats associated with the vulnerabilities, beyond the logos.

Users = Humans

When asked what problem was the most overhyped or one they were sick of hearing about, Rachel responded, “Humans are the weakest link.” In fact, they’re your first line of defense.

If you treat users like a liability, they will be a liability. There’s a problem with how infosec approaches, treats and trains employees. If we don’t tell them what the possible repercussions are, users won’t respect or take security responsibilities seriously, said Jayson.

But Katie and Wendy argue that the infosec industry is putting too much of the burden on users to make up for bad security systems. Users of a system don’t need to care about how it works; infosec people need to make infrastructure and systems seamless enough for non-tech-savvy people to still be secure.

Mike took the middle ground, claiming that the answer is both - we don’t need to choose between educating users and being secure enough without human intervention.

Jayson and Rachel also advocated for teaching users personal infosec that affects their life, which can translate to being more security conscious at work. Another tactic includes putting people in the shoes of an attacker, and allow them to craft phishing emails or ways to hack their own team.

Watch the entirety of the debate below (and be forewarned, some strong language is indeed used by some members of the panel ;P):

Proactive defense vs. offense. Strategy vs. tactics. These themes resonated loud and clear in the high-level talks at Black Hat USA 2018 in Las Vegas.

Dig Deep for Real Change

"We need to be more ambitious, strategic and collaborative in our approach to defense," said Google's Engineering Director, Parisa Tabriz in the opening keynote.

As the world's dependence on increasingly interconnected and complex technology rises, we need to do more digging to find out the structural and organizational security issues that need to change.

Get to the Root Cause

One approach to being more strategic moves beyond isolated fixes to identify and tackle the root cause of problems by asking five why questions; as one question can inform the next.

For example, someone discloses a remote code execution (RCE) bug in your product - your first question might be, why did this bug lead to RCE? Which might lead to - why didn't we discover it earlier?

And why don't we have tests and fuzzers? Why did it take so long to update, and why does it take five weeks to test a security fix? Following this format of asking why can uncover the real root cause, and help prevent similar problems in the future.

Intentional Defense

Google's Project Zero security team aims to enhance the understanding of offensive security to inform and improve defensive strategies, with a focus on usability for end users.

In an overview of their move to HTTPS in Chrome, Parisa detailed how the team kept the migration alive with quick wins for developers on smaller projects, while recognizing their success kept morale and motivation high during six years. The team did everything from internal TLS poetry slams to public UI change proposals to collaborating on UX research papers on security indicators and modern browser accessibility.

The results showed an increase of pages loaded over HTTPS on Chrome OS traffic, from 45 percent in 2014 to 87 percent, mid-2018 (and 29 percent on Android, to 77 percent for those respective years).

Simplify Code for Better Security

One example of a key, proactive defense project was site isolation that refactored Chrome's code and changed its architecture.

This architectural change and years of investment in site isolation helped quickly protect against CPU-related bugs - like Spectre. But site isolation ended up taking six years, instead of the estimated one. Clear communication and demonstrating positive security impact/benefits was key to keeping the project alive and getting executive buy-in.

Some of the most impactful security projects simplify existing code or systems, rather than adding more complexity - this inevitably leads to better security.

Politics of Defense

Black Hat Founder and member of the Global Commission on the Stability of Cyberspace Jeff Moss echoed the need for a more strategic approach.

Our adversaries have strategies and we have tactics - that's not very good.

If your strategy is to buy good products - you're totally dependent on vendors. Buying good products is a tactic, and offense is likewise very tactic-oriented.

Most of the technology we're currently developing favors offense, including machine learning and reinforcing algorithms. The momentum is on offense, but we're stuck on internal politics when it comes to defense.

But defense can be largely political within an organization, as the questions to be answered include - how much money do you spend? What is your cross-departmental risk strategy? What corporate gems are you trying to protect?

Despite the politics, there has been great progress over the last decade within the information security industry. As Parisa put it - infosec is a rather cynical crowd. But she’s optimistic that we can be cynical for positive change.

Most web traffic to online retail websites comes from automated programs attempting to breach user accounts - between 80 to 90 percent, according to Shape Security’s 2018 Credential Spill Report.

Axio's Codebook newsletter outlines the process:

• Lists of passwords from data breaches are sold on the underground market
• A group of criminals creates a botnet (a networked group of hacked computers)
• Yet another group configures the botnet to test passwords out on retail user's accounts (like your Amazon login)

This is known as 'credential stuffing,' a subset of the brute-force attack category. By testing out already-breached username and passwords combos in an automated way, a criminal can quickly gain access to accounts that:

• Are either re-using breached passwords, unknowingly, or never updated their old password
• Are only protected by a single factor (a password), which makes it trivial for an attacker to breach remotely using this technique

It’s Raining Hacked Credentials

Where do these vast lists of credentials come from? According to Shape Security's report, most of them originate from VBulletin, a popular software used to create online forums.

A patch was released in 2015 for SQL vulnerabilities, but many forum owners didn't update, leaving their credentials open to attackers to leverage. VBulletin was also hacked in 2015, warning users that an attacker may have accessed customer IDs and encrypted passwords on their systems.

Another major source is misconfigured databases or servers that leave access to lists of credentials and more exposed to the Internet. Finally, malware and phishing campaigns directly targeting users is another source of stolen credentials.

Retail has the highest proportion of traffic that is fraudulent, ranking ahead of other industries such as airline, consumer banking and hotel.

One reason why password attacks against online retailers is lucrative, according to the report, is because retail websites often prioritize ease of the user experience over promoting security measures that could introduce friction, like two-factor authentication or email confirmations. These extra steps can introduce the potential for customers to abandon their cart, which means lost profits to online retailers.

Half of All Retail Credential-Stuffing Attempts Actually Work

The percentage of fraud success, that is, the proportion of fraudulent purchases that aren't detected by internal fraud resources, was reported to be 50 percent.

This correlates with the average credential stuffing success rate - or how many attacks resulted in a successful login (credentials were found to be valid on a targeted site).

That means half of the attempts worked! Using just a password to protect your online retail accounts isn’t enough. See How to Add Two-Factor Authentication to Your Amazon Account With Duo Mobile to learn how to set up a second channel of authentication to protect against credential stuffing attacks.

At Duo, we are looking for enthusiastic engineers who are good team players and who will increase our diversity of identity and thought. We can teach people the skills found on technical resumes, but it’s much harder to teach someone to be a good team member who is excited to solve hard problems.

Career Fairs, While Necessary, Don’t Cut It

In order to recruit successfully at universities, we have found that we need to look beyond career fairs.

We need to be in events and spaces with increased time to interact with students, which allows us to have higher quality conversations. We need to be in spaces with talent pools of higher identity and thought diversity, and with fewer competing companies looking to hire the same students. Finally, we want to be in spaces that are human-focused, not GPA-focused.

Go Beyond Career Fairs and Seek Out Your Ideal Candidates

One place we’ve found that fits all of these criteria is the University of Michigan’s Introduction to Computer Science (EECS 183) course. This course is the third largest at the university, and prides itself on being at nearly gender parity, according to William Arthur, EECS 183 Lecturer at the University of Michigan. The course staff has worked hard to attract students from a wide variety of backgrounds and majors.

