Introduction to Multifactor Authentication – Cisco Duo and a Zero Trust Solution

In this 30 minute session, our Cisco-certified cybersecurity expert, Kenya Thomas, highlights the importance of using MFA to protect yourself and your company from phishing attempts and overall security breaches. He also shares insights gained from developing secure access implementation plans with Cisco Duo’s Zero Trust strategy.

video
play-sharp-fill
 
Welcome everybody. Thank you for joining us today for our introduction to multifactor authentication, Cisco's Duo and zero trust solution. I'm Jessica Jackson, your moderator. In today's session, Kenya will highlight the importance of using MFA to protect yourself and your company from phishing attempts and security breaches.
I'm happy to introduce our speaker today.
Kenya Thomas is a Cisco certified instructor since 2002. He has traveled the world teaching classes in routing, switching, optical, networking, and cybersecurity. All right, first and foremost, thank you all for taking the time to attend this presentation is very much appreciated. A couple of things. There was an ancient Chinese proverb that says, may you live in interesting times. It's actually almost like a curse and we are most definitely living in interesting times. We're in 2022 and we're in year three of a global pandemic. And this, this global pandemic has actually transformed the very nature of how we all work and the very nature of work itself. The security perimeter, the edge of the network that perimeter continues to expand so that we actually have more and more resources in the cloud and more and more resources that need to be available to the users wherever they may be. At the same time we're seeing that cyber attacks and ransomware attacks are on the rise at a level that has been unprecedented. Companies have been looking at how do they add additional layers of protection to their networks and network managers and network professionals like yourself, they have been asking, how can they make sure they know who is on their network? What devices are being used to connect to the network? And what resources are being accessed? Towards that end, multifactor authentication has become an essential component of a security solution. What we're going to be talking about here for the next 30 minutes or so is the fact that Cisco Duo is a critical part of an MFA solution, but Cisco Duo actually goes far beyond just MFA to what will be referred to as a zero trust solution. And we're going to define zero trust for you in a moment. Now, as I said before, thank you for being here because each of you guys has made an investment in your security. You guys are aware of the type of dangers that are out there and the kind of risks that organizations have to deal with. You guys are committed to keeping your organization safe. There's no question about that. At the same time, let's explore some gaps that might exist in your network security. So I'm going to give you guys a couple of scenarios here, and then in your head, think about what the responses might be. So scenario number one is this, I get the username and password of one of your employees, and then I attempt to log into your network. So I've got the username and password. Am I successful? Scenario two, I'm actually an employee of your organization. So I've got a right to be on the network, but my laptop is running an outdated operating system and that operating system has known vulnerabilities. Am I able to access corporate resources? Scenario number three, I'm a hacker, which sounds really dramatic, but really I just send out emails that contain attachments with malware, or I send out emails that have enticing URLs. And if you click them, then I can put malware on the network, but I'm a hacker and I've penetrated your network. I am now attempting to access your organization's most sensitive applications. What controls do you guys have in place to stop me? The perimeter of our network has continued to expand. It used to be in the old days, old days as in like four or five years ago that the bulk of the data resided at the data center, hence the term data center. So the bulk of the data was at the data center or headquarters. And as a matter of fact, the bulk of the company's traffic was internal. So, if you had branch offices, the branch offices would connect back to the headquarters in the data center to be able to perform their function. And then the business began to change. So that now we've got cloud based applications and we've got hybrid infrastructure and we got infrastructure as a service and we've got remote users and hybrid users, et cetera. So now my perimeter has shifted. Now the network perimeter is wherever the network is being active. If you take your laptop and you go to Starbucks and you get a double mocha latte with caramel on top, and you open up your laptop and you access the corporate network. Well, the corporate network now extends to Starbucks. If, while you're picking up your kids from daycare, you go ahead and use your phone to access corporate network. Well, the corporate network now extends to the daycare. So that, that expanded attack surface that represents a boon for