Endpoint DLP - Netskope Customer Zero Best Practices

  • 8 August 2023
  • 0 replies

Userlevel 3
Badge +10

Netskope Endpoint Data Loss Prevention (Endpoint DLP) provides data protection at the endpoint by utilizing Netskope cloud DLP capabilities. You can use Endpoint DLP to monitor and govern USB storage devices connected to your endpoint. Endpoint DLP is an optional add-on capability to the Netskope Client and does not require deploying and managing a separate client or agent on the endpoint.


With Endpoint DLP, you can create Device Control and Content Control policies. Device Control policies enable granular control over which devices are allowed and which users can access them. Whereas, Content Control policies enable the full use of  Netskope DLP profiles and rules to inspect and control data movement between an endpoint and a USB mass storage device.

To avoid user interaction during deployment, please ensure that full disk access is enabled for all Mac OS systems for which the endpoint DLP service would be deployed. 


Within the Customer Zero team, we have deployed endpoint DLP policies in the following manner to monitor and secure data movement between Netskope managed devices and unmanaged endpoint devices (USBs, hard-disks, etc).


Device Control Policies

Device control policies help define granular control over what are allowed devices, and which users can access them. 

  • In the generic USB-Device-Control-Allow policy, users are allowed both read and write actions on the endpoint device. 
  • The [Offboarding Users] Read-Only USB device control policy was created with an intention of restricting read-only access to USB devices plugged into Netskope managed devices. The offboarding users group is specific group created for users serving their notice period, and this period is rather too important to monitor and prevent data leaks if any. 
  • In case of malicious USB devices, we have created certain constraints to block USBs with specific serial numbers from being plugged into managed devices, to protect managed devices and confidential corporate information from external threat actors. 



Content Control Policies


Content Control Policies help leverage Netskope DLP capabilities to inspect and control data movement between managed endpoints and external storage devices. 


  1. We have implemented sensitive data leak check with user alert as part of awareness and coaching efforts to avoid transferring files with personal information. User alert is a suitable action for our use case, in the sense that many users typically transfer their payslips and other personal financial information from their managed endpoints to their personal data storage devices, and user alert would help in coaching the users about their activities, instead of outright blocking the actions. 
  2. We also have implemented a file origin policy to restrict files downloaded from our sensitive SaaS apps from being transferred to personal storage devices.
  3. We have leveraged specific DLP keywords into a profile and blocked data movement involving files containing those keywords. 




The Incidents -> DLP is a good place to monitor Endpoint DLP incidents and alerts in the Netskope tenant. It gives a detailed summary of DLP incidents that triggered the content control policies for Endpoint DLP, along with forensics (if configured). Forensics help in concluding whether the alert is a false positive or not, and also helps finetine our DLP rules accordingly. 





We hope this helps other Netskope admins and CISO groups to outline Endpoint DLP policies and craft them aligning with your use cases. We are also interested in getting your insights on how you have deployed Endpoint DLP in your organization. Please let us know if you have any questions or concerns.

0 replies

Be the first to reply!