Configure Duo and Secure Endpoint to Respond to Threats

Available Languages

Download Options

  • PDF     (3.2 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (3.2 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (2.3 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 20, 2023
Document ID:220404

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    DUO Login Flow

    This document describes how to integrate Duo Trusted EndPoints with Cisco Secure EndPoint.

    Background Information

    The integration between Cisco Secure EndPoint and Duo, allows for effective collaboration in response to threats detected on trusted network devices. This integration is achieved through multiple device management tools that establish the reliability of each device. Some of these tools include:

    • Active Directory Domain Services
    • Active Directory with Device Health
    • Generic with Device Health
    • Intune with Device Health
    • Jamf Pro with Device Health
    • LANDESK Management Suite
    • Mac OS X Enterprise Asset Management Tool
    • Manual with Device Health
    • Windows Enterprise Asset Management Tool
    • Workspace ONE with Device Health

    Once devices are integrated with a device management tool, it is possible to integrate Cisco Secure EndPoint and Duo by API in the Administration Panel. Subsequently, the appropriate policy must be configured in Duo to execute trusted device verification and detect compromised devices that can affect applications protected by Duo.

    Note: In this case, we work with Active Directory and Device Health.

    Prerequisites

    • Active Directory to make the integration.
    • To integrate Duo with Trusted Endpoints, your devices must be registered in the Active Directory domain. This allows Duo to authenticate and authorize access to network resources and services securely.
    • Duo Beyond Plan.

    Configuration and Use Case

    Configure the Integration in Duo

    Log in to the Admin Panel and go to:

    • Trusted EndPoints > Add Integration
    • Select Active Directory Domain Services

    DUO Add Management Tools Integration

    After that, you are redirected to configure the Active Directory and Device Health.

    Take into count that this only works with machines in the domain.

    Go to the active directory and run the next command in PowerShell:

    (Get-ADDomain | Format-Table -Property DomainSID -HideTableHeaders | Out-String).Trim() | clip

    Active Directory SID string

    After that, be sure you have copied to the clipboard the security identifier of your Active Directory.

    Example 

    S-1-5-21-2952046551-2792955545-1855548404

    This is used in your Active Directory and Device Health Integration.

    DUO Active Directory SID Integration

    Click Save and enable the integration and Activate for all.  Otherwise, you cannot integrate with Cisco Secure EndPoint.

    Integration Status Button

    Go to Trusted EndPoints > Select Endpoint Detection & Response System > Add this integration.

    Trusted EndPoints Active Directory With Device Health Integration

    Now you are on the main page of the integration for Cisco Secure EndPoint.

    Cisco Secure Endpoints Integration

    After that, go to the Admin Panel of the Cisco Secure EndPoint.

    Configure the Integration in Cisco Secure EndPoint

    And navigate to Accounts > API Credentials and select New API Credentials.

    Cisco Secure Endpoint API Creation

    API Creation - Read Only

    Note: Only Read-only is needed to make this integration because Duo makes GET queries to Cisco Secure EndPoint to know if the device meets the requirements of the policy.

    Insert Application Name, Scope, and Create.

    API Parameters - Integration

    • Copy the 3rd API Party Client ID from Cisco Secure EndPoint to Duo Admin Panel in Client ID.
    • Copy the API Key from Cisco Secure EndPoint to Duo Admin Panel in API Key.

    DUO and Secure Endpoint API Integration

    Test the integration, and If everything works well, click Save to save the integration.

    Configure Policies in Duo

    To configure the policies for your integration, you go through your application:

    Navigate to Application > Search for your Application > Select your policy

    DUO App Creation

    Configure the Policy to Detect a Trusted Device

    Policy Require Endpoint to be Trusted

    Test Trusted Machines

    Machine with Duo Device Health and joined the domain

    Trusted Endpoint Status

    Machine outside the domain without Duo Device Health

    Unable to Communicate with Device Health

    Download Device Health

    Machine outside the domain with Duo Device Health

    Machine Outside Domain not Trusted

    Not Trusted Access not Allowed

    Configure the Policy for Cisco Secure EndPoint

    In this policy setup, configure the already trusted device to meet the requirement about threats that can affect your application, so if a device gets infected, or if some behaviors mark that machine with suspicious artifacts or Indicators of Compromise, you can block the machine access to the secured applications.