the bad guys, wherever the network is being access represents a potential entry point into the network for the bad guys. And they know that, and they've been taken advantage of it. 81% of breaches involve compromised credentials. Right now, today, you and I could go onto the dark web and we could buy compromised credentials for a couple of hundred thousand people. In addition to compromised credentials, you've got the bad guys who were targeting web-based applications with known vulnerabilities, and then you've got this massive increase in IoT devices and malware. That's designed to target IoT devices like thermostats and, smoke detectors and vending machines, et cetera. But let's go back to that 81% of breaches with compromised credentials. Let me tell you guys a story that many of you may be familiar with. Even if you're not in networking, you may have heard of the colonial pipeline hack that happened last year. Just as background for you. Again, prior to May six Eastern European hacker group, dark side, they got inside of colonial pipelines network and they stole hundreds of gigs of data. So hundreds of gigs of data, without anybody realizing it. On May 6th, they launch a ransomware attack and shut down part of colonial pipelines network executives that colonial pipeline, they actually shut down the entire pipeline. This is the pipeline that controls gasoline going to the Eastern coast of the United States. May 7th colonial pipeline executives agreed to actually go ahead and pay $4.4 million in ransom. Not bad work for the hackers, if you can get it. So $4.4 million. Interestingly enough, the FBI was actually able to recover about half of that, but the bad guys still got away with a couple of million. May 10th, the FBI confirmed that the dark side group, their ransomware was indeed responsible for the attacks. May 12th, everybody on the east coast, there was panic buying of gasoline. Thousands of fuel stations ran out of gas. As people started worrying that they were going to be able to get gasoline at all. May 12th, colonial pipeline restarted their operations. But as a result of this attack, this was the largest cyber attack on an oil infrastructure target in the history of the United States. Cost was in the tens of millions of dollars. President Joe Biden actually met with president Putin to actually discuss the fact that Russia was providing safe haven for the hackers. Here's the interesting part of the story that most people don't realize that entire attack, the source of the breach was a single compromised password. Bloomberg news on June 4th announced the following, the hack that took down the largest fuel pipeline in the us and led the shortages across the east coast was the result of a single compromised password. Hackers gained entry into the networks on April 29th through a VPN account. The account was no longer in use at the time of the attack, but could still be used to access colonial pipeline's network. The VPN account, which has since been deactivated, did not use multi-factor authentication. Consequently, it was utilized then to actually access the network tens of millions of dollars and a single compromised password. So one of the things that we want to explore and kind of discuss with you is this is not just, yeah, they should've had MFA. That's easy after the fact, but the concept of what we call the zero trust. Here's what zero trust says. Zero trust says before you get access onto my network, I need to verify that you are who you say you are. And in addition to verifying you are who you say you are. I need to verify the device that you're actually on. And in addition to verify the device that you're on and that you are who you say you are, I need to monitor all of your access as you move through my network. At no point do I just simply trust that you are, who you say you are, hence the term zero trust also referred to as least privileged access. You get access to what you need to get access to. And no more than that now. The idea behind a zero trust approach. And it makes sense it's tricky to implement sometimes, but it makes sense. Here's what it says. It used to be that you would have to verify you are who you are, who you say you are as you enter into the network, username and password with just a username and. And then once you were in the network, there wasn't as much emphasis on monitoring you once you're in, because we assume that you could be trusted now with the zero trust approach. We don't take that approach. We monitor one that you are who you say you are, and we've verified that beyond a username and password. As a matter of fact, many organizations, Cisco is one of them is actually moving beyond passwords altogether. That's a separate conversation, but we go far beyond just a username and password and we continue to verify as you're in. So north south is the technical term that we use for outside the network to inside the network. So we've verified north south, but we also verify east west that's refers to as lateral movement, your ability to navigate inside the network. We're going to monitor and control that also. So the idea behind a zero trust approach and zero trust is not a single product or a