The security game changes when an endpoint or user account is compromised. Once inside the business from a compromised user or penetrated device, an attack no longer has to prioritize smuggling exploit code under the noses of prevention products. Instead, the attack shifts to impersonating approved users and devices with IT-approved access to critical network assets. An approach examining internal activity – one that leverages IT systems for analytics – is required to detect attacks in the business in less than 200 days. It is the precise ability of Citrix Analytics to correlate datacenter-to-desktop activity between NetScaler, XenApp, XenDesktop, XenMobile and ShareFile that makes its contribution to the security of Citrix environments noteworthy.

The 451 Take

Citrix relies on desktop and mobile device security to ensure that virtual sessions are not hijacked to access sensitive information and applications. Detecting compromised endpoints or user accounts requires time-based analytics across user, application, data and network activity. The process preferably also clears a path for delivering customized responses. Citrix Analytics, anchored by the NetScaler Management and Analytics System, promises to combine insights from NetScaler user access, XenDesktop and XenMobile application interfaces, ShareFile cloud-based data management, and XenApp virtualized applications to ferret out threats that would be difficult for human IT staff to find. We like the inclusion of security features in Citrix Analytics as the symptoms of serious security issues are frequently found in unexplained changes in operational performance metrics.

Context

Citrix's market appeal is its ability to run Windows programs in the controlled datacenter and use remote display protocols to give users a local look-and-feel experience. The company has set 2017 revenue guidance of approximately $2.8bn, with workspace and networking offerings leading the product mix. In fiscal 2016, workspace services, including Citrix's XenApp flagship offering as well as XenDesktop and XenMobile, generated $1.69bn, representing 62% of total products and services, while the networking product lines, featuring NetScaler and XenServer, contributed $783m, or 29% of revenue.

Large infrastructure vendors tend to treat security as an integral component of their product architecture, and Citrix is no exception. It is an application delivery specialist first and foremost, with security features critical for demonstrating compliance, access control, and integrity of its environment. Of particular importance are the integrity of applications available to Citrix Receiver through its application store and reliance on secure access to regulated data delivered via XenApp servers. Citrix Analytics provides detection of security issues by correlating end-to-end activity within the Citrix infrastructure, from XenApp in the datacenter through NetScaler connectivity points to Citrix Receiver, XenDesktop and XenMobile on desktops and mobile devices.

Products

Once an end user or endpoint is compromised, attacks shift gears to exploit IT-authorized operations. That is, an attack will impersonate an authenticated user and device to access applications and data, searching for information that has value to the intruder. Preventive pattern-matching security offerings such as next-generation antivirus or intrusion-prevention systems have already been defeated and are of little use as there is no malware traversing the network. Applications follow instructions, delivering sensitive data to the user without knowing that the user, device or mobile application is controlled by attackers. The security challenge is to use machine learning across networking, application, user and data observations to detect security incidents before wide-scale damage can be done.

Citrix Analytics meets the vision of intersecting operational data with security insights to uncover threats. Issues such as increased server latency, surges in HTTP and other protocol errors, deviations in user behavior accessing applications, and fluctuations in application store updates are examples of activity with roots tracing back to potential security breaches. Factors considered in the machine-learning algorithms spanning datacenter-to-desktop activity include:

  • Users – Frequency, geo-location of connection, typical time of day, devices used
  • Data – Upload patterns, download patterns, changes to restricted access rules
  • Applications – Access patterns, usage frequency, degraded capacity utilization, memory and CPU consumption
  • Network – Unexpected latencies, traffic surges, queue lengths, uneven load balancing
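To make the user and data factors above concrete, here is an added example of the kind of per-user baseline and deviation scoring such an approach rests on. It is illustrative code written for this page, not Citrix Analytics code or its algorithm: a simple set-and-z-score baseline stands in for the machine learning the report describes, and the `Session` fields, user names, device identifiers and session history are all constructed.

```python
# Added example (not Citrix code): a toy per-user baseline built over the
# factors the report lists (time of day, geo-location of connection, device
# used, download volume) and a scoring pass that flags sessions that deviate
# from it. Names, fields and sample data are all constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    user: str
    start: datetime
    country: str         # geo-location of the connecting client
    device: str          # device identifier presented at logon
    download_bytes: int  # volume pulled down during the session


# Constructed history for one user: weekday daytime logons from one laptop
# in one country, downloads of roughly 7-15 KB.
HISTORY = [
    Session("alice", datetime(2017, 5, day, hour), "US", "laptop-a1", dl)
    for day, hour, dl in [
        (1, 9, 12_000), (1, 14, 8_000), (2, 10, 15_000), (2, 16, 9_500),
        (3, 9, 11_000), (3, 15, 10_000), (4, 8, 13_000), (4, 17, 7_500),
        (5, 9, 12_500), (5, 13, 9_000),
    ]
]

# Constructed sessions to score against that history.
NEW_SESSIONS = [
    # ordinary: known country and device, daytime, typical volume
    Session("alice", datetime(2017, 5, 8, 10), "US", "laptop-a1", 11_500),
    # impersonation-shaped: new country, new device, 03:00, bulk download
    Session("alice", datetime(2017, 5, 8, 3), "BR", "phone-x9", 480_000_000),
    # single deviation only: unusually large download at a normal hour
    Session("alice", datetime(2017, 5, 8, 18), "US", "laptop-a1", 18_000),
    # account with no history at all
    Session("mallory", datetime(2017, 5, 8, 11), "US", "laptop-a1", 5_000),
]


@dataclass
class Baseline:
    countries: set
    devices: set
    hours: set
    dl_mean: float
    dl_std: float


def build_baselines(sessions):
    """Summarise each user's historical sessions into a Baseline."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)
    baselines = {}
    for user, ss in by_user.items():
        volumes = [s.download_bytes for s in ss]
        baselines[user] = Baseline(
            countries={s.country for s in ss},
            devices={s.device for s in ss},
            hours={s.start.hour for s in ss},
            dl_mean=mean(volumes),
            dl_std=pstdev(volumes) or 1.0,  # avoid division by zero
        )
    return baselines


def _hour_distance(a, b):
    """Circular distance on the 24-hour clock (23 and 0 are one hour apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_session(s, baselines, z_limit=3.0):
    """Return the list of baseline deviations observed for one session."""
    b = baselines.get(s.user)
    if b is None:
        return ["unknown_user"]
    reasons = []
    if s.country not in b.countries:
        reasons.append("new_country")
    if s.device not in b.devices:
        reasons.append("new_device")
    if all(_hour_distance(s.start.hour, h) > 1 for h in b.hours):
        reasons.append("unusual_hour")
    z = (s.download_bytes - b.dl_mean) / b.dl_std
    if z > z_limit:
        reasons.append("download_volume")
    return reasons


def flag_sessions(sessions, baselines, min_reasons=2):
    """Keep sessions with at least min_reasons deviations: one deviation on
    its own (a big download at a normal hour) is noise, several together
    look like an impersonated user or device."""
    flagged = []
    for s in sessions:
        reasons = score_session(s, baselines)
        if len(reasons) >= min_reasons:
            flagged.append((s, reasons))
    return flagged


BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    for s, reasons in flag_sessions(NEW_SESSIONS, BASELINES):
        print(s.user, s.start.isoformat(), reasons)
```

The design point is that no single factor is decisive: a large download or an off-hours logon each happen legitimately, so the example only flags a session when several factors deviate together, which is the shape a compromised-but-authorized account takes. The application and network factors from the list (latency, queue lengths, load balancing) would be added the same way, as further per-entity baselines and deviation reasons.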

Citrix Analytics, which includes NetScaler Analytics, will be available as a Citrix Cloud Service. Its features should contribute to an increase in subscription revenue from cloud-based services, and may increase the attach rate of NetScaler sales into XenApp environments. The analytics package, including data storage, can be deployed in the Citrix public cloud or on-premises in an enterprise's private cloud.

We believe that Citrix Analytics also has an important role to play for incident response. The very nature of collecting data and sorting out a time-series analysis of activity with machine learning to detect threats in the system also provides critical datacenter-to-desktop visibility that can accelerate incident responses for security teams. At some point in the future, we think that customer demand for automated responses will push Citrix Analytics to help close the loop on remediation processes. This may be as simple as adjusting access permissions in NetScaler, re-provisioning virtual application images in XenApp, controlling applications available through Citrix Receiver, or offering an SDK for enterprises to customize their own graduated responses.

Competition

There will not be many direct competitors for Citrix Analytics as it is a product custom built for the Citrix installed base. Citrix Analytics should appeal to enterprises committed to a XenApp, XenDesktop, XenMobile, ShareFile and NetScaler infrastructure for securely delivering applications.

Large infrastructure vendors such as Akamai, Cisco, Dell, HPE, IBM and Microsoft all have vibrant security product lines that are separately priced, allowing the vendors to measure customer value and acceptance. Our interviews reflect that penetration of security products by infrastructure providers is running ahead of internal plans. We'd like to see the company market Citrix Analytics as a discrete means of gauging customer interest and justifying future product enhancements.

We have talked with security information and event management (SIEM) firms that report that roughly 70% of their security analytic deals close without ever having to run through competitive proofs of concept. Thus, SIEM vendors such as AlienVault, Exabeam, HPE, IBM, LogRhythm, Securonix, Splunk and Sumo Logic may extend their behavior analytic products to include Citrix application delivery. However, we expect that rivals will not even be aware of opportunities around Citrix Analytics.

VMware's vRealize Network Insight technology integrates security, networking and operational concepts to help detect security issues within the business. In April, VMware bought Wavefront, which we expect will be integrated with Arkin, which the company purchased in June 2016 for operations and analytics of virtualized environments.

We are seeing innovative startups such as Cleafy hang their analytic products off application delivery controller (ADC) ports to protect against web and mobile threats. In addition to Citrix NetScaler, Cleafy also supports ADC devices from Array Networks, F5 Networks and Microsoft for organizations evaluating an independent analytics supplier.

SWOT Analysis

Strengths

Detecting attacks from compromised users and devices requires an analysis of otherwise unsuspicious activity. Citrix Analytics feeds its algorithms raw data directly from Citrix products in key vantage points.

Weaknesses

Citrix Analytics only enhances Citrix environments, leaving enterprises to deploy other analytic offerings for the rest of their computing infrastructure.

Opportunities

Citrix Analytics could automate incident-response actions to shut down a threat to on-premises or cloud-based workloads and workspaces before a breach reaches a critical state.

Threats

Enterprises with a deployed security analytics strategy may prefer to wait for the incumbent provider to offer Citrix support rather than introduce another product to their security operations centers.

Eric Ogren
Senior Analyst, Security

Eric Ogren is a Senior Analyst with the Information Security team. Eric has extensive experience in software development, technology marketing, and as a security industry analyst. Prior to joining 451 Research, Eric held marketing leadership positions with security vendors such as RSA Security and OKENA, and technology vendors such as Digital Equipment, where his experience contributed to pragmatic perspectives for security clients on emerging market trends, company and product strategies, differentiated vendor messaging and positioning, and meeting enterprise solution purchase criteria.

Carl Brooks
Analyst, Service Providers

Carl Brooks is an Analyst for 451 Research's Service Providers Channel, covering cloud computing and the next generation of IT infrastructure. Previously, he spent several years researching and reporting on the emerging cloud market for TechTarget. Carl has also spent more than 10 years supporting small and medium-sized businesses as an IT consultant, network and systems integrator, and IT outsourcer.

Keith Dawson
Principal Analyst

Keith Dawson is a principal analyst in 451 Research's Customer Experience & Commerce practice, primarily covering marketing technology. Keith has been covering the intersection of communications and enterprise software for 25 years, mainly looking at how to influence and optimize the customer experience.
