
As a security architect or as a Netskope admin it is sometimes tempting to configure controls that are too broad, especially when a tool's UI makes it easy for you to do so. :) Think of the implications of broader controls from an operations point of view.

 

Think of some of the side effects: false positives, missed true positives, and a barrage of DLP incidents in your queue, to name a few. A seasoned DLP admin will have stories of the painstaking work of managing those incidents: preserving chain of custody using Legal Hold and Forensic folders, determining the right storage of choice, and then the cost of storing files and metadata that may or may not make sense without a good DLP program in place.

 

Here are some questions you might want to ask your DLP team, compliance team, or the sponsor of the DLP program to get a discussion started on this topic:

 

The UI allows me to apply DLP to "All Web Categories"; should I go ahead and create such a broad DLP policy, though?

 

Answers to the questions below will help your team minimize incident sprawl and control the exfiltration of what is important to your organization.

 

  • Do you have a DLP program or compliance program in your org? If the answer is "no", have the sponsor at least share a broad vision of what you are trying to protect.
  • How are you treating your DLP incidents currently?
  • What are your compliance liabilities? e.g. GDPR, PCI, PII. Refer to this link to see how Netskope DLP can help.

 

Indeed, Netskope real-time protection (aka inline) policies allow you to select DLP for "All categories". I recommend the following order of operation:

  • Enable your CASB policies such that initially you are discovering your critical apps.
  • Determine the right DLP profiles (depending upon your compliance liabilities).
  • Use Netskope Risk Insights discovery to understand the critical CASB apps discovered in your SaaS sprawl.
  • Then expand to specific, broader cloud app or web categories.
  • Through this journey and beyond, use Netskope CCI to maintain your security posture with an annual or quarterly Risk Insights discovery.
  • As you define policies, be aware of the activities and profiles you will be selecting. Be sure to check the supported categories within a policy.

 

Pro tip: After you save a DLP policy, the Netskope policy UI lets you view the supported activities for the selected categories before committing the change, as shown in the attached images.

 

Although Netskope can do cloud app discovery using a dedicated appliance, use the Netskope Client instead: it is more convenient, quicker to deploy, and more efficient than streaming your proxy or firewall logs to an appliance.

 

As you will notice in the screenshot, some categories are very broad. Cloud Storage, for example, contains a great many individual apps and may have more activities that Netskope can detect than other categories do. So the next question is:

Why enable DLP on categories where it doesn't make sense, e.g. a category that is blocked by a higher policy or is not allowed to be accessed at all, or on an activity that will be blocked anyway, e.g. Comment for Social Media or Form Post for a blocked app?

To summarize: apply access control before DLP. It will cut down the noise and allow you to roll out faster. DLP can take time to mature, and it can slow down the deployment if the deployment team gets busy correlating incidents before your product is rolled out to your org.
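To make the ordering argument concrete, here is a small policy-evaluation model added for this post (not Netskope code, and not the product's actual evaluation logic). It assumes top-down, first-match evaluation, a DLP policy that only matches when its profile triggers, and constructed sample traffic; the app names, policy names, and the crude card-number regex standing in for a PCI profile are all made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a PCI DLP profile: a crude 16-digit card-number pattern.
PCI = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")

@dataclass
class Request:
    category: str   # e.g. "Cloud Storage", "Social Media"
    app: str
    activity: str   # e.g. "Upload", "Post"
    content: str

@dataclass
class Policy:
    name: str
    categories: set                 # {"*"} = all categories (the broad setting)
    activities: set                 # {"*"} = all activities
    action: str = "Block"
    apps: Optional[set] = None      # None = any app in the category
    dlp: bool = False               # DLP policy: matches only when the profile triggers
    def matches(self, r: Request) -> bool:
        return (("*" in self.categories or r.category in self.categories)
                and ("*" in self.activities or r.activity in self.activities)
                and (self.apps is None or r.app in self.apps)
                and (not self.dlp or PCI.search(r.content) is not None))

def evaluate(policies, traffic):
    # Assumed model: top-down, first match wins; unmatched traffic is allowed.
    # Returns (DLP incidents raised, card-bearing requests that were allowed out).
    incidents = leaks = 0
    for r in traffic:
        hit = next((p for p in policies if p.matches(r)), None)
        incidents += bool(hit and hit.dlp)
        leaks += bool((hit is None or hit.action == "Allow") and PCI.search(r.content))
    return incidents, leaks

CARD = "expense report 4111 1111 1111 1111"   # constructed sample content
TRAFFIC = [Request("Social Media", "SocialApp", "Post", CARD),
           Request("Cloud Storage", "PersonalDrive", "Upload", CARD),
           Request("Cloud Storage", "SanctionedBox", "Upload", CARD),
           Request("Cloud Storage", "SanctionedBox", "Upload", "offsite agenda")]

BLOCK_SOCIAL = Policy("block-social-post", {"Social Media"}, {"Post", "Form Post"})
ALLOW_SANCTIONED = Policy("allow-sanctioned-upload", {"Cloud Storage"}, {"Upload"}, "Allow", {"SanctionedBox"})
BLOCK_UPLOADS = Policy("block-other-uploads", {"Cloud Storage"}, {"Upload"})
DLP_BROAD = Policy("dlp-pci-all-categories", {"*"}, {"*"}, dlp=True)
DLP_SCOPED = Policy("dlp-pci-sanctioned-upload", {"Cloud Storage"}, {"Upload"}, apps={"SanctionedBox"}, dlp=True)

def compare():
    broad = evaluate([DLP_BROAD, BLOCK_SOCIAL, ALLOW_SANCTIONED, BLOCK_UPLOADS], TRAFFIC)
    scoped = evaluate([BLOCK_SOCIAL, DLP_SCOPED, ALLOW_SANCTIONED, BLOCK_UPLOADS], TRAFFIC)
    return {"broad": broad, "scoped": scoped}   # -> {"broad": (3, 0), "scoped": (1, 0)}
```

Both orderings stop every card-bearing request, but the broad "All categories" DLP policy raises three incidents for traffic the access-control policies would have blocked anyway, while the scoped ordering raises one, on the single upload a user was actually allowed to make.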

 

If you are a small org you may not have a dedicated team for DLP or compliance. I am sure this post will help you define the right DLP policies and decide how to order them.

 

Netskope DLP:

https://docs.netskope.com/en/data-loss-prevention.html

Netskope CCI:

https://docs.netskope.com/en/understand-the-risk-of-cloud-services-utilization-by-leveraging-cci.html

https://docs.netskope.com/en/provide-a-risk-assessment-of-a-cloud-service-using-cci.html

Netskope Web Categories and sample URLs:

https://docs.netskope.com/en/category-definitions.html

 

Hi @MM_NS, thank you for sharing with the Netskope Community.


@MM_NS I understand the crux of the article is to guide admins to be more surgical in their approach to DLP scanning which I agree is a best practice. I just wanted to clarify one point concerning "All Web Traffic":

"Indeed you can do this but would you? Real time policies do allow you to select DLP for "All categories". It also allows you to select DLP for "Any Web Traffic" under real time policies, I though recommend the following order of operation:"

Today, when you select "Any Web Traffic", profile selection is disabled. The UI doesn't allow you to use "Any Web Traffic" in conjunction with threat or DLP. You can, however, manually select all categories, which, as you mentioned, is not a good idea.

Thanks for a great article!


Thanks @mpray for reviewing. Changed "all web traffic" to "all web categories" and added some screenshots.

