You don’t have to look very hard to find a company that has experienced a data breach. According to businessinsider.com, the top 5 breaches of 2018 accounted for 100 million or more lost personal records. Security teams are working harder than ever to ensure data loss does not occur, and we can all expect that GDPR is only the start of a new wave of privacy laws. Or at least it should be.
The biggest hurdle most companies face in the modern age of the Internet of Things (have you counted how many devices are on your home network? mine has over 30), Software as a Service, Shadow IT, and so on is that security teams are facing a deluge of data. It’s like trying to find a needle in a stack of needles. This is where Security Information and Event Management (SIEM) tools come in. They take all that information and try to make the important items “bubble to the top.” One of the most popular tools used by larger enterprises is Splunk. Splunk is a great tool: it can receive data from many different inputs, such as firewall logs, event logs from servers, network flow data, and on and on. There are many dashboards and reports written that allow security personnel to glean what is important. It then lets the user correlate this data by date and time, dig in to see what is going on, and store the information for the long term. But importing all that data comes at a price. Splunk has traditionally been licensed by daily ingest volume, so the more information it takes in, the higher the cost. In addition, the more data there is, the more the reports and dashboards have to sift through to surface what is important, and the more alerts the analysts have to triage.
Here is where Citrix Analytics can help. Citrix Analytics is a Software as a Service (SaaS) product that works with the Citrix products to analyze network and application traffic, detect anomalies, and highlight possible security problems. It then generates actionable insights that administrators can act on, proactively and automatically, for security threats. Citrix applies machine learning on top of its own knowledge of how its products are normally used to build a baseline of user and application access under normal conditions. When it sees activity that deviates from that baseline, it raises the user’s risk score, which can trigger IT intervention and/or automatic actions such as turning on Session Recording. This lessens the load on the security team while improving the likelihood of catching unusual activity and shortening the time to act when something does happen. The original data also remains accessible: if the security team needs to go back and research when and where a breach occurred, or when the problem started, all of the necessary information is there and can be drilled into.
The security dashboard of Citrix Analytics quickly shows the user risk profiles. It presents useful information such as the number of risky users and the trend over time, and it lists the users with the highest risk scores.
Clicking a user name takes you to a view of the actions that user took that resulted in the score.
It also shows what actions Analytics took in response. In this example we see that the user had login failures followed by unusual application usage, then unusual logon access and a potential data exfiltration. As a result, the risk score climbed to 99, and the system responded by notifying the user that there might be a problem and adding the user to a watch list.
An example of some of the actions that can be automated can be seen here:
If you need to see what triggered the unusual logon access indicator, select that item and Analytics shows what happened, when it happened, and the event details, including IP address, time, and location if it can be determined. It also lets you, as the administrator, click a link to report the event as a false positive. Doing so can reduce the user’s score and restore access that was removed, such as links to files or the ability to log on to the network.
Splunk integration with Analytics has three benefits. First, it lets us send only the alerts and the actions taken to Splunk, instead of all the raw logs and data, which reduces the ingested volume tremendously. Second, it means Splunk users are alerted only when they need to be. Third, the actions are automated, so we can say an issue was detected and corrected as rapidly as possible. One practical consequence to keep in mind: the raw events behind an alert then live in Citrix Analytics rather than Splunk, so cross-source correlation in Splunk happens at the alert level and the drill-down into the original events happens in Analytics. Splunk integration is enabled under the Settings: Data Sources link.
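To make the model described above concrete (the baseline-and-risk-score behaviour analytics described in the earlier sections, and the reduced-volume alert feed to Splunk described here), the following Python is an added illustration written for this post. It is not Citrix Analytics code and not Citrix’s actual algorithm. The event fields, indicator names, weights, thresholds, sample events and the `mark_false_positive` helper are all constructed assumptions; a real deployment receives its events from the Citrix products and its alert format from the Splunk integration.

```python
from collections import defaultdict

# Assumed weights each indicator adds to a user's risk score (not Citrix's values).
RISK_WEIGHTS = {
    "login_failures": 15,
    "unusual_app_usage": 25,
    "unusual_logon_access": 25,
    "potential_data_exfiltration": 35,
}
NOTIFY_THRESHOLD = 50     # assumed: notify the user at this score
WATCHLIST_THRESHOLD = 80  # assumed: add the user to a watch list at this score
MAX_SCORE = 100

# Constructed baseline: a sample of normal activity for two users.
BASELINE_EVENTS = [
    {"user": "alice", "type": "logon", "ip": "10.0.0.5", "hour": 9, "app": "Outlook", "bytes": 0},
    {"user": "alice", "type": "app", "ip": "10.0.0.5", "hour": 10, "app": "Outlook", "bytes": 0},
    {"user": "alice", "type": "download", "ip": "10.0.0.5", "hour": 11, "app": "ShareFile", "bytes": 2_000_000},
    {"user": "alice", "type": "app", "ip": "10.0.0.5", "hour": 14, "app": "ShareFile", "bytes": 0},
    {"user": "bob", "type": "logon", "ip": "10.0.0.9", "hour": 8, "app": "SAP", "bytes": 0},
    {"user": "bob", "type": "download", "ip": "10.0.0.9", "hour": 9, "app": "SAP", "bytes": 500_000},
]

# Constructed new events: bob behaves normally; alice shows the sequence from the post
# (login failures, unusual app, unusual logon, large download).
NEW_EVENTS = [
    {"user": "bob", "type": "logon", "ip": "10.0.0.9", "hour": 8, "app": "SAP", "bytes": 0},
    {"user": "alice", "type": "auth_fail", "ip": "203.0.113.7", "hour": 2, "app": None, "bytes": 0},
    {"user": "alice", "type": "auth_fail", "ip": "203.0.113.7", "hour": 2, "app": None, "bytes": 0},
    {"user": "alice", "type": "auth_fail", "ip": "203.0.113.7", "hour": 2, "app": None, "bytes": 0},
    {"user": "alice", "type": "logon", "ip": "203.0.113.7", "hour": 2, "app": None, "bytes": 0},
    {"user": "alice", "type": "app", "ip": "203.0.113.7", "hour": 2, "app": "SAP", "bytes": 0},
    {"user": "alice", "type": "download", "ip": "203.0.113.7", "hour": 3, "app": "ShareFile", "bytes": 250_000_000},
]


def build_baseline(events):
    """Summarise what 'normal' looks like per user from historical events."""
    base = defaultdict(lambda: {"apps": set(), "ips": set(), "hours": set(), "max_bytes": 0})
    for e in events:
        b = base[e["user"]]
        if e["app"]:
            b["apps"].add(e["app"])
        b["ips"].add(e["ip"])
        b["hours"].add(e["hour"])
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return dict(base)


def detect_indicators(user, events, baseline):
    """Return the risk indicators raised by this user's new events, in detection order."""
    b = baseline.get(user, {"apps": set(), "ips": set(), "hours": set(), "max_bytes": 0})
    found = []
    if sum(1 for e in events if e["type"] == "auth_fail") >= 3:
        found.append("login_failures")
    if any(e["type"] == "app" and e["app"] not in b["apps"] for e in events):
        found.append("unusual_app_usage")
    if any(e["type"] == "logon" and (e["ip"] not in b["ips"] or e["hour"] not in b["hours"])
           for e in events):
        found.append("unusual_logon_access")
    # Assumed rule: a download more than 10x the user's largest baseline download.
    if any(e["type"] == "download" and e["bytes"] > 10 * b["max_bytes"] for e in events):
        found.append("potential_data_exfiltration")
    return found


def risk_score(indicators):
    return min(MAX_SCORE, sum(RISK_WEIGHTS[i] for i in indicators))


def automated_actions(score):
    actions = []
    if score >= NOTIFY_THRESHOLD:
        actions.append("notify_user")
    if score >= WATCHLIST_THRESHOLD:
        actions.append("add_to_watchlist")
    return actions


def analyse(new_events, baseline):
    """Score every user seen in new_events; the raw events stay here for drill-down."""
    per_user = defaultdict(list)
    for e in new_events:
        per_user[e["user"]].append(e)
    results = {}
    for user, evs in per_user.items():
        ind = detect_indicators(user, evs, baseline)
        score = risk_score(ind)
        results[user] = {"score": score, "indicators": ind,
                         "actions": automated_actions(score), "raw_events": evs}
    return results


def siem_forward(results):
    """Only compact alert records for users over the notify threshold go to the SIEM."""
    return [{"user": u, "risk_score": r["score"], "indicators": r["indicators"], "actions": r["actions"]}
            for u, r in results.items() if r["score"] >= NOTIFY_THRESHOLD]


def mark_false_positive(results, user, indicator):
    """Administrator clears one indicator; the score and actions are recomputed."""
    r = results[user]
    r["indicators"] = [i for i in r["indicators"] if i != indicator]
    r["score"] = risk_score(r["indicators"])
    r["actions"] = automated_actions(r["score"])
    return r


if __name__ == "__main__":
    results = analyse(NEW_EVENTS, build_baseline(BASELINE_EVENTS))
    print(len(NEW_EVENTS), "raw events in;", len(siem_forward(results)), "alert(s) out")
```

Running it, seven raw events go in and a single alert record for the one risky user comes out, which is the volume reduction the Splunk integration is after; the raw events remain in the analysis results for drill-down, and clearing one indicator as a false positive drops the score below the watch-list threshold and removes that action.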
If you need to enable this capability, the Analytics Documentation can be found here
And Analytics is winning awards.
“With cybercrime, hacktivism, cyberespionage, ransomware and malware exploits on the rise, companies leveraging the cloud must pay close attention to its security implications. After reviewing nearly 3,000 InfoSec companies worldwide, we chose Citrix for our 2018 InfoSec Awards Editor’s Choice for Cloud Security because they are an innovator on a mission to help stop breaches and get one step ahead of the next threat.”
Gary S. Miliefsky, publisher, Cyber Defense Magazine.
For more information, read this Citrix eBook about behavior analytics