At the end of every semester, the course holds a final showcase where groups of students present projects they’ve been working on as teammates - everything from full-sized, arduino-powered Dance Dance Revolution (DDR) to AI-powered messaging apps that help users communicate in their non-native language.

Duo has been sponsoring the University of Michigan’s EECS 183 showcase for the last four semesters because it succeeds as a great place to build connections with diverse, passionate engineers.

We are one of a handful of companies sponsoring the showcase in order to drastically increase our face time and have meaningful conversations with students. In these conversations, we talk with students about the work they have accomplished and the ways they’ve worked together as teams. It’s easy to see which people are passionate about their projects and work well together, making them good potential Duo hires. Since we start these conversations in such a diverse venue, we are in a great position to recruit in alignment with our values. We also have a lot of fun because we are as passionate about software engineering as the students!

These kinds of events are well worth our time. At the EECS 183 showcase, we meet with primarily first and second year students. Meeting with these students early on means they’re familiar with our brand and mission long before they attend career fairs. By the time they’re looking for internships or full time positions, they are already excited to work together with us. After each showcase, we’ve started conversations with students and set up opportunities to visit our offices, attend Duo-hosted events, and to start engaging with our internship program.

You Need to Go Where the Talent Is

Go get involved with some of the great organizations across the country like The Society of Women in Engineering (SWE) and the Association of Computing Machinery (ACM). At Duo, we engage with local groups like Girl Develop It, GEECS and Digital Divas. These are all groups where passionate people are putting in overtime to learn about things that interest them. Look for chapters of these organizations near you. Give a talk at their events and become an active sponsor!

You Need to Bring the Talent to Your Office

Duo has been hosting public technical meetups for over 5 years.

We’ve learned that people go to meetups because they’re interested in the culture of technologies; they’re passionate learners; and they’re often working on interesting projects themselves. Moreover, they want to connect with other like-minded people. These are the kinds of people we want to work with.

Successful recruiting is rooted in successful relationships, so go attend, host or sponsor a technical meetup near you.

Our Work Here Isn’t Done

We’re still working toward even better representation of diversity at Duo. We recognize that there is a huge wealth of talent and diversity outside of university recruiting - there are people belonging to the next generation of developers who do not attend universities. If we hope to create a truly inclusive recruitment practice, it’s our responsibility to reach people in all different situations. We're challenged like the rest of the tech community on how to fix inequality in tech teams, but we’re motivated to face this challenge as we hire the next generation of developers.

The issue of cyber insurance came to mind after a recent article was published about a claim brought against a security vendor by an insurance company concerning a breach in 2008. There are various aspects to the claim including liability for not detecting malware; where this case will go is another matter. Claims on cyber insurance are not always straightforward. However, the issue of cyber insurance has become part of the lexicon of cyber resilience.

When assessing risk and deciding on the appropriate response, there are three options: accept, mitigate or insure. In recent years, cyber insurance has risen as a topic. Fourteen years ago, I recall trying to work with a major insurance broker on the concept of cyber insurance. It did not have much market pull. Now insurance brokers have adverts leaping out from web pages, festooning public places and appealing to us from the radio. So there must be money in it.

What are the areas of risk that may be covered? A straightforward policy may cover losses associated with a data breach, including:

• The costs of incident response, forensics and other investigations
• Repairing and restoring assets such as websites, networks and data
• Legal costs
• Business disruption and non-availability
• The PR costs of minimising brand damage and informing customers

In 2016, the Cambridge Centre for Risk Studies produced a Cyber Exposure Data Schema with 19 categorisations of cyber loss coverage. These covered loss areas from data breach to physical damage and injury to people; exemplifying a broad spectrum of risks that may result in liability.

But how does the CISO prepare an analysis of the potential costs so that a risk-based decision can be made? There will now be many models which will set out to quantify any loss so that a cost vs. risk comparison may be made. But no forecast can ever be 100 percent accurate. Insurance has its place, but there will always be a risk in insuring against risk. It is more of a Russian doll solution than an exact science.

A 2016 survey of insurers by PWC, albeit on a small sample set in London, found that 85 percent of respondents claim to have a loss estimation methodology; yet they were also simplistic and in the past, underestimated the risk.

With the insurable risk being difficult to estimate for both insurers and security professionals, it will always make sense to close the stable door to prevent the expenses from bolting. A zero-trust approach is one way of understanding and securing access to the corporate applications’ doors.

The first benefit is to prevent a breach by reducing the risk posed by compromised credentials. Only allow controlled access to an application after having authenticated the user and assured their device. - a multi-lock approach.

But how else can this approach reduce the risk or impact of a compromise? During a breach, there is seldom a clear and exact solution or identification of the cause of the breach. It can take time. So rolling out multi-factor authentication (MFA) rapidly can bring control to a corporation and protect against further misuse of compromised identities by the attackers.

This can be especially helpful when there is a mixed environment with cloud providers, corporate users and outsourced employees all accessing the same applications and data. As the digital investigation continues, the authentication logs can be fed into the analysis process to provide greater intelligence and insight.

In the event of a disruption that requires business continuity plans to be dusted off and applied, then a zero-trust approach enables high-risk users to change their working practices and deploy to new locations. So if there is heavy snowfall preventing people getting into work - in the UK this means more than an inch of snow - then remote yet trusted access to key applications can continue. This is not mitigating the cost of a cyber breach, but the cost of business disruption -an added benefit of the zero-trust approach.

An organization’s risk profile can be improved by the more rigorous analysis of the importance of different applications. Having to manage and control access enables applications to be risk-rated from a business perspective. When users are set up in a zero-trust environment, the process will highlight where the business may be most vulnerable from a compromise or disruption.

For insurers, this results in what is referred to as silent cyber risk. That is risk is not a direct consequence of a cyber attack. For example, a successful attack on a certain application may also give rise to claims under a professional indemnity policy. Clearer control of access by users may shed light on this area of concern.

Zero trust provides a great opportunity to implement a simple method of reducing the risk of a breach through compromised accounts. It enables better control over who can use an application in today's complicated technology environment. But a CISO should not lose sight of how it provides much more benefit to the risk-based accept, mitigate and insure approach to cyber resilience.

This brings us back to the issue of cyber breach insurance. When it comes to assessing the cost of cyber insurance, the better the state of security, the easier it is for a premium to be calculated. Having a zero-trust approach improves cyber resilience as a whole and may help pay for itself by reducing those premiums.

Social networks allow people to connect with one another, share ideas, and have healthy conversations. Recently, automated Twitter accounts, or “bots,” have been making headlines for their effectiveness at spreading spam and malware, as well as influencing this online discussion.

At our talk, Don't @ Me: Hunting Twitter Bots at Scale at Black Hat USA 2018, we are excited to release the results of a three-month long research project identifying Twitter bots at a large scale.

To accompany the conference talk, we are releasing a technical paper that details:

• How we gathered the dataset
• Our scientific approach to data analyzation
• How we built a classifier to identify bots
• How we identified botnets, including a spam-spreading botnet case study

It's important to note that in this paper, we specifically looked for automated accounts, not necessarily malicious automated accounts. Distinguishing benign automation from malicious automation is a topic for future work.

