Duo Trust Monitor Is Here to Make Risk Detection Easy
We are thrilled to provide our customers with a simple, easy-to-enable, high-signal source of risky access behavior. Our hope is that surfacing risky logins will give them not only new visibility into their environments but, more importantly, a mechanism to remediate suspicious situations and harden their defenses.
Duo Trust Monitor’s Core Capabilities Include:
- Intuitive display highlighting risky access events for policy hardening and proactive credential remediation
- Clear contextual and reasoning information (no black box here)
- Single-click enabled, no costly integration project
- API support for integration with Security Operations Center, workflow and SIEM tools
How Is Trust Monitor Different From Other UEBA Tools?
Duo Trust Monitor builds machine learning models to learn about common authentication patterns within the environment of each customer. By processing past Duo activity, it automatically builds a mathematical understanding of expected user behaviors.
Such patterns include typical geolocation, access device and factor usage, application access, and time of authentication activity for a user and across the company, in addition to other indicators of trust and risk.
Trust Monitor Highlights Suspect Authentications
Duo Trust Monitor does the heavy lifting of highlighting recent authentications that deviate from the normal patterns. To maintain a current understanding of those patterns, models are updated on a frequent basis and adapt quickly to new emergent behaviors.
An example might be a workforce transitioning to work from home. While the transition may take some time to account for, the Trust Monitor model would quickly adapt to see that a user’s new baseline is a home office IP and perhaps a personal laptop.
Context Provides Data Points to Assess
In order to further improve signal, the Duo Data Science team focused on modeling the context in which an authentication takes place. Context includes properties of the authentication that should happen in tandem, actions taken by other users in similar situations, or actions taken by the user recently.
“It was important to us to minimize the number of false positives surfaced by less thoughtful machine learning approaches,” said Brian Lindauer, Head of Data Science at Duo.
“The models we developed make better detections by learning about the relationships between authentication properties, combining that with customers’ specialized knowledge of risks in their own environment, and surfacing authentication patterns only when something is amiss,” said Lindauer.
This information can be used to mark an authentication as normal, even when it might look suspicious in isolation. For instance, access to a restricted production environment might look markedly different from baseline behavior, but is not necessarily risky when done through approved devices and 2FA factors.
Easy To Read, Actionable Alerts
Despite the complexity of the behaviors the models take into account, one of our core development principles was not to create a security black box. We wanted an algorithmic approach that provided context and explainability.
Duo Trust Monitor provides easy-to-parse explanations of why a given event was flagged and what happened around that authentication, along with a transparent feedback mechanism to improve future events.
To validate value and usability, certain customers were given early access to the feature throughout a public preview period. The feedback has been very positive, with a variety of customers catching credential compromise based on Duo Trust Monitor events and improving their access policy.
“Duo Trust Monitor is a detection benefit many MFA providers don't provide out of the box. For us, the highlighted risky events have been spot on - with very few false positives.” — Jason Waits, Director of Cybersecurity at Inductive Automation
What Is Next?
This is just the beginning of how we can continue to use the latest technologies to simplify security for our customers.
With our algorithmic understanding of what is normal for a customer, user and device, we are heavily investing in Risk Adaptive Authentication. By dynamically adapting to a changing threat context, Duo Trust Monitor can help us get out of the way of end users in low-risk settings, while adding more friction when risk increases.
Duo Trust Monitor is available now for all Access & Beyond customers.