A best practices recommendation guide from Netskope’s Customer Zero team
The Customer Zero team is glad to share with the security community some of the best practices behind how we protect critical applications and data at Netskope. In this blog post, we look at how we brought the security posture score of several SaaS apps to an excellent level using Netskope's SaaS Security Posture Management (SSPM) product. SSPM continuously evaluates the security posture of connected SaaS applications and ensures that they are configured securely and in compliance with regulatory requirements and frameworks such as GDPR, ISO, NIST and CSA.
Step 1: Set up the SSPM policies
Netskope Security administrators can set up policies under Security Posture based on the configurations and settings they want to assess. The product also comes with a predefined set of policies that can be used as a baseline to start the process.
Step 2: Establish communication with the SaaS app admins
SaaS app admins are the key resources for remediating failed security assessment findings and improving the posture score. Hence, it is important to set expectations early and establish a process that ensures rules are remediated on a regular basis. In the Customer Zero program, we hold weekly syncs with app admins to make sure all of us are on the same page when it comes to rule remediation. The app admins are also given appropriate view permissions so they can see the failed findings in the Netskope admin console. Some admins may ask for weekly reports with failed findings and remediation details to be sent to their email. This process is all about understanding what works best for the Netskope admins and the SaaS application admins after a few initial rounds of testing and feedback gathering.
It also helps to acknowledge that multiple perspectives and points of view are quite normal when working together on improving the security posture. Application admins have a detailed, in-depth understanding of the SaaS application concerned, while Netskope Security admins have a good understanding of the SSPM rules, findings and rule remediation workflows. Both perspectives come in handy for improving the security posture of applications over time.
Step 3: Prioritize the remediations based on severity and risk
Let's face it: when you start remediating the failed findings of SSPM rules, it can get quite overwhelming. It may be hard to decide what to remediate and when. The severity field of the findings is a savior in such scenarios.
The recommended approach is to start with Critical and High severity rules, and to gather feedback from app admins about the rules in this category, since not all of them may be relevant to our environment or configuration setup. The nuances of each rule, and the risk of leaving it unremediated, need to be assessed thoroughly by the concerned teams in the security department.
Step 4: Ensure the admin is provided with all the necessary information to perform the remediations
Once the admins are on board to change the SaaS app settings and configurations according to specific rules, Netskope security admins need to ensure that the app admins have all the resources they need to carry out the required procedure. App admins who prefer to use the Netskope cloud admin console can see the remediation procedure, along with the resources that need to be remediated, directly in the UI. If they prefer to receive tickets or emails instead, the Netskope admins need to provide the rule details together with the remediation steps and the export of findings (CSV file).
Figure: Export option available in the Netskope cloud admin console
Step 5: Analyze the results and take appropriate actions
Once results start to come in and the app admins are working on remediating a few rules, Netskope admins can analyze the results regularly using metrics such as the weekly trend of alerts, and verify that the remediations performed by the admins are reflected in the most recent SSPM evaluations. If any discrepancies are found when correlating the two, admins can raise them with their Netskope representatives. The SSPM product itself offers some great visualizations.
We can also use Advanced Analytics to get further insights and visualizations in place.
We have an extensive set of REST API v2 calls that can also be used to perform Steps 4 and 5.
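The severity-first prioritization of Step 3 and the week-over-week check of Step 5 (did the remediations actually show up in the latest evaluation?) can be done offline against two CSV exports of findings. The script below is an added example, not code from Netskope or the Customer Zero team; the two exports and their column names (rule, severity, resource, status) are constructed for the example and are not the real export layout.

```python
import csv
import io
from collections import Counter

# Remediation order from Step 3: Critical and High first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample exports for two consecutive weeks. The column names are
# an assumption made for this example, not the layout of the real export.
LAST_WEEK = """rule,severity,resource,status
MFA enforced for admins,Critical,acme-tenant,Failed
Public sharing disabled,High,acme-tenant,Failed
Session timeout configured,Medium,acme-tenant,Failed
"""
THIS_WEEK = """rule,severity,resource,status
MFA enforced for admins,Critical,acme-tenant,Passed
Public sharing disabled,High,acme-tenant,Failed
Session timeout configured,Medium,acme-tenant,Failed
Guest access restricted,High,acme-tenant,Failed
"""

def failed_findings(export_csv):
    """Map (rule, resource) -> severity for every row whose status is Failed."""
    return {(r["rule"], r["resource"]): r["severity"]
            for r in csv.DictReader(io.StringIO(export_csv))
            if r["status"] == "Failed"}

def compare_exports(previous_csv, current_csv):
    """Diff two weekly exports: which failures were remediated, which are new, which persist."""
    prev, curr = failed_findings(previous_csv), failed_findings(current_csv)
    return {
        "remediated": sorted(k for k in prev if k not in curr),
        "new": sorted(k for k in curr if k not in prev),
        "persistent": sorted(k for k in curr if k in prev),
    }

def prioritized_backlog(current_csv):
    """Still-failing findings ordered Critical -> Low, then by rule name."""
    curr = failed_findings(current_csv)
    return sorted(curr.items(), key=lambda kv: (SEVERITY_ORDER.get(kv[1], 99), kv[0]))

def severity_counts(export_csv):
    """Count of failed findings per severity; compare week over week for the trend."""
    return dict(Counter(failed_findings(export_csv).values()))

if __name__ == "__main__":
    print(compare_exports(LAST_WEEK, THIS_WEEK))
    print(prioritized_backlog(THIS_WEEK))
    print(severity_counts(LAST_WEEK), "->", severity_counts(THIS_WEEK))
```

A finding that was marked remediated by an app admin but still appears under "persistent" is exactly the kind of discrepancy to raise in the weekly sync.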
Sometimes existing rules have to be modified into custom rules according to what we are trying to assess in our SaaS app environments. One tool that really comes in handy when building custom rules is the NGL query, which lets us validate that a custom rule matches the inventory as intended.
One of the primary reasons we are called the 'Customer Zero' team is our intent to consume Netskope products as the first customer and to get involved in key testing efforts, ensuring the end user experience is as desired while providing critical feedback to the engineering and product teams. The SSPM product has helped improve the security posture of critical applications at Netskope, and we hope other enterprises can make use of it just as effectively.