Monitoring the monitor

Jumping into customer issues is a great way to learn about what a product does and how it works.

Four months back I took on the role of architect for Citrix Analytics for Security and I'm trying my best to learn and contribute in parallel. I have some great colleagues who are always there to fill me in on things I don't know.

What is also helping me is getting involved in customer issues because that gives direct exposure to the problems faced by customers and opportunities to help them be successful with the product.

A few weeks back I was pulled into a customer case where the problem was that the customer was not seeing any events in the Citrix Analytics for Security dashboard when users launched sessions.

Let me unpack this a bit.

Citrix customers use our virtualization solution (CVAD/DaaS) to enable their end users (employees, contractors etc.) to securely access apps and desktops from anywhere and provide a great end user experience.

When an end user uses Citrix Workspace App (CWA) to log in to their Citrix Workspace and launch app/desktop sessions, events are dispatched by the CWA to Citrix Analytics for security monitoring purposes. Examples of events that are sent are: app start, app end, web app launch, file print, file download and so on. These events show up on the Citrix Analytics dashboard. Once the events flow through to Citrix Analytics, the customer admin can set up monitoring for what they deem risky behavior and further configure actions to take when such behavior is detected.

So far so good.

The problem the customer was facing was that events were not received from the workspace app. Upon investigation, the root cause of the issue turned out to be the particular version of the CWA they were using. Once they upgraded to the next version, the problem disappeared and events started flowing in.

I thought the issue was resolved but that's when the customer raised a concern. "We are relying on getting the events from the CWA for security monitoring but what if the end user uses a version like this one which doesn't send the events? We will not know what's going on."

The problem statement had changed. Now the concern for the customer was how to prevent end users from using this particular version of CWA. I didn't know how to help in this case because in my understanding security monitoring could kick in only when events are received from the CWA. If there are no events coming in what can security monitoring do?

That's when a helpful team member opened my eyes to the depth and beauty of the security monitoring solution. The client side (CWA) events are complemented by server side (Monitoring) events which are correlated by Citrix Analytics.

We just had to turn on some configurations to enable Monitoring events to flow in for the customer. With this done, it was easy to demonstrate to the customer that even when CWA didn't send events, there were events received from Monitoring which had details of which version of CWA a user launched a session from. This was enough to set up monitoring for such occurrences.
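The correlation described above can be sketched as a small detection routine. This is an added example, not Citrix Analytics code: the record layout, field names, version labels, grace period and minimum-session threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names and version labels are hypothetical,
# not the Citrix Analytics schema.
SERVER_SESSIONS = [  # server-side (Monitoring) view: one record per session launch
    {"session_id": "s1", "user": "alice", "cwa_version": "EXAMPLE-NEW", "start": "2024-01-10T09:00:00"},
    {"session_id": "s2", "user": "bob", "cwa_version": "EXAMPLE-OLD", "start": "2024-01-10T09:05:00"},
    {"session_id": "s3", "user": "carol", "cwa_version": "EXAMPLE-OLD", "start": "2024-01-10T09:10:00"},
    {"session_id": "s4", "user": "dave", "cwa_version": "EXAMPLE-NEW", "start": "2024-01-10T09:58:00"},
    {"session_id": "s5", "user": "erin", "cwa_version": "EXAMPLE-NEW", "start": "2024-01-10T09:20:00"},
]
CLIENT_EVENTS = [  # client-side (CWA) view: events the workspace app actually sent
    {"session_id": "s1", "type": "app_start"},
    {"session_id": "s1", "type": "file_print"},
]
NOW = datetime(2024, 1, 10, 10, 0, 0)
GRACE = timedelta(minutes=10)  # assumed delay before a session can be judged


def judged(sessions, now=NOW, grace=GRACE):
    """Sessions old enough that client events should have arrived by now."""
    return [s for s in sessions if now - datetime.fromisoformat(s["start"]) >= grace]


def silent_sessions(sessions, client_events, now=NOW, grace=GRACE):
    """Sessions the server recorded but for which the client sent nothing."""
    reporting = {e["session_id"] for e in client_events}
    return [s for s in judged(sessions, now, grace) if s["session_id"] not in reporting]


def silent_versions(sessions, client_events, now=NOW, grace=GRACE, min_sessions=2):
    """Client versions whose judged sessions were all silent (a systematic gap,
    as opposed to one session whose events were lost)."""
    silent_ids = {s["session_id"] for s in silent_sessions(sessions, client_events, now, grace)}
    total, silent = defaultdict(int), defaultdict(int)
    for s in judged(sessions, now, grace):
        total[s["cwa_version"]] += 1
        silent[s["cwa_version"]] += s["session_id"] in silent_ids
    return sorted(v for v in total if total[v] >= min_sessions and silent[v] == total[v])


if __name__ == "__main__":
    for s in silent_sessions(SERVER_SESSIONS, CLIENT_EVENTS):
        print(f"no client events: {s['user']} ({s['cwa_version']})")
    print("versions to alert on:", silent_versions(SERVER_SESSIONS, CLIENT_EVENTS))
```

The grace period keeps a session that has only just started from being flagged, and the per-version check separates a client build that never reports from a single session whose events went missing.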

Now came the last part. I asked the customer, "Now that you can detect this, how do you want to respond to it?" The customer wanted to log off such sessions automatically and send an email notification to the end user urging them to upgrade their CWA version.

We could achieve this with an out of the box capability in the product to do exactly that. After testing that it works, the customer was satisfied and agreed to close the case.

When I was new to Citrix, I used to think what's the big deal in connecting to a remote desktop. Over the years I have learnt - the big deal is doing it at scale, with security baked in and providing a great end user experience.

In this post I have deliberately simplified the technical details and diagram to make it an easy read. To know more about Citrix Analytics for Security visit this page. If you are using Citrix in your organization, consider using the security monitoring and response capabilities of Citrix Analytics. This post only scratches the surface. There is a lot more to it.