single solution. It's a frame. But the idea behind zero trust is this. Who are you? I need some way to verify distinctly in that moment of access that you are, who you say you are. Is your network access device safe? Does it have vulnerabilities? I can put my network at risk. And what are you doing? What applications are you accessing? Which means I need to have a list of who gets to access which particular applications. Now the end result of this approach is that we reduce the attack surface, and we also gain visibility into who's on my network and what devices on my network. And we also can go ahead and actually reduce risk. Now, as I mentioned before, zero trust is not a single product or a single solution. There's an overall framework that you adopt to ensure and protect your network. Cisco Duo is an essential part of the zero trust solution. Cisco Duo says the following. So let's go, Duo says, Hey, we're going to go ahead and have trusted users. Now, what do we mean by trusted users, users who have been verified at the moment of access who are then on trusted devices, devices that are compliant with whatever my corporation's requirements are and application. Specific applications tied to those particular users so that I don't have users who don't need to be accessing various applications, able to access those applications. Now, one of the things as human beings that we always value is that we always value something called social proof. Proof that nobody wants to be the first. Well, Cisco Duo has been around for a while and by no means at all, would you guys be the first, just to give you an idea of the scope of Cisco Duo. As of right now, Duo does over 900 million authentications per month, close to a billion. So 900 million authentications per month. We have over 37 billion that's billion with a B devices that are being protected with Cisco Duo and. Cisco Duo is monitoring access to 436,000 unique applications. Okay. So let's delve a little bit deeper here. So when you talk about Cisco Duo, let's talk about user trust. Now, Duo is not an MFA solution. What do I mean by that? It's not just an MFA solution. So don't think of it as just an MFA solution. That's like thinking of a Ferrari as just a way to transport stuff from home Depot. You can do it and it does that just fine, but it goes far beyond that. Now having said that, Duo is actually probably one of the easiest MFA solutions out there. As a matter of fact, we make the claim that we are the world's easiest and most secure MFA solution. Users are allowed to self-enroll in a matter of minutes, users can authenticate in seconds. There's no codes to deliver. It works with wearable devices. You can do phone calls, soft tokens. You can do biometrics. You can do a little USB security things that have to be plugged in the side of the laptop. You can do hardware, tokens, SMS it'll work with the full range of solutions. That's part of its appeal is its ease of use and its flexibility. And. It is HIPAA compliant and NIST compliant and department of drug enforcement, agency compliant and PCI compliant and financial institution, examination, council compliance, compliance in GDPR data protection, laws, compliance it's compliant in so many different ways. One of its major selling points. And this is why one of the big things with Duo is, Hey, People buy Duo not because they come to a meeting like this, they buy it because Hey, they come to a meeting like this and then they go and they try it out. And they're like, whoa, this is easy to use. And once customers see that ease of use, it begins to spread through their organizations. Here's a customer. You may have heard of these guys. This is Facebook. So Facebook's internal developers they heard about Duo and they started off with just 300 people in their organization. So these are the guys who actually developed the code that runs Facebook and keeps it up and going. These guys have to connect into a variety of different systems. Every day, Facebook started using Duo with 300 people, and then now it's grown to more than 10,000 user. John Flynn information security manager at Facebook says Facebook is a very fast paced environment and we needed technologies that would allow us to maintain that pace because of the ease of use of Duo. And that's a common thing because of the ease of use of Duo. We've seen minimal support and overhead costs. Other technologies didn't allow full support for our need to allow multiple and rapid logins to SSH. If you're in charge of network security, here's what you don't want. You don't want a security solution where the employees themselves are trying to bypass it because it's cumbersome and difficult to work with. That creates a problem. One of the nice things about Duo as you'll see again and again and again, and as you'll hopefully, experience for yourself is its ease of use. Now let's talk about posture. Posture is far more than just making sure you don't slouch, which by the way, that actually is important, it actually helps with your breathing and your spine and a bunch of other stuff. But we're talking about device posture. I need to make sure that the devices that access my network, those devices are compliant.
