With COVID-19 forcing employees out of the office and into remote work, many IT and security teams are feeling the burden of the sudden shift. That was the case for one ExtraHop customer, who had to dramatically increase the number of people using their Citrix VPN as the number of remote workers grew.
Within hours on the first day of the COVID "stay at home" mandate in France, large numbers of remote employees reported being unable to start some Citrix applications via the VPN. Clearly the sudden increase in users was causing issues, but it was difficult to tell which assets were being affected or why.
Using ExtraHop Reveal(x), the customer was able to gain visibility into the Citrix StoreFront servers, XenApp servers, and NetScaler devices running in their AWS environment. ExtraHop's Citrix dashboards showed a significant increase (from a few milliseconds to several seconds) in network latency and aborts.
Upon looking into the detailed metrics of the ICA protocol, the customer was quickly able to identify which Citrix applications were slowing down, the users affected, the client devices initiating the sessions, and the XenApp servers in question.
From there, the customer drilled down to the device TCP level and identified that the NetScaler devices were being overloaded with connection requests, as indicated by a significant increase in TCP retransmissions and zero windows.
They also noticed a peak in aborted SSL connections between these Citrix components. Because Reveal(x) decrypts PFS-encrypted TLS traffic in real time, the customer was able to see into their HTTP transactions to monitor errors and address long processing times.
Reveal(x) provides the visibility you need to go from detection to answers in a matter of clicks.
You can explore the Reveal(x) workflow for yourself in the full product demo, available for free online.