Uncover VDI and DaaS data risks with in-session clipboard monitoring

Abhinava Sharma

1 year ago

This blog post was co-authored by Gavin Strong, Pre-Sales Engineer at Citrix.

To meet the needs of a fast-growing, distributed workforce, organizations have rolled out virtual desktop infrastructure (VDI) with a goal of improving employee productivity and the end-user experience.

While these IT strategies have provided immense benefits in terms of infrastructure cost savings, flexibility of provisioning, scaling of corporate apps, and ability to provide quick IT access to end users, organizations are at risk of potential breaches and threats of data loss. Mergers and acquisition activities have added to the threat mix, creating access risks from unmanaged endpoints and third-party contractors or task-worker users.

These risks can lead to breach incidents that can damage businesses, exposing them to financial liability, damaged reputation, and costs and employee effort related to legal audits and incident responses.

Top of Mind: Data Exfiltration Risks

A key security risk for VDI and DaaS security is the threat of data loss from screen capturing and data transfer to and from other endpoints using cut/copy/paste controls. IT security executives are also concerned about data leakage risks on VDI deployments and are looking to solve for four key requirements:

Protecting company intellectual property and mission-critical data from leaking from VDI environments
Balancing labor and privacy law expectations with a data collection mechanism without compromising visibility
Realizing more value from existing VDI platforms with vendor-native data events, collections agents, and fewer tool deployments
Deploying data control and audit measures with block, alerting, and audit policies in the context of VDI sessions, users, device postures, and access for full risk-surface coverage with SOC tools and monitoring

Administration Approaches and Challenges

IT admins are also looking at ways to manage data-loss cybersecurity mandates from cybersecurity leadership with two primary approaches:

Lock and Block: Admins deploy a variety of controls for blocking data movements such as screenshotting and clipboard policies across VDI sessions.
Allow and Audit: Enable access to clipboard data handoff across endpoints and sessions with a strict regimen for gathering adequate evidence in case of unusual in-session activity with session recording and an audit trail of events.

The challenge with the lock-and-block approach is that the more you lock down, the more the user experience degrades because you’re taking away employee flexibility and the ability for your people to work seamlessly across virtual sessions and physical endpoints.

Admins also want an evidence trail of lockdown policies that are initiated so they can audit data movement attempts and risky users and have visibility into policies that are violated and the apps and files these data movement attempts are happening from.

Uncovering, Understanding the Risk with Citrix Analytics

With Citrix Analytics for Security, we are helping organizations solve these challenges. IT admins are focused on security and enabling outcomes for security operations teams as they gather detailed data movement trails for deeper insights. Our focus is on helping organizations to:

Aggregate: With our deep VDI integrations, we help admins pull out focused data sets such as clipboard place by tapping into proprietary Citrix protocols like (HDX) and generating events (VDA.clipboard) and supporting this with Citrix Workspace’s client-side instrumentations (app.saas.clipboard). The focus here is on generating adequate context for security teams to put together a complete user behavior profile, including details about user, session, applications, and data movements for critical departments and workflows.
Audit: These events are available with full context and metadata with our self-service view or you can hand them off to SIEM for SecOps trails and compliance data. This enables admins to gather adequate evidence in case of unusual in-session activity
Learn: With our custom conditional alerting mechanism and policies engine, admins can put in elaborate event conditions with session and application launches and isolate risky user behavior across the access surface.
Act: With our Action framework, you can pair CAS alerts with sophisticated responses to lock down a user’s session, kick off a session recording for evidentiary trails, or merely put a user on a watchlist for continuous monitoring.

Aggregate: Enable Clipboard Date Event Collection for Citrix DaaS

Citrix DaaS allows users to perform clipboard operations, and admins can view the related logs in Citrix Analytics for Security.

These clipboard logs provide valuable information such as the VDA name, clipboard size, clipboard format type, client IP, clipboard operation, clipboard operation direction, and whether the clipboard operation was permitted.

Follow these simple steps to collect clipboard telemetry:

1) Install VDA version 2212 and setup registry settings in VDA. Create Key called “Clipboard” under “Computer\HKLM\SOFTWARE\Citrix\Clipboard” and create Reg Key REG_DWORD called “CASDataCollection” = 1.

2) Reboot the Machine/Master Image for the Reg key to take effect. Update Machine Catalog using Master Image Template (if using MCS).

3) To verify that the Clipboard Actions are being captured and sent to CAS Event hubs, we can confirm via CDF Traces.

4) Select the BrokerAgent Module only. Within the Traces, when we initiate a clipboard operation within a VDI session, it will generate a HdxClipboardEvent.

Audit & Learn: Clipboard In-Session Activity

Review the VDA Clipboard telemetry in self-service view. You can see the VDA.Clipboard Event Type telemetry being processed in and use these logs for risk analysis and investigations by selecting the Apps and Desktops data source on the Search page in Citrix Analytics for Security.

You can also hand off these events to a SIEM (Splunk , Microsoft Sentinel) for deeper threat hunting, audit reporting, and correlation with other SaaS, cloud deployment, and user identity events.

Actions: Setting Up Alert Policies and Actions for Monitoring

You can set up alerts with Citrix Analytics for security custom risk indicator workflows. For example, you can detect excessive use of clipboard operations greater than 30B within Citrix VDI sessions.

You can also set up an action policy to automate response to risk indicator to:

Trigger Session Recording dynamically to proactively record for potential data exfiltration in the context of user in-session activity
Notify administrators of excessive clipboard usage within VDI sessions
Add users to the watchlist

Increase Security, Enhance Employee Productivity

Don’t let data loss risk and data security policies get in the way of your employees working productively with Citrix VDI technology. Enable audit and monitoring capabilities with Citrix Analytics for Security so you can:

Enhance visibility and uncover VDI blindspots that present data exfiltration risks
Get more out of your Citrix deployments with native integrations and Citrix monitoring
Get the audit and reporting capabilities you need for regulatory compliance of VDI session data movements

Learn more about Citrix Analytics for Security. And try it today! If you’re not already a customer, you can sign up for a trial at analytics.cloud.com.