We are excited to announce the release of Duo Trust Monitor, a risk detection tool that helps Duo administrators identify and act on suspicious user and device behavior that could indicate account compromise.
Duo Trust Monitor uses machine learning to analyze and model user authentication telemetry in order to create a baseline of normal user access behavior. After reviewing typical access patterns in an organization, Duo Trust Monitor highlights potentially risky logins for further investigation. By surfacing contextual information to Duo administrators directly in the Duo Admin Panel, Trust Monitor makes it easy to understand why a login was deemed anomalous.
For example, Duo Trust Monitor can identify and flag such anomalous behavior as:
- Novel IPs or devices
- Unusual authentication factors or times of day
- Access attempts against high-value applications
- Recognized patterns such as unrealistic geovelocity or brute force attacks
To help improve Trust Monitor over time, you can provide feedback on the surfaced events by marking them as suspicious or dismissing them. Marking an event as suspicious helps the Duo Trust Monitor data science models improve their precision by adapting their understanding of what constitutes normal behavior for a user.
Duo Trust Monitor is available at no additional cost on Duo Access and Duo Beyond editions.
To get started using Duo Trust Monitor, log in to the Admin Panel and go to Trust Monitor in the left sidebar. We recommend setting up a Risk Profile first. Your Risk Profile will tell Trust Monitor which applications, user groups, and locations/IPs are highest priority.
Within one to two days, you will start seeing Security Events flagged by Trust Monitor appear in a dashboard in the Admin Panel, where you can triage and investigate. Over time, Trust Monitor helps you gain visibility into your environment and harden your security posture by adjusting or adding policies.
Here are a few frequently asked questions about Duo Trust Monitor. We invite you to comment below with your own questions!
What data does Trust Monitor have access to?
Trust Monitor analyzes only Duo authentication data and administrator actions (for example, it surfaces when a user is put in bypass status). To see which data points Trust Monitor reviews, refer to the documentation.
How long does it take to set up Trust Monitor?
You can designate your Risk Profile in the Admin Panel in a few minutes and start seeing Security Events in the Trust Monitor dashboard in one to two days.
I’m a new Duo customer. Can I still use Trust Monitor?
Trust Monitor may leverage up to 180 days' worth of historical Duo data to define a baseline. However, organizations don’t need this much data for Duo Trust Monitor to be useful. We recommend customers enable the feature after using Duo in their environment for at least six weeks.
Can I use Trust Monitor in conjunction with my SIEM?
Yes. Trust Monitor is a powerful complement to other security applications such as a SIEM, which can be configured to programmatically ingest event logs using various methods, including via the Trust Monitor endpoint for the Duo Admin API.
Will Trust Monitor ever block my users?
No. Trust Monitor does not block logins. It only surfaces information for you to review and take action on as needed. Trust Monitor’s insights into user access behavior may help inform an adaptive authentication strategy as part of a future Duo product offering.
To get the most out of Trust Monitor, check out our course on Duo Level Up, our free customer education platform that is now in public beta. If you are not already a Level Up beta participant, you can register by following the instructions in this post.
You can also learn more about Trust Monitor on the Duo blog.