Background

This is a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3.  For additional articles in the series, review these links:

• Container Linux by CoreOS Support.
• Centrify Analytics Support for Infrastructure Services (preview).
• Centrify Agent for Windows™: Self-Service Password Reset and Windows 10 MDM Enrollment.
• Zero Trust Model - Conditional Access (UNIX/Linux and Windows access and privilege elevation).
• Official Announcement with all updates.

In this article, we'll discuss Centrify Analytics for Infrastructure Services Alpha.

Centrify Analytics Overview

In February 2017, we introduced Centrify Analytics with the goal to produce the following capabilities:

• Behavior-based access control - enhances access policy with risk patterns based on machine learning
• Insights - allows organizations to reconcile policy with day-to-day usage
• Explorer - allows security practitioners the ability to get a deep dive into each event.

The key focus of the service at launch was to protect our Application Services.

What's new in 2017.3

With the release of Infrastructure Services 2017.3, Centrify UNIX/Linux and Windows software is "analytics-aware" and organizations with Analytics-enabled Centrify platforms can extend risk-based behavioral analytics for servers and workstations and privilege elevation.  The framework is the same:

Insights

Server Suite Dashboard and Widgets

With the release of Centrify Identity Platform 17.11, there is a brand new Dashboard in the Analytics portfolio.  The "Server Suite" dashboard exposes the capabilities related to the information obtained via Centrify Infrastructure Services agents across UNIX, Linux, Mac OS X and Windows.  The Dashboard is completely customizable, but the first part of the view is the usage graph.

The main dashboard includes a few widgets by default: Command Usage (can be customized between UNIX/Linux and Windows) and Top CSS Users.

Clicking on any of the areas of the graph will switch to the explorer view.

The final part of the Server Suite dashboard is the heat map.  This provides an aggregated summary of the event categories (e.g. PAM, Centrify Commands, Centrify Configuration, Windows, etc) in a color-coded matrix indicating risk.

Event Explorer

Explorer allows security practitioners to look at the aggregated (or detailed) information processed by the Analytics engine.  Just like dashboards, this can be customized based on the needs of the organization (or user).

We can dedicate a blog series to justify Explorer's usability, however in summary, this view offers a number of dimensions to drill on the data.  In addition, it provides a geo-location map, plus active users and Multi-factor Authentication breakdown.

Event Detail 

This is the information captured by the Analytics service.  In this "single pane of glass" we see the multi-platform activity across our Infrastructure based on how the information is being collected.

Risk Dimension for Conditional Access

Part of the changes introduced with Identity Platform 17.11 in the policy side, includes support for conditional access (Server Access and Privilege Elevation) across UNIX, Linux or Windows can now use behavioral analytics risk profile to Allow, Deny or invoke additional methods for identity assurance.

Like with any other machine learning-based solutions, the goal is to establish a very good baseline of the normal behavior, when combined with least privilege and temporary access controls, the risk profile adds a new dimension for security assurance in the context of infrastructure servers.  Some of the components of the risk dimension are:  day of the week, time of the day, operating system, geo-location, transaction type, user, etc.  These can be optimized based on RBAC and MFA policy.

Architecture

"Server Suite" analytics works with information captured via the Analytics Sensor. This  is a micro services based solution that can be deployed in UNIX-like systems or in Windows.

Sensor Communications

• Platform:  The analytics sensor establishes a secure channel with the Centrify Platform using TLS (directly or via proxy) and OATH2 to access the corresponding APIs.  

Data Sources

• Syslog (local)
• Syslog (server)
• File
• Windows Event Log
• Centrify DirectAudit Collector

Summary

Expect in that in 2018 we'll continue to work with this capability to delight our current and future customers.  For more information on this service and for early access, feel free to work with your Centrify customer success representative.