When you hear about or see about like cybersecurity or hacking
in the news, they'll talk about something called a zero day attack. Zero day attacks are sexy. Zero day attacks is what we're like in the movies, the bad guys write some special code, and then they somehow insert that code into the network. And then they take control of the network. Well, the vast majority. Of successful hacking attempts or making use of known vulnerabilities. These are known vulnerabilities and operating systems or software they're out there. They're published. People just simply have an updated. I get it. I don't always update. I'm actually one of the last people to update. So in most of the cases, people are actually are actually accessing your network. Using devices that are potentially compromised. What can we do about that? Well, we can implement Duo device, posture, device, posture checks. We'll actually go in and ensure that the devices that are utilized to access my network are compliant with my policies that the. Mobile devices and that the laptops and desktops are all compliant. They're compliant in terms of their operating system. They're compliant in terms of biometrics. If that's an issue I'm able to go ahead and assess that posture and the health of those devices before I allow them access. So for my mobile devices I'm actually able to go with for my desktop. So I'm actually able to go in and check to make sure that the operating system is up to date. That passwords have been set. If I require a firewall that I actually have the firewall enabled, whatever my requirements are for the business, I can ensure that the devices that access my network are. For my mobile devices, I can actually go in and make sure it's running current software. It's encrypted, I've got biometrics enabled. I've got firewall enabled, whatever my requirements are just as a partial list here is we're seeing a partial list of some of the information that Duo was able to gather before it allows access onto the network. So trusted users, trusted devices. Then my various applications cause ultimately the network is about the applications and the data with Duo as part of a zero trust strategy. We're able to take Duo interface that with identity programs, such as Cisco ISE, or. Microsoft active directory and create policies of who gets to access, which particular applications and the nice thing about it is, it works with so many different applications, right out of the box. It'll work with Microsoft environments. It'll work with cloud-based services, Unix devices it'll work with various VPNs cloud applications, web applications, SAML applications, and a whole host of proprietary applications through the use of API keys. We get that right out of the box, which you don't get with a lot of other solutions. So with Duo, I can have trusted users on trusted devices and I can monitor which particular applications they're able to access, but don't believe me, University of Louisville, hospital. University of Louisville hospital says we are adopting a zero trust security framework, and we needed an MFA solution to start, which is a good place to start. And by the way, zero trust once again, not a single product. It is an overall framework for how you approach networks. Multiple clinicians recommended Duo. It was an easy choice for us. It was the first ever security solution recommended by the users and by the clinicians. This never happens in healthcare. Why? Because Duo is so easy to use. These guys were concerned about being HIPAA compliant and they were also concerned about being attacked because healthcare companies are a target rich environment for the bad guys lift. Entirely different business silo Duo beyond has proven to be one of those rare solutions that both improves the security of our company while simultaneously being easy for our employees to use. Did I mention that it was easy to use? I sure did. And Lyft's case they were concerned about a BYOD solution. A BYOD is not bring your own drinks. It's bring your own device. They wanted a solution where people could use their own cell phones, their own iPad, their own laptops, and still be safe on the network. Duo made that possible. All right. So let's go back to our scenario. Scenario, number one, I gained the username and password of one of your employees, and I attempt to logged into your network and my successful.
Not if Duo was implemented, the username and password by themselves
are insufficient for login scenario. Number two, I'm an employee of your organization. My laptop is running an outdated operating system with known vulnerabilities. Am I able to access corporate resources?
Not with Duo posture checks.

Scenario in three, I'm a hacker.
Ooh, I'm a hacker. And I've penetrated your network. I'm now attempting to access your most sensitive applications. What controls are in place to stop me? Hopefully multiple, because one of the things about security security is like happiness is not going to be just one thing that's going to be the source of your happiness. And hopefully you've got multiple layers. Uh, protection, but hopefully one of those also is Duo with that application level visibility.
Now.

As you're thinking about your zero trust solution and how you
can better protect your network. We want you to also give some thought to who your security partners are. Here's what you don't want as a company. You don't want to just simply buy a bunch of individual products. There's nothing wrong with that, except that you want a partner. You want a security partner who has the knowledge and skills and expertise to actually help protect your network. And it is our sincere desire that Cisco is that partner for.
