Monitoring User Behavior Anomalies with Citrix Analytics

My story, like many others, is rooted in a basic human instinct for survival and inherent greed. It was early 2000 something and the dot-com bubble was bursting right before my eyes, sending the hopes, dreams and fortunes of the young and old tech wannabe spiraling down into an abyss of bankruptcy.

I was running Technical Training for a mid-size computer training company based in Boston. At the climax of the tech craze we had grown in size, both in terms of sales and employees, beyond our wildest dreams. Seemingly overnight we had gone from one employee with no office to fifty with three locations and over twenty classrooms going night and day. Every Friday afternoon the receptionist's desk was converted into an open bar with catered food and employees who lost all inhibitions.

And for trainers with technical certifications in Microsoft, Novell, and Citrix it felt like the sky was the limit.

In no time at all, the training landscape became crowded with competing “certification factories”, all grabbing for the same customers and instructors alike. I had never been very popular in high school, but I suddenly felt like the kid at prom who snuck in a bottle of Southern Comfort he stole from his Dad’s basement bar. Everyone wanted me, or someone like me.

Being a senior person (at the ripe old age of 28), I had access to all the servers and network shares that the business ran on. I had a shared account on the CRM application (on-prem) and the common mapped drive that was set up through a complex logon script. After all, I was the one who had set up the infrastructure in the first place.

I had just accepted a job at the main competitor for 30% more salary and added days out of the class to prep new materials. I was drunk on arrogance. Thinking I would make a big splash in my new job, I decided to take a few bits and bytes from my “old” company. These included account names, decision maker contact, current and future budgeted training needs and everything short of the custom training guides (intellectual property). For those, I had to access the S:\ drive — again mapped through my own batch files. What I didn’t copy over to an external hard drive that dangled from its ribbon cable on the side of the server like a broken pendulum on a grandfather clock, I printed off in reams of paper.

All this, of course, was before we had tools like Citrix Analytics, which applies machine learning to data that spans network traffic, users, files, and endpoints to identify and act on malicious user behavior and app performance anomalies. Back in those days we had no monitoring capabilities. If you didn’t see the employee wheeling out stacks of data in a wheelbarrow you may never have known there was a theft. And because network security consisted only of user name & password, even if you did know there was data theft, proving who stole your IP was near impossible.

Karma is a fickle lover and it was only a matter of months after this that the tech bubble burst and with it my cloak of arrogance.