Not only is IT getting more complex, keeping it all secure is perhaps an even tougher job. So, where can we monitor all these apps, data usage and user activity? And what if someone with bad intentions wants to download all corporate data? Or a user tries to log on from an untrusted computer? Or ransomware is uploaded?
The first thing that popped into my mind: could Citrix Cloud Analytics help us out?
Time to find out in a series of blogs! First off: how to get started, and which sources can we monitor within Citrix Cloud Analytics?
First: when accessing Citrix Cloud there is a tile named ‘Analytics’. Easy!
Within Citrix Cloud Analytics you can add sources and “Turn on Data Processing”. This is done by clicking Settings in the upper right area of your dashboard and selecting “Data Sources”.
First up are the Citrix data sources. Citrix’s definition is:
“Data sources are Citrix services and products that send data to Citrix Analytics. The data sources associated with your Citrix Cloud account are automatically discovered by Citrix Analytics. This includes Citrix ADC instances added to Citrix Application Delivery Management (ADM) and on-premises Citrix Virtual Apps and Desktops added to Citrix Workspace.”
Data sources we can add from the Citrix side (each maps one-to-one to a Citrix Cloud service):
Access Control (service)
I’ve added the key capabilities of the Citrix Cloud Access Control offering below because the service is less well known:
- Publish SaaS apps with single sign-on access.
- Set enhanced security policies for SaaS apps. (For example, watermark, copy-paste restriction, and prevent downloads.)
- Define access policy for website categories and websites to be blocked.
- Define access policy for website categories and websites to be redirected to Secure Browser service.
- Understand users and websites activity in the context of SaaS apps and correlate it to defined policies.
- Make policy changes to allow or block website access, and enable access in a secure browser service session.
And now, what can we do and monitor with the data generated by the offering? Analytics lets you set up rules concerning the following risk indicators*:
- Attempts to access blacklisted URLs.
- Risky website access.
- Unusual download volume.
- Unusual upload volume.
*Risk indicators are rules that can be set up and differ per service. These ‘rules’ can trigger actions; for example: if user A downloads X files from Content Collaboration then –
Content Collaboration (service)
Of course we all know Citrix ShareFile, the collaboration tool to securely share and sync content from the cloud and/or on-premises storage devices. Available risk indicators in Analytics:
- Excessive file downloads.
- Excessive file/folder deletion.
- Excessive file sharing.
- Excessive file uploads.
- Ransomware activity suspected (files replaced).
- Ransomware activity suspected (files updated).
- Excessive access to sensitive files (DLP alert).
- Unusual logon access.
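To make the idea of a risk indicator rule more concrete (a threshold that fires when a user’s activity deviates from their own baseline or from a pattern, see the footnote above and the Content Collaboration list), here is an added example that is not code from this blog or from Citrix. It evaluates two indicators in the spirit of “Excessive file downloads” and “Ransomware activity suspected (files replaced)” over a constructed file-activity log; the event format, the `download`/`replace` action names, the thresholds and the window sizes are all assumptions, not Citrix Analytics’ actual schema or algorithms.

```python
"""Baseline and burst risk-indicator evaluation over constructed file-activity events.

Illustrative only: the event format, action vocabulary, thresholds and window sizes
are assumptions for this example, not Citrix Analytics' real schema or logic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    action: str  # assumed vocabulary: download, upload, replace, delete
    path: str


def build_sample_events():
    """Constructed sample activity (not real data): five days of steady use for two
    users, then one burst of downloads and one burst of file replacements on day six."""
    events = []
    base = datetime(2019, 6, 3, 9, 0)
    for day in range(5):  # days 0-4: alice ~4 downloads/day, bob 2/day
        d = base + timedelta(days=day)
        for i in range(4):
            events.append(Event("alice", d + timedelta(minutes=15 * i), "download", f"/Finance/report_{day}_{i}.xlsx"))
        for i in range(2):
            events.append(Event("bob", d + timedelta(minutes=20 * i), "download", f"/HR/policy_{day}_{i}.pdf"))
    d = base + timedelta(days=5)  # day 5 (2019-06-08)
    for i in range(40):  # alice pulls 40 files in 40 minutes
        events.append(Event("alice", d + timedelta(minutes=i), "download", f"/Finance/archive_{i}.xlsx"))
    for i in range(2):  # bob stays at his normal 2/day
        events.append(Event("bob", d + timedelta(minutes=20 * i), "download", f"/HR/policy_5_{i}.pdf"))
    for i in range(8):  # carol replaces 8 files within 4 minutes, new extension on each
        events.append(Event("carol", d + timedelta(minutes=30 + i // 2), "replace", f"/Shared/doc_{i}.docx.locked"))
    # One legitimate replacement the day before must not trigger anything.
    events.append(Event("carol", base + timedelta(days=4, hours=2), "replace", "/Shared/notes.docx"))
    return events


def daily_counts(events, action):
    """Per-user, per-calendar-day count of a given action."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.action == action:
            counts[e.user][e.ts.date()] += 1
    return counts


def excessive_downloads(events, today, min_abs=10, z=3.0):
    """Flag users whose downloads on `today` exceed both an absolute floor and their
    own baseline of mean + z * stdev, computed over every calendar day since the
    user's first observed download (days with no downloads count as zero)."""
    hits = []
    for user, per_day in daily_counts(events, "download").items():
        first = min(per_day)
        history_days = (today - first).days
        baseline = [per_day.get(first + timedelta(days=i), 0) for i in range(history_days)]
        todays = per_day.get(today, 0)
        threshold = max(min_abs, mean(baseline) + z * pstdev(baseline)) if baseline else min_abs
        if todays > threshold:
            hits.append({"user": user, "indicator": "Excessive file downloads",
                         "count": todays, "threshold": threshold})
    return hits


def ransomware_suspected(events, window=timedelta(minutes=10), min_replaced=5):
    """Flag a user who replaces at least `min_replaced` files inside any sliding
    `window`; reports the largest number of replacements seen in one window."""
    by_user = defaultdict(list)
    for e in events:
        if e.action == "replace":
            by_user[e.user].append(e.ts)
    hits = []
    for user, stamps in by_user.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_replaced:
            hits.append({"user": user, "indicator": "Ransomware activity suspected (files replaced)",
                         "count": best})
    return hits


def evaluate(events, today):
    """Run every indicator and return the combined list of hits."""
    return excessive_downloads(events, today) + ransomware_suspected(events)


if __name__ == "__main__":
    for hit in evaluate(build_sample_events(), date(2019, 6, 8)):
        print(hit)
```

The two indicators deliberately use different shapes: the download rule is per-user and baseline-relative (a power user downloading 40 files a day should not be treated like a clerk who suddenly does), while the replacement rule is a pure burst detector, because many files being overwritten within minutes is abnormal for almost any user. Whatever action a hit feeds (a notification, an extra authentication step, a session termination), the hit record carries the count and threshold so an analyst can judge the alert without re-running the query.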
Endpoint Management (service)
Next up is Endpoint Management (aka XenMobile) for managing endpoints (MDM and MAM). Analytics is available only for the cloud offering, and we can set up the following risk indicators:
- Device with blacklisted apps detected.
- Jailbroken or rooted device detected.
- Unmanaged device detected.
Virtual Apps and Desktops (service and on-prem)
No need to explain the former XenApp and XenDesktop service; on to the risk indicators:
- Potential data exfiltration.
- Access from new device(s).
- Access from device with unsupported OS.
- Unusual application usage (SaaS).
- Unusual application usage (Virtual).
Gateway / Citrix Application Delivery Management (service and on-prem)
The last thing we can analyze is Citrix ADC / Gateway. Available risk indicators:
- Authorization failures.
- EPA scan failures.
- Logon failures.
- Unusual logon access.
On the same page you can add the External Data Sources. These are sources that integrate with Analytics and supply it with more information.
Microsoft Security Graph
Microsoft Security Graph is an external data source that aggregates data from multiple security providers such as Azure AD Identity Protection and Windows Defender ATP.
By default, Citrix Cloud uses the Citrix identity provider to manage the identity information for all users in your account. With the Active Directory data source you can change this to AD. This integration enriches the user context with the additional information available in AD.
Finally, under Data Exports, there is the option to export data to Splunk:
“Citrix Analytics integrates with Splunk to enhance your security incident monitoring and troubleshooting experiences. This integration augments your existing data sources with the intelligence of Citrix Analytics’ risk analysis capabilities such as risk indicators, risk scores, and user profiles. Citrix Analytics exports risk analysis information to a channel. Splunk pulls the same from this channel.”
We have data, and rules can be set up, but what if a rule is hit? The following actions (triggered after a risk indicator is hit) are available in Analytics:
Of course there is a big caveat: what do they store, and where is it kept safe?
Citrix has documented it all well. Data location, data collection, data transmission, data control, data retention, the data collection agreement and the logs collected can be found here:
Data processing agreement:
Perhaps the most important thing for us in Europe...
It is not the only ‘exception’ in the Citrix Cloud offerings; sadly there are more differences between the US and EU Citrix Cloud...
But hey! Citrix Analytics looks very promising as a single dashboard for all our apps, data and user activity, and the possibilities for alerts, risk indicators and actions are sure to keep growing.
Next up: configuring a service and starting data processing. Which service do you want to see first?