

Netskope Global Technical Success (GTS)

Best Practices - Security Risk and Its Subcategories

 

Netskope Cloud Version - 120

 

Objective

Best practices for managing traffic to the predefined web category Security Risk and its subcategories

 

Prerequisite

A Netskope SWG license is required.

 

Context

This document gives step-by-step instructions for implementing a Real-time Protection policy that targets the predefined web category Security Risk and its subcategories.

 

Do You Know?

  • As of October 23, 2024, Netskope has ~131 predefined web categories. 15 of these make up the Security Risk family: the parent category plus 14 subcategories. Ref. - Link
  • What is the Security Risk web category?

Websites that pose a potential threat to users or their data are placed under the Security Risk web categories. This includes sites associated with malware distribution, phishing, and other harmful activity. Security Risk is the parent category; every category whose name begins with "Security Risk - " is a subcategory of that parent.

  • Security Risk (main/parent category)
  • Security Risk subcategories
    • Security Risk - Ad Fraud
    • Security Risk - Attack
    • Security Risk - Botnets
    • Security Risk - Command and Control server
    • Security Risk - Compromised/malicious sites
    • Security Risk - Cryptocurrency Mining
    • Security Risk - DGA
    • Security Risk - Hacking
    • Security Risk - Malware Call-Home
    • Security Risk - Malware Distribution Point
    • Security Risk - Miscellaneous
    • Security Risk - Phishing/Fraud
    • Security Risk - Spam sites
    • Security Risk - Spyware & Questionable Software

 

  • For more about Security Risk and its subcategories, see - Link

 

Configuration

Create a Real-time protection policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access

  • Select the predefined web category "Security Risk" together with all of its subcategories (15 web categories in total: the parent and 14 subcategories)
  • Policy Action - 'Block'


Netskope’s Recommendation

  • Netskope strongly recommends blocking the Security Risk category and all of its subcategories as a baseline security control.
  • Place this policy at the top of the policy order. Real-time Protection policies are evaluated top-down, so a more permissive policy lower in the list cannot match the traffic first and undermine the block.

 

Author Notes

  • Create a separate Real-time Protection policy for Security Risk.
  • One common mistake I've noticed is that customers create a custom category that bundles all 15 Security Risk categories (the parent and its 14 subcategories). Avoid this: it blocks the traffic, but it hides which predefined category actually matched, so visibility and reporting suffer.

For example, a customer created a custom category called "All Security Risk", added all 15 Security Risk categories to it, and set the policy action to Block. The policy does block traffic to those categories, but it significantly impacts visibility and reporting. If there are 1,000 blocks recorded under "All Security Risk", you cannot tell from the events whether the blocked URLs belong to "Security Risk - Hacking" or "Security Risk - Command and Control server". The only way to find out is to run a URL lookup against the predefined categories for each URL.

Note - A custom category takes precedence over a predefined category. When a URL matches both, the event is logged against the custom category name, not the predefined one.
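The following script is an added example, not code from the Netskope article, that makes the reporting point above concrete. It parses newline-delimited JSON page events, recognizes the Security Risk family the way the "Do You Know?" section defines it (the parent name or the "Security Risk - " prefix), and counts blocks per category. The event records and the field names (action, category, url) are constructed for this example and are an assumption, not the tenant's exact export schema; the "All Security Risk" custom category name is taken from the scenario in the text.

```python
import json
from collections import Counter

SECURITY_RISK_PARENT = "Security Risk"
SECURITY_RISK_PREFIX = "Security Risk - "

# Constructed sample events (not real Netskope logs). Field names are an
# assumption for this example. One record is deliberately malformed to show
# that the parser skips it; one record lists two categories.
PREDEFINED_LOG = """
{"action": "block", "category": "Security Risk - Phishing/Fraud", "url": "login-verify.example.test"}
{"action": "block", "category": "Security Risk - Command and Control server", "url": "c2.example.test"}
{"action": "block", "category": "Security Risk - Phishing/Fraud", "url": "secure-update.example.test"}
{"action": "allow", "category": "Technology", "url": "docs.example.test"}
this line is not valid JSON and must be skipped
{"action": "block", "category": "Security Risk - Hacking", "url": "tools.example.test"}
{"action": "block", "category": "Security Risk - Malware Call-Home, Security Risk", "url": "beacon.example.test"}
"""

# Same traffic, but the tenant wrapped the categories in a custom category.
# Because the custom category takes precedence, only its name is logged.
CUSTOM_LOG = """
{"action": "block", "category": "All Security Risk", "url": "login-verify.example.test"}
{"action": "block", "category": "All Security Risk", "url": "c2.example.test"}
{"action": "block", "category": "All Security Risk", "url": "secure-update.example.test"}
{"action": "allow", "category": "Technology", "url": "docs.example.test"}
{"action": "block", "category": "All Security Risk", "url": "tools.example.test"}
{"action": "block", "category": "All Security Risk", "url": "beacon.example.test"}
"""


def is_security_risk_category(name):
    """True for the parent category and every 'Security Risk - X' subcategory."""
    name = name.strip()
    return name == SECURITY_RISK_PARENT or name.startswith(SECURITY_RISK_PREFIX)


def parse_events(lines):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def blocked_by_category(events, custom_buckets=()):
    """Count blocked events per Security Risk category.

    custom_buckets lists the names of custom categories built from the Security
    Risk family. Events that hit such a category carry only the custom name, so
    they can only be counted as one opaque bucket with no subcategory detail.
    """
    counts = Counter()
    for ev in events:
        if str(ev.get("action", "")).lower() != "block":
            continue
        # A record may list several categories separated by commas.
        for cat in str(ev.get("category", "")).split(","):
            cat = cat.strip()
            if is_security_risk_category(cat) or cat in custom_buckets:
                counts[cat] += 1
    return counts


def predefined_breakdown():
    return blocked_by_category(parse_events(PREDEFINED_LOG.splitlines()))


def custom_breakdown():
    return blocked_by_category(parse_events(CUSTOM_LOG.splitlines()),
                               custom_buckets={"All Security Risk"})


if __name__ == "__main__":
    print("Predefined categories in the policy:")
    for cat, n in predefined_breakdown().most_common():
        print(f"  {n:4d}  {cat}")
    print("Custom 'All Security Risk' category in the policy:")
    for cat, n in custom_breakdown().most_common():
        print(f"  {n:4d}  {cat}")
```

With the predefined categories in the policy the report separates phishing, C2, hacking and call-home blocks; with the custom category every block collapses into a single "All Security Risk" line, and without telling the script about that custom name it finds no Security Risk blocks at all, which is exactly the visibility loss the note describes.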

  • If Netskope categorizes a destination as a Security Risk and you need more detail about that classification, contact Netskope Customer Support.

 

Terms and Conditions

  • All documented information is tested and verified for accuracy.
  • If any platform changes affecting this document are brought to our attention in the future, we will update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.