I am back, it’s day 4!
How much time do you have? Can you pore over the management interface of your monitoring system to spot particular types of behavior? It's likely that you have less time than you would like, and that you would struggle to spot changes in the behavior of your environment.
What you need is some help!
You have been selected for a training course in Citrix ADM; the goal is to provide you with enough information to be actually dangerous when talking to a customer or client. 30 days is a bit of an arbitrary number, but I am prepared to give you 2 minutes of material, so can I get 2 minutes of your time? So far I have talked about fleet management, general analytics and security analytics.
Today is all about ML and AI.
What are ML and AI?
The purpose of ML and AI here is to tell you what kinds of behavior your applications are being exposed to, which then lets you better understand whether you are being attacked in some subtle way. This is a follow-up to the Web Application Firewall and bot protection session I talked about briefly yesterday. In this case the same modules are used, but they are augmented with some cloud services for better interrogation of the data.
So what? What problem does it solve?
Typically, certain types of behavior are actual attacks. These are:
Again, this is all about giving you further insight. That insight lets you better estimate your current risk, and understanding risk then lets you make decisions about how the service should be set up and run. This might mean, for example, that access to the application only needs to be allowed for people based in a certain area or location.
Who needs to know this?
Anyone who runs a NetScaler for a public-facing service, as it allows them to be better informed.
What is the benefit of using ADM service for this?
There are two types of ADM, one you run locally and another that Citrix runs as a cloud service. These ML and AI options are only available in the cloud edition. It’s a prerequisite.
ADM provides a graphical user view that is simple to see and understand. Of course, there are other providers that offer this. The idea of this piece was to show that some really useful intelligence will make the site owner’s job easier.
Ok, so what kinds of attacks?
There is a list above, here I will pick out a few highlights.
Account Take Over
Account takeover (ATO) is an attack in which cybercriminals take unauthorized ownership of online accounts using stolen usernames and passwords. It hits businesses with data loss, financial fraud and unauthorized purchases. The techniques used are password spraying, credential stuffing and low-and-slow ATO. This can be a problem for Citrix Gateway portals, as once someone gets access they are effectively getting a trusted desktop on the internal network. It can also affect sites that have a simple login option, so a non-Gateway use case.
When you enable ATO detection, the bootstrap time is two weeks, so it needs that long to learn what normal behavior looks like. It then retrains daily and can offer anomaly detection every hour.
This is a bot-based protection, using advanced analytics.
This is what it looks like.
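The three techniques named above can be told apart from little more than the failed-login counts per source, which is the kind of signal a behavioral model keys on. Below is an added illustration of that idea (my own example code, not anything from Citrix ADM) that applies fixed thresholds to constructed log lines: many accounts with one failure each is spraying or credential stuffing, one account with many failures is brute force, and the same volume spread over hours instead of minutes is the low-and-slow variant. The log format, the source addresses, the usernames and the thresholds are all assumptions; ADM's model learns its baseline rather than using fixed numbers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (not real NetScaler/Gateway output).
# Assumed format: "<ISO timestamp> src=<ip> user=<name> result=<OK|FAIL>"
def _mk(ip, users, start, step, outcome="FAIL"):
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + i * step).isoformat()} src={ip} user={u} result={outcome}"
            for i, u in enumerate(users)]

SAMPLE_LOG = (
    # one password tried against 12 accounts in under four minutes
    _mk("203.0.113.10", [f"user{i:02d}" for i in range(12)], "2024-01-15T09:00:00", timedelta(seconds=20))
    # 15 guesses against a single account in a few minutes
    + _mk("203.0.113.20", ["alice"] * 15, "2024-01-15T09:05:00", timedelta(seconds=10))
    # low and slow: ten accounts, one failure every two hours
    + _mk("203.0.113.30", [f"emp{i:02d}" for i in range(10)], "2024-01-14T12:00:00", timedelta(hours=2))
    # a legitimate user who mistyped twice and then logged in
    + _mk("198.51.100.5", ["bob", "bob"], "2024-01-15T08:00:00", timedelta(seconds=30))
    + _mk("198.51.100.5", ["bob"], "2024-01-15T08:01:30", timedelta(0), outcome="OK")
)

def parse(lines):
    """Turn log lines into (timestamp, source, user, success) tuples."""
    events = []
    for line in lines:
        ts, src, user, result = line.split()
        fields = dict(f.split("=", 1) for f in (src, user, result))
        events.append((datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"] == "OK"))
    return events

def classify(events, min_failures=8, spray_users=8, fast_window=timedelta(minutes=30)):
    """Label each source by its failed-login pattern.
    The thresholds are illustrative assumptions, not ADM's learned baseline."""
    failures = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            failures[src].append((ts, user))
    verdict = {}
    for src, fails in failures.items():
        if len(fails) < min_failures:
            verdict[src] = "normal"
            continue
        fails.sort()
        span = fails[-1][0] - fails[0][0]
        distinct_users = len({u for _, u in fails})
        # many distinct accounts with few tries each: spraying or credential stuffing;
        # one account hammered repeatedly: classic brute force
        label = "spray-or-stuffing" if distinct_users >= spray_users else "brute-force"
        # the same volume spread over hours rather than minutes is the low-and-slow variant
        if span > fast_window:
            label = "low-and-slow-" + label
        verdict[src] = label
    return verdict

def analyse(lines=SAMPLE_LOG):
    """Run the whole pipeline on the constructed log and return {source: label}."""
    return classify(parse(lines))

if __name__ == "__main__":
    for src, label in sorted(analyse().items()):
        print(f"{src:15} {label}")
```

The point to take from it is the low-and-slow case: the per-minute rate from 203.0.113.30 never looks alarming, so it is only caught because the window is long enough to see the whole pattern, which is exactly why the ATO model needs a bootstrap period before it can say what "normal" is.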
Content Scraping detection
This is where we detect client sessions that might be trying to scrape some or all of the content from your website. The model characteristics are:
• Boot Strap Time: Two weeks (at least 1500 client sessions)
• Training Frequency: Daily
• Anomaly Detection Frequency: Hourly
• Data type: Transactional
This is a bot-based protection, using advanced analytics.
Large upload / download detection
Detects when a larger volume of data than normal is uploaded to or downloaded from an application. The model characteristics are:
• Boot Strap Time: 3 weeks
• Training Frequency: Daily
• Anomaly Detection Frequency: Hourly
• Data type: Metrics
This is a bot-based protection.
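The two models above share one shape: learn a per-hour baseline over a bootstrap window, retrain daily, and compare each new hour against it. The following added example (my own code, not Citrix's) implements that shape in Python with a constructed three-week history. The traffic profile, the z-score threshold and the "busiest session per hour" reduction are all assumptions; the reduction is there to show how the transactional data type of the content scraping model and the metrics data type of the upload/download model can feed the same detector.

```python
import statistics
from collections import defaultdict

HOURS = 24
BOOTSTRAP_DAYS = 21   # three weeks, matching the upload/download model's bootstrap

def _profile(hour):
    """Constructed 'normal' transfer volume per hour in MB: busy in office hours, quiet overnight."""
    return 50 + (200 if 8 <= hour < 18 else 0) + 10 * (hour % 3)

def constructed_history(days=BOOTSTRAP_DAYS):
    """Constructed bootstrap data: (day, hour, megabytes) with deterministic -5..+5 jitter."""
    return [(d, h, _profile(h) + ((d * 7 + h * 3) % 11) - 5)
            for d in range(days) for h in range(HOURS)]

def train(rows):
    """Daily training step: per hour-of-day mean and standard deviation of the metric."""
    by_hour = defaultdict(list)
    for _, hour, value in rows:
        by_hour[hour].append(value)
    return {h: (statistics.fmean(v), statistics.pstdev(v)) for h, v in by_hour.items()}

def detect(model, hour, observed, k=4.0, sd_floor=5.0):
    """Hourly detection: z-score of the observation against that hour's baseline.
    The floor stops a near-constant hour from flagging trivial wobble."""
    mean, sd = model[hour]
    z = (observed - mean) / max(sd, sd_floor)
    return z > k, round(z, 2)

def busiest_session_per_hour(transactions):
    """Transactional data type: reduce (hour, session_id) request records to the
    request count of the busiest single session each hour, a scraping indicator
    that can then be baselined with train()/detect() exactly like a metric."""
    counts = defaultdict(lambda: defaultdict(int))
    for hour, session_id in transactions:
        counts[hour][session_id] += 1
    return {h: max(c.values()) for h, c in counts.items()}

def run_demo():
    """Train on the constructed history and score three constructed observations."""
    model = train(constructed_history())
    return {
        "normal_14": detect(model, 14, 275),   # an ordinary afternoon hour
        "spike_14": detect(model, 14, 900),    # a 900 MB transfer at 14:00
        "night_02": detect(model, 2, 400),     # a 400 MB burst at 02:00
    }

if __name__ == "__main__":
    for name, (anomalous, z) in run_demo().items():
        print(f"{name:10} z={z:7.2f} {'ANOMALY' if anomalous else 'ok'}")
```

Note what the bootstrap buys you: the same 400 MB that would be unremarkable at 14:00 is flagged at 02:00, because the baseline is learned per hour of day rather than as one global average.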
Summary.
AI and ML are a powerful option that ADM service offers; just getting sight of what the bad guys are trying to do allows you to take action.
BTW, this capability is free for the first 2 virtual servers! You can add packs of VIPs to cover off more than that.
What’s not to like?