Page 1: Best Practice Policies - Inline

2021 © Netskope. All rights reserved.

Best Practice Policies - Inline

Focus: “Real-time Protection” Policy (Not “API Data Protection” Policy)

Page 2: Best Practice Policies - Inline


Agenda


• Introductions

• Real-time Protection vs. API Data Protection Policies

• Preparing Your Organization for Change

• Structuring Real-time Protection Policies

• Real-time Protection - Threat Policies

• Real-time Protection - Utility Policies

• Real-time Protection - Active CASB Policies

• Real-time Protection - Web Policies

• Q&A

Page 3: Best Practice Policies - Inline


Real-time Protection vs. API Data Protection Policies

Page 4: Best Practice Policies - Inline


Real-time (Inline) vs API Protection (Out of Band) Policies

Page 5: Best Practice Policies - Inline


Real-time Protection Policy Processing is Order specific!

• Understanding the order of your Real-time Protection policies is important

• Real-time Protection policies are processed sequentially (Top to Bottom)

• When traffic matches rule conditions, the action applies (Allow/Coach/Block) without further processing through the rule base

• Select the rule position when saving the policy: Top / Bottom / Before / After

• Drag and drop, or choose the policies to re-order

• Click Apply Changes to save the order. Policy changes do not take effect until you apply changes.

Page 6: Best Practice Policies - Inline


Best Practice Policies - General guidelines

• Remember that rules are processed from the top down in the Real-time Protection policies list

• Place rules to be applied to individuals or small groups near the top of the list.

• Block with exceptions at the top

• Use the Filter option to view specific policies

– Note: Default allow if no policy is matched

Page 7: Best Practice Policies - Inline


Best Practice Policies - Web Configuration

• Dynamic Classification

– Dynamic classification looks at the textual contents of a page and dynamically determines the category for uncategorized URLs. This feature is turned off by default.

– After a page has been dynamically categorized, the classification applies to all of your tenant instances. The page classification expires every 12 hours, so that if the page changes, its content is re-evaluated and the chosen category matches the current page content.

– Navigate to: “Settings > Security Cloud Platform > Configuration”

Page 8: Best Practice Policies - Inline


Real-time Protection Policies - Workflow


1. Create a new Real-time Protection Policy

2. Select “Add Criteria” to add additional source criteria (such as Access Method)

3. Define the Identity (User, Group, OU)

4. Specify the Application, Category, App instance (Ex: Box, Cloud Storage, etc.)

5. Select “Edit” to specify the Activities & Constraints that need protection/control (Ex: create, delete, share, etc.)

6. Select “Add Criteria” to add additional destination criteria (such as App Tagging)

7. Choose an action (Alert, Allow, Block, By-Pass, etc.)

8. Give the policy a name

9. (Optional) Provide a description for this policy

10. (Optional) Email Notifications (None, Every Event, 30 mins, 60 mins, 6 hours, 24 hours).

Page 9: Best Practice Policies - Inline


Preparing Your Organization for Change

Page 10: Best Practice Policies - Inline


Introducing new Inline Policy to an Organization


Ensuring a Smooth Policy Roll-Out to your Organization:

- Create a Documented Acceptable Use Policy (AUP)

- Ensure an Escalation/Exception process is in place and followed throughout the roll out process

Page 11: Best Practice Policies - Inline


Monitoring Phase - Steer traffic to your tenant

Monitor: Steer traffic to tenant

Alert: alert Netskope admins on particularly risky behavior (covered later)

Coaching: create a policy that will inform users of risky behavior

Blocking: enable policy blocking to enforce company policy

Page 12: Best Practice Policies - Inline


Monitoring Phase Part 2 - Involve Key Departments

• As an organization moves from monitoring user traffic to actually alerting and coaching users on violations, it is important to involve key stakeholders

• Create SOC / Help Desk processes and inform executives of upcoming changes

– It is important that key departments understand the changes that users (from Executives to Individual Contributors) will be experiencing

– For example, a SOC process could follow a naming convention that appends [pre-prod] and [prod] to policy names, to differentiate policies and filter active channels

Page 13: Best Practice Policies - Inline


User Alerting and Coaching Phases - Involve the Entire Organization

• In the previous phase, we informed key operational departments of the upcoming changes users will see while performing their day-to-day activities

• Before we actually transition the policies and change the user experience, we need to communicate the upcoming change to the entire organization

– Create a User Awareness Campaign - very important to dispel FUD

• A note from Executives on the new program eases user push-back against the new control.

– Some customers also create an internal wiki that they link in the user alert to reduce user questions about the new control.

• Important - Only provide as much detail as needed and no more. Never include actual policy logic, as this can be used by malicious actors to work around controls.

Page 14: Best Practice Policies - Inline


Blocking Phase - Real Time Prevention

• After policies have been in User Alerting and Coaching mode, you will see drastic changes to user behavior (for the good!). Now it’s time to move the policies for certain high-risk activities (preventing malware and data loss) and unacceptable activities (browsing inappropriate websites) to blocking mode

– Ex. Upload of a sensitive document to a Cloud Storage App

• IP - <ORG> Secret, TS, Design Documents

• Customer Databases

• Form data – DD214 member B, Medical Documentation

• Controlled Documents

• Offensive and productivity-killing web browsing

Page 15: Best Practice Policies - Inline


Structuring Real-time Protection Policies

Page 16: Best Practice Policies - Inline


Best Practice - Structuring Real-time Protection Policies


1. Threat Protection (High risk)
2. Utility Policies
3. Remote Browser Isolation (RBI)
4. CASB (Activity Oriented)
5. Web (Category Based)
6. Netskope Private Access (NPA)

Threat protection policies should block high-risk behaviors, such as downloading malware or uploading sensitive data to an unsanctioned application. Broader access control policies should be towards the bottom of the policy list.

● Allow list business critical applications
● Block list predefined high risk categories and IOCs.
● Leverage the Netskope REST API to maintain URL lists.

Policy order, more specific to less specific: Threat → Utility → RBI → CASB → Web

Page 17: Best Practice Policies - Inline


[Diagram of the policy hierarchy; labels as shown: Threat (Block, Scan, Allow), Utility, Web (Category Level Policy), Instance ID, App, Category Sanctioned, Category Personal, CASB Tools, Category Unsanctioned, Low / Poor CCL]

Page 18: Best Practice Policies - Inline


Real-time Protection - Threat Policies

Page 19: Best Practice Policies - Inline


Best Practice: Threat Policies - Overview


Page 20: Best Practice Policies - Inline


Best Practice Policies - High Risk Categories


In almost all situations these risk categories should be blocked

Create a custom category to include the predefined high risk categories, Global Deny URL, and security risk exception URL Lists

Page 21: Best Practice Policies - Inline


Threat Protection Policy: Block Security Risks


Source - Any

Destination - Custom Category that contains all security risk subcategories, parent security risk category, global deny url list, and security risk exceptions

Activity - Any

Profile/Action: Block ; Template of your choice

Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll-out and tuning. Example - [Test] Threat Protection Policy or [Threat] Block Security Risk Categories

Page 22: Best Practice Policies - Inline


Best Practice Policies - Threat Protection: File Profile


Customize your Threat Protection Profile, by creating a “File Profile”

This will enable you to create additional controls for known good and bad files.

Common use cases are:

● Allow list of business critical applications and/or false positives by file hash, type, object id, file size, and/or encryption

● Block list of known file types, hashes, and IOCs

Page 23: Best Practice Policies - Inline


Best Practice Policies - Threat Protection: TP Profile


● Now you can include your new File Filter Profiles within a new Threat Protection (TP) Profile

● Creating multiple File Filters allows you to create exceptions for different business units.

Page 24: Best Practice Policies - Inline


Best Practice Policies - Threat Protection : Block Malware


● Source - Any
● Destination - All Categories (CC)
● Activity - Download & Upload
● Profile: Custom Malware profile (with File Profiles) or Default Malware Scan
  ○ Set all severities to Block
● Email notification after each event

Page 25: Best Practice Policies - Inline


Best Practice Policies - Threat Protection: Risk Exception


● Source : Depending on Business use case of exception

● Destination: Custom Category (URL list of exception to the security risk categories)

● Action : Allow
● Name: [Threat] Allow Security Risk Category Exception
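The ordering rule from the "Processing is Order specific" and "Block with exceptions at the top" slides, applied to the Block Security Risks and Risk Exception policies above, as an added example that is not part of the Netskope deck: a small first-match evaluator with default allow, plus a dry-run hit counter that exposes an exception policy placed below the block it is meant to carve out of. The user address, the "Security Risk Exceptions" custom category and the sample requests are constructed for the example.

```python
from dataclasses import dataclass, field

ANY = "*"  # wildcard: the criterion matches every value


@dataclass
class Policy:
    name: str
    action: str                              # Allow | Block | Coach
    users: set = field(default_factory=lambda: {ANY})
    categories: set = field(default_factory=lambda: {ANY})
    activities: set = field(default_factory=lambda: {ANY})

    def matches(self, user, url_categories, activity):
        # A URL can carry several categories (predefined + custom); one overlap suffices.
        return ((ANY in self.users or user in self.users)
                and (ANY in self.categories or bool(self.categories & url_categories))
                and (ANY in self.activities or activity in self.activities))


def evaluate(policies, user, url_categories, activity):
    """Top-to-bottom, first match wins; no match at all means default allow."""
    for p in policies:
        if p.matches(user, url_categories, activity):
            return p.action, p.name
    return "Allow", "default (no policy matched)"


def hit_counts(policies, requests):
    """Dry-run a sample of requests and count which policy decided each one.
    A policy with zero hits is a candidate for being shadowed by one above it."""
    counts = {p.name: 0 for p in policies}
    for user, cats, act in requests:
        _, name = evaluate(policies, user, cats, act)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed policies mirroring the deck's Threat section (policy names are the deck's examples).
BLOCK_RISK = Policy("[Threat] Block Security Risk Categories", "Block",
                    categories={"Security Risk"})
RISK_EXCEPTION = Policy("[Threat] Allow Security Risk Category Exception", "Allow",
                        users={"threat-research@example.com"},   # assumed exception group
                        categories={"Security Risk Exceptions"})  # assumed custom URL list

# Constructed sample traffic: the exception URL sits in both the predefined and the custom category.
SAMPLE = [
    ("threat-research@example.com", {"Security Risk", "Security Risk Exceptions"}, "Browse"),
    ("alice@example.com", {"Security Risk", "Security Risk Exceptions"}, "Browse"),
    ("alice@example.com", {"Cloud Storage"}, "Upload"),
]

GOOD_ORDER = [RISK_EXCEPTION, BLOCK_RISK]   # exception above the block, as the deck advises
BAD_ORDER = [BLOCK_RISK, RISK_EXCEPTION]    # exception below the block: it can never match

if __name__ == "__main__":
    for order in (GOOD_ORDER, BAD_ORDER):
        print([p.name for p in order], hit_counts(order, SAMPLE))
```

Running the dry run over representative traffic before applying changes is a cheap way to catch a [Test] policy that would never fire in production.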

Page 26: Best Practice Policies - Inline


Real-time Protection - Utility Policies

Page 27: Best Practice Policies - Inline


Best Practice: Utility Policies - Overview


Page 28: Best Practice Policies - Inline


Best Practice Policies - Policy Replication Sync


When a Netskope administrator applies a Real-time Protection policy change in the Netskope UI, those changes are replicated across the NewEdge data plane. Replication is generally complete within five minutes, but there are times when replication can take a prolonged period of time.

To confirm which policy is active, a user notification can be configured to inform the administrator which version of the policy is currently being applied through the POP within the NewEdge data plane being used.

For more information and configuration please visit: https://support.netskope.com/hc/en-us/articles/360047227794-How-to-Test-a-Real-time-Protection-Policy-Change-Runbook

Page 29: Best Practice Policies - Inline


Best Practice Policies - DNS over HTTPS


DNS over HTTPS is not a supported protocol for Netskope steering (CASB/NGSWG/NPA) and can be compromised by malicious actors. Therefore, we need to ensure that we configure a policy to steer and block this traffic.

Source - Any

Destination: Cloud App - DNS Over HTTPS (do not press “Edit”; leave the activity as “Any”)

Action - Block: No notification *This will not prompt the user*

Page 30: Best Practice Policies - Inline


Real-time Protection - Active CASB Policies

Page 31: Best Practice Policies - Inline


Best Practice: Active CASB Policies - Overview


Page 32: Best Practice Policies - Inline


Sanctioned Instance - For supported Apps


Note: You have to tag the instance before you can set an instance ID policy. instance_id !~ 'NULL'

Source - Any

Destination - Sanctioned App Instance

Activities - All Supported Actions

Profile/Action: Allow

Traffic Action - Not Set

Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll-out and tuning. Example - [Test] Threat Protection Policy

Page 33: Best Practice Policies - Inline


Instance ID Support

- P1 Apps Supported - Please work with your TSM to understand the scope
  - Instance efficacy is tested regularly
  - Activities: login, upload, download, post, share, send
  - Other activities should also work for instance ID, but we are not regularly testing them.

- Activities Not Supported (Browse, Formpost, etc.) - For Web tenants, App and Category Level blocks with no Activities specified in the policy will come into play for these activities unless you explicitly define Allow policies for them.

- We add Instance ID to events for 100+ apps
  - These are not regularly tested and may have limited activity support.

- Malformed instance IDs and/or minor instance ID deviations do occur occasionally and will need to be manually tagged and added to policy while working with support to enhance the product to handle the ever-changing nature of these app flows.

Page 34: Best Practice Policies - Inline


Block Non-Corporate Logins to Sanctioned Suite


Source - Any

Destination - Sanctioned App Suite

Activities - All Login Activities

From User Constraint - Non-Corporate Domains i.e. Not *@netskope.com

Profile/Action: Block

Traffic Action - Not Set

Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll-out and tuning. Example - [Test] Threat Protection Policy

Page 35: Best Practice Policies - Inline


App Tag Based Policy


Source - Any

Destination - App Tag - Sanctioned

Profile/Action: Allow - Download + Upload

Traffic Action - Not Set

Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll-out and tuning. Example - [Test] Threat Protection Policy

Page 36: Best Practice Policies - Inline


CCL Based Policy


Source - Any

Destination - Select All - Predefined CASB Categories or Define Custom Category on CASB Categories

Profile/Action: Block - Upload

Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll-out and tuning. Example - [Test] Threat Protection Policy

Page 37: Best Practice Policies - Inline


Real-time Protection - Web Policies

Page 38: Best Practice Policies - Inline


Best Practice: Web Policies - Overview


Page 39: Best Practice Policies - Inline


Best Practice Policies - Block AUP Categories

By leveraging the Custom Categories and User Notifications we can block access to inappropriate sites and present the end user with a coaching message.

The message presented to the end user can be customized to contain information as to why the URL was blocked and even redirect them to the AUP.

You can also prompt the user to provide a justification.

Add mailto and links so the end user can open a ticket for FP / TP

Page 40: Best Practice Policies - Inline


Common Web Categories Used with AUP-Policy

● Child Abuse
● Abortion
● Gambling
● Dating
● Drugs
● Weapon
● Aggressive
● Criminal Activities
● Piracy & Copyright Theft
● Chat, IM & other communication
● Web Proxies/Anonymizers

Page 41: Best Practice Policies - Inline


Best Practice Policies - How to configure AUP / UA


Combine all AUP categories into a custom category, exclude the global allow list and then leverage this new “Prohibited Websites” category in your Real-Time Protection policies!

Page 42: Best Practice Policies - Inline


Best Practice Policies - Silent Ad Blocking


● Block Online Ads with a silent block to reduce advertising noise while not impacting the user experience.

Page 43: Best Practice Policies - Inline


Best Practice Policies - Silent Ad Blocking


● The category must be Online Ads.
● The activity must be Browse only.

If the category is configured for only Online Ads and the Activity is configured for just Browse, then the Block action will offer the notification option None (No Notification).

This rule will block any URL that is classified as an online ad and render the HTML around it to ensure the user experience is not negatively impacted.

Page 44: Best Practice Policies - Inline


HTTP Header Based Policies

HTTP headers have been very popular among admins who want to create granular policies based on the value of a header. In addition, many SWG prospects who are looking to migrate from competitors to Netskope have been using header-based policies to restrict or allow access to resources. For example, allow access to abc.com only when referred by mycompany.com.

Netskope is introducing HTTP header based policies in R81 that can read the value of a header and enforce the admin-configured policy. This will help reduce friction in both pre- and post-sales cycles and allow customers to on-board our product more swiftly. The feature is available for both Web and CASB Inline tenants.