Citrix Virtual Apps and Desktops

Endpoint Security Policy activation & threat detection reporting in Director

Citrix Workspace App is introducing built-in security checks that will automatically detect high-risk conditions on endpoints, such as keyloggers or Microsoft Recall being enabled, without the need for any manual configuration. Real-time visibility of these detections will be available in Citrix Director and Monitor. The reporting will enable administrators to quickly assess the risk and configure their protection policies to ensure a safer environment. While detection for select events like Recall is automatic, protection from events requires manual configuration of app protection policies by the administrator. Activation events for all enabled policies will also be reported in Director and Monitor. By utilizing proactive risk management and policy reconfiguration, administrators will be able to strengthen endpoint security in their environment and reduce exposure to emerging threats.

The following reporting will be available in Director:

  • Audit Trail

    • Automatic Detection – During its default scan, Citrix Workspace App (CWA) detects various threats, such as Windows Recall, on the endpoint. If a threat is detected, CWA will send an event to Director Monitor. The following data will be reported for each event:
      • Timestamp
      • Username
      • Endpoint name
      • Endpoint OS
      • CWA version
      • Event name – including Screen Capture, Keylogging, DLL injection (when app protection is enabled)
      • Event type – Detection or protection
    • Protection for configured policies – Administrators can configure protection policies to prevent certain events such as screen capture, DLL injection, or keylogging. The anti-screen-capture policy can also be used to prevent screen capture attempts by Recall. Protection events reported in Director Monitor will include all the data points listed above.
  • Aggregated insights and trends – Event data will be aggregated to report the following information:
    • Detection/protection summary for the environment
    • Top protected/detected events
    • Trend of protection and detection events over time

This capability is designed to further strengthen Citrix’s commitment to securely deliver applications by helping organizations identify emerging threats and respond to them in real time.

Administrators can use the above insights to better understand the security “threats” in their environment and set up protection policies to protect sensitive data, minimize security risk, and support the establishment of related corporate-level policies designed to mitigate such risk (e.g., discouraging the use of tools like Recall, keyloggers, etc.).
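The sketch below is an added example, not Citrix code or a Director export format. It computes the three aggregate views listed above from audit-trail records and flags endpoints that reported detections but no protection events. The record layout, the sample values, and the "no protection event means no active policy" heuristic are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events. Keys mirror the data points listed above; the
# record layout and all values are assumptions, not a Director export schema.
FIELDS = ("timestamp", "username", "endpoint_name", "endpoint_os",
          "cwa_version", "event_name", "event_type")
ROWS = [
    ("2025-06-02T09:14:00", "alice", "LT-0141", "Windows 11", "sample", "Windows Recall", "Detection"),
    ("2025-06-02T09:15:10", "alice", "LT-0141", "Windows 11", "sample", "Screen Capture", "Protection"),
    ("2025-06-02T11:40:32", "bob", "LT-0207", "Windows 11", "sample", "Windows Recall", "Detection"),
    ("2025-06-03T08:02:45", "bob", "LT-0207", "Windows 11", "sample", "Keylogging", "Detection"),
    ("2025-06-03T13:27:05", "carol", "PC-0033", "Windows 10", "sample", "Keylogging", "Protection"),
    ("2025-06-03T13:29:51", "carol", "PC-0033", "Windows 10", "sample", "DLL injection", "Protection"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]


def summarize(events):
    """Build the three aggregate views: summary, top events, daily trend."""
    summary = Counter(e["event_type"] for e in events)
    top = defaultdict(Counter)
    trend = defaultdict(Counter)
    for e in events:
        top[e["event_type"]][e["event_name"]] += 1
        trend[e["timestamp"][:10]][e["event_type"]] += 1  # bucket by ISO date
    return {
        "summary": dict(summary),
        "top": {t: c.most_common(3) for t, c in top.items()},
        "trend": {day: dict(c) for day, c in sorted(trend.items())},
    }


def detection_only_endpoints(events):
    """Endpoints that reported detections but never a protection event.

    Heuristic (assumption): no protection event from an endpoint suggests no
    app protection policy was active there, so it is a candidate for review.
    """
    seen = defaultdict(set)
    for e in events:
        seen[(e["username"], e["endpoint_name"])].add(e["event_type"])
    return sorted(k for k, types in seen.items() if types == {"Detection"})


if __name__ == "__main__":
    print(summarize(EVENTS))
    print(detection_only_endpoints(EVENTS))
```
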