Cisco has, is able to make a claim that no other security company can make,
which is that Cisco defends 100% of the fortune 100 companies every day. But Cisco does more than just defend the top 100 companies. Cisco has hundreds of thousands of customers, of various sizes and areas of business to give you an idea of the scope of Cisco secure. Cisco has a cyber threat research group. Uh, the name of that group is called Talos. Talos is actually the world's largest private threat hunting organization on the planet. Nobody sees and stops more threats than Talos to give you an idea of the scope of Cisco. 87 different million end points are being protected and monitored. 80% of the world's internet traffic flows through Cisco. Cisco security has over 300,000 customers worldwide and the tallows research team, they see over 1.4 million unique malware samples every day. And protect customers against those different types of malware and do all, as we mentioned before, has over 900 million authentications per month. These are the reasons why 100% of fortune 100 companies use Cisco. Now here's how that's going to benefit you. In addition to having all of the benefits of doing. What Cisco security does is that they make available to their customers. A platform called secure. The SecureX platform is designed to work with your existing security infrastructure. So if you already have a platform, you can take all the information from SecureX that it provides and then have that feed into your existing security platform. If you don't already have a single pane of glass integrated platform, Cisco SecureX can be that for you. All of that Talos threat research, intelligence, and insight gets fed into the SecureX platform and is then available to assist you with being able to identify threats. Here's something people don't know. What is the industry average amount of time it takes to determine if there is malware in a network. Think about it for a second. The answer is a hundred plus days. It's a hundred plus days industry average that malware is in the network before the customer realized that Cisco and the SecureX portfolio are actually able to bring that down from 100 days to under four hours. We're happy to go ahead and talk to you more about SecureX and, if you like, we can set up a demo for you of SecureX as well as a demo of Duo. But we want you to just start thinking about your overall security portfolio. Now, as we wrap this up, I want you to know the following that Duo gets broken up into three tiers, three different types of packages. You got Duo Basic MFA. Which also has, um, single sign on which a lot of customers really like. And then you've got Duo Access where I can go ahead and start doing the posture checks on the policies and then to take it to an even higher level. We've got Duo Beyond here. You're seeing a partial list of some of the different features that are involved in the different layers. Most customers tend to start with Duo Access. Now, next step. We would like to set up a time to meet with you to discuss your organization's zero stress, zero trust strategy. What are you guys currently doing? And then what's next for you guys then we'd like to actually go ahead and set you up for a Duo free 30 day trial. As I said before, once customers see the ease of use and the flexibility of Duo, uh, they tend to like it and they tend to stay with. Security and cyber security is so, so important nowadays, and it's not an abstract concept at all. Uh, my, I live in the San Francisco bay area. My niece is a social worker. I just, last month she went forward to work with a company called partnership health, um, as a social worker and she was loving it. And then suddenly they sent everybody. Um, and they were home for multiple days and those multiple days turned into a week. Plus turned out that partnership health had actually been hacked partnership Halifax. She had the healthcare records over 850,000 members in 14 counties. It was revealed that the bad guys had gotten into the network and were actually selling social security numbers on the dark web. Now, fortunately, they're back up and running. But one of the things that is so important is that we make sure that we keep your organization and other organizations safe. So with that being said, we definitely want to go ahead and actually talk with you more about a zero trust strategy in the interim. Stay safe, stay with. Thank you. My name is Kenya Thomas. Thank you so much for that great presentation. We have come to the Q and A portion of today's session. First question, can you expand on the differences between Duo access and Duo beyond, uh, you know what? That is an excellent question. So there's a number of different. Uh, benefits of utilizing the Duo beyond versus the Duo access. Uh, and with that being said, uh, there's actually a, rather than going to detail, if there's things like with Duo, beyond you have access to things like the Duo network gateway, you've got the capability to be able to determine whether or not a laptop or a desktop is BYOD or managed, but to see the full. The full list of all of the variations between the two. I'm going to go ahead and post a message into the chat. This is a website that actually goes into detail on that comparison. So I'll post that. So you actually have that to go through and explore and more detailed. Okay. Uh, and that breaks down exactly which features are offered in the Duo access Duo beyond the, the 10 users or 10 users or less free edition and Duo MFA. Um, we did have an additional question. Uh, can, I'm sorry if I am getting free MFA for Microsoft, do I really need a product like Duo? Uh, excellent question. Okay. Uh, first off, here's one of the things about Microsoft MFA and we don't want to downgrade anybody else's stuff, but Microsoft's MFA. Pretty good when it comes to Microsoft based applications. But the idea is that if you've got more than just Microsoft applications in your environment, then you're going to want something, um, that gives you more flexibility. And Duo does that. The other piece is, is that once again, I, we do encourage you don't think just in terms of MFA, think in terms of a zero trust solution. All right. Uh, carefully analyze whether or not you're getting what you need for zero trust approach. And it looks like we don't have any additional questions. And additionally, if you have any questions after today's session, please don't hesitate to reach out to our personal knowledge advisors. I've provided the email in the chat panel. I do want to thank you Kenya for presenting and thank you to everybody that joined. We hope you enjoy today's presentation. Have a wonderful day.

Leave a Reply