
Netskope Global Technical Success (GTS)

Netskope Offering to Threat Management

 

Netskope Cloud Version - 126

 

Objective

This article aims to guide customers on how to effectively leverage Netskope’s security capabilities to prevent threats across their cloud and web environments.

 

Context

  • In today’s hybrid work environment, organizations face an increasingly complex threat landscape, ranging from insider threats to risky web destinations and access to Security Risk websites. As cloud adoption continues to rise, the need for visibility and real-time threat protection across all user activity has never been greater.

  • Netskope provides a modern, cloud-native security platform designed to help organizations prevent threats without compromising performance or user experience. This article walks you through key Netskope features and configurations that can significantly reduce your attack surface and enhance overall security posture.

  • We’ll explore critical tools that Netskope offers to protect users on managed and unmanaged devices. Together, these capabilities help Netskope customers build a proactive and adaptive defense strategy tailored to today’s cloud-first world.

Netskope Features to adopt for Threat Protection:

Offering | License Required
Real Time Threat Protection Policy | SWG (Secure Web Gateway) or Next-Gen SWG along with Standard/Advanced Threat Protection
UEBA (User and Entity Behaviour Analytics) - Protection against Insider Threats | Standard/Advanced UEBA License
Netskope Enterprise Browser on Unmanaged devices for Managed Apps | Enterprise Browser License
Targeted RBI (Remote Browser Isolation) - Protect against unknown web threats | Standard/Extended RBI
DNS Security for malicious DNS queries | Cloud Firewall along with DNS Security License
Partner EDR Integration with Cloud Exchange Threat Module | SWG or Next-Gen SWG along with Standard/Advanced Threat Protection
DEIP (Dedicated Egress IP) | Regional/Global DEIP License

 

Details

Real Time Protection Policy

  1. Creating a DNS over HTTPS (DoH) Policy

DoH encrypts DNS requests, preventing eavesdropping and manipulation of DNS traffic. While good for ensuring privacy in home networks, DoH can present risks to enterprise networks if it isn’t appropriately implemented. Therefore, Netskope recommends configuring a policy to steer and block this traffic.

Please find the reference article here.

 

  2. Creating a Threat Protection Policy for Patient Zero (Please note: A Patient Zero Policy requires an Advanced Threat Protection License)

A patient zero event occurs when a user downloads a file that is not detected by signature-based analysis (e.g., the Netskope AV engine) in Standard Threat Protection. However, if you have Advanced Threat Protection, you can prevent patient zero events by creating a Threat Protection policy that only releases unknown files to users after the Netskope advanced threat engines determine they are benign. Netskope's threat database is updated frequently (every 15 minutes) to keep up with the latest threats.

To learn more about patient zero, click here.

 

Please find the Standard Threat Protection & Advanced Threat Protection feature support matrix:

Feature | Standard | Advanced
Real-time PE file ML-based detection for patient zero threats | Y | Y
ML-based real-time phishing detection in web traffic | Y | Y
All AV/ML detections sandboxed to corroborate detections | Y | Y
All files not detected by AV/ML are analyzed for sandboxing (30+ file types, including zero-day threats) | - | Y
Sandbox reports, detailed forensics, MITRE ATT&CK mapping, and advanced heuristic analysis | - | Y
Patient zero alerts from new sandbox detections | - | Y
Sandbox API for file submissions | - | Y
RetroHunt API by file hash | - | Y
Patient zero protection (hold file until sandbox clean status) | - | Y

(Y = included, - = not included)


 

  3. Creating a malware policy to block upload/download of malicious files across all Web categories

Netskope recommends selecting all users and categories with the Activity set to Upload and Download and selecting the Default Malware Scan (predefined) profile, because it automatically scans across all Threat Protection engines available under your organization’s license.


 

  4. Blocking Security Risk & Sub-categories:

Websites that pose potential threats to users or their data are placed under the Security Risk web categories. This includes sites associated with malware distribution, phishing scams, and other harmful activities. Security Risk is the parent category, and all categories prefixed with "Security Risk - " are subcategories of the parent. Netskope recommends blocking these categories.

 

  5. A Custom Threat Protection Profile:

When customers create a Malware policy, they normally use the default threat protection profile without noticing that a custom malware profile can be created, where the detection list can be extended according to the organization's requirements.

Refer to the article here for a deeper understanding.

 

  6. Policy to block traffic destined to Security Risk destinations

Netskope does not provide a specific, pre-defined list of High-Risk countries that should be included in the High-Risk Real-Time Protection Policy. Instead, Netskope allows organizations to define their own High-Risk countries based on their business requirements and compliance needs, and to block the traffic destined to these high-risk countries.

 

  7. Block traffic to Low & Poor CCL Websites

Each app is assigned a score of 0-100 and, based on that score, is placed into one of five Cloud Confidence Levels (CCL): Poor, Low, Medium, High, or Excellent. You can use the CCI score to make an app selection decision, as well as set policies based on level. Create inline policies that block risky activities in Low or Poor CCL apps for a list of allowed categories.

 

Here is the Netskope Malware Detection Architecture - Threat Detection Flow:

The diagram below illustrates Netskope’s malware detection architecture, detailing how customer traffic (both in motion and at rest) is analyzed for threats. The flow begins with file interception and progresses through multiple security layers including domain/URL filtering, threat intelligence, and local/inline allow/block lists. Threat scanning services apply advanced techniques such as machine learning classifiers, antivirus engines, hash blacklists, and sandboxing to detect and mitigate malware. Alerts and metadata are sent to various outputs like the admin portal, third-party tools, and APIs for visibility and response.


 

UEBA (User and Entity Behaviour Analytics) - Protection against Insider Threats

UEBA helps to focus on a typical “blind spot”: insider threats. Insider threats refer to security risks caused by malicious users within a corporate network. In the case of a malicious insider, the user typically is acting with intent and likely knows that they are breaking policy and potentially the law. Use the Behavior Analytics dashboard to address common use cases such as the following:

Refer to the article here to understand the Netskope UEBA offering in depth.

 

Netskope Enterprise Browser on Unmanaged devices

Netskope One Enterprise Browser allows companies to deliver secure browser-based access to their corporate apps to minimize the risk of data leakage even on untrusted, unmanaged devices.

  1. Provide BYOD users and contractors secure access to corporate apps with DLP and Threat Protection, as shown below:

 

  2. You can also further control browser operations such as copy, paste, print and screen sharing for your corporate apps.

For more details on the Enterprise Browser, please visit the link here.

 

Netskope RBI - Protect against unknown web threats

Netskope Remote Browser Isolation (RBI) isolates uncategorized and risky websites. Known safe sites are allowed, known bad sites are blocked, and uncategorized and risky (allowed) websites are isolated for safe viewing.

You can configure an isolation policy to forward traffic from selected categories to RBI using the “Isolate” action. 


Learn more about the Netskope RBI here.

 

DNS Security for Malicious DNS Queries

Netskope DNS Security, part of its Cloud Firewall, is a key component of its threat protection framework, designed to safeguard against various cyber threats that utilize DNS services. 

Benefits of DNS Security against Threats:

  • If a domain is identified as malicious, Netskope will respond to the DNS query with a sinkholed IP address, leading the user to a block page. 

  • It helps block phishing, command and control servers, and malware that utilize DNS services. 

  • It can be used to block malicious websites and prevent data from being sent to compromised servers. 

  • By protecting against DNS-based threats, it strengthens the overall security posture of the organization. 

 

You can configure the DNS Profile to block DNS queries sent to the Security Risk category and to sinkhole (redirect the resolved malicious IP to a controlled IP address) queries for Newly Registered and Newly Observed Domains, as shown below:

Now, apply the DNS Profile to the users using a Real Time Policy.
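Once a DNS Profile sinkholes malicious and newly registered domains, the sinkhole address itself becomes a useful detection signal: any client that is repeatedly answered with it is worth a follow-up on the endpoint. The triage script below is an added example, not Netskope code; the resolver log format, the sinkhole address (192.0.2.1) and the sample lines are all constructed, so substitute the sinkhole address configured in your tenant and your own log source.

```python
# Added example (not Netskope code): triage DNS resolver logs for queries that
# were answered with the sinkhole address, and list clients that hit it for
# several distinct domains. Log format, sinkhole IP and log lines are constructed.
import re
from collections import defaultdict

# Constructed placeholder; use the sinkhole address configured in your DNS Profile.
SINKHOLE_IP = "192.0.2.1"

# Constructed log line shape: "<timestamp> <client_ip> <qname> <qtype> <answer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA) (\S+)$")

# Constructed sample data; the .test domains are not real.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.1.10 updates.example.com A 198.51.100.7
2024-05-01T10:00:05Z 10.1.1.22 cdn-x7q2.example-nrd.test A 192.0.2.1
2024-05-01T10:00:09Z 10.1.1.22 secure-login.example-risk.test A 192.0.2.1
2024-05-01T10:00:12Z 10.1.1.10 mail.example.com A 198.51.100.9
2024-05-01T10:00:20Z 10.1.1.22 sync.example-nrd.test A 192.0.2.1
2024-05-01T10:00:31Z 10.1.1.31 news.example.org A 198.51.100.11
malformed line that the parser must skip
"""


def parse_log(text):
    """Yield (timestamp, client, qname, answer) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, _qtype, answer = m.groups()
            yield ts, client, qname, answer


def sinkholed_by_client(text, sinkhole=SINKHOLE_IP):
    """Map each client IP to the domains whose resolution was sinkholed."""
    hits = defaultdict(list)
    for _ts, client, qname, answer in parse_log(text):
        if answer == sinkhole:
            hits[client].append(qname)
    return dict(hits)


def hosts_to_investigate(text, threshold=2, sinkhole=SINKHOLE_IP):
    """Clients with at least `threshold` distinct sinkholed domains in the log window."""
    hits = sinkholed_by_client(text, sinkhole)
    return sorted(c for c, doms in hits.items() if len(set(doms)) >= threshold)


if __name__ == "__main__":
    for client in hosts_to_investigate(SAMPLE_LOG):
        print(client, sinkholed_by_client(SAMPLE_LOG)[client])
```

The resulting client list can be handed to the EDR integration described later in this article for endpoint follow-up.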

 

For more details on the DNS Security Profile configuration, please visit the article here.

Partner EDR Integration with Cloud Exchange Threat Module 

Netskope's Cloud Threat Exchange (CTXE) integrates with third-party EDR solutions such as CrowdStrike, Carbon Black and Microsoft Defender to enhance security by sharing threat intelligence and enabling closed-loop remediation. Netskope detects threats within cloud services, while the EDR uses this information to act on endpoints, alerting on or preventing malicious activity.

Netskope Cloud Exchange is a free, powerful integration tool that can be installed in a Linux Docker environment. It offers many integrations along with the ability to detect threats.

You can refer to the article here.

 

Dedicated Egress IP to deny access from untrusted locations to Corporate Apps

Use dedicated Egress IP addresses (DEIPs) to ensure that only traffic originating from authorized sources can access managed SaaS applications. This way, even if user credentials are compromised, unauthorized access attempts from unapproved locations will be blocked—because they do not originate from the designated DEIPs.

Netskope’s Dedicated Egress IP Footprint feature allocates a minimum of two IP addresses from Netskope-owned IP ranges per data plane that matches your account's NewEdge traffic management zone/region. The dedicated IP ranges are completely separate from the shared IP ranges.

Learn more about the DEIP here.

 

Conclusion

With this article, we have seen that a single-layer defense is no longer sufficient. Customers should leverage Netskope’s multi-engine threat protection, which offers a comprehensive, layered security approach that inspects both data-in-motion and data-at-rest across managed and unmanaged environments. The diagram below depicts this layered approach.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.

  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).

  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 
