When it comes to technology, generally one of the easiest ways to become more interested in a new product or feature is to understand what it does and how its components interact. This article intends to do just that, by explaining all the different pieces that come together in one of our latest additions to the Citrix Cloud dashboard: Citrix Analytics.
What I personally enjoy about this service is that it is not just monitoring, it is automation: you have the ability to act upon the collected data. This makes it a particularly interesting service. Since Citrix Analytics was introduced, it has been a major topic in multiple blog posts. Many of these articles do a great job of presenting Citrix Analytics; others explain how the service is a convenient solution for securing our environments and preventing ransomware attacks or other threats, while still others detail how the service works. Today, we will talk about the components that make all of this possible:
First, one of the most important components in Citrix Analytics is the Data Sources. After all, without a data source, there is nothing to analyze. These sources are the On-Premises products or the Cloud services that can send data to Citrix Analytics. Our entire portfolio can be analyzed now, on at least one deployment type: Cloud services (which are automatically discovered and you only need to enable them) or On-Premises (which require an agent to be installed). For more details on Data Sources, including how to add or onboard your product instance to Citrix Analytics, be sure to check out this post.
Next, another vital component to understand is the Risk Indicators. These refer to suspicious events or unusual activities that could pose a security threat. They form the basis for calculating the Risk score for users, a value calculated dynamically using Artificial Intelligence and Machine Learning algorithms. The algorithms analyze user behavior patterns and the differences between them over a pre-determined period.
There are three different Risk Indicator categories:
- Access – Raised when a user has accessed the network or a specific resource without authorization, or has attempted to access it and failed.
- Data – Identifies if a user downloaded or uploaded an unusually large volume of data to either internal or external destinations over a pre-determined monitoring period.
- Application – This is the category for when the user has attempted to access an unauthorized application over a predetermined monitoring period.
The risk score is, therefore, an aggregate of the Risk Indicators (across the different categories) triggered by the user, and it indicates the level of risk based on User Behavioral Analytics (UBA). There are also three different risk levels:
- High Risk Users – Score from 91 to 100. This score is assigned to immediate complex threats or use cases as defined by policies.
- Medium Risk Users – Score from 71 to 90. It identifies possible complex threats on the rise or multiple serious violations as defined by policies or detected.
- Low Risk Users – Score from 0 to 70. It includes some violations as defined by policies or as detected by the algorithms. This can also include re-evaluated users who were previously marked as high or medium risk.
Last, we have the Actions, which allow you to configure what you want to see happening after a certain event. Actions can be performed manually (when purposely triggered by the administrator) or they can be rule-based (which are automatically applied when a condition is met). The actions can be global or product-specific. Some examples of these actions include disabling a user, locking a device, logging a user off their session, notifying the administrator, recording the session and adding a user to a watchlist.
Location of these components within the Analytics Service interface
You will find the aforementioned user-related concepts, such as information on Risk Users, user scores and users on the watchlist, under the Users link within the Security tab.
Other useful tabs are the Performance tab, which displays application performance data; the Operations tab, which shows you Network Operations data; and the Director tab, which takes you to the same place as the Monitor tab within the Virtual Apps and Desktop Service would.
You can configure and manage your Data Sources and Rules using the Settings tab.
The Help tab offers links to documentation, access to the Welcome page that contains a short demo and a tutorial as well, and a link to the Analytics discussion forum.
Last, you can view Security Alerts and Risk indicators in the Alerts tab.
If this post helped you gain a better understanding of Citrix Analytics and you want to learn more, check the Product Documentation for more information on the Analytics user interface, or request the service and explore all the possibilities it offers in your own Cloud Dashboard.
Cloud Success Engineer