The job of a security professional has never been easy, but today it may be more difficult than ever. Remote work is now the norm, making traditional, perimeter-based defense strategies ineffective. Employees use their personal, unmanaged devices for work. High-profile ransomware attacks are disrupting industries from beef to oil. Meanwhile, talent shortages have left security departments short-staffed.
Citrix Analytics for Security helps security teams address these challenges. Through machine learning (ML) and artificial intelligence (AI), it learns how end users interact with apps, files, and devices. These tools help IT to detect risky behavior without dedicating a member of the security team to an endless review of log files. When risky or malicious behavior is identified, policy automation springs into action. With actions like logging users out of their account, initiating session recording, or expiring links to shared documents, Citrix Analytics for Security helps keep your data safe.
Many Citrix customers also leverage a security information and event management (SIEM) tool. This helps them to monitor the non-Citrix components of their technology stack. While Citrix Analytics for Security and SIEMs each offer unique value, many security practitioners want a consolidated view of risk.
The first step we took toward this consolidation was through our integration with the Splunk platform. Before, admins had to integrate data from several different Citrix products and manually determine what constitutes a security event and the level of associated risk. With the integration with the Splunk platform, customers can export data that can only be generated by Citrix Analytics for Security to their Splunk instance. The first place our joint customers found value was through centralized alerts. The integration also enabled combining and correlating Citrix Analytics for Security risk intelligence information with external data sources within Splunk solutions.
Today, we’re happy to announce a deeper integration with Splunk: the Citrix Analytics App for Splunk, now available through Splunkbase! The app integrates each Citrix Analytics for Security data source, giving you richer insights through new dashboards. It also gives security operations center (SOC) teams the ability to correlate data from disparate logs, helping them identify and proactively remediate security risk quickly.
Additionally, dashboards that were previously available only in Citrix Analytics for Security are now available in the Splunk platform, and you can build additional custom views to suit your debugging and monitoring needs. With this app, you get several integrations designed to enhance the value of your investment in both Citrix Analytics for Security and Splunk solutions. These include:
User Risk Score Overview
Get a consolidated view of users organized by risk level. This integration correlates data between Citrix Analytics for Security and the Splunk platform, giving you a complete view of user risk and enabling you to identify and remediate issues with your riskiest users.
Risk Indicator Overview
The Risk Indicator Overview Dashboard helps to identify both the type of risk and its origination. With insights into apps, files, endpoints, and browsing, Citrix Analytics for Security provides a holistic view of user activity. This dashboard groups risk by different criteria, giving you visibility into the types of risk that are most imminent.
Risk Indicator Details
The Risk Indicator Details Dashboard provides deep insights into potentially risky behavior. Citrix Analytics for Security captures events like device use with blacklisted apps, excessive file downloads, ransomware activity, and more. This dashboard organizes these events into a simple view. This empowers security teams to identify and filter risks by:
- Data Source: Citrix Workspace services feeding data into Citrix Analytics for Security
- Risk Category: Citrix Analytics for Security classifies risk into categories like insider threats, compromised users, and data exfiltration
- Indicator Name: View the specific events creating risk
The app also integrates Citrix Analytics for Security data with other logs in Splunk, so a user's activity can be correlated across sources to identify additional risky behavior by that user.
Entity Details
The Entity Details dashboard breaks down the actions that contribute to a user's risk score. Citrix Analytics for Security records activity with apps, files, and devices, along with the IP address of each request, and its machine learning models flag deviations from each user's normal activity. Policy automation complements this view by acting on your behalf to prevent data exfiltration or account compromise. Correlating Citrix Analytics for Security data with other data in Splunk adds further visibility into end-user behavior.
User Profile Overview
Data help tell stories, but you need context to get the full picture. The User Profile Overview dashboard provides that context by showing trends and comparisons that provide you a rich understanding of user activity at your organization.
Received Events
The Received Events dashboard shows the total number of events received by the app over time. A sudden drop or spike in the volume of data flowing into the app may indicate a misconfiguration or an interrupted data feed, so a quiet dashboard is not necessarily a safe one. Checking this dashboard regularly lets you identify and debug such issues before they leave a gap in your visibility.
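The check the paragraph above describes can be automated rather than eyeballed. The following example, added here and not part of the Citrix Analytics App or Splunk, compares each data source's latest daily event count against the median of the preceding week and flags drops and spikes. The data-source names and all counts are constructed; the thresholds are assumptions you would tune to your own volumes.

```python
"""Flag aberrations in the volume of events received per data source.
Added example (not Citrix or Splunk code); every count below is constructed."""
from statistics import median

# Constructed daily event counts per data source, oldest first.  The final
# value for "vad" drops to zero (as a stopped export would look) and the final
# value for "secure_browser" spikes (as a duplicated feed would look).
CONSTRUCTED_COUNTS = {
    "vad": [1200, 1180, 1250, 1210, 1190, 1230, 1220,
            1240, 1205, 1215, 1225, 1195, 1210, 0],
    "content_collab": [400, 410, 395, 405, 420, 398, 402,
                       415, 409, 411, 397, 404, 406, 412],
    "secure_browser": [150, 160, 155, 148, 162, 151, 157,
                       153, 159, 154, 156, 150, 158, 900],
}


def volume_anomalies(counts, window=7, low_ratio=0.5, high_ratio=2.0,
                     min_baseline=10):
    """Return {source: (latest, baseline, kind)} for each source whose latest
    daily count is below low_ratio or above high_ratio times the median of
    the preceding `window` days.  kind is "drop" or "spike".

    The median (rather than the mean) keeps one earlier bad day from
    distorting the baseline, and sources whose baseline is below
    min_baseline are skipped because ratio alerts on tiny counts are noise.
    """
    findings = {}
    for source, series in counts.items():
        if len(series) < window + 1:
            continue  # not enough history to form a baseline
        baseline = median(series[-window - 1:-1])
        latest = series[-1]
        if baseline < min_baseline:
            continue
        if latest < baseline * low_ratio:
            findings[source] = (latest, baseline, "drop")
        elif latest > baseline * high_ratio:
            findings[source] = (latest, baseline, "spike")
    return findings


if __name__ == "__main__":
    for source, (latest, baseline, kind) in volume_anomalies(CONSTRUCTED_COUNTS).items():
        print(f"{source}: {kind} (latest={latest}, 7-day median={baseline})")
```

In practice the daily counts would come from a scheduled search over the index the app writes to; the logic above is what that search's alert condition should express. A "drop" on a single source usually means that source's export stopped, while a "spike" often means events are being forwarded twice.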
Connecting With Other Logs
With the Citrix Analytics App for Splunk, you can correlate data from Citrix Analytics for Security with other data sets already stored in the Splunk platform. Joining these data sets on common fields such as the user gives you a full picture of user activity across your technology portfolio and a comprehensive view of risk at your organization.
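The kind of correlation this section describes, shown as an added example that is not part of the Citrix Analytics App or of Splunk: exported risk indicators are joined by user with VPN authentication logs from a non-Citrix source, and each indicator is annotated with what the other log set says about the same user in the hour before the indicator fired. The JSON field names, the syslog format, and every record are assumptions constructed for the example; the real export schema is whatever your app version emits.

```python
"""Correlate risk indicators exported from Citrix Analytics for Security with a
non-Citrix log set (VPN authentication).  Added example, not Citrix or Splunk
code: field names, log format and all records below are constructed."""
import json
import re
from datetime import datetime, timedelta

# Constructed risk-indicator records in an assumed newline-delimited JSON shape.
RISK_INDICATORS_JSON = """
{"timestamp": "2021-06-14T09:05:00Z", "user": "alice", "data_source": "Apps and Desktops", "category": "Data exfiltration", "indicator": "Excessive file downloads", "client_ip": "203.0.113.7", "score": 60}
{"timestamp": "2021-06-14T11:40:00Z", "user": "bob", "data_source": "Content Collaboration", "category": "Compromised users", "indicator": "Unusual logon access", "client_ip": "198.51.100.23", "score": 45}
{"timestamp": "2021-06-14T13:15:00Z", "user": "carol", "data_source": "Apps and Desktops", "category": "Insider threats", "indicator": "Potential data exfiltration", "client_ip": "192.0.2.44", "score": 30}
"""

# Constructed VPN authentication syslog lines in an assumed format.
VPN_AUTH_LOG = """
2021-06-14T08:58:12Z vpn01 vpnd: Accepted login user=alice from=203.0.113.7
2021-06-14T11:31:03Z vpn01 vpnd: Accepted login user=bob from=198.51.100.23
2021-06-14T11:33:50Z vpn01 vpnd: Accepted login user=bob from=192.0.2.200
2021-06-14T07:00:00Z vpn01 vpnd: Accepted login user=carol from=192.0.2.44
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vpnd: Accepted login user=(?P<user>\S+) from=(?P<ip>\S+)$")


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_indicators(text):
    """Parse newline-delimited JSON indicators, adding a datetime field."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = _parse_ts(rec["timestamp"])
        records.append(rec)
    return records


def parse_vpn_log(text):
    """Parse VPN login lines; lines that do not match the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = VPN_RE.match(line)
        if m:
            events.append({"time": _parse_ts(m["ts"]),
                           "user": m["user"], "ip": m["ip"]})
    return events


def correlate(indicators, vpn_events, window_minutes=60):
    """For each indicator, attach the same user's VPN logins from the preceding
    window and derive the flags an analyst wants beside the indicator:
    no corroborating login, a client IP the VPN never saw, or several source
    IPs in the window (possible concurrent sessions).  Sorted by score."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for ind in indicators:
        logins = [e for e in vpn_events
                  if e["user"] == ind["user"]
                  and ind["time"] - window <= e["time"] <= ind["time"]]
        ips = sorted({e["ip"] for e in logins})
        flags = []
        if not logins:
            flags.append("no_vpn_login_in_window")
        elif ind["client_ip"] not in ips:
            flags.append("client_ip_not_seen_at_vpn")
        if len(ips) > 1:
            flags.append("multiple_vpn_source_ips")
        findings.append({"user": ind["user"], "category": ind["category"],
                         "indicator": ind["indicator"], "score": ind["score"],
                         "vpn_ips": ips, "flags": flags})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def risk_findings(window_minutes=60):
    """Run the correlation over the constructed data sets."""
    return correlate(parse_indicators(RISK_INDICATORS_JSON),
                     parse_vpn_log(VPN_AUTH_LOG), window_minutes)


if __name__ == "__main__":
    for f in risk_findings():
        print(f"{f['score']:>3} {f['user']:<6} {f['category']:<20} "
              f"{f['indicator']:<28} vpn={f['vpn_ips']} flags={f['flags']}")
```

The same join expressed in Splunk would be a search over both source types grouped by user with a time constraint; the point of the example is the analyst logic, which is the part that needs thought: an indicator with no corroborating login, or with a client IP the VPN never issued, deserves a closer look than one that lines up with a normal login.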
To get started with the Citrix Analytics App for Splunk, please visit Splunkbase.