In order to allow everyone to make use of our work as easily as possible, we’re open-sourcing our data collection code, which you can find here: https://github.com/duo-labs/twitterbots. The full code will be released after our talk on Wednesday, August 8.

Key Findings

Botnet Account Relationships, Following/Followers & Likes

In the technical paper released today, Don’t @ Me: Hunting Twitter Bots at Scale, we detail the following key findings:

• Using knowledge of how Twitter generates user IDs, we gathered a dataset of 88 million public Twitter profiles consisting of standard account information represented in the Twitter API, such as screen name, tweet count, followers/following counts, avatar and description.
• As API limits allow, this dataset was enriched with both the tweets posted by accounts, as well as with targeted social network information (follower/following) information.
• Practical data science techniques can be applied to create a classifier that is effective at finding automated Twitter accounts, also known as “bots.”
• A case study detailing a large botnet of at least 15,000 bots spreading a cryptocurrency scam. By monitoring the botnet over time, we discover ways the bots evolve to evade detection.
• Our cryptobot scam case study demonstrates that, after finding initial bots using the tools and techniques described in this paper, a thread can be followed that can result in the discovery and unraveling of an entire botnet. For this botnet, we use targeted social network analysis to reveal a unique three-tiered hierarchical structure.

This paper provides an in-depth description of the entire process for finding Twitter bots, from gathering the data to performing the analysis. To help enable the community of researchers to build on our work, we provide a narrative to our research, explaining why we chose various approaches. We then include a section at the end of the paper that highlights different techniques we tried that didn’t yield the expected results for the purposes of providing transparent research.

Research Focus / Motivations

Many of us on Duo Labs use Twitter as a way to connect to the infosec industry. We were familiar with automated Twitter accounts, and had read previous academic papers covering both techniques on building a dataset of Twitter accounts as well as using various techniques to identify automated accounts from a previously shared dataset.

However, we hadn’t come across a work that attempted to tell the entire story by providing detailed techniques on how to both build datasets; identifying initial bots within that dataset; and using those bots to uncover an organized botnet. We wanted to show that practical, straightforward approaches can still be used to effectively identify automated accounts with a high degree of accuracy.

In addition to this, we believe that there is an incredibly talented community of security researchers interested in the topic of how bots operate on social networks. We wanted to open-source the code used during this research to make it easy to get involved with bot identification, enabling this community to build on and improve our work.

Conclusion

During the course of this research, Twitter announced that they are taking more proactive action against both automated spam and malicious content by identifying and challenging “more than 9.9 million potentially spammy or automated accounts per week.” In a follow-up blog post, Twitter also described their plans to remove accounts that had been previously locked due to suspicious activity from follower counts.

We’re excited to see these efforts by Twitter and are hopeful that these increased investments will be effective in combating spam and malicious content, however, we don’t consider the problem solved. The case study presented in this paper demonstrates that organized botnets are still active and can be discovered with relatively straightforward analysis.

By open-sourcing the tools and techniques developed during this research, we hope to enable researchers to continue building on our work, creating new techniques to identify and flag malicious bots, and helping to keep Twitter and other social networks a place for healthy online discussion and community.

[In response to today’s amazing news, our CEO Dug Song wrote this letter to the Duo team. — Editor]

Dear Duo,

Today we have some exciting news to announce. This morning, we entered into an agreement to be acquired by Cisco. You can see our press release about this news here, but I want to give you more context.

When we started Duo, the security industry was badly broken. Users were blamed and victims were shamed for what were really design failures in IT – or worse, vendors spent more time admiring attackers versus defeating them. The complexity of security products often introduced more problems than they solved, and for every dollar of product, twice as many dollars were spent on services to support them.

A new philosophy and approach to security was needed; one that demonstrated respect for people, both in the design of the products and in how business is done. And so we formed Duo.

We wanted to make security easy & effective, and we’ve done that by building the right kind of company to do so. We design and deliver security that gets out of your way and just works, versus an industry full of impractical ideas and frustrating experiences. Our industry-leading measure of customer satisfaction (70+ Net Promoter Score – NPS) is a testament to our relentless focus on customers, and solving for their needs.

We challenged ourselves to be the kind of trustworthy partner that we would want to work with. We’ve done that by being transparent and ethical, reliable and dependable, and demonstrating expertise across the organization, our customers and partners have come to value us as much for our character as our competence.

And so 8 years, 12,000 customers, and over 700 extremely talented and dedicated team members later, we’ve made our mark on the industry, helping to make security easy and effective for all, and earning the love of our customers, partners, and community. I could not be more proud of what we’ve accomplished together, but we’ve only scratched the surface of our potential. So today I am also extremely proud to announce our next chapter; Duo will be joining forces with Cisco, the world’s largest networking company.

Before we get into why this makes so much sense for our team, our product, and our brand, I would encourage everyone to take a moment to process this news. You’re likely feeling mixed emotions, some excitement, some worry, some sadness, some joy. I have felt all of those emotions too, as we’ve built something amazing together over almost a decade. But I can also say, without a doubt, that this is the right thing to do for Duo, our team, our customers, partners, and stakeholders, and our industry.

Duo + Cisco: The Evolution of Security + Access

This agreement begins an exciting new chapter for Duo. With this deal, we will realize significant value for our shareholders, while gaining the opportunity to leverage Cisco’s global scale & resources to democratize security faster without compromising our vision.

Cisco is not only the world’s largest networking company, but also the world’s leading enterprise security business. They agree with us on the past state of security, and we’re going to fix it together. They’ve had a long and successful history of acquiring companies to support and accelerate their strategic initiatives.

And some of their recent strategic acquisitions — like OpenDNS, Sourcefire, Cloudlock, and now Duo — show just how seriously they take the next phase of their security business. They are a company evolving themselves under new leadership, new momentum, and a new focus on innovation in the cloud era. Cisco views our leadership in zero-trust security as transformational to their business, bringing cloud-based user and device trustworthiness to an already impressive security product portfolio.

Cisco has a successful track record of supporting and empowering the management teams of the companies that join them. Cisco is confident that as a new business unit in the Security Business Group, Duo has the opportunity to accelerate growth and achieve even greater success. In addition, I strongly believe that Cisco’s “People Deal” is well-aligned with our values - as they say, to Connect Everything, Innovate Everywhere, and Benefit Everyone.

As a new business unit within Cisco, Duo will benefit from being part of a larger organization with established go-to-market reach, scale, and partnerships. We will also have support and resources as part of Cisco to accelerate our strategy. I view this as an exciting opportunity to continue to innovate and invest in the future, and will continue to lead as Duo’s new General Manager, rather than its CEO (which is great - General Dug has a nice ring to it).

I know this news is unexpected, and I’m sure you’re all wondering what this means for each of you. Our strategy, purpose, and values remain unchanged. Cisco is committed to our leadership and core values that have made Duo a trusted advisor, industry leader, and a great place to work.

This is an important next chapter for Duo and there is much more we can accomplish together to position Cisco for enduring success. I am incredibly proud of the company we have built and look forward to our future with our friends at Cisco!

What’s Next?

Until the deal closes, we will continue to operate as separate companies. Let us all remain focused on executing our 2018 strategic plan and delivering our customers the unmatched products and experience they have come to expect from us.

