Netskope Global Technical Success (GTS)
Netskope Offering to Threat Management
Netskope Cloud Version - 126
Objective
This article aims to guide customers on how to effectively leverage Netskope’s security capabilities to prevent threats across their cloud and web environments.
Context
- In today’s hybrid work environment, organizations face an increasingly complex threat landscape, ranging from insider threats to risky web destinations and access to Security Risk websites. As cloud adoption continues to rise, the need for visibility and real-time threat protection across all user activity has never been greater.
- Netskope provides a modern, cloud-native security platform designed to help organizations prevent threats without compromising performance or user experience. This article walks you through key Netskope features and configurations that can significantly reduce your attack surface and enhance overall security posture.
- We’ll explore the critical tools that Netskope offers to protect users on managed and unmanaged devices. Together, these capabilities help Netskope customers build a proactive and adaptive defense strategy tailored to today’s cloud-first world.
Netskope Features to adopt for Threat Protection:
| Offering | License Required |
| --- | --- |
| Real Time Threat Protection Policy | SWG or Next-Gen SWG along with Standard/Advanced Threat Protection |
| UEBA - Protection against Insider Threats | Standard/Advanced UEBA License |
| Netskope Enterprise Browser on Unmanaged devices for Managed Apps | Enterprise Browser License |
| Targeted RBI - Protect against unknown web threats | Standard/Extended RBI |
| DNS Security for malicious DNS queries | Cloud Firewall along with DNS Security License |
| Partner EDR Integration with Cloud Exchange Threat Module | SWG or Next-Gen SWG along with Standard/Advanced Threat Protection |
| Dedicated Egress IP | Regional/Global DEIP License |
Details
Real Time Protection Policy
- Creating a DNS over HTTP (DoH) Policy
DoH encrypts DNS requests, preventing eavesdropping and manipulation of DNS traffic. While good for ensuring privacy in home networks, DoH can present risks to enterprise networks if it isn’t appropriately implemented. Therefore, Netskope recommends configuring a policy to steer and block this traffic.
- Creating a Threat Protection Policy for Patient Zero (Please note: a Patient Zero policy requires the Advanced Threat Protection License)
A patient zero event occurs when a user downloads a file that is not detected by signature-based analysis (e.g., the Netskope AV engine) in Standard Threat Protection. With Advanced Threat Protection, you can prevent patient zero events by creating a Threat Protection policy that only releases unknown files to users after the Netskope advanced threat engines determine they are benign. Netskope's threat database is updated frequently (every 15 minutes) to keep up with the latest threats.
- Creating a malware policy to block upload/download of malicious files across all Web categories.
Netskope recommends selecting all users and categories, setting the Activity to Upload and Download, and selecting the Default Malware Scan (predefined) profile, because it automatically scans across all the Threat Protection engines included in your organization's license.
- Blocking Security Risk & its sub-categories:
Websites that pose potential threats to users or their data are placed under the Security Risk web categories. This includes sites associated with malware distribution, phishing scams, and other harmful activities. Security Risk is the parent category, and all categories whose names begin with "Security Risk - " are sub-categories of that parent. Netskope recommends blocking these categories.
- A Custom Threat Protection Profile:
When customers create a Malware policy, they normally use the default Threat Protection profile without noticing that a custom malware profile can be created, in which the detection list can be extended to the organization's requirements:
Refer to the article here for a deeper understanding:
- Policy to block traffic destined for Security Risk destinations
Netskope does not provide a specific, pre-defined list of High-Risk countries to include in a High-Risk Real-Time Protection policy. Instead, Netskope allows organizations to define their own High-Risk countries based on their business requirements and compliance needs, and to block the traffic destined for those countries.
- Block traffic to Low & Poor CCL apps
Each app is assigned a score of 0-100 and, based on that score, is placed into one of five Cloud Confidence Levels (CCL): Poor, Low, Medium, High, or Excellent. You can use the CCI score to make app selection decisions and to set policies based on the level. Create inline policies that block risky activities in Low or Poor CCL apps for a list of allowed categories.
UEBA - Protection against Insider Threats
UEBA helps to focus on a typical “blind spot”: insider threats. Insider threats are security risks caused by malicious users inside the corporate network. A malicious insider typically acts with intent and likely knows that they are breaking policy and potentially the law. Use the Behavior Analytics dashboard to address common use cases like the ones below:
Netskope Enterprise Browser on Unmanaged devices
Netskope One Enterprise Browser allows companies to deliver secure browser-based access to their corporate apps to minimize the risk of data leakage even on untrusted, unmanaged devices.
- You can provide BYOD users and contractors secure access to corporate apps with DLP and Threat Protection, as shown below.
- You can also further control browser operations such as copy, paste, print, and screen sharing for your corporate apps.
For more details on the Enterprise Browser, please visit the link here.
Targeted RBI - Protect against unknown web threats
Netskope Remote Browser Isolation (RBI) isolates uncategorized and risky websites. Known safe sites are allowed, known bad sites are blocked, and uncategorized and risky (allowed) websites are isolated for safe viewing.
You can configure an isolation policy to forward traffic from selected categories to RBI using the “Isolate” action.
DNS Security for Malicious DNS Queries
Netskope DNS Security, part of its Cloud Firewall, is a key component of its threat protection framework, designed to safeguard against various cyber threats that utilize DNS services.
Benefits of DNS Security against Threats:
- If a domain is identified as malicious, Netskope will respond to the DNS query with a sinkholed IP address, leading the user to a block page.
- It helps block phishing, command and control servers, and malware that utilize DNS services.
- It can be used to block malicious websites and prevent data from being sent to compromised servers.
- By protecting against DNS-based threats, it strengthens the overall security posture of the organization.
You can configure the DNS Profile to block DNS queries sent to the Security Risk category and to sinkhole (redirect the malicious IP to a controlled IP address) the queries for Newly Registered and Newly Observed Domains, as shown below:
Now, apply the DNS Profile to users using a Real-time Protection policy.
For more details on the DNS Security Profile configuration, please visit the article here.
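The precedence the DNS profile above applies, modelled as a small evaluator (an added illustration, not Netskope code): queries for the Security Risk parent category or any "Security Risk - " sub-category get the block-page address, Newly Registered / Newly Observed domains get the sinkhole address, and everything else resolves normally. The category feed, registration dates, age threshold and both IP addresses are constructed placeholders.

```python
from datetime import date
from typing import Optional, Tuple

# Placeholders (constructed): real values come from the Netskope tenant.
BLOCK_PAGE_IP = "203.0.113.10"   # address blocked queries resolve to (block page)
SINKHOLE_IP = "203.0.113.20"     # controlled address returned for sinkholed queries
NEW_DOMAIN_DAYS = 30             # age below which a domain counts as newly registered/observed

# Constructed category feed: a label covers the domain and all of its subdomains.
CATEGORIES = {
    "phish-example.test": "Security Risk - Phishing",
    "c2-example.test": "Security Risk - Command and Control",
    "example.com": "Business",
}
# Constructed registration and first-observed dates.
REGISTERED = {"fresh-example.test": date(2025, 6, 1)}
FIRST_SEEN = {"seen-example.test": date(2025, 6, 10)}


def lookup_category(domain: str) -> Optional[str]:
    """Walk from the full name up to its parents so subdomains inherit the label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def is_new_domain(domain: str, today: date) -> bool:
    """Newly Registered (NRD) or Newly Observed (NOD): younger than NEW_DOMAIN_DAYS."""
    name = domain.lower().rstrip(".")
    for table in (REGISTERED, FIRST_SEEN):
        when = table.get(name)
        if when is not None and (today - when).days < NEW_DOMAIN_DAYS:
            return True
    return False


def evaluate_query(domain: str, resolved_ip: str, today_iso: str) -> Tuple[str, str]:
    """Return (action, answer_ip) the profile hands back for one DNS query on date today_iso."""
    today = date.fromisoformat(today_iso)
    cat = lookup_category(domain)
    # Security Risk parent or any "Security Risk - ..." sub-category: block page.
    if cat is not None and (cat == "Security Risk" or cat.startswith("Security Risk - ")):
        return ("block", BLOCK_PAGE_IP)
    if is_new_domain(domain, today):        # NRD/NOD: answer with the controlled IP
        return ("sinkhole", SINKHOLE_IP)
    return ("allow", resolved_ip)           # everything else resolves normally
```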
Partner EDR Integration with Cloud Exchange Threat Module
Netskope's Cloud Threat Exchange (CTXE) integrates with third-party EDR products such as CrowdStrike, Carbon Black, and Microsoft Defender to enhance security by sharing threat intelligence and enabling closed-loop remediation. Netskope detects threats within cloud services, while the EDR uses this information to act on endpoints, alerting on or preventing malicious activity.
Netskope Cloud Exchange is a free, powerful integration tool that can be installed in a Linux Docker environment, providing flexibility through many integrations along with the ability to detect threats.
You can refer to the article here.
Dedicated Egress IP to deny access from untrusted locations to Corporate Apps
Use dedicated Egress IP addresses (DEIPs) to ensure that only traffic originating from authorized sources can access managed SaaS applications. This way, even if user credentials are compromised, unauthorized access attempts from unapproved locations will be blocked—because they do not originate from the designated DEIPs.
Netskope’s Dedicated Egress IP Footprint feature allocates a minimum of two IP addresses from Netskope-owned IP ranges per data plane matching your account's NewEdge traffic management zone/region. The dedicated IP ranges are completely separate from the shared IP ranges.
Learn more about the DEIP here.
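An added example, not Netskope's code, of the check a defender would run after restricting a SaaS app to the DEIPs: read the app's sign-in log and flag successful sign-ins whose source address lies outside the dedicated egress ranges, since under this design those are exactly the attempts the app should have refused. The ranges, the log format and the log lines are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed placeholder ranges standing in for the tenant's dedicated egress IPs.
DEIP_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/30", "198.51.100.64/30")]

# Constructed sign-in log in the form "timestamp user source_ip result".
SAMPLE_LOG = """\
2025-06-15T08:01:02Z alice@example.com 192.0.2.1 success
2025-06-15T08:03:44Z bob@example.com 203.0.113.77 success
2025-06-15T08:05:10Z alice@example.com 198.51.100.66 success
2025-06-15T08:07:59Z carol@example.com 2001:db8::1 success
2025-06-15T08:09:30Z dave@example.com 203.0.113.78 failure
"""


def from_deip(ip: str) -> bool:
    """True when the source address lies inside one of the dedicated egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEIP_RANGES)   # IPv4/IPv6 mismatch simply yields False


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields."""
    ts, user, src, result = line.split()
    return {"time": ts, "user": user, "src": src, "result": result}


def find_bypass_logins(log_text: str) -> List[Dict[str, str]]:
    """Successful sign-ins whose source is not a DEIP: the app's IP restriction let them through."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            event = parse_line(raw)
            if event["result"] == "success" and not from_deip(event["src"]):
                findings.append(event)
    return findings
```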
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.