Duo Trust Monitor

Cisco Duo is a comprehensive MFA solution offering beyond basic MFA capabilities with advanced security features, such as Verifying the Health, Security Posture, and Trust Status of a device attempting access to applications, Adaptive Policy, Risk-Based Authentication, as well as VPN-less Access to private servers and applications, just to name a few.

Within Duo’s Security features is Duo Trust Monitor, a threat detection feature focused on surfacing actionable Security Events.

Duo Trust Monitor ingests authentication data for Duo protected apps to create a historical and contextual baseline of access activity for the environment to determine:

• Who typically accesses applications
• Which applications are being accessed
• From which devices
• At what times are applications being accessed
• From which locations are applications being accessed
• And by which authentication methods (Duo Push, Passcode, etc)
  

In a Duo-protected environment, it is recommended to have around 180 days of data from the environment in order to define Monitor Access Baseline.

From there, Trust Monitor surfaces anomalous or risky access with the goal of reducing access abuse, allowing admins to create more intuitive policies.

 This allows Duo to highlight unauthorized access attempts, such as:

• Access attempts to an app the user hasn’t’ previously been accessed
• Attempts to establish a connection from a new, unrecognized device
• Access attempt at an unusual time from an unusual device
• Unrealistic Travel Logins (MFA device and Access Device are in different parts of the country)
• Unusual Login Time, Unusual 2FA IP
• New Access
• New 2FA Device

Once Duo Trust Monitor has been enabled, authentication logs will be ingested, and evaluation of authentication data will commence. Within 24-48 hours, Duo Admins can start to see new security events from Duo Trust Monitor. On average, Duo Trust Monitor surfaces around 2 high-risk events per day to Admins on the Security Events Dashboard (more on this later).

Many risk analytics tools focus on singular events, such as a new device or first-time application access attempt, without any regard for contextual awareness.

Conversely, Duo Trust Monitor incorporates a holistic view of users’ authentication patterns, activity, and historical login data, in conjunction with Duo-specific data, in order to reduce the potential for false positives.

Based on Duo’s Trust Monitor Output, Duo Administrators can work to amend policies/highlight incidents that need further investigation.

How Does Duo Trust Monitor Work?

Duo Trust Monitor analyzes and models authentication telemetry data to determine risky events and, over time, tunes these models to combinations that generate the most valuable security events for the business.

Some examples of telemetry data that can be collected by Duo include, but are not limited to:

• Username
• Authentication Timestamp
• Application being accessed
• Factor/MFA method: Push, SMS, Passcode
• IP address of access/auth device
• Access or authentication Device Characteristics coming from Duo Desktop and Trusted Endpoints feature
• Authentication Result

Some of the models utilized by Duo Trust Monitor include, but are not limited to:

• Novelty: New device, location, or a first-time access attempt to a specific application
• Rarity: Variable isn’t new, but is seen infrequently
• Attack Patterns: Known patterns in the world of access security, such as unrealistic travel logins, device registration, brute force attacks, etc.
• Known Signal: User marking an attempt as fraud or an admin applying bypass status to a user
• Compounding Risk: Access attempts that include more anomalous variables, thus being considered more risky than other events
• Administrator Designated: Duo Trust Monitors risk profile allows Duo Admins to define certain assets as “priority”

Risk profile flow enables admins to select a prioritized set of Duo-Protected applications, user groups, and locations/IPs, which, in turn, will allow Duo Trust Monitor to prioritize Security Events and Anomalies associated with these profiles over others.

Monitor Access Risk Security Events Dashboard:

The events highlighted by Duo Trust Monitor can be viewed in the Security Events Dashboard. A security event can be defined by a user authentication or device registration that has been deemed as an anomaly within the baseline and is surfaced due to its risk score.

Security Events can be Triggered by Numerous events, such as, but not limited to:

• New Access Device
• New Access Device IP
• New Application access
• New Location
• Unrealistic travel (i.e.MFA Device and Access Device are in different Geos)
• Unusual Access Device IP, 2FA Method, Application, or Time
• User Marked Fraud
• Dormant user

Once the risky event has been logged, Admins have the option to provide input to “process” the Security Event, which allows for further tuning of events.

Security Events can be Processed as Follows:

• Mark as Suspicious: Help to tune Duo Trust Monitor by helping it to understand what is normal (or abnormal) event behavior. Within this designation, you can also provide optional feedback as to why the event was deemed suspicious, leave comments regarding the event, etc.
• Dismiss Event: Define that the event behavior is expected.
• Lock Out User: User activity is suspicious, requiring the user to be locked out of accessing resources. This can be initiated right from the Security Events Dashboard.

For more information around the Duo Solution, please check out the complimentary blog, https://www.moderncyber.com/blog/cisco-duo-more-than-mfa or reach out to the ModernCyber team to learn more about our consultative Duo and Zero Trust Enablement and Adoption services.