Keep doing what you do best – providing the most loved security experience, product and service in the industry for our customers. And thank you for all of your hard work and dedication up to now, and in the journey ahead.

Best,

-d.

Last week, the FBI released its indictment of the 11 Russian military intelligence operatives who hacked the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) in 2016. No matter what political stripes you wear, this was quite an operation and the indictment details the actions, methods and timeline of how it all played out.

There is something here for all of us to learn and take away. It’s quite a fascinating (and quick) read and I encourage everyone to take the 10 minutes. If you’re like me, your significant other will think you ate some bad sushi with all the head shaking and muttering. Here’s a link to the indictment.

The good news was that, for all its play in the news, this was a meat-and-potatoes, by-the-book cyber attack. It doesn’t mean we should relax -- quite the opposite -- but we’ve seen this movie before and there are some basic “blocking and tackling” things we can do to mitigate these things.

подводная охота

Yeah, it’s 2018 and phishing is still a thing. This time it was well-targeted spear phishing. For those who don’t know the difference, phishing is casting a wide net (who can I get to click this link?) and hoping (and usually getting) a small return. Which is really all they’re after.

Spear phishing is more targeted. You know who you’re going after and you expect they have something you want. Both methods of phishing have really become so easy to do that it’s become part of our lexicon. It was a little odd to hear it batted about on the evening news over the past few weeks though. It’s definitely become part of our lexicon, for better or worse... mostly worse.

First off (and yes this is a slightly shameless Duo plug), for goodness sake, protect your stuff with 2FA (two-factor authentication)! If we take one thing away from this event, it’s this. This is especially true if you’re gonna use a password like ahem... Password12345. Now, the first rule of good password hygiene is don’t do that, but if you’re gonna do that (and even if you don’t) you better use two-factor authentication.

This is your first line of defense.

And don’t take my word for it - read Google’s “hot off the presses” proclamation that since deploying 2FA AND zero trust (more on that later), they have been “phish free.”Now, I’m a cynical old fart with the grey hair to prove it and I don’t believe for a minute that Google has had ZERO phishing events, but I do believe they are safer now than they were two years ago, and we should all strive to be like that.

This was initially a spear-phishing campaign. This is how the operatives got access to the network, databases and the Exchange server and allowed them to move around the network with ease. This is the part that’s hard. Once your first line of defense breaks down, and if your network is wide open once the attacker is in, it’s game over.

You need to shrink the attack surface.

Limit what the attacker can do even when he or she does get past that first test. There are techniques and best practices that can help here too, and you should be looking at anything and everything you can do to make it as hard (and less fruitful) as you possibly can.

Concepts like a zero-trust architecture are a good place to start, and while it ain’t going to be easy (nothing is ever easy), AND it’s never a “one size fits all” proposition, you have to do something. You have to start somewhere -here are some helpful resources to get you started:

Moving Beyond the Perimeter: Part 1
This white paper explains the theory behind Google’s BeyondCorp security model (a new approach to enterprise security that mitigates the risks resulting from placing too much trust in the internal network), the different components required and the overall security architecture.

Moving Beyond the Perimeter: Part 2
Part two of this series explains how to easily build a new enterprise security model within your organization, including an outline of the maturity process.

BeyondCorp at Google
Google's research papers, principles, mission, guidelines and additional resources on BeyondCorp.

Next-Generation Access and Zero Trust A Forrester analyst’s take on the components of a zero-trust strategic initiative, including command and control over network access and other key technologies.

Zero Trust Networks from O'Reilly Media
Written by Evan Gilman and Doug Barth, this O'Reilly Media book explains how to build secure systems in untrusted networks.

Here we go again.

It’s also worth noting that we’ve just had another event hit the wire regarding a spear phishing operation targeting U.S. critical power infrastructure. We’ve also seen evidence that the GRU (the Russian acronym for the Main Intelligence Directorate of the Russian Armed Forces) are up to their old tricks and deploying the same techniques against targets for the 2018 election cycle.

So far it looks like they’ve been unsuccessful due to a heightened awareness and probably a little luck. We’ll need to stay vigilant and see how this all plays out. Stay safe out there, my friends.

< Sean shakes head frantically > but luckily he’s on a plane so his wife can’t see.

For any company born in the cloud era, bring your own device (BYOD) is a part of doing business. Employees want access to corporate applications and data at any time, from anywhere and from whatever device they choose.

This creates a unique challenge for security teams, who have to secure access to corporate applications from employee-owned devices without invading employees’ privacy or creating a cumbersome and frustrating workstream.

Historically, security practitioners turned to mobile device management (MDM) solutions to secure employee-owned devices. But users are skeptical about allowing an MDM on a personal device - they’re concerned that admins can glean personal information and control how they use their devices. Yet, without an MDM on user-owned devices, admins fear they lack visibility.

These issues can stall out BYOD security programs and increase risk of exposure.

So how do you minimize the risk associated with BYOD without an MDM solution?

In our new ebook, 10 Things to Consider Before Buying an MDM Solution, you’ll learn:

• How the rise of BYOD creates new challenges for security teams
• Where traditional MDM solutions fall short and how to secure BYOD without an MDM
• How modern solutions including Unified Endpoint Visibility give insight into which devices (employee- and corporate-owned) are accessing your applications
• 10 key things you should consider before buying an MDM solution

Your users want access to corporate applications and data from their personal devices from wherever they choose. But traditional MDMs create challenges. Before you invest in an MDM solution, download our guide, 10 Things to Consider Before Buying an MDM Solution, to determine how best to secure BYOD in your organization.

The following is an excerpt from Duo’s latest guide - Phishing: A Modern Guide to an Age-Old Problem. Download the complete guide here.

Phishing the New Enterprise

Organizations comprise people, and those people’s behaviors are driving change at the consumer level and at the enterprise level.

They use smartphones, tablets, smartwatches and more to meld work and personal computing. They’re increasingly remote, distributed and working odd hours, from different locations – communication, data and apps are expected to be available, on demand.

As a result, staying competitive in today’s market demands business agility and adaptation — and development and support for the technology that enables it — cloud computing, web applications, mobile and connected devices.

Yet, it’s so easy to exploit this new enterprise model for malicious gain. Phishing is a low-effort, successful method for attackers seeking unauthorized access to your organization’s data.

With a password, it’s trivial for an attacker to gain remote access to your company’s network where they can move laterally within – undetected and undeterred. This type of attack bypasses traditional security measures (like firewalls) that focus on protecting the perimeter of your network, but fail to protect the inside.

This guide gives you a look into:

• How phishing works, how it has evolved, and the new tactics used to appear legitimate to users
• Statistics into who and what industries phishers are targeting, what people click on the most, and what is being stolen
• What to look out for, tips for both admins and users on how to protect against phishing, and how a zero-trust security model can help protect your organization

Protecting your network both externally and internally requires more controls than a traditional perimeter security model and must rely on trust in user identity and device health. This will help secure the new "identity-based perimeter."

One of the many ways we practice Duo’s value of Learn Together is through co-creation workshops. These are workshops run by our product designers and design researchers, and are aimed to bring together voices from across Duo to come up with the best products for our customers. Through the workshops, we encourage employees to avoid the silo mentality and leverage the sum of our parts.

What Are Co-Creation Workshops?

