This post is also based on a session I had at Citrix User Group about Citrix Analytics. Even though Citrix Analytics is not yet released, I did a lot of research on the product in advance. So in this post, I will go into a bit of depth about the product, about the features that are available now, and about what I think is missing in the product as of now.
Citrix Analytics was announced by Citrix last year. At its core, it is about machine learning and analytics on data that is already available. It gathers the data from these different sources into a big data platform and uses the historical data from these sources to build a baseline, so that it can predict what normal behavior is and what abnormal behavior is. It is also about moving from being reactive to being proactive.
Most monitoring tools today are reactive: they see that a process stops, a server goes down or a service stops running, and therefore we need to go and troubleshoot. With analytics, we try to shift that focus to being proactive: “here we have the historical data, showing that based upon the last 12 months this occurred on the same date because of user load on the server”, and based upon this historical data we can take actions. The same method can be looked at from a security perspective. For instance, say we have someone in HR, let’s call him Dave, and every day he accesses the HR system, and this has been his trend for the last 6 months from the same physical device in the same location. Suddenly he accesses another application from another system in another location. This falls into abnormal behavior, and based upon this we might have a risk, so we need to have an automated action.
Citrix Analytics is going to be available in three modules, but right now only the Security module is available (it is now in Preview and you can request access here –> https://www.citrix.com/products/citrix-cloud/form/citrix-analytics/ ). Analytics can gather information from Citrix products only, which means XenDesktop/XenApp, ShareFile, NetScaler and Citrix XenMobile.
The data collected from these sources is then placed into Citrix Analytics (which is a cloud-only service). It consists of a data lake, event processing, and machine learning, and stores information for 13 months to generate a baseline (or user trends) based upon the historical data. Of course, having data stored for this long a period allows the system to create more accurate models of user behavior.
NOTE: Even if Analytics is a cloud-only platform, it can still get data from existing on-premises deployments.
Now Citrix Analytics can also take actions against these systems. If we, for instance, have a user who is suddenly marked as high risk (based upon risk indicators, for instance a failed EPA scan or an unknown location), we can directly disconnect the end-user from XenDesktop or terminate the session. So all the data collected from the different sources can then be turned into actions.
To get the data into Analytics, we need to have additional agents installed. For NetScaler we need the MA Service, which sends AppFlow data so Analytics can see the session information. For XenDesktop we need to have an agent installed on the Delivery Controller, and we also need to define Citrix Director access, because Analytics taps into Director to get the historical data stored there.
Now as mentioned, Analytics creates a user score to determine if they are seen as a high risk or not, and if they are on a certain risk level based upon risk conditions, we can take actions.
So for instance if we see an excessive level of external file sharing on a particular user.
Or any other type of activity which might be a risk indicator.
We can take action on that rule, such as disabling the user’s access or logging the account off NetScaler.
Now as a product Citrix Analytics has some promise, in that it can automatically detect abnormal behavior and react to it. When it comes to the limitations of the product, these are the ones I see so far:
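To make the baseline-and-risk-score workflow described above (and the “Dave” scenario earlier in the post) concrete, here is an added example of my own, not Citrix code: it builds a per-user baseline from constructed historical access events, names deviations as risk indicators, totals them into a score and maps the score to an action. The indicator weights, thresholds and action names are assumptions, not Citrix Analytics’ real scoring model.

```python
def build_baseline(history):
    """Summarise history into what counts as 'normal' for this user."""
    return {
        "devices": {e["device"] for e in history},
        "locations": {e["location"] for e in history},
        "apps": {e["app"] for e in history},
        # Highest external-shares-per-day seen in history.
        "max_shares": max(e["external_shares"] for e in history),
    }

# Assumed indicator weights (illustrative, not product values).
WEIGHTS = {"unknown_device": 30, "unknown_location": 30, "new_app": 20,
           "failed_epa_scan": 40, "excessive_sharing": 25}

def risk_indicators(baseline, event):
    """Compare one new event against the baseline; return each deviation seen."""
    found = []
    if event["device"] not in baseline["devices"]:
        found.append("unknown_device")
    if event["location"] not in baseline["locations"]:
        found.append("unknown_location")
    if event["app"] not in baseline["apps"]:
        found.append("new_app")
    if not event["epa_passed"]:
        found.append("failed_epa_scan")
    # 'Excessive' = more than double the historical daily maximum (assumption).
    if event["external_shares"] > 2 * max(1, baseline["max_shares"]):
        found.append("excessive_sharing")
    return found

def risk_score(indicators):
    return min(100, sum(WEIGHTS[i] for i in indicators))

def action_for(score):
    """Score bands -> the kind of automated response the post describes."""
    return "log_off_session" if score >= 70 else "alert_admin" if score >= 40 else "none"

def evaluate(history, event):
    indicators = risk_indicators(build_baseline(history), event)
    score = risk_score(indicators)
    return indicators, score, action_for(score)

# Constructed sample data for the 'Dave' scenario above.
DAVE_HISTORY = [{"device": "HR-LAPTOP-01", "location": "Oslo", "app": "HR-System",
                 "epa_passed": True, "external_shares": n} for n in (0, 1, 0, 2)]
NORMAL = dict(DAVE_HISTORY[0], external_shares=1)
ABNORMAL = dict(device="UNKNOWN-PC", location="Elsewhere", app="Finance",
                epa_passed=True, external_shares=1)
```

Running `evaluate(DAVE_HISTORY, ABNORMAL)` flags the unknown device, unknown location and new application, which pushes the score into the log-off band, while `NORMAL` produces no indicators at all.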
1: It doesn’t as of now have any integrations with a SIEM tool to forward alerts/actions directly. Or any form of API that can be called upon to get that type of information (at least to my knowledge, there might be some API underneath but it is not documented yet)
2: It is Citrix only – when it comes to sources and actions it currently only works against other Citrix products, which is something they need to extend. Citrix also announced something called Citrix Access Control during Synergy (source: https://www.citrix.com/blogs/2018/05/08/secure-the-access-and-use-of-saas-web-apps-in-your-digital-workspace/), which provides SaaS access control. This also extends into Office 365, so in the long run Analytics might be able to act against Office 365 as well. Hopefully, Analytics can also re-use information across tenants, so that if they see suspicious behavior from the same IP address across tenants, they can take action on it.
3: I see it overlapping a bit with Azure AD / Intune and Conditional Access – with Conditional Access we also have multiple conditions that we can use to decide on or take action against a particular user or device. Now Conditional Access doesn’t use any form of analytics itself, but we have risk levels based upon information from Azure ATP, Windows Defender ATP, Azure AD and device security, which determine if a user should get access or not. Also, Microsoft has its own Security Graph API, which holds a lot of historical and analytics data. Microsoft also has Cloud App Security, which can act as a proxy in web sessions and deny/allow access to the application.
Now what I would love to have here is an integration between Citrix and Microsoft, so we could have an integration point between Conditional Access and Citrix when it comes to sources, and then have actions on Azure AD, SaaS and Citrix environments. That would be really awesome!