    Allow Cisco Secure Endpoint to Block Compromised Endpoints

    Test the Trusted Machines with Cisco Secure EndPoint

    Machine without Cisco Secure Agent Installed

    In this case, the machine can pass without AMP verification.

    Trusted Endpoint Reporting

    If you want to have a restrictive policy, you can set up the policy to be more restrictive if you modify the Device Health Application policy from Reporting to Enforcing.

    And add Block Access if an EndPoint Security Agent is not running.

    Trusted Endpoint Enforcing Cisco Secure EndpointComputer without infection

    With a machine, without infection, you can test how Duo with Cisco Secure EndPoint works to exchange information about the machine status and how the events are shown in this case in Duo and Cisco Secure EndPoint.

    If you check the status of your machine in Cisco Secure EndPoint:

    Navigate to Management > Computers.

    When you filter for your machine, you can see the event of that, and in this case, you can determine your machine is clean.

    Cisco Secure Endpoint Computer

    You can see there is no detection for your device, and also it is on a status of clean, which means your machine is not in triage to attend.

    Cisco Secure Endpoint Events

    This is how Duo categorizes that machine:

    Trusted Endpoint not in Triage

    The machine maintains the trusted label.

    What happens if the same machine gets infected by a Malicious Actor, has repetitive attempts of infection, or Indicators of Compromise alerts about this machine?

    Computer with infection

    To try with an example of EICAR to test the feature, access https://www.eicar.org/, and download a malicious sample.

    Note: Do not worry. You can download that EICAR test, it is safe, and it is only a test file.

    Eicar

    Scroll down and go to the section and download the test file.

    Eicar File Download

    Cisco Secure EndPoint detects the malware and moves it to quarantine.

    Eicar Detection

    This is how it changes, as shown in the Cisco Secure EndPoint Admin panel.

    Event Detection as Malware

    You also have the detection of the malware in the machine, but this means the endpoints are considered to be analyzed under the triage of Cisco Secure EndPoint on the Inbox.

    Note: To send an endpoint to triage, it needs to have multiple detections of artifacts or strange behavior that activate some Indicators of Compromise in the endpoint.

    Under the Dashboard, click in the Inbox.

    Cisco Secure Endpoint Inbox

    Now you have a machine that requires attention.

    Cisco Secure Endpoint Triage

    Now, switch to Duo and see what the status is.

    Authentication is tried first to see the behavior after the machine was put on the Cisco Secure EndPoint under Require Attention.

    Not Trusted Endpoint in Triage

    This is how it changes in Duo and how the event under authentication events is shown.

    Denied Access Endpoint in Triage

    Your machine was detected as not a safety device for your organization.

    Permit the Access to a Machine After Review

    Triage Workflow

    After verification under Cisco Secure EndPoint and by your Cybersecurity Specialist, you can permit access to this machine to your app in Duo.

    Now the question is how to permit access again to the app protected by Duo.

    You need to go under Cisco Secure EndPoint and in your Inbox, mark this device as resolved to permit access to the application protected by Duo.

    Triage Process

    After that, you do not have the machine with the status attention required. This changed to resolved status.

    Triage Resolved Status

    In a few words, now you are prepared to test again the access to our application protected by Duo.

    DUO Push Request

    Now you have permission to send the push to Duo, and you are logged into the app.

    Trusted After Triage

    Triage Workflow

    Triage Flow

    Revision History

    Revision Publish Date Comments
    1.0
    20-Apr-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jairo Andres Moreno Ciro
      TAC
    • Jean Orozco Navarro
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products