Co-creation is defined as “any act of collective creativity - creativity that is shared by two or more people” by CoDesign Journal. At Duo, our hour to several day-long co-creation workshops bring together stakeholders from different teams at Duo, including Product, Engineering, Sales, Customer Success and more. The purpose is to create a common space to exchange different points of view, unleash the creativity of participants, and foster collaboration.

"The design workshops I attended at Duo were awesome, because they had us collaborating with other team members. We also got to design against real issues and problems that our customers face." - Xander Desai, Software Engineer

Why Run Co-Creation Workshops?

What happens when you bring together a room full of people with different roles and perspectives? At Duo, we have found it to be the perfect recipe for creating innovative, empathetic and holistic ideas!

Firstly, by being in the same discussion, it becomes easy to create alignment in shared product visions and timelines. We spend less time going back and forth in separate discussions, or passing along information which might get lost or miscommunicated. Plus, since the stakeholders are responsible for different parts of Duo’s success in their everyday work, they each bring unique experiences and perspectives to the table. This diversity is critical in helping each other see new opportunities or new ways to solve existing challenges. It also ensures our solutions are holistic and consider the entire product life cycle.

Finally, the workshops create additional opportunities for employees in different roles to interact with and learn from each other. For example, an engineer and a sales executive who might not usually interact with each other as part of their everyday work now get the chance to collaborate and work toward a common goal at a workshop. As Duo grows, maintaining cross-team interaction becomes even more critical in helping employees understand what each other does in order to leverage each other’s strengths.

“The workshop allowed me to set aside time to learn about something that is not normally part of my every day. It gave me the opportunity to hear more about Duo's products and meet with a team I usually don't get to partner with.” - Anndrea Boris, Total Rewards Specialist

Types of Workshops

Duo’s Product Design team facilitates two types of co-creation workshops - feature team workshops and lunch-and-learn workshops.

Feature Team Workshops

Feature team workshops usually involve teams consisting of 10 to 15 Duo employees from cross-functional groups such as Product, Engineering and Product Design, and are deliberately arranged to develop the same product feature. Teams dedicate up to two days to participate fully in such workshops, without the distraction of their everyday work.

We usually start by learning from each other - for example, product managers may outline the market opportunity; design researchers share insights from customer interviews; and engineers walk the team through technical considerations. Sometimes, we even invite customers to share their perspectives firsthand, hence enabling us to build stronger user empathy.

Having established a common understanding of the problem space, we facilitate a range of hands-on activities such as creating a product vision, defining success metrics, brainstorming new ideas and prioritizing the best ideas to prototype. Check out Google Sprint and IDEO’s Design Kit where we get our workshop activities inspiration from. At the end of the workshops, teams leave with a shared understanding of the problem space, a common vision and fresh ideas to start prototyping with.

Feature team workshops not only keep teams on the same page, but also ensure our solutions consider important business, user and technical perspectives. Not to mention all the team bonding we get from spending time with each other!

“Our workshop was a fantastic way to quickly get the team to a shared understanding of our goals, and align on a vision going forward. It also provided a great opportunity for team members to bond and learn more about each other.” Scott Duren, Senior QA Engineer

"The workshop helps the team form a shared understanding of the most important end user problem to go tackle. The structure of the workshop, which is a healthy balance of group collaboration and individual brainstorming, is an effective method that helps you solve it." Ryan Leatherbury, Senior Product Manager

Lunch and Learn Workshops

Duo’s Product Design team also regularly hosts one-hour workshops over lunch which we refer to as Lunch and Learn workshops. Contrary to the feature team workshops, which are kept within feature teams, employees across Duo are invited to these sessions.

For example, when Duo was looking to update an existing product, we conducted two company-wide Lunch and Learn workshops with participation from over 200 Duo employees. We started by sharing insights from our customer interviews. Then, participants were asked to get into teams of four to five to generate new ideas for the product.

Our participants ended up generating a few hundred ideas! Those ideas helped us rethink the product with fresh perspectives. The Lunch and Learn workshops also allow employees who may not have direct contact with our customers to build empathy by understanding how they may experience our products.

In Summary...

We have found co-creation workshops to be an effective way to ensure alignment; collaborate and build stronger team culture; and create the most innovative, empathetic and relevant solutions for our customers. Give it a try!

With August around the corner, infosec professionals around the country are preparing for a week of back-to-back security conferences and events in Las Vegas. Want to see a live debate from some of the top voices in security, get your groove on, or just stop by to say hi to your most-loved security partner? Read on for all the details!

B-Sides

B-sides is a volunteer-organized information security conference, put on by and for the community. B-Sides Las Vegas is the first and largest of these events. This year’s conference begins August 7 at Tuscany Suites.

While you’re there, check out Duo’s own Kat Sweet and her talk Using Lockpicking to Teach Authentication Concepts. Kat will explore using lockpicking as an educational tool for introducing authentication and security concepts. As security professionals deal with teaching many abstract concepts, seeing physical representations of these concepts helps unfamiliar users understand them better. Learn more by checking out her talk in the new Ground1234! talk track.

Black Hat

For more than 20 years, the Black Hat conference has provided an international stage to share the latest information security research, development, and trends for practitioners and vendors. Duo Security will be at booth #471 in the exhibit hall, so stop by to say hello!

On Wednesday morning, join Jamie Tomasello for her talk Holding on for Tonight: Addiction in InfoSec. She will detail the relationship between stress, addiction and relapse, and how it can uniquely affect those in the industry. She will share her story as well as advice on how people and companies can be more inclusive and supportive of those living sober.

Head to Mandalay Bay’s Breakers L Ballroom on Wednesday and enjoy lunch on Duo while you watch an exclusive live event: Everything You Know About Infosec is Wrong. A panel of experts including Wendy Nather, Katie Moussouris, Dave Lewis, Ian Amit, Mike Rothman and others will debate the topics near and dear to their hearts, and what they wish more people got right. Bring your appetite, lunch is included!

On Wednesday afternoon, you can catch Duo Labs’ Olabode Anise and Jordan Wright for their timely talk Don't @ Me: Hunting Twitter Bots at Scale, exploring their research on the economy and effects of automated accounts used to spread spam and malware.

After breakfast on Thursday, join Kelby Ludwig for Identity Theft: Attacks on SSO Systems, a presentation on a newly-discovered SAML vulnerability which has affected multiple independent implementations and poses a risk to the underpinning of many single sign-on (SSO) systems.

All talked out and ready to relax? Duo will be hosting a party on Wednesday night at Fleur in Mandalay Bay you won’t want to miss; so come unwind, enjoy some excellent food and music, and connect with other great infosec minds! RSVP to attend here.

DEF CON

DEF CON is one of the largest hacker conferences in the world, drawing tens of thousands of attendees from around the globe. DEF CON 26 starts August 9, and will be hosted at Caesar’s Palace.

Friday morning, Kat Sweet will be giving her second talk of the week at DEF CON’s Packet Hacking Village. Titled Rethinking Role-Based Security Education, this talk will explore strategies and tactics for developing security education based on employees' roles, access and attack surface, and is a must-see for anyone responsible for developing or maintaining a security communications program in their organization.

