Cisco plans to acquire cybersecurity firm Duo Security for $2.35B (cnbc.com)
155 points by pigeonlaser on Aug 2, 2018 | 62 comments



Congratulations to my neighbors at Duo! That's a crazy amount of money and I hope that many Ann Arborites pay it forward in the tech scene from which Duo came.

Lots of good tech in A2 in general - Deepfield acquired by Nokia, SkySpecs, Trove, FarmLogs (a YC startup), LLamasoft (my employer!), IBM is here, Toyota, Hyundai, a rapidly increasing number of medtech companies, and plenty of boutique consulting. It makes for a healthy life - a strong tech scene drives wages up, yet the cost of living is still fairly low (downtown A2 is very expensive already, but you can live in the nearby areas for considerably less). There were four companies from A2 in the who's hiring page the other day. Take a look! :)


> downtown A2 is very expensive already, but you can live in the nearby areas for considerably less

A big part of the August 7th primary will be about building more housing. Taylor wants more, Eaton wants to freeze Ann Arbor in amber so that no one else can move in and change the town.


We maintain this list of startups in Ann Arbor :)

http://madeina2.com/


i love the simplicity of the site! would you consider open sourcing or selling a license so we can do a replica of it for our community?

haha edit - i didn't scroll down. you guys rock! - https://github.com/MadeInA2/madeina2


Actually planning on a major update soon—lmk if you end up using it!


Work a bit next door to the Llamasoft office, it's a good spot. Really love A2 and glad to see the budding tech scene here really making it.


A2 and the tech scene in the area is great. Glad to see this!



I really hope that Duo survives this. Cisco isn't necessarily known for handling acquisitions well...or software...but who knows. Maybe it's the shot in the arm that many companies will need to move to token based auth. Lots of enterprise IT departments take Cisco's word as divine. I have had some bad experiences with Cisco the company, but the devices have always been really good even if they lag behind some of the more aggressive competitors in features or speeds.


The acquisition track record for the Cisco Security business is pretty incredible. Like HBS Case Study good. Sourcefire, ThreatGrid, OpenDNS, Lancope, CloudLock, Observable. Great products and teams brought to scale and maintained. Even IronPort 10+ years later has done fantastically well.

I'm thrilled that Duo will be joining an amazing business filled with a deep bench of security talent and wonderful customers. It's a really strong fit with what Duo has already built and with where both teams are going, now together.

I guess I should mention I was founder / CEO of OpenDNS, was acquired by Cisco, previously led the Cisco Security business, and am still an executive at Cisco. So maybe a bit biased, but still factually on the mark. ;-)


Wow, that's really cool. OpenDNS is/was awesome. I think Cisco also does some great work in the security research space.

It's been a long time since my negative experience and I should probably update my prejudices. Cheers.


OpenDNS was pretty good until Cisco bought it, made the interface worse arbitrarily, and started increasing the cost without providing anything new worth having. The second we heard it was acquired I turned to my boss and said we ought to be looking for an alternative.


Ironport and OpenDNS are not doing better. Sourcefire is mediocre and I don't know about the rest.

I hope you read this, the reason why Cisco chooses to acquire rather than compete is the same reason those companies would do better without Cisco. I am glad for the founders who get acquired but at least the John Chambers era acquisitions did not fare well.


Yo can we get some snacks in SJC15?


I'm supportive. Feel free to ping me and I'll see if I can give you some pointers of how to make some progress on that ask.


> Feel free to ping me and I'll see if I can give you some pointers of how to make some progress on that ask

Spoken like a true Cisco executive. You could have just said "I'm supportive but it's out of my hands."

Or perhaps, no reply at all.


I take that as a compliment. I really like working with almost every single one of my peers.

I'm not responsible for the buildings or teams in SJC15 and the OP knows that. The people who work with me at Cisco know that when I say I'll help, I do.


> The people who work with me at Cisco know that when I say I'll help, I do.

The same can be said for people who know David outside of Cisco too. I know David from SHDH, EveryDNS, & OpenDNS. He's a man of his word.


It wasn’t.

Caveating your offer of support three or four times signals hostility not helpfulness.

Any rational actor reading that statement would assume you’d forward their message onto HR without a real response. And make note of the complainer in question.

If you can’t be concrete with your words, why even bother?


I'm not normally one to defend upper management, but that's a dick thing to say to someone who probably genuinely wants to help, but isn't authorized to pay for and ship an expensive snack machine into a random building in a giant company.

"I'll see if I can give you some pointers of how to make some progress on that ask"

probably means

"I'm not the god damn office facilities manager, and I'm not spending my limited time and social capital to quarterback your request for you, but I'll see if I can figure out who in god's name in this 70,000+ person company you should talk to, and tips for how you might convince them to change their budget to give you free snacks".


No way dude! That could cost the company thousands of dollars. Is this good for the company?

/s


Cisco is essentially composed of nothing but acquisitions. That is what Cisco does.

The reputation of Cisco's internal engineering culture used to be pretty grim. I never understood why any PM or lead would actually build something from a Cisco internal MRD, rather than jumping ship, building it privately, and selling it back to Cisco. I know of more than one person that did literally exactly that, successfully.

But post-Sourcefire I think it's a different scene there; they have some very large, long-lived teams with coherent cultures now. I assume in the post-Sourcefire Cisco game plan, Duo stays Duo.


The culture didn't shift much post-Sourcefire, it just melded a bit. Everything they acquire becomes a little Cisco-y, depending on how big it was. Duo will become "Cisco-y Duo". But it may be more Cisco or Duo depending on the strength of the culture.

Talos is a good example: it was created from merging Cisco SIO and SourceFire VRT, but I would wager it's 80% VRT [in terms of culture]. They also have so many researchers now that it probably has sub-cultures. Even a single remote office can have its own culture.


>I assume in the post-Sourcefire Cisco game plan, Duo stays Duo.

Not overly surprisingly if so. Meraki, and in some ways OpenDNS, have stayed mostly their own with varying degrees of integration.


I agree 100%. My experience with Duo has been awesome compared to other 2FA solutions such as RSA (which was a dumpster fire setting up and maintaining). I would hate it if Cisco ruined it.


Also made the switch from RSA to Duo - was like a breath of fresh air. Sales rep said that about half of their clients that had an MFA solution already were converts from RSA (not surprising really.)


In my experience Cisco leaves an acquisition alone for at least a couple of years, providing its brand and sales force. If the acquisition isn't proving its worth and/or if revenue growth is staying flat then start packing your bags.

On the other hand I don't like how the acquisition's leadership gets to absorb other BUs which are targeting similar market space because there is a lot of time and effort that gets invested into integrating teams' working culture and style. Also the incoming teams fight to keep their product portfolios alive which leads to sub-optimal decisions.


Cisco follows a survival of the fittest strategy without really saying it or pushing teams/acquisitions to the death.

They provide all the resources you need, are very ethical and help your newly acquired team do your best. If your team (business unit as they call it) doesn't cut it after a few years, they start maneuvering those resources elsewhere. But they've always given every acquisition a fair chance to have their own story. See: Meraki, Insieme, Webex.

Cisco probably doesn't care if a few of their startup acquisitions don't work out.


The more recent acquisitions like Meraki and OpenDNS seem to have fared better. Perhaps the lesson here is that the acquisitions do better when left alone by the mothership. :)


Exactly. They ruined the mobile startup I worked at. I don't have a lot of love for Cisco at the moment.


I've added 2FA to a handful of sites with Duo's product. It was a great experience and would recommend it.


Congrats to Dug and Jon and the whole Duo team!


Are they a cybersecurity company? I thought they were more about IAM. I realize this is the CNBC headline, but I am curious if Duo does something I was unaware of, like rev. engineering, pen. testing, etc.

ps - congrats to Duo!


Not to be too sticky about it, but IAM is cybersecurity. There's a lot more to security than reverse engineering, pen-testing, and vulnerability research.


Sorry for making it about semantics when it should be about celebrating Duo and discussing the acquisition. I just don't love the term "cybersecurity" in the first place because HR (training, background checks) and facilities (physical security) are just as important to an overall security posture. I think proper IAM policy and implementation are part of that and none of them succeed in isolation.


That's an excellent point! It would be good to get away from 'cybersecurity' as a term and more towards focus on general security. You're right that none of these succeed in isolation. :)


They are increasingly adding features that check the health and security of endpoints. So not unlike some MDM.


I've never been clear about the connection to the core business but Duo Labs does a lot of vulnerability research / reverse engineering. https://duo.com/labs


Doesn't do identity, relies on external IAM. Look into Duo Beyond.


Duo Beyond was a very smart move on their part, taking Google's enterprise security architecture and turning it into a third-party turnkey solution for enterprise customers. They did it before Cloudflare, too. I bet that is a big part of the reason why Cisco is paying so much now.


There isn't anything particularly innovative about Duo Beyond. Inspect the Docker containers and you'll see they simply rebranded simplesamlphp and wrote a custom ngx_http_auth_request_module handler for NGINX for their authenticated reverse proxy product.

If Cisco paid 2 billion dollars for this, my mind is really blown. I'm struggling to figure out how they ended up at 2 billion because I don't see it in anything material -- perhaps the patents or a play against Okta for recurring revenue from smaller companies which might not have Cisco gear?


Cisco didn't pay $2B for simplesamlphp, they paid it for "Duo Security provides cloud-based tools to prevent security breaches on devices." :)


Interesting, thank you!


Considering Cisco's history you will probably be able to use default credentials. I no longer would trust Duo.


Trying to understand the downvotes to this comment. Cisco's been caught on multiple occasions including backdoors in their products.

Expressing skepticism of their stewardship of a security company is perfectly reasonable.


Cisco, Adobe and Oracle seem to be having a competition of who can release the most security vulnerabilities.

I personally and professionally will never want to touch their products.


Duo's "Duo Push" push based second factor says it "can protect against man-in-the-middle (MITM) attacks" but I don't see how this type of push system can do that.

Does anybody have an explanation, or is this claim in fact entirely hollow and a real world MITM would work just fine but they're pretending to believe real users would do stuff like verify their IP address in a phone message?


I know some of the Duo folks and they are serious security nerds and I don't think they would make this up. That said, I don't have any knowledge of the implementation. I did find this[1]:

> Duo Push technology employs asymmetric encryption to sign and verify communications between Duo's servers and a smartphone running the Duo Push app

I'm thinking this is saying something like they sign the contents of the push notification with a key that the app knows and that the man in the middle wouldn't have. So, they're not just relying on the provider of the push notification service.

[1]: https://searchsecurity.techtarget.com/answer/Do-two-factor-a...


Yeah, this doesn't help with a MITM because what happens is the victim is at Mallory's site thinking it's their real sign on site, Mallory is talking to their real sign on service. The victim types in real credentials, and says OK let's use Duo Push... Mallory now has their credentials and does Duo Push. The push is securely sent to the victim's phone, and they press OK because they really are trying to sign in. Mallory is allowed in.

FIDO tokens break this attack because the token is talking to the victim's web browser, and that's not visiting the real site so it doesn't work. If Mallory lets the victim's browser talk to the real site, sign in works but Mallory is cut out of the loop.

It's a Confused Deputy problem. Push 2FA assumes that if you confirm that you're trying to sign in at 9:14 and there's an attempted sign in at 9:14 then that's one event, but unlike U2F the only thing connecting the two is the timing, which Mallory can choose.
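
The difference this comment describes, as an added example that is not part of the original thread and is not Duo's or FIDO's code: a push check that links approval to a sign-in only by timing, next to a relying-party check of an origin-bound assertion. The hostnames, key and function names are constructed, and HMAC stands in for the token's asymmetric signature.

```python
import hashlib
import hmac
import json

REAL_ORIGIN = "https://valery.example"    # constructed: the genuine sign-on site
PHISH_ORIGIN = "https://mallory.example"  # constructed: the look-alike site
DEVICE_KEY = b"constructed-demo-key"      # assumption: stand-in for the token's key pair


def push_approved(login_time, tapped_ok_at, window=60):
    """Push model from the comment: only timing ties the tap to a sign-in."""
    return abs(login_time - tapped_ok_at) <= window


def token_sign(challenge, browser_origin):
    """Token side: the browser supplies the origin it is actually visiting."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": browser_origin}, sort_keys=True
    )
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, sig


def rp_verify(challenge, client_data, sig):
    """Relying party: the signature must cover this challenge AND our own origin."""
    expected = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # client data was altered after the token signed it
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN


def login_outcomes(browser_origin):
    """Return (push_accepts, origin_bound_accepts) for one sign-in attempt."""
    challenge = "c-1234"  # constructed challenge issued by the real site
    push = push_approved(login_time=1000, tapped_ok_at=1005)
    client_data, sig = token_sign(challenge, browser_origin)
    return push, rp_verify(challenge, client_data, sig)


if __name__ == "__main__":
    print("browser at real site:      ", login_outcomes(REAL_ORIGIN))
    print("browser at look-alike site:", login_outcomes(PHISH_ORIGIN))
```

The push check returns the same answer in both cases because nothing in it depends on where the browser is; the origin-bound check is the only one whose result changes.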


Why would Duo Push allow Mallory's site to initiate a Duo Push for RealSite.com without either a shared secret or certificate validation?

You present an obvious problem that has been solved securely many times over many products and act as if a group of IAM and 2fa professionals ignored or just hadn't thought of it before...


Because mallory.com (who's impersonating valery.com by ripping off the site design, and has a valid certificate for mallory.com) is running a full-up copy of Chrome in a VM, and is clicking the signin link just like a user would do.

I assume what Duo is referring to, though, is that they send through the IP address that your push request is coming from.

So if a user is observant and knows their public IP, they should see the difference.


The real site doesn't know this is Mallory, after all Mallory has the victim's credentials. It stands to reason it will offer Duo Push. And the victim is expecting Duo Push so they'll hit OK.

You insist this "has been solved securely many times over" but it famously hasn't, which is why I asked if Duo had some secret sauce. They evidently don't.

People keep building things that are very clever but don't actually respond to the threats in the real world, MITM is a real world threat, and one Duo shouldn't be pretending they're defending against with this Push technology.


Yeah, I believe this is in comparison to SMS-based 2FA.


you are right, it can't


I'm so excited for Duo, amazing folks with amazing products.

This is another solid proof that one doesn't have to be in the Bay to build unicorns, amazing companies or have a fantastic exit.


Looks like Duo provides a 2FA for accessing any application? Does it work for any random app? Are there any details online about the technical details on how that works?


We offer a similar Trusted Access and Session Analytic Platform - https://seknox.com/trasa

We have been successfully offering an on-premise solution to local financial institutes here in Nepal and we are working on launching our SaaS offering (it's currently in beta with a few users). If you are interested in beta access, drop me a message at sakshyam[at]seknox.com

Disclosure: I am founder of this startup.


At least it isn't Oracle.


Unbelievable. I went to school with Jon and talked to him a few times.


ah, no wonder they are completely unresponsive to pre-sales inquiries. they have been busy getting acquired.

good on them, since their product is largely uncompetitive today. (they had their moment but it has passed)


Congrats to Duo!


Google, Duo, who's next? Clinc?



