Stronger Protection & Frictionless Access Can Coexist (Really)
If endless false positives and reactive security models have been threatening your productivity and that of your users, you’re not alone. Many organizations struggle with authentication processes that frustrate and burden users to the point that they see security as nothing but a point of friction. Meanwhile, admins waste time chasing down alerts that ultimately point not to threats, but false signals.
Here, we explore how Cisco Duo’s risk-based authentication can decrease false positives, accelerate frictionless trusted access, and help you assess risk at the point of login.
Assessing the attack landscape
To implement a frictionless trusted access experience, it’s important to understand the attack landscape. Today's cyber attackers aren't sacrificing quality for quantity; instead, they are increasing the complexity of their attacks with multiple stages that expose companies to different kinds of risks. For example, a ransomware attack can lock users out of the company network while also exfiltrating sensitive data to sell on the dark web.
Increasingly, attackers are successfully finding ways to take advantage of gaps in weaker multi-factor authentication (MFA) systems. These MFA bypass attacks outsmart standard MFA protections by using the MFA system’s own software and processes, as well as users’ fatigue with more difficult MFA tools, to goad users into accepting fraudulent verification requests. Attackers manipulate user behavior via a variety of attacks, including:
Push phishing attacks
Man-in-the-middle (MitM) attacks
One-time-password attacks (OTP)
Vulnerable device attacks
The truth is users are attackers’ favorite targets. The most recent Verizon Data Breach Investigation Report lists credential and phishing attacks as the top attack vector (followed by vulnerability and botnet attacks). In fact, the report finds that 82% of attacks involved the human element.
Despite these growing risks, 80% of organizations are not prepared to protect themselves against this latest generation of attacks, according to the 2023 Cisco Cybersecurity Readiness Report.
Evaluate risk to establish trust
To reliably and efficiently establish trust, it’s critical to understand the risk level an authentication attempt poses. Duo’s Risk-Based Authentication (RBA) uses a series of contextualized signals to evaluate risk at the point of login. Duo then provides the right level of friction for the user based on the corresponding risk level. Duo’s RBA enables security policies and risk signals to work together to create an automated, dynamic user experience. (Organizations can create policies that reflect their trust tolerance and implement them with Duo.)
If a user meets the established risk threshold, the session can be extended using Duo’s Risk-Based Remembered Devices. Reducing the time spent authenticating improves user experience and user productivity. If risk signals indicate that trust has dropped below the threshold due to the presence of worrisome signals (say, if the user’s authentication device suddenly appears to be in a far-off time zone), Duo automatically requests additional verification steps for the use. Continuously adapting to changes in user context between authentications provides an additional layer of security.
Risk signs are vital
Many other MFA systems’ risk-based authentication signals are plagued by false positives and weak contextualized risk signals. Some simply do not check all risk signals at the point of login.
Cisco Duo's RBA offering is a real-time, adaptive security product that can help fight threats at the point of login. Duo detects potential attacks such as push-spray and push harassment attempts, while also assessing factors such as device geo-location, unrealistic travel, time of authentication, and more. Duo collects user data to determine location risk, using Duo’s unique Wi-Fi Fingerprint capability to intuit their working location and detect changes to that location when the Wi-Fi Fingerprint varies. This provides a high level of assurance on location and network. Duo also assesses device attributes (OS and browser version, firewall, security settings. etc.), XDR/anti-virus status, and management status—and couples all this information with signals from known attack patterns. In real time, the Duo risk engine analyzes the signals and decides where the authentication falls in the trust spectrum.
If a user logs in at their normal time and location on their corporate device, the decision engine would label it as “high trust” with no added verification steps, such as requiring Verified Duo Push (which sends a code to the user’s authentication device) or authentication using a security key.
But if authentication is deemed “low trust,” the user may be required to take additional security measures such as remediating a non-compliant device, using a more secure authentication factor, or entering a verification code before they gain access to the network or application. Unlike other access management solutions, Duo is designed for self-remediation. Rather than giving users a meaningless error code and telling them to contact IT, Duo tells them what the problem is and how they can fix it, so they can get back to work quickly and easily.
To protect users, data, networks, and applications, Duo places friction only where and when you really need it. Our goal is to frustrate attackers, not users. In the process, we deliver what every organization and users really want: stronger protection and frictionless access.
To learn more, contact the Duo sales team today.