Do you like Duo so much you want to see us year-round? Good news! Our recruiters will be part of Queercon’s Diversity and Recruitment Expo, where you can learn all about what it’s like to work for Duo and how we foster an inclusive environment where team members can feel safe being their authentic self.

So whether you are headed to B-Sides, Black Hat, DEF CON, or all three, you’ll have lots of opportunities to learn, network in the community, and catch up with Duo this year in Vegas. We hope to see you there!

Summary

• By integrating with CyberArk's Privileged Access Security solution, Duo provides strong user authentication and device posturing
• This enables organizational agility through a variety of integration methods and a consistent user experience
• It also supports zero-trust principles by establishing user and device trust for enterprises in hybrid environments
• Duo’s CyberArk integration is available with Duo MFA, Duo Access, and Duo Beyond

Forrester estimates that 80 percent of security breaches involve privileged credentials. With the continued adoption of bring your own device (BYOD) and remote workers, organizations are challenged with ensuring their privileged accounts are secure.

Privileged account breaches can lead to the exposure of customers’ personally identifiable information (PII), financial data or intellectual property. Companies are challenged with the inevitability of employees requiring access to sensitive systems outside of their managed devices. This requires them to move security to users, devices and applications. How do they ensure these devices are up to date with the most recent security patches before logging into privileged accounts?

Duo + CyberArk

We are excited to announce an integration with CyberArk to help our joint customers protect their privileged accounts. With Duo and CyberArk, administrators get best-of-breed protection for both access control and privileged access security.

Administrators can create access policies that require strong user authentication and device authorization. This allows enterprises to move toward a zero-trust security model requiring authentication and authorization regardless of where the application is located.

How it Works

Duo’s integration with CyberArk Privileged Account Security offers complete single sign-on (SSO) support; fast and simple user-enrollment; visibility into the security posture of devices accessing CyberArk; and a consistent authentication experience no matter where users are located.

There are multiple ways to use Duo to protect CyberArk’s systems. For example, customers can use Duo Beyond to provide users with a secure SSO experience when they log in to CyberArk’s Enterprise Password Vault. This enables administrators to verify the identity of the user, and check the security posture and management status of their device. As with all of our integrations, end users experience a consistent and intuitive user interface when authenticating through Duo.

To enable this integration, first locate the SAML-CyberArk Privileged Account Security application in the Duo Admin Panel:

1. Enter the domain name used when logging into your company's CyberArk Web Access Server as the Domain. For example, if your CyberArk Web Access login URL is https://vault.yourcompany.com, then enter vault.yourcompany.com.
2. CyberArk Privileged Account Security SSO uses the Username attribute when authenticating.
3. Click Save Configuration to generate a downloadable configuration file.

For more detailed information about our SAML integration, visit our documentation page.

Learn More

• Duo and CyberArk Partner Page
• Duo and CyberArk Solution Brief
• Press Release

On November 1, 2018, organizations will be required to report breaches to the Office of the Privacy Commissioner (OPC) of Canada. This includes the breach of security safeguards if the breach poses a "real risk of significant harm" to individuals affected by the security incident.

If that is the case, the organization must notify all affected individuals, report it to the Commissioner as soon as feasible, and notify other organizations that can help mitigate any harm to affected individuals, as reported by the Canada Gazette.

PIPEDA, GDPR & The Digital Privacy Act

Canada’s current federal privacy law for how businesses must handle personal information is known as the Personal Information Protection and Electronic Documents Act (PIPEDA). The act applies to the collection, use or disclosure of personal information during a commercial activity, and affects all transactional organizations, as well as federally regulated ones, like banks, telecommunications and transportation companies.

This breach notification requirement was introduced as part of the Digital Privacy Act, which brought amendments to the PIPEDA, including the breach reporting provisions under Division 1.1 of PIPEDA. The reporting requirement was published in April 2018, giving organizations within scope about six months of time to prepare to come under compliance.

The new PIPEDA regulations coincide with the European Union's General Data Protection Regulation (GDPR) enforcement that also includes mandatory data breach reporting. EU companies must provide similar information to authorities and individuals, and keep a record of all data breaches, as the Government of Canada stated in their Breach of Security Safeguards Regulations.

Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches could face fines of up to $100,000. - The Digital Privacy Act and PIPEDA, Office of the Privacy Commissioner of Canada

The Cost of Breaches in Canada

According to the Ponemon Institute's 2017 Cost of a Data Breach report, data breaches are the most expensive in the United States and Canada, at an average per capita cost of $225 and $190, respectively.

The average detection and escalation costs for Canada was $1.46 million, the highest among all other countries. These costs include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.

Canada also ranks fifth for the most expensive notification costs (.12 million USD), while the U.S. (.69 million USD) ranks as first. Notification costs include creating contact databases, working through regulatory requirements, hiring outside experts, outbound communication to affected individuals, and more.

It’s important to prepare your company for the new breach reporting requirements, and to understand your IT environment in order to protect against a costly data breach. The Government of Canada offers some flexibility and guidance around the costs of breach notification:

It is anticipated that the flexible approach taken in the proposed Regulations will serve to mitigate the costs of complying with the statutory requirements for notifying individuals. The proposed Regulations allow for organizations to notify individuals indirectly where directly contacting each affected individual may prove unreasonably costly. In these cases, the proposed Regulations allow notification to take place via communication channels that are much more cost effective and efficient, greatly reducing the burden of notification. This may be particularly important for small to medium-sized organizations that may experience a data breach involving a very large number of customers.

Preparing for Breach Reporting

Here’s what organizations must include in their breach reports to the Commissioner:

• A description/cause of the breach (if known)
• Date or period during which the breach occurred
• What kind of personal information was breached
• How many people were affected
• What the organization has done to reduce the risk of harm of affected people, post-breach
• What the organization intends to do to notify affected people
• One point of contact that will represent the organization and answer questions about the breach

At a minimum, organizations must also maintain a data breach record for 24 months from the date that the breach was confirmed by the organization (not from when it occurred).

To start preparing for a breach report (and to help prevent a breach):

• Conduct a risk assessment to consider the sensitivity of information that could be leaked, and how likely it is that the data will be misused.
• Conduct an audit of your applications and determine where personal information is collected, processed or stored.
• Then ensure you have visibility into security events with logs and reports of user access and activity, as well as actionable insight into the security of their devices.
• Determine which users or user groups have privileged access, and limit the number of administrative users to those that need it to do their jobs (least privilege).
• Keep track of new patches when they become available and update your systems and applications, and/or notify your users to update their personal devices.

Learn about a new security model designed to protect against threats that may lead to a data breach, in our free guide, Moving Beyond the Perimeter: Part 1.

Customers with Azure Active Directory Premium P1 can now integrate with Duo.

The Future of the Microsoft Directory

Microsoft means productivity in the enterprise, and our integrations data proves it out. Microsoft integrations account for three of Duo’s top 10 integrations by number of users.

Most customers use Active Directory (AD) for identity in some fashion, and we’ve seen a growing number of customers adopting Azure AD either in hybrid or cloud-only mode.

Customers still manage identities with AD in hybrid mode and will for the foreseeable future due to significant investments in custom identity and authentication workflows, but we’re seeing a trend of organizations using Azure AD’s built-in federation and single sign-on services to replace on-premises Active Directory Federation Service (AD FS).

