In case you missed the latest webinar in our Inside Netskope series—where Netskope experts show you how we protect our users, applications, and data using our own cloud-based architecture—a recording and recap of our recent session on off-boarding user monitoring protections in practice can be found below. Feel free to comment and continue the discussion!
Watch on-demand 
Q: Can you go back to before the user was identified as off-boarding?
A: Depending on how long you have data retention set up for your tenant, this would determine how long you can look back for some of the user's activities. When you do the look backs, the dashboards we put together will pull all that data within Netskope and give you a view of what was actually happening.
Q: Off-boarding users can be sneaky, especially those coming from a technical background. Can you suggest how Netskope can detect data exfil using common protocols, such as DNS or encrypted communication channels?
A: Yes, there are definitely ways you can work with that. We have DNS security, so that can help you out with making sure that we're not allowing things that claim to be DNS.
For encrypted communication channels, you'll have to allow some of the encrypted communication out there in order to make certain things work. But, you can also block a large number of things. If it's not official business, you can make sure that those aren't available for the end user. It really just depends on what's permissible at your company.
Q: For USB DLP restrictions protection policy, do we need any additional licensing?
A: Endpoint DLP is the only one that I'm aware of for that.
Q: How are you monitoring user offboarding from systems like Okta? Is this through the API integration? Is this monitored another way? What are you using for SOAR and SIEM to automate all this?
A: Part of this is covered in the presentation, but we do a SIEM sync to the Netskope platform and that's how we make sure we keep that up to date. In addition, Okta has a feed from Workday so everything stays up to date in near real time.
Q: What's the best way to tune DLP rules across various modules: Endpoint, Web Apps, and Outbound email?
A: We actually did a webinar on this topic a few months ago, with one of our DLP Customer Zero security engineers. Check out the resources below to learn more about effective allowlisting with Netskope DLP:
Q: How can Netskope's DSPM ensure that an off-boarding user would only upload personal data to a personal cloud storage without manual supervision?
A: Great question! We're currently onboarding DSPM for ourselves, so we haven't integrated it into our off-boarding processes yet. That being said, I don't have a really great answer for that right now, but more information will be coming soon as we work to get this integrated.
Q: Is this still a possibility with basic scripting, without relying on orchestrators like Tines?
A: There's a lot of it you would be able to do, if you're good with Python and some APIs.
Most of the work that we do in Tines is API based, with some data transformation stuff that is useful from Tines. This combination gives it really robust flexibility. But if you wanted to write Python scripts to just run one offs here and there, then as long as you could have the API set up and understand those, you should be good!
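As an illustration of the script-only approach described in this answer, here is an added example (not Netskope's or Tines' code) that reconciles an HR status feed against membership of the restricted off-boarding group and works out how far back each user's activity can be reviewed given tenant data retention. The field names, the 90-day retention and the 60-day pre-notice window are assumptions, and the sample records are constructed; in practice the two inputs would come from your HR and identity provider API exports.

```python
from datetime import date, timedelta

# Constructed sample data. Field names are hypothetical and do not follow
# any Workday, Okta or Netskope schema.
HR_FEED = [
    {"email": "ana@example.com", "status": "active", "notice_date": None},
    {"email": "bo@example.com", "status": "offboarding", "notice_date": "2024-05-20"},
    {"email": "cy@example.com", "status": "offboarding", "notice_date": "2024-03-01"},
    {"email": "di@example.com", "status": "terminated", "notice_date": "2024-04-10"},
]
# Current members of the group that the off-boarding policies apply to.
OFFBOARDING_GROUP = {"bo@example.com", "di@example.com", "ed@example.com"}


def reconcile(hr_feed, group, today, retention_days=90, pre_notice_days=60):
    """Compare HR status with group membership and compute review windows."""
    oldest_kept = today - timedelta(days=retention_days)  # retention limit
    departing = {r["email"]: r for r in hr_feed if r["status"] == "offboarding"}
    report = {"missing_from_group": [], "unexpected_in_group": [], "review": {}}

    for email, rec in sorted(departing.items()):
        if email not in group:
            # HR says off-boarding, but the stricter policies are not applied yet.
            report["missing_from_group"].append(email)
        notice = date.fromisoformat(rec["notice_date"])
        wanted = notice - timedelta(days=pre_notice_days)
        report["review"][email] = {
            "from": max(wanted, oldest_kept).isoformat(),
            "to": today.isoformat(),
            # True when retention cuts off part of the pre-notice period.
            "truncated_by_retention": wanted < oldest_kept,
        }

    # Group members HR does not list as off-boarding: stale entries, already
    # terminated accounts, or users added by hand. These need a manual check.
    report["unexpected_in_group"] = sorted(group - set(departing))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(HR_FEED, OFFBOARDING_GROUP, date(2024, 6, 1)), indent=2))
```
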
Q: Office applications seem to slow down when policies for off-boarding employees are active, is there a trick to improve the performance?
A: We utilize PDEM, an application within Netskope, to check user experience scores. That being said, I haven't noticed a performance difference for users that are in the off-boarding policies versus not in the off-boarding policies.
Q: Is there a way to monitor Oracle directly when an employee status changes?
A: We don't use Oracle, but I think there is an integration that you could use. We utilize Workday, and we have a feed from Workday that lets us know what an employee status is.
Q: Does this align with NIST best practices?
A: Yes. It's not a formal alignment, but based on what I've read about the NIST best practices, we do hit all the areas of access control, device recovery, account disabling, log monitoring, critical asset identification, and onboarding integration. We are still working on this to make sure we have a good onboarding, so we can have an equally good off point. So we basically do, but it's not formally linked 1 to 1.
Q: How do you all tackle macOS users that have AirDrop for Endpoint DLP as an off-boarding data exfil point?
A: For the MDM, we actually have disabled AirDrop as an idea data exfiltration risk.
Q: Why use a different Client config for off-boarding policies when you can just create different policies for the departing employees (who are typically added to an AD group)?
A: Good question! For us, we have a lot of users that we allow to disable the client because they're doing development or different things and they need to be able to switch between a test tenant and the primary tenant to get their jobs done on a daily basis. So for somebody that's being off-boarded, we want to make sure that our data protections stay in place. So, we have a separate client config that locks all that down.
Q: Would you ever make templates of those queries available for customers?
A: Definitely! If you just ping us in the Community or via email (rbutler@netskope.com), we can get the queries out to you.
Going forward, we will make the dashboards we create with Advanced Analytics available so you'll be able to download it from our Community posts to have a starting place to customize for your environment.
Q: Same question, if you would ever share the Tines query templates for customers to use?
A: Yes, we would definitely share! We're actually trying to get some of our stuff that we've worked on with the Tines team into the library so that these are automatically available.
A lot of our V1 API is in template form within Tines, so you can access it directly from there.
Q: What are the license requirements for this enablement?
A: We utilized Endpoint DLP, DLP, UEBA, Advanced UEBA, and SMTP proxy.
Q: Can you share the recording of this session along with PPT?
A: Absolutely! The recording can be found here and the PowerPoint is attached to this post as a PDF.
View past events in this series!
Some responses above contain roadmap items. These are intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Netskope’s products remains at the sole discretion of Netskope.