Duo Device Trust Monitor – Cisco Cloud Security

With Duo, you can monitor the health of every device across your organization in real time, whether it’s corporate-managed or not. With Duo’s device trust features, you can customize access requirements at the device level, and because it’s a cloud-based solution, you’ll stay ahead of the latest security threats. Identify risky devices, enforce contextual access policies, and report on device health using an agentless approach or by integrating with your device management tools.

You can’t protect what you can’t see. Gaining visibility into devices is the first step in establishing device trust, and it’s an essential aspect of a strong zero-trust strategy. Duo provides visibility into every single device on your network and enforces health checks at every single login attempt.

With Duo, you can verify device health before granting access, to avoid exposing your applications to potential risk. Duo provides detailed information about both corporate and unmanaged devices, so you can easily spot security risks such as out-of-date or jailbroken devices. Figure 8-43 shows the Duo Device Trust Monitor dashboard.


Figure 8-43 Duo Device Trust Monitor dashboard

Duo helps you spot potential risks so you can meet compliance and adjust your access parameters for any situation. With powerful reporting capabilities and an admin-friendly dashboard, Duo makes it easy to monitor your security policies and spot anomalous login activity.

Duo Trust Monitor analyzes and models authentication telemetry in order to highlight risk as well as adapt its understanding of normal user behavior. Table 8-2 provides a sampling of some of the telemetry Duo Trust Monitor considers.

Table 8-2 Sampling of Duo Trust Monitor’s Telemetry

Duo Trust Monitor may leverage up to 180 days’ worth of historical Duo data to define a baseline. However, organizations don’t need this much data for Duo Trust Monitor to be useful. We recommend customers enable the feature after using Duo in their environment for at least six weeks.

Duo Trust Monitor uses a variety of tactics to build out a threat model. It evaluates the effect of each component over time and learns which combinations provide the most security value.

Table 8-3 illustrates a sampling of some of the models present within the feature.

Table 8-3 Duo Trust Monitor’s Models

When first setting up Duo Trust Monitor, administrators should designate their organization’s risk profile. The Risk Profile flow enables administrators to select a prioritized set of Duo-protected applications, user groups, and locations/IPs.

Setting the risk profile is required to surface and view events. If an administrator creates a risk profile that selects every application, group, and location, Duo Trust Monitor still functions, but the feature will not prioritize any anomalies specifically over others.

To set up a risk profile, follow these steps:

Step 1. Log in to the Duo Admin Panel and navigate to Trust Monitor > Risk Profile.

Step 2. Click Create Risk Profile.

Step 3. Begin by selecting applications. Scroll through the list of all applications protected by Duo in your organization’s environment and then select the high-value applications to include in the risk profile.

Figure 8-44 illustrates application selection while creating a risk profile.


Figure 8-44 Application selection while creating a risk profile

Step 4. Your next step is selecting the priority user groups. Highly credentialed power users, contractors, and users in bypass mode are often selected, but the exact configuration will vary by organizational structure. We recommend selecting three to eight groups.

Figure 8-45 illustrates the user group selection while creating a risk profile.


Figure 8-45 User group selection while creating a risk profile

Step 5. In this step of configuring the risk profile, you set trusted IPs or select risky countries. Typical selections are countries where your organization doesn't do any business or have any users, meaning an access attempt from those countries would warrant some suspicion. For low-risk IPs, companies may enter corporate network blocks or trusted IP ranges. To reiterate, this tool merely prioritizes anomalies; events from a trusted network or country can still be surfaced in the Security Events dashboard.

Figure 8-46 illustrates the trusted location and IP selection while creating a risk profile.


Figure 8-46 Trusted location and IP selection while creating a risk profile

Step 6. If you want Trust Monitor to surface non-authentication events that may be considered high risk, such as when a Duo admin applies bypass status to a user, enable that in this step.

Step 7. Review your application, group, location/IP, and non-authentication event selections. If you need to make corrections, you can use the Back to … buttons to revisit each of the selection’s steps. If everything looks okay, click Apply Configuration.
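As an added illustration (constructed example code, not Duo's implementation), the following Python models the risk-profile selections from Steps 3 to 6 and shows the point made in Step 5: the profile prioritizes anomalies rather than filtering them, so an event from a trusted network is still listed, just last. All names, scoring weights, the XX country code and the sample events are assumptions.

```python
"""Illustrative model of how a Trust Monitor risk profile prioritizes, but never
filters, security events. Constructed example code, not Duo's implementation;
every name, weight and sample event below is an assumption."""
import dataclasses
import ipaddress

@dataclasses.dataclass
class RiskProfile:
    high_value_apps: set           # Step 3: prioritized applications
    priority_groups: set           # Step 4: power users, contractors, bypass users
    risky_countries: set           # Step 5: countries with no business presence
    trusted_networks: list         # Step 5: corporate blocks / trusted IP ranges
    surface_non_auth_events: bool  # Step 6: e.g. admin applies bypass status

def in_trusted_network(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def score_event(event, profile):
    """Priority score; higher surfaces first. 0 is still surfaced, just not
    prioritized. None means the event type is not considered at all."""
    if event["type"] == "admin_action":
        if not profile.surface_non_auth_events:
            return None
        return 3 if event["action"] == "bypass_status_applied" else 1
    score = 0
    score += 2 if event["application"] in profile.high_value_apps else 0
    score += 2 if set(event["groups"]) & profile.priority_groups else 0
    score += 2 if event["country"] in profile.risky_countries else 0
    score += 0 if in_trusted_network(event["ip"], profile.trusted_networks) else 1
    return score

def prioritize(events, profile):
    """Return event ids ordered by descending priority (ties broken by id)."""
    scored = [(score_event(e, profile), e["id"]) for e in events]
    return [i for s, i in sorted(((s, i) for s, i in scored if s is not None),
                                 key=lambda x: (-x[0], x[1]))]

PROFILE = RiskProfile({"VPN", "Admin Panel"}, {"Domain Admins", "Contractors"},
                      {"XX"}, ["10.0.0.0/8", "203.0.113.0/24"], True)  # XX: placeholder
EVENTS = [  # constructed sample events, not real telemetry
    {"id": "e1", "type": "auth", "application": "VPN", "groups": ["Domain Admins"],
     "country": "XX", "ip": "198.51.100.7"},
    {"id": "e2", "type": "auth", "application": "Wiki", "groups": ["Staff"],
     "country": "US", "ip": "10.1.2.3"},
    {"id": "e3", "type": "admin_action", "action": "bypass_status_applied"},
    {"id": "e4", "type": "auth", "application": "VPN", "groups": ["Staff"],
     "country": "US", "ip": "10.1.2.3"},
]
```

Calling `prioritize(EVENTS, PROFILE)` lists the trusted-network event e2 last rather than dropping it; turning off non-authentication events removes e3 entirely, matching Step 6.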
