2021 © Netskope. All rights reserved.
Best Practice Policies - Inline
Focus: “Real-time Protection” Policy (Not “API Data Protection” Policy)
Agenda
• Introductions
• Real-time Protection vs. API Data Protection Policies
• Preparing Your Organization for Change
• Structuring Real-time Protection Policies
• Real-time Protection - Threat Policies
• Real-time Protection - Utility Policies
• Real-time Protection - Active CASB Policies
• Real-time Protection - Web Policies
• Q&A
Real-time Protection vs. API Data Protection Policies
Real-time (Inline) vs API Protection (Out of Band) Policies
Real-time Protection Policy Processing is Order specific!
• Understanding the order of your Real-time Protection policies is important
• Real-time Protection policies are processed sequentially (Top to Bottom)
• When traffic matches rule conditions, the action applies (Allow/Coach/Block) without further processing through the rule base
• Select the rule position when saving the policy: Top / Bottom / Before / After
• Drag and drop, or choose the policies to re-order
• Click Apply Changes to save the order.
• Policy changes do not take effect until you apply changes.
Best Practice Policies - General guidelines
• Remember that rules are processed from the top down in the Real-time Protection policies list
• Place rules to be applied to individuals or small groups near the top of the list.
• Block with exceptions at the top
• Use the Filter option to view specific policies
– Note: Default allow if no policy is matched
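Added example (not Netskope code): a small first-match evaluator in Python that models the processing rules above. The rule names, groups and sample traffic are constructed; an empty criterion stands for “Any”, processing stops at the first matching rule, and no match falls through to the default Allow noted above. The same rules are evaluated in the recommended order (the small-group exception above the broad block) and with the exception dragged below the block, to show why order matters.

```python
"""Added example, not Netskope code: first-match evaluation of an ordered
Real-time Protection rule base. Rules, groups and traffic are constructed."""
from dataclasses import dataclass, field


@dataclass
class Traffic:
    user: str
    group: str
    category: str
    app: str
    activity: str


@dataclass
class Rule:
    name: str
    action: str                                  # Allow / Coach / Block
    users: set = field(default_factory=set)      # empty set means "Any"
    groups: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    activities: set = field(default_factory=set)

    def matches(self, t: Traffic) -> bool:
        """Every criterion that is set must match; an unset criterion is Any."""
        criteria = [
            (self.users, t.user), (self.groups, t.group),
            (self.categories, t.category), (self.apps, t.app),
            (self.activities, t.activity),
        ]
        return all(not allowed or value in allowed for allowed, value in criteria)


DEFAULT_ACTION = "Allow"   # platform behaviour when nothing matches (see the note above)


def evaluate(rules, traffic):
    """Walk the list top to bottom; the first matching rule decides and
    processing stops. Returns (action, rule name)."""
    for rule in rules:
        if rule.matches(traffic):
            return rule.action, rule.name
    return DEFAULT_ACTION, "<no policy matched>"


# Recommended order: the narrow exception for one group sits above the broad block.
RULEBASE = [
    Rule("[CASB] Allow finance uploads to Box", "Allow",
         groups={"finance"}, apps={"Box"}, activities={"Upload"}),
    Rule("[CASB] Block uploads to Cloud Storage", "Block",
         categories={"Cloud Storage"}, activities={"Upload"}),
    Rule("[Web] Coach on Gambling", "Coach",
         categories={"Gambling"}, activities={"Browse"}),
]
# Same rules with the exception dragged below the block it was meant to exempt.
MISORDERED = [RULEBASE[1], RULEBASE[0], RULEBASE[2]]

# Constructed traffic samples.
FINANCE_UPLOAD = Traffic("alice", "finance", "Cloud Storage", "Box", "Upload")
MARKETING_UPLOAD = Traffic("bob", "marketing", "Cloud Storage", "Box", "Upload")
NEWS_BROWSE = Traffic("bob", "marketing", "News", "example-news", "Browse")

if __name__ == "__main__":
    for label, rules in (("recommended", RULEBASE), ("misordered", MISORDERED)):
        for t in (FINANCE_UPLOAD, MARKETING_UPLOAD, NEWS_BROWSE):
            print(f"{label:12} {t.group:10} {t.activity:7} {t.app:13} -> {evaluate(rules, t)}")
```

With the recommended order the finance upload is allowed and everyone else's is blocked; in the misordered list the block fires first and the exception is never reached, which is what a top-to-bottom read of the list (or the Filter view) should catch before Apply Changes.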
Best Practice Policies - Web Configuration
• Dynamic Classification
– Dynamic classification looks at the textual contents of a page and dynamically determines the category for the uncategorized URLs. This feature is turned off by default.
– After a page has been dynamically categorized, the classification applies to all of your tenant instances. The page classification to a category expires every 12 hours so that if any changes occur to the page, the content is re-evaluated so the chosen category matches the current page content.
– Navigate to: “Settings > Security Cloud Platform > Configuration”
Real-time Protection Policies - Workflow
1. Create a new Real-time Protection Policy
2. Select “Add Criteria” to add additional source criteria (such as Access Method)
3. Define the Identity (User, Group, OU)
4. Specify the Application, Category, App instance (Ex: Box, Cloud Storage, etc.)
5. Select “Edit” to specify the Activities & Constraints that need protection/control (Ex: create, delete, share, etc.)
6. Select “Add Criteria” to add additional destination criteria (such as App Tagging)
7. Choose an action (Alert, Allow, Block, By-Pass, etc.)
8. Give the policy a name
9. (Optional) Provide a description for this policy
10. (Optional) Email Notifications (None, Every Event, 30 mins, 60 mins, 6 hours, 24 hours).
Preparing Your Organization for Change
Introducing new Inline Policy to an Organization
Ensuring a Smooth Policy Roll-Out to your Organization:
- Create a Documented Acceptable Use Policy (AUP)
- Ensure an Escalation/Exception process is in place and followed throughout the roll out process
Monitoring Phase - Steer traffic to your tenant
TSM
Monitor: Steer traffic to tenant
Alert: alert Netskope admins on particularly risky behavior (covered later)
Coaching: create policy that will inform users of risky behavior
Blocking: enable policy blocking to enforce company policy
Monitoring Phase Part 2 - Involve Key Departments
• As an organization moves from monitoring user traffic to actually alerting and coaching users on violations, it is important to involve key stakeholders
• Create SOC / Help Desk processes and inform executives of upcoming changes
– It is important that key departments understand the changes that users (from Executives to Individual Contributors) will be experiencing
– An example of a SOC process would be to follow a naming convention, such as appending [pre-prod] and [prod] to policy names, to differentiate policies
– Follow a naming convention like [pre-prod] and [prod] in policy names to differentiate policies and filter active channels
User Alerting and Coaching Phases - Involve the Entire Organization
• In the previous phase, we informed key operational departments of the upcoming changes users will see while performing their day-to-day activities
• Before we actually transition the policies and change the user experience, we need to communicate the upcoming change to the entire organization
– Create a User Awareness Campaign - very important to dispel FUD
• A note from Executives on the new program eases user pushback against the new control.
– Some customers also create an internal wiki that they link in the user alert to reduce user questions about the new control.
• Important - Only provide as much detail as needed and no more. Never include actual policy logic, as this can be used by malicious actors to work around controls.
Blocking Phase - Real Time Prevention
• After policies have been in User Alerting and Coaching mode, you will see drastic changes to user behavior (for the good!). Now it’s time to move the policies for certain high-risk (prevent malware and data loss) and unacceptable (browsing inappropriate websites) activities to blocking mode
– Ex. Upload of a sensitive document to a Cloud Storage App
• IP - <ORG> Secret, TS, Design Documents
• Customer Databases
• Form data – DD214 member B, Medical Documentation
• Controlled Documents
• Offensive and productivity-killing web browsing
Structuring Real-time Protection Policies
Best Practice - Structuring Real-time Protection Policies
1. Threat Protection (High risk)
2. Utility Policies
3. Remote Browser Isolation (RBI)
4. CASB (Activity Oriented)
5. Web (Category Based)
6. Netskope Private Access (NPA)
Threat protection policies should block high risk behaviors, such as downloading malware or uploading sensitive data to an unsanctioned application. Broader access control policies should sit towards the bottom of the policy list.
● Allow list business critical applications
● Block list predefined high risk categories and IOCs.
● Leverage the Netskope REST API to maintain URL lists.
Policy list order, more specific to less specific: Threat > Utility > RBI > CASB > Web
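Added example (not Netskope code): a Python lint for an exported rule base that checks the tier order recommended above and flags rules that can never fire because an earlier, broader rule already covers every condition they test. The bracketed tier prefix in policy names ([Threat], [Utility], ...) is an assumed convention following the deck's naming advice, and the rule base with its two deliberate mistakes is constructed.

```python
"""Added example, not Netskope code: a lint for an exported rule base that
checks the recommended tier order and flags rules an earlier rule makes
unreachable. Rule names, criteria and the tier tag convention are assumed."""

TIER_ORDER = ["Threat", "Utility", "RBI", "CASB", "Web", "NPA"]


def tier_of(rule):
    """Read the tier from a bracketed name prefix such as '[Threat] ...'.
    The prefix convention is assumed, following the deck's naming advice."""
    name = rule["name"]
    if name.startswith("[") and "]" in name:
        tag = name[1:name.index("]")]
        if tag in TIER_ORDER:
            return tag
    return None


def covers(broad, narrow):
    """True when any traffic matching `narrow` would already have matched
    `broad`: for every criterion, broad is Any (empty) or a superset."""
    for key in set(broad["criteria"]) | set(narrow["criteria"]):
        b = broad["criteria"].get(key, set())
        n = narrow["criteria"].get(key, set())
        if b and (not n or not n <= b):
            return False
    return True


def lint(rules):
    """Return human-readable findings: tier misplacement and shadowed rules."""
    findings = []
    seen = []
    for i, rule in enumerate(rules):
        tier = tier_of(rule)
        if tier is None:
            findings.append(f"{rule['name']}: no tier tag in name")
            continue
        rank = TIER_ORDER.index(tier)
        below = [t for t in seen if TIER_ORDER.index(t) > rank]
        if below:
            findings.append(f"{rule['name']}: {tier} rule placed below {below[-1]} rule")
        seen.append(tier)
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(f"{rule['name']}: shadowed by '{earlier['name']}', never reached")
                break
    return findings


def reorder_by_tier(rules):
    """Stable sort by tier; order inside a tier is kept, so shadowing must
    still be fixed by hand (exception above the block it exempts)."""
    return sorted(rules, key=lambda r: TIER_ORDER.index(tier_of(r)) if tier_of(r) else len(TIER_ORDER))


# Constructed rule base with two deliberate mistakes.
RULEBASE = [
    {"name": "[Threat] Block Security Risk Categories", "action": "Block",
     "criteria": {"categories": {"Security Risk"}}},
    {"name": "[Utility] Block DNS over HTTPS", "action": "Block",
     "criteria": {"apps": {"DNS over HTTPS"}}},
    {"name": "[CASB] Block uploads to Cloud Storage", "action": "Block",
     "criteria": {"categories": {"Cloud Storage"}, "activities": {"Upload"}}},
    {"name": "[CASB] Allow finance uploads to Box", "action": "Allow",   # shadowed by the block above it
     "criteria": {"groups": {"finance"}, "categories": {"Cloud Storage"}, "activities": {"Upload"}}},
    {"name": "[Web] Coach on Gambling", "action": "Coach",
     "criteria": {"categories": {"Gambling"}, "activities": {"Browse"}}},
    {"name": "[Threat] Allow Security Risk Category Exception", "action": "Allow",   # Threat rule at the bottom
     "criteria": {"categories": {"Security Risk Exceptions"}}},
]

if __name__ == "__main__":
    for line in lint(RULEBASE):
        print("before:", line)
    for line in lint(reorder_by_tier(RULEBASE)):
        print("after tier sort:", line)
```

Sorting by tier fixes the misplaced Threat exception but not the shadowed finance exception, which still sits below the block it was meant to exempt; that one has to be moved up by hand, in line with “block with exceptions at the top”.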
[Diagram: policy tiers and their matching granularity]
Threat - Block / Scan / Allow
Utility
CASB Tools - Instance ID, App, Category Sanctioned, Category Personal, Category Unsanctioned, Low / Poor CCL
Web - Category Level Policy
Real-time Protection - Threat Policies
Best Practice: Threat Policies - Overview
Best Practice Policies - High Risk Categories
In almost all situations these risk categories should be blocked
Create a custom category to include the predefined high risk categories, Global Deny URL, and security risk exception URL Lists
Threat Protection Policy: Block Security Risks
Source - Any
Destination - Custom Category that contains all security risk subcategories, parent security risk category, global deny url list, and security risk exceptions
Activity - Any
Profile/Action: Block ; Template of your choice
Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll out and tuning. Example - [Test] Threat Protection Policy or [Threat] Block Security Risk Categories
Best Practice Policies - Threat Protection: File Profile
Customize your Threat Protection Profile, by creating a “File Profile”
This will enable you to create additional controls for known good and bad files.
Common use cases are:
● Allow list of business critical applications and/or false positives by file hash, type, object id, file size, and/or encryption
● Block list of known file types, hashes, and IOCs
Best Practice Policies - Threat Protection: TP Profile
● Now you can include your new File Filter Profiles within a new Threat Protection (TP) Profile
● Creating multiple File Filters allows you to create exceptions for different business units.
Best Practice Policies - Threat Protection : Block Malware
● Source - Any
● Destination - All Categories (CC)
● Activity = Download & Upload
● Profile: Custom Malware profile (with File Profiles) or Default Malware Scan
○ Set all severities to Block
● Email notification after each event
Best Practice Policies - Threat Protection: Risk Exception
● Source : Depending on Business use case of exception
● Destination: Custom Category (URL list of exception to the security risk categories)
● Action : Allow
● Name: [Threat] Allow Security Risk Category Exception
Real-time Protection - Utility Policies
Best Practice: Utility Policies - Overview
Best Practice Policies - Policy Replication Sync
When a Netskope administrator applies a Real-time Protection policy change in the Netskope UI, those changes are replicated across the NewEdge data plane. Replication is generally complete within five minutes, but there are times where replication can take a prolonged period of time.
To confirm which policy is active, a user notification can be configured to inform the administrator which version of the policy is currently being applied through the POP within the NewEdge data plane being used.
For more information and configuration please visit: https://support.netskope.com/hc/en-us/articles/360047227794-How-to-Test-a-Real-time-Protection-Policy-Change-Runbook
Best Practice Policies - DNS over HTTPS
DNS over HTTPS is not a supported protocol for Netskope steering (CASB/NGSWG/NPA) and can be abused by malicious actors. Therefore, we need to ensure that we configure a policy to steer and block this traffic.
Source - Any
Destination - Cloud App: DNS Over HTTPS (do not press “Edit”; leave as “Any”)
Action - Block: No notification *This will not prompt the user*
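Added example (not Netskope code): a Python check that picks DNS-over-HTTPS requests out of proxy log lines, which is useful for confirming that the steer-and-block policy above is actually seeing this traffic. The log format and every line in it are constructed; the `application/dns-message` media type, the `/dns-query` path and the `dns=` query parameter come from RFC 8484, and the resolver host list is a deliberately short, partial set of well-known public resolvers.

```python
"""Added example, not Netskope code: spotting DNS-over-HTTPS requests in
proxy logs so the steering and block policy above can be verified.
The log format and every line in it are constructed for this example."""
import csv
import io
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"      # RFC 8484 wire-format media type
DOH_PATH = "/dns-query"                         # RFC 8484 URI template path
# Partial list of well-known public resolvers; extend from your own intel sources.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}

# Constructed proxy log: one normal page, three DoH requests, one look-alike path.
SAMPLE_LOG = """\
ts,user,method,url,content_type,accept
2021-06-01T10:00:00Z,alice,GET,https://www.example.com/index.html,text/html,text/html
2021-06-01T10:00:01Z,alice,POST,https://cloudflare-dns.com/dns-query,application/dns-message,application/dns-message
2021-06-01T10:00:02Z,bob,GET,https://dns.google/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB,,application/dns-message
2021-06-01T10:00:03Z,bob,GET,https://intranet.example.com/dns-query-guide.html,text/html,text/html
2021-06-01T10:00:04Z,carol,POST,https://resolver.example.net/dns-query,application/dns-message,
"""


def doh_indicators(method, url, content_type, accept):
    """Return the list of reasons a request looks like DoH (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if DOH_MEDIA_TYPE in (content_type, accept):
        reasons.append("dns-message media type")
    if parts.path == DOH_PATH:   # exact path, so /dns-query-guide.html is not a hit
        reasons.append("well-known /dns-query path")
    if method == "GET" and "dns" in parse_qs(parts.query):
        reasons.append("dns= wire-format query parameter")
    if parts.hostname in KNOWN_DOH_HOSTS:
        reasons.append("known public DoH resolver")
    return reasons


def find_doh(log_text):
    """Return (user, host, reasons) for every log row with at least one indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = doh_indicators(row["method"], row["url"], row["content_type"], row["accept"])
        if reasons:
            hits.append((row["user"], urlsplit(row["url"]).hostname, reasons))
    return hits


if __name__ == "__main__":
    for user, host, reasons in find_doh(SAMPLE_LOG):
        print(f"{user:6} {host:25} {', '.join(reasons)}")
```

The unknown resolver on the last line is still caught by the media type alone, which is the indicator to lean on: host lists go stale, while the RFC 8484 content type is what every wire-format DoH client has to send.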
Real-time Protection - Active CASB Policies
Best Practice: Active CASB Policies - Overview
Sanctioned Instance - For supported Apps
Note: you have to tag the instance before you can set an instance ID policy. Query for events that carry an instance ID: instance_id !~ 'NULL'
Source - Any
Destination - Sanctioned App Instance
Activities - All Supported Actions
Profile/Action: Allow
Traffic Action - Not Set
Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll out and tuning. Example - [Test] Threat Protection Policy
Instance ID Support
- P1 Apps Supported - Please work with your TSM to understand the scope
- Regularly testing instance efficacy
- Activities (login, upload, download, post, share, send)
- Other activities also should work for instance ID, but we are not regularly testing it.
- Activities Not Supported (Browse, Formpost, etc) - For Web tenants, App and Category Level blocks with no Activities specified in the policy will come into play for these activities unless you explicitly define Allow policies for them.
- We add Instance ID to events for 100+ apps - These are not regularly tested and may have limited activity support.
- Malformed instance IDs and/or minor Instance ID deviations do occur occasionally and will need to be manually tagged and added to policy while working with support to enhance the product to handle the ever changing nature of these app flows.
Block Non-Corporate Logins to Sanctioned Suite
Source - Any
Destination - Sanctioned App Suite
Activities - All Login Activities
From User Constraint - Non-Corporate Domains i.e. Not *@netskope.com
Profile/Action: Block
Traffic Action - Not Set
Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll out and tuning. Example - [Test] Threat Protection Policy
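Added example (not Netskope code): Python that evaluates login and activity events against the two CASB policies described on these slides (allow activity on the tagged sanctioned instance; block logins to the sanctioned suite from non-corporate accounts) and handles the NULL or malformed instance ID case from the Instance ID Support slide. The suite, instance IDs, activity names and sample events are constructed; only netskope.com as the corporate domain comes from the slide. The block rule is placed above the broad instance allow so the exception is not swallowed, following the ordering advice earlier in the deck.

```python
"""Added example, not Netskope code: evaluating login and activity events
against the sanctioned-instance and non-corporate-login policies above.
Suite, instance IDs, activity names and the sample events are constructed;
only netskope.com as the corporate domain comes from the slide."""

SANCTIONED_SUITE = {"Office 365 Suite", "SharePoint Online"}      # constructed app names
SANCTIONED_INSTANCE_IDS = {"contoso.onmicrosoft.com"}             # constructed, already tagged
CORPORATE_DOMAINS = {"netskope.com"}
LOGIN_ACTIVITIES = {"Login Attempt", "Login Successful"}          # assumed activity names


def user_domain(address):
    """Domain part of an address, lower-cased; None if there is no '@'."""
    if "@" not in address:
        return None
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    return domain or None


def is_corporate(address):
    # Exact domain match: 'evilnetskope.com' or 'netskope.com.example' must not pass.
    return user_domain(address) in CORPORATE_DOMAINS


def normalize_instance_id(raw):
    """Mirror the instance_id !~ 'NULL' filter: NULL, empty or whitespace
    means the event carries no usable instance ID."""
    if raw is None:
        return None
    value = raw.strip().lower()
    return None if value in {"", "null"} else value


def decide(event):
    """Return (action, reason). The non-corporate login block sits above the
    broad sanctioned-instance allow so the exception is not swallowed."""
    app = event["app"]
    activity = event["activity"]
    instance = normalize_instance_id(event.get("instance_id"))
    if (app in SANCTIONED_SUITE and activity in LOGIN_ACTIVITIES
            and not is_corporate(event.get("from_user", ""))):
        return "Block", "[CASB] Block Non-Corporate Logins to Sanctioned Suite"
    if instance in SANCTIONED_INSTANCE_IDS:
        return "Allow", "[CASB] Allow Sanctioned Instance"
    if app in SANCTIONED_SUITE and instance is None:
        # Not a policy action: an analyst flag for the manual-tagging case on the previous slide.
        return "Review", "instance_id missing or malformed; tag the instance before relying on instance policy"
    return "Allow", "<no policy matched>"


# Constructed events; only the fields used here are shown.
EVENTS = [
    {"app": "Office 365 Suite", "activity": "Login Attempt", "from_user": "Alice@NETSKOPE.COM", "instance_id": "contoso.onmicrosoft.com"},
    {"app": "Office 365 Suite", "activity": "Login Attempt", "from_user": "alice@evilnetskope.com", "instance_id": "contoso.onmicrosoft.com"},
    {"app": "Office 365 Suite", "activity": "Login Attempt", "from_user": "bob@personal-mail.example", "instance_id": "NULL"},
    {"app": "SharePoint Online", "activity": "Upload", "from_user": "carol@netskope.com", "instance_id": "contoso.onmicrosoft.com"},
    {"app": "SharePoint Online", "activity": "Upload", "from_user": "carol@netskope.com", "instance_id": "NULL"},
    {"app": "Box", "activity": "Upload", "from_user": "dave@netskope.com", "instance_id": ""},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["app"], e["activity"], e["from_user"], "->", decide(e))
```

The domain check is an exact match on the part after the last `@`, not a suffix or substring test; `evilnetskope.com` is the constructed case that a sloppy `endswith("netskope.com")` would wrongly treat as corporate.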
App Tag Based Policy
Source - Any
Destination - App Tag - Sanctioned
Profile/Action: Allow - Download + Upload
Traffic Action - Not Set
Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll out and tuning. Example - [Test] Threat Protection Policy
CCL Based Policy
Source - Any
Destination - Select All - Predefined CASB Categories or Define Custom Category on CASB Categories
Profile/Action: Block - Upload
Name - Customer discretion, but a naming convention can be useful to differentiate between production and test policies during roll out and tuning. Example - [Test] Threat Protection Policy
Real-time Protection - Web Policies
Best Practice: Web Policies - Overview
Best Practice Policies - Block AUP Categories
By leveraging the Custom Categories and User Notifications we can block access to inappropriate sites and present the end user with a coaching message.
The message presented to the end user can be customized to contain information as to why the URL was blocked and even redirect them to the AUP.
You can also prompt the user to provide a justification.
Add mailto and links so the end user can open a ticket for FP / TP
Common Web Categories Used with AUP-Policy
● Child Abuse
● Abortion
● Gambling
● Dating
● Drugs
● Weapon
● Aggressive
● Criminal Activities
● Piracy & Copyright Theft
● Chat, IM & other communication
● Web Proxies/Anonymizers
Best Practice Policies - How to configure AUP / UA
Combine all AUP categories into a custom category, exclude the global allow list and then leverage this new “Prohibited Websites” category in your Real-Time Protection policies!
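Added example (not Netskope code): Python that assembles the “Prohibited Websites” category described above as the union of AUP category lists minus the global allow list, then matches URLs against it. The category contents and the allow list are constructed (real tenants use the predefined categories); the points it shows beyond the sentence are normalisation of mixed entries (bare domains, full URLs, trailing dots, mixed case), allow list precedence, and matching on host or subdomain rather than substring.

```python
"""Added example, not Netskope code: assembling a 'Prohibited Websites'
custom category from AUP category lists minus the global allow list, and
matching URLs against it. Category contents and the allow list are constructed."""
from urllib.parse import urlsplit


def hostname_of(entry):
    """Normalise a list entry or URL to a lower-case hostname."""
    entry = entry.strip().lower()
    if "://" not in entry:
        entry = "//" + entry            # let urlsplit treat a bare domain as a netloc
    return (urlsplit(entry).hostname or "").rstrip(".")


def build_custom_category(category_lists, global_allow):
    """Union of all AUP categories with allow-listed hosts removed.
    Returns (prohibited, allow) as sorted lists of hostnames."""
    allow = {hostname_of(e) for e in global_allow}
    members = set()
    for entries in category_lists.values():
        members |= {hostname_of(e) for e in entries}
    return sorted(members - allow), sorted(allow)


def domain_matches(host, listed):
    """Exact host or a subdomain of it; never a bare substring match."""
    return host == listed or host.endswith("." + listed)


def is_prohibited(url, prohibited, allow):
    """Allow list wins first (so approved sub-sites stay reachable), then the category."""
    host = hostname_of(url)
    if any(domain_matches(host, a) for a in allow):
        return False
    return any(domain_matches(host, p) for p in prohibited)


# Constructed category contents; real tenants use the predefined categories.
AUP_CATEGORIES = {
    "Gambling": {"bet.example", "https://casino.example/lobby"},
    "Web Proxies/Anonymizers": {"proxy.example", "Hidemy.Example."},
    "Chat, IM & other communication": {"chat.example", "collab.example"},
}
GLOBAL_ALLOW = {"collab.example"}     # the sanctioned collaboration tool stays reachable

PROHIBITED, ALLOW = build_custom_category(AUP_CATEGORIES, GLOBAL_ALLOW)

if __name__ == "__main__":
    print("Prohibited Websites:", PROHIBITED)
    for url in ("https://www.bet.example/sports", "https://app.collab.example/", "https://notbet.example/"):
        print(url, "->", "block" if is_prohibited(url, PROHIBITED, ALLOW) else "allow")
```

`notbet.example` is the case a substring check would block by mistake; `domain_matches` only accepts the listed host itself or a label-boundary subdomain of it.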
Best Practice Policies - Silent Ad Blocking
● Block Online Ads with a silent block to reduce advertising noise while not impacting the user experience.
● The category must be Online Ads.
● The activity must be Browse only.
If the category is configured for only Online Ads and the Activity for just Browse, then the Block action will have the option to alert with None (No Notification).
This rule will block any URL that is classified as an online ad and render the HTML around it to ensure the user experience is not negatively impacted.
HTTP Header Based Policies
HTTP headers have been very popular among admins who want to create granular policies based on the value of a header. In addition, many SWG prospects who are looking to migrate from competitors to Netskope have been using header-based policies to restrict or allow access to resources. For example, allow access to abc.com only when referred by mycompany.com.
Netskope is introducing HTTP header-based policies in R81 that can read the value of a header and enforce the admin-configured policy. This will help in reducing friction for both pre- and post-sales cycles and allow customers to on-board our product more swiftly. The feature is available for both Web and CASB Inline tenants.
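Added example (not Netskope code, and not a description of how the R81 feature is implemented): the Referer rule from the text, “allow access to abc.com only when referred by mycompany.com”, evaluated in Python the way a header policy should be, on the parsed referring host rather than on a substring of the raw header. The request dictionaries are constructed; abc.com and mycompany.com are the hosts the text uses.

```python
"""Added example, not Netskope code: the Referer-based rule from the text
evaluated on the parsed referring host. Requests and headers are constructed."""
from urllib.parse import urlsplit


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def same_site(host, site):
    """host is site itself or a subdomain of it (label boundary, not substring)."""
    return host is not None and (host == site or host.endswith("." + site))


def evaluate_referer_policy(request_host, headers,
                            protected="abc.com", allowed_referer="mycompany.com"):
    """Return (action, reason) for one request to request_host."""
    if not same_site(request_host, protected):
        return "Allow", "destination not covered by this policy"
    referer = header(headers, "Referer")
    if not referer:
        return "Block", "no Referer header"
    ref_host = urlsplit(referer).hostname    # parse the URL; never search the raw string
    if same_site(ref_host, allowed_referer):
        return "Allow", f"referred by {ref_host}"
    return "Block", f"referred by {ref_host or 'unparsable Referer'}"


# Constructed requests: (destination host, request headers).
CASES = {
    "portal link": ("abc.com", {"Referer": "https://intranet.mycompany.com/portal"}),
    "direct visit": ("abc.com", {"User-Agent": "x"}),
    "look-alike host": ("abc.com", {"referer": "https://mycompany.com.evil.example/"}),
    "other site": ("news.example", {"Referer": "https://search.example/"}),
}

if __name__ == "__main__":
    for label, (host, hdrs) in CASES.items():
        print(f"{label:15} -> {evaluate_referer_policy(host, hdrs)}")
```

The look-alike case is why the check parses the hostname and compares on a label boundary: the string `mycompany.com` appears inside the Referer, but the referring host is not mycompany.com. Referer is supplied by the client, so a rule like this is an access-hygiene control for navigation paths, not an authentication boundary.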