Citrix Blogs

Uncover VDI and DaaS data risks with in-session clipboard monitoring

This blog post was co-authored by Gavin Strong, Pre-Sales Engineer at Citrix.

To meet the needs of a fast-growing, distributed workforce, organizations have rolled out virtual desktop infrastructure (VDI) with a goal of improving employee productivity and the end-user experience.

While these IT strategies have provided immense benefits in terms of infrastructure cost savings, flexibility of provisioning, scaling of corporate apps, and the ability to give end users quick IT access, they also expose organizations to potential breaches and data loss. Merger and acquisition activity has added to the threat mix, creating access risks from unmanaged endpoints and from third-party contractors or task-worker users.

These risks can lead to breach incidents that can damage businesses, exposing them to financial liability, damaged reputation, and costs and employee effort related to legal audits and incident responses.

Top of Mind: Data Exfiltration Risks

A key security risk for VDI and DaaS is data loss through screen capture and through data transfer to and from other endpoints using cut/copy/paste. IT security executives are also concerned about data leakage on VDI deployments and are looking to solve for four key requirements:

Administration Approaches and Challenges

IT admins are also looking at ways to manage data-loss cybersecurity mandates from cybersecurity leadership with two primary approaches:

The challenge with the lock-and-block approach is that the more you lock down, the more the user experience degrades because you’re taking away employee flexibility and the ability for your people to work seamlessly across virtual sessions and physical endpoints.

Admins also want an evidence trail for the lockdown policies they put in place, so they can audit data movement attempts and risky users, and see which policies were violated and which apps and files the data movement attempts originated from.

Uncovering, Understanding the Risk with Citrix Analytics

With Citrix Analytics for Security, we are helping organizations solve these challenges. IT admins are focused on security and enabling outcomes for security operations teams as they gather detailed data movement trails for deeper insights. Our focus is on helping organizations to:

Aggregate: Enable Clipboard Data Event Collection for Citrix DaaS

Citrix DaaS allows users to perform clipboard operations, and admins can view the related logs in Citrix Analytics for Security.

These clipboard logs provide valuable information such as the VDA name, clipboard size, clipboard format type, client IP, clipboard operation, clipboard operation direction, and whether the clipboard operation was permitted.

Follow these simple steps to collect clipboard telemetry:

1) Install VDA version 2212 and set up the registry settings on the VDA. Create a key named “Clipboard” so that the path “Computer\HKLM\SOFTWARE\Citrix\Clipboard” exists, and under it create a REG_DWORD value named “CASDataCollection” set to 1.

2) Reboot the machine/master image for the registry setting to take effect. If you are using MCS, update the machine catalog from the master image template.

3) To verify that clipboard actions are being captured and sent to the CAS event hubs, confirm via CDF traces.

4) Select the BrokerAgent module only. When you initiate a clipboard operation within a VDI session, the traces will show an HdxClipboardEvent.
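The registry change from steps 1 and 2 as an idempotent PowerShell script with a verification check, added here as an example and not a Citrix-provided tool. It assumes an elevated session on the VDA or master image and that the quoted path is the complete key path (the “Computer\” prefix is only how regedit displays it).

```powershell
# Added example (not Citrix's own script): enable CAS clipboard event collection
# on a VDA 2212+ machine or master image, then verify the value was written.
# Assumption: the full key path is HKLM\SOFTWARE\Citrix\Clipboard as quoted in step 1.
$KeyPath   = 'HKLM:\SOFTWARE\Citrix\Clipboard'
$ValueName = 'CASDataCollection'

function Enable-CasClipboardCollection {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Create the Clipboard key if it is missing; -Force also creates missing parents.
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    # REG_DWORD value CASDataCollection = 1 turns the telemetry on (-Force overwrites).
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set REG_DWORD to 1')) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CasClipboardCollection {
    # Returns $true only when the value exists and is exactly 1.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

Enable-CasClipboardCollection
if (Test-CasClipboardCollection) {
    Write-Output "$ValueName = 1 under $KeyPath. Reboot (and update the MCS catalog) for it to take effect."
} else {
    Write-Warning "$ValueName is not set to 1 under $KeyPath; check that the session is elevated."
}
```

Run it with -WhatIf on the Enable-CasClipboardCollection call first to preview the changes without touching the registry.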

Audit & Learn: Clipboard In-Session Activity

Review the VDA clipboard telemetry in the self-service view. You can see the VDA.Clipboard event type telemetry being processed, and you can use these logs for risk analysis and investigations by selecting the Apps and Desktops data source on the Search page in Citrix Analytics for Security.

You can also hand off these events to a SIEM (Splunk, Microsoft Sentinel) for deeper threat hunting, audit reporting, and correlation with other SaaS, cloud deployment, and user identity events.

Actions: Setting Up Alert Policies and Actions for Monitoring

You can set up alerts with Citrix Analytics for Security custom risk indicator workflows. For example, you can detect excessive use of clipboard operations greater than 30B within Citrix VDI sessions.

You can also set up an action policy to automate the response to a risk indicator, for example to:

Increase Security, Enhance Employee Productivity

Don’t let data loss risk and data security policies get in the way of your employees working productively with Citrix VDI technology. Enable audit and monitoring capabilities with Citrix Analytics for Security so you can:

Learn more about Citrix Analytics for Security, and try it today! If you’re not already a customer, you can sign up for a trial at analytics.cloud.com.
