Blog

Best Practices for password protection using Netskope DLP

  • 21 May 2024
  • 0 replies
  • 155 views
Best Practices for password protection using Netskope DLP
Userlevel 4
Badge +10

The Data Loss Prevention product at Netskope offers a wide variety of options to customize and deploy rules that can be used in Realtime, API protection, SMTP proxy and Endpoint policies. The granular level of detailing helps information security engineers to fine tune the rule as much as possible to avoid false positives and false negatives. The same approach applies for password protection too. Passwords act as the first line of defense against unauthorized access. Strong password protection is essential for safeguarding company data, maintaining compliance, and preventing unauthorized access. 

In the customer zero program at Netskope, our team has been extensively working on training the DLP rules, analyzing the false positive incidents, ensuring that the DLP rules cover different types of passwords (common, contextual, secure and so on) by actively collaborating with the relevant product teams. After some intensive training and testing, here’s the recommended DLP rule for password protection which has helped prevent the exposure of passwords to unintended audiences. 

 

L5G4tTUGKwkHqvC_BLnddHMPTR6MsM-fMdbmxt93WfnJxw0vQUYsRRY9Rp6T9dvqIcgs7V9G-t4uZwR3Z2GEn2ZHDGNdz-V8uZnTVmibAAaR1R6ugQo_j_MFCOBIaTIDYHtpbi6Ig_VmAyc6onuZML4

 

This rule ensures the following types of passwords are detected by the DLP engine:

  • Contextual passwords like mysql_root_password=abcd1234, password: lightsaber and so on.
  • Common passwords like 123123, passwOrd, wizard1.
  • Secure passwords which include a combination of alphabets, numbers and symbols. 

Sometimes, when this DLP rule is applied for SMTP proxy policies where passwords sent in emails can be detected and stopped, it can also trigger alerts for calendar invites that may contain passcodes for joining virtual meetings. With that in mind, we can modify this a little further to not detect such email forwards. 

For this use case, we can create a dictionary of words or sentences that are part of such calendar invites. 

 

iTueb02wxobugt1JpnZxREsOMMXeTF4FiOvStSTSSMMA2Ou-llN02Iil-0k7B6BgzimLf7WEjMTkD6ifiwCuwPyugeb7ItzT42zTPIkIxHGEydNzivxfYF6qRVuxFGdB_b3rnD81WWEGYbz_lJHXkc8

 

This csv file can be uploaded as a dictionary (case insensitive) under DLP profile -> DLP rules -> Entities.

 

jQ1AEx9m5w6NqP3LQeoFGlFbvoAjzVCs9Kp3ey15sJSj0Ycu--Xp83Rm_fWuYTt528pzO8A0pNiIOhUgbhUQx3RmnDP8VD5nER4rLveClLHuv8ExnHwNvjI7biGLl2_JcIXHpYbjkED0NO4iJslgK3I



The dictionary entity can then be used in the DLP rule in the format listed below:

 

itPD-XQTPTul_bR-1vToZzVsJP8O9P2RHOj4mEdZ6RmVT17m0hGUYNjAn-mPRp2VzXPvFKUM6Tn9kVm4W7mCCy6AXwuSroTdwQgDQQ8WJAsLu70sI6nIqaBJIMTnbqW1JFMhBx_h8_5cJI--iKHuXjY

From here, this DLP rule can be used in different policies according to specific use cases. 

 

We would love to hear your feedback regarding this approach.

 


0 replies

Be the first to reply!

Reply