Where on Earth Are My Users?

August 29, 2014

IT administrators have plenty of logs to pore through. With a bit of digging, admins can discover where login attempts are coming from, but doing this for every application, server, and network appliance is a fair bit of work. Logs are also inherently noisy. Was that invalid login attempt from a user accidentally mistyping a password or is someone maliciously trying to guess that user’s password?

Many organizations attempt to solve the “log problem” by deploying a Security Information and Event Management product. SIEM helps, but it’s still a fairly big investment to procure, deploy, and maintain.

Duo Security protects some of the most critical assets at organizations of all sizes. After a user successfully completes primary authentication, Duo ensures the user is who she/he claims to be. All Duo authentication attempts are logged, and in most cases, Duo sees the location the user is attempting to authenticate from (by IP address).

Making Logs More Accessible and Actionable

Duo has recently made it a lot easier to see where your users are authenticating from with a feature we’ve been calling Maps and Flags. After logging into the Duo Admin Panel, you’ll now see a map and some new data in the authentication logs table.

Maps and flags of recent Duo authentication attempts

Our first cut at this visualization shows all authentication attempts over the last 24 hours plotted on a map by the result of the attempt. In all of these cases, primary authentication was successful (since Duo is only invoked after a password was verified). The Authentication Log table shows the details of all login attempts.

These details show who attempted to authenticate to which resource, when it happened, from where, which Duo auth method was used, and the results of the attempt. If the attempt was not successful, more information will be provided, such as whether or not the attempt was reported by the user as fraudulent by using an Out-of-Band authentication method such as Duo Push or phone callback.

This isn’t the first time that you’ve seen authentication geolocation information from Duo. Anyone using Duo Push has probably noticed this information when approving a login request. Now this data is easily scannable in aggregate for all of your organization’s Duo Administrators.

When launching this feature we also upgraded our IP address geolocation database, so now it is even more accurate than it was earlier this year.

Looks Pretty, But What Do I Do With It?

Everyone loves a map. Initially, we wanted to make it easier for admins to see where potentially thousands of daily login attempts are coming from at a glance. Currently, the more actionable data is in the Authentication Log. If you notice any failed attempts you might contact the user involved to make sure they were accidental, or to see if that user needs some help.

The flags and geolocation information provide a quick, visual spot check that authentication attempts are coming from places that you would expect your users to be located. If 100% of your users are based in the US and you’re seeing a bunch of authentication attempts from China, you might want to investigate further.
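
The same spot check can be scripted over an exported authentication log. The following is an added example, not Duo's code: the CSV column names, the reason values, and the sample rows are constructed for illustration and are not Duo's log schema. It groups follow-up reasons per user and treats a missing location as its own case, since a location is only seen in most cases, not all.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and values are assumptions,
# not the format of Duo's Authentication Log.
SAMPLE_LOG = """\
timestamp,user,application,country,factor,result,reason
2014-08-28T09:02:11Z,alice,VPN,US,Duo Push,success,
2014-08-28T09:05:40Z,bob,SSH,US,Phone Call,failure,no_response
2014-08-28T11:17:03Z,alice,VPN,CN,Duo Push,failure,user_marked_fraud
2014-08-28T11:18:30Z,alice,VPN,CN,Duo Push,failure,user_marked_fraud
2014-08-28T13:44:52Z,carol,Webmail,CA,Passcode,success,
2014-08-28T15:20:09Z,dave,VPN,,Duo Push,success,
"""

# Countries where this (hypothetical) organization expects its users to be.
EXPECTED_COUNTRIES = {"US"}


def triage(log_text, expected=EXPECTED_COUNTRIES):
    """Return {user: sorted reasons} for attempts that merit a follow-up."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        country = row["country"].strip().upper()
        # A user-reported fraudulent attempt outranks an ordinary failure.
        if row["reason"] == "user_marked_fraud":
            findings[user].add("fraud_reported")
        elif row["result"] != "success":
            findings[user].add("failed_attempt")
        # No location is recorded for some attempts; surface that separately
        # instead of silently treating it as expected or unexpected.
        if not country:
            findings[user].add("location_unknown")
        elif country not in expected:
            findings[user].add(f"unexpected_country:{country}")
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(reasons)}")
```

Repeated rows for the same user collapse into one entry, so the output is a short contact list, not a second copy of the log.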

Try It Today

The new dashboard has been deployed to all customers and is viewable after logging in to the Duo Admin Panel.

Not using Duo yet? Sign up for a trial and start protecting everything that matters with two-factor authentication.