Say Goodbye to AD FS

This may be a surprise to many, but Active Directory Federation Service (AD FS) is the most popular federation and single sign-on provider at Duo by a significant margin. Duo authenticates 300,000 users a month utilizing AD FS to get to Microsoft Office, Outlook or other web applications.

The thing with AD FS is that customers want to move off of it. Cloud applications simplify administration in general compared to on-premises applications by default, but our customers tell us that AD FS is a particularly challenging application to manage.

It’s also no secret that Microsoft is actively encouraging this migration. For all the reasons why companies find it difficult to move away from AD FS, we’ve found that keeping their investment in Duo’s authentication service without using a third-party identity as a service (IDaaS) solution is a major one.

Direct multi-factor authentication (MFA) integrations with Azure AD were simply not available, and this became a significant roadblock for Azure AD adoption amongst our customers.

This is why we were delighted to announce our integration with Azure AD last fall. Hundreds of customers were able to begin their transition away from AD FS, as they could now use their authentication vendor of choice alongside Azure AD.

Azure Integration & Adoption

The adoption of the Azure AD integration has far exceeded our internal projections since launch. We have exceeded our goal of 150 customers using the integration by a healthy margin.

Our customers are federating access to Office 365 - the productivity backbone of most enterprises - through Azure AD while using Duo to enforce policy controls. Customers like Sophos are using Duo Beyond to only allow access to Outlook from corporate-managed endpoints.

And Microsoft continues to add new controls to Conditional Access controls, allowing customers greater granularity for when to invoke Duo.

While we’re happy with the adoption of Azure AD, we were disappointed to hear from many customers that could not use our best-in-class integration due to Microsoft licensing costs.

When Microsoft first announced the Conditional Access and Custom Controls integration with Duo in 2017, our integration was limited to the highest tier of Azure AD: Premium P2. At $9 per user per month, this was cost prohibitive for many customers.

It was disappointing to see organizations blocked from implementing best-in-class cloud identity management from Microsoft and cloud security from Duo. Despite the hundreds of customers who deployed Azure AD and Duo together since our joint announcement, we had many more who could not.

That’s why we are thrilled to support the news today that Microsoft is moving third-party MFA integrations in Conditional Access down to Azure AD Premium P1!

Most of our customers who were migrating to Azure AD (in both hybrid or cloud-only mode) found that the P1 subscription best fit their needs from a technical requirements and budget perspective. With the Duo integration now available to many more Azure AD customers, we’re looking forward to securing our customers’ migration to the Microsoft cloud.

Duo + Microsoft Resources

To learn more about the Duo and Microsoft partnership, visit Duo for Microsoft. You can also read the press release and blog post on our Azure AD integration.

If you talk to security professionals in healthcare, they will tell you that physicians and healthcare don’t mix. If you talk with physicians, they’ll tell you that security gets in the way of them doing their job. So let’s discuss what makes the physician’s activities difficult to protect.

Physicians went through more training than most to be able to provide the best medical care to patients possible. With advances in tablets, smartphones, mobile applications and ubiquitous internet access, physicians are providing care in hospitals, in medical offices, over videoconference and even over the phone on a beach while they’re vacationing.

They may use their Mac in their office, their tablet in the hospital and their smartphone when they’re away from both locations. In order to facilitate the delivery of care in the most effective and efficient way, physicians demand access to patient records and require the convenience of being able to access them from anywhere and from whatever device is convenient for them.

So when a physician demands the ability to snap a photo of a wound or patient condition and use their iPhone to send it to a colleague in real time for immediate feedback, how can organizations balance those needs with the regulatory scrutiny that demands patient record confidentiality and a strict accounting of disclosures?

Many organizations have looked at mobile device management (MDM) as an answer, but it doesn’t resonate well with physicians. MDM applications certainly can provide layers of control on a mobile device, but they also give significant control to the organization’s IT department, which many don’t like. I remember an example where a physician informed me a colleague of theirs had their mobile device accidentally erased by another hospital system and because of that, the physician refused to give any control of their device to IT anymore. Is the ability to remotely erase a smartphone or tablet truly a requirement? Keep reading. MDMs can also expose photos and information about how the device is being used to an IT administrator, unless there are policy prohibitions against such access.

Another major roadblock in using an MDM with physicians is the restriction that a phone can only have one installed. Despite the trend that health systems hire more physicians directly, many physicians maintain private practices and have admitting privileges to local hospitals where their patients can be treated. It’s common for physicians to have privileges at more than one hospital, so if each one wants to install an MDM on the physician’s phone, it’s not possible for them to comply.

Some organizations have resorted to issuing physicians corporate-owned smartphones and restricting patient record access to that device only. Although that may meet the security needs of the organization, it certainly is more cumbersome for the physician’s and adds time and complexity to his daily routine.

So how can organizations bring security into physician workflows without hindering them unnecessarily? Here are some options:

Leverage mobile apps that don’t store data. Many healthcare mobile apps are simply gateways to web-based apps which reside in a secure environment. By leveraging these types of applications for patient data access, there is no sensitive patient data stored on the phone.

Force physicians to use virtual technology. There are multiple technologies out there that can present the user with a virtual desktop or environment where the applications are being executed in a secure environment and not on their device. Although these provide good control over data exposure and the spread of malware, they can still be vulnerable to security failures on the device they are using. A keylogger or video capture malware instance on their local device could still be capturing all activity during the session and so the potential for data loss should still be considered.

Verify the security hygiene of devices upon access. Certain platforms, like Duo Security, can check the security properties and hygiene of devices the company may not own or manage, at the time it’s being used to access a protected application. If a device is missing updates or is found to have poor security hygiene, the authentication attempt can be denied with a message to the physician explaining why.

PC verification is done without an agent, and a mobile application is used to verify the security posture for a smartphone. In both cases, the app and the IT department have no authority to view or make changes to any other content or property of the device. This also empowers the physician to remediate the device deficiency themselves to gain secure access.

If a device is lost or stolen, do you need to erase it? If the security checks verified that screen lock is enabled, the device is encrypted and is protected with a fingerprint or strong passcode, the data will not be exposed to an unauthorized individual - whether it’s erased or not. Do you know whether the physician turned off these properties after they accessed the application? A simple physician attestation can confirm they did not change the security properties of the device.

Authenticate registered personal devices upon access. If verifying device hygiene is still not strong enough security for the organization, require an additional verification that the physician is using the device they registered with the security platform. This registration is tied to the hardware code of the device and not simply the phone number. This control avoids the risk of individuals intercepting SMS verification codes or redirecting them to a false device.

I’ve often stated that the healthcare environment is one of the most difficult to secure because of the amount of regulated data, the number of individuals with access to it, and the demands of modern healthcare workflows. But with a renewed focus on physician usability and a modern approach to security, it can be secured while satisfying both organizational requirements for security and privacy, as well as physician demands for access and convenience.

For more information on applying modern security to the healthcare environment, learn about Duo for Healthcare or contact me on Twitter at @DouglasCopley.

When I started my executive Master of Business Administration (MBA) at Southern Methodist University (SMU), I was asked by my one of my MBA professors to describe my life mission in one paragraph.

He said that I need to think about my mission as not a set of career goals and desired professional achievements, but more of things that give my life purpose. I need to look at my life mission as something I hope to achieve during my lifetime; something that provides me with a sense of fulfillment and satisfaction. I need to ponder on what kind of legacy I wanted to leave behind.

1. Will people remember me for the things I did or the ones I did not do?
2. Will I be remembered as a “good human” or “ great professional”?
3. What are things that I want to do everyday, what drives my passion; in other words, what floats my boat ?

A Paragraph! A Paragraph? Ahem…

How could I sum up all the above in 100-200 words? As I sat down to do this exercise, I realized that the point of this is not to pen down the 100- 200 words, but to really get me to spend an hour (who cares if it was the middle of the night!) thinking about my life’s purpose and goals, and the realization that my goals aren't aligning with my life’s purpose - thus, this article was born.

When anyone asked me for my life’s goals, one of the first things that came to my mind is that I want to break the ceiling in my career and be part of the C-suite in the next 2-3 years. I also think about how I want pour into my 13-yr-old daughter the values, work ethics and the goodness of the world so she grows up to be a good and successful human being. I think about spending quality time with my husband and family. I think about how much I want to give back to the community and the needy so I can fulfill my soul’s purpose in this world.

All the above, the things I want to do and the things I think I should do are driven by my goals.

The real question is, Are these aligned to my life’s purpose? A few may be, but I have never thought of them as two different entities.

One’s life’s purpose should not be merely a means to an end, but rather, the end itself, my professor said in his assignment question.

My life’s purpose should be how I make people feel when I walk into a room. I need to define what I would be driven to do if I had a limited amount of time and focus. I will have to think beyond me and the people around me. I should to be able to serve people in need, not just as a way to fulfill my soul, but something that truly benefits humankind. I need to shed the inhibitions and fear that hold me back from things I love doing. I need to think about how I am going to save this world if I am its only chance. Then and only then will my life’s purpose drive my life’s goals.

A friend of mine who recently left this world way before her time sent me this:

“Do not be too timid and squeamish about your actions. All life is an experiment. The more experiments you make the better. What if they are a little coarse and you may get your coat soiled or torn? What if you do fail, and get fairly rolled in the dirt once or twice? Up again, you shall never be so afraid of a tumble.” — Ralph Waldo Emerson”

I think I am ready to write my assignment, and I will not need 100 words for it!

My life’s mission: I want my life’s goal to meet my life’s purpose and for them to hang out in harmony forever!

Although the term “zero trust” is a popular term for the alternative security model that everyone’s talking about these days, it’s not always clear what it means, or whether it describes what policy changes you may want to make in your organization.

This is because it depends on your definition of the word “trust.” There are two possible ways to look at it:

Trust = Granting access to resources without verifying beforehand

This is what John Kindervag means by “trust,” and it’s why he coined the term “zero trust,” because you should never do this.

Or you can define it another way:

Trust = Granting access to resources because you verified beforehand

This is why Duo refers to its offering as “trusted access.” When someone wants to connect to a system or application, you authenticate the user, check out the device, and make an access decision based on however many factors you want to consider for that particular resource.

The important thing about trust is that it’s neither binary nor permanent. You don’t trust someone to do anything at all; you trust them to do a particular set of actions, on a particular system, perhaps on behalf of a particular entity (such as a third party accessing a client record as a member of one brokerage firm). And you don’t trust them forever; you trust them for as long as certain risk-related conditions are true. You might stop trusting them in cases where enough time has passed that their password might have been compromised, or when their endpoint becomes vulnerable to a certain exploit by virtue of its software becoming outdated.

This is the reason why network perimeter-based security is less than optimal: organizations tend to trust a user forever, to do anything, as long as they come from the right IP address and give the right password. We have known for a long time that open-ended trust is a bad idea, but given the available technology, it’s been a tough problem to address — until now.

These trust conditions change a lot more often than they used to. Users have different devices, some of which are personal ones; they want access from different locations; the applications they want to use aren’t in the employer’s data center. Criminals can more easily get a username and password and reuse them in an automated fashion, at scale. As a result, we need to check more factors and do more verification before deciding to grant access for a fixed period of time.

What if we never trusted the user? Unfortunately, that doesn’t work too well either. Any amount of additional friction annoys them. The most popular types of additional authentication require the user to demonstrate physical presence and control by taking a physical action: clicking the green button on a push notification app or tapping a Yubikey.

Even doing that once a session can result in pushback from your customers, depending on what they’re used to doing. This is why administrators have the option of configuring “remembered devices” and grace periods, to balance the risk windows (the time in which a certain risk might increase to unacceptable levels) with the user experience.

Whether you call it BeyondCorp, zero trust, or any other kind of model, the issue of trust is central to how you configure your access policies.

• What do you trust the user to do?
• For how long?
• What changes will require you to re-verify the factors?
• How does this translate into an acceptable user experience?

For more considerations when you’re implementing this transformation, see our white papers on Moving Beyond The Perimeter, parts 1 and 2.

The zero-trust concept starts with establishing a level of trust around the identity of the user and what they can access to work within the organisation’s environment. Having checked the device and authenticated the user, the next fundamental element is controlling what doors to what applications they can enter, and what is considered out of bounds. This is not a new idea. As Hamlet once said all those years ago:

“Let the doors be shut upon him, that he may play the fool nowhere but in’s own house.”

This is not to suggest that chief information security officers (CISOs) should start getting worked up about familial or romantic issues; as it didn’t appear to work out too well for poor old Hamlet. But the idea of restricting a user so that they can only enter into an area which is approved and relevant to their duties is a necessary control.

Virtual private networks (VPNs) ensure that the user is connected within the virtual corporate network. But once the credentials are accepted, the user is through the main door into the organisation. This is all well and good in a world where all users are completely honest and, in fact, who they say they are. Unfortunately, compromising credentials is all too common an occurrence. For example, the ease with which phishing has become an attack tool of choice has made relying on controlling the main door with a username and password a limited security control.

The Duo solution starts to address this level of control over users at the entry point. The use of a reverse proxy enables the mapping of users to applications. This means that each application has a door which the user has to open. It is a house on its own with one way in, and that is under lock and key. This provides a triple layer in the defence structure:

• The user is known and authenticated.
• The device is checked and found to be adequate.
• The user is limited to where they can go.

This all needs to be done with minimal impact on the end user. Introducing difficulty into any security control area just breeds avoidance. By integrating with established single sign-on (SSO) capabilities, the users’ rights can be identified without the need for any duplication of effort. The ease of adaptive authentication at the device level makes this a non-disruptive activity on the user side, and a natural part of the workflow of logging in to do some work. Meanwhile, the ability to block non-approved devices leverages the awareness of endpoint security. Wrapping this around a browser-based gateway screen provides a simple, secure single point of entry into each of the application doors.

What is appealing about the agile and flexible approach is the ability to bring new applications on board wherever they are found - whether running in the cloud, in a local data center or a third-party application. No matter where the doors are, they can be open or shut from a central point based on a policy. So as digital transformation drives change in the business and new applications are brought on stream, the Duo solution ensures that security controls enable, rather than block or hinder.

And, of course, because we want to control the doors, it doesn’t mean we think that all users are there to play the fool. Just the bad guys.