 Protecting Data at Rest in SharePoint:

Protecting intellectual property stored in Microsoft 365 SharePoint requires a solution that can monitor and control data access and usage.

Netskope ' s API-enabled Protection integrates directly with Microsoft 365 to provide comprehensive security for data at rest.

 API-enabled Protection:

Netskope ' s API-enabled Protection allows direct integration with SharePoint, enabling continuous monitoring and enforcement of security policies.

It ensures that data such as source code or product designs are protected from unauthorized access and potential data breaches.

 Configuration:

Configure API-enabled Protection by navigating to the Netskope admin console.

Set up the necessary API integrations with Microsoft 365 SharePoint.

Define security policies to monitor and control access to sensitive data stored in SharePoint.

 References:

For more details on setting up and configuring API-enabled Protection for SharePoint, refer to the Netskope documentation on API-enabled protection solutions​​​​.

In a CASB-only deployment of Netskope, there could be several reasons why Dropbox.com traffic is not visible in SkopeIT:

Certificate Pinning :

The Dropbox Web application might be using certificate pinning, which means it only accepts specific certificates for its connections. This can prevent the traffic from being steered to the Netskope tenant because the proxy ' s certificate might not match the pinned certificate​​​​.

Configuration of Dropbox Domains :

If the Dropbox domains are not properly configured to be steered to the Netskope tenant, then the traffic will bypass the Netskope inspection and will not be visible in SkopeIT. Ensuring that the domains are configured correctly is essential for the traffic to be captured and analyzed by Netskope​​​​.

References:

" Certificate pinning prevents the interception of traffic by requiring that the presented certificate matches a known good certificate. This can interfere with traffic steering in CASB deployments. " ​​​​.

" Proper configuration of application domains is necessary to ensure traffic is steered to the Netskope tenant for inspection and visibility. " ​​​​.

 Identify Non-standard HTTPS Ports:

Determine the specific non-standard HTTPS ports used by the business application.

 Create a Steering Exception:

Navigate to the Netskope admin console.

Go to the steering configuration section and create a new steering exception.

Specify the domain of the business application and include the non-standard HTTPS ports.

This exception will ensure that traffic to this application is steered correctly for inspection and control.

 Configure Non-standard Ports in the Steering Configuration:

Go to the steering configuration settings.

Add the identified non-standard HTTPS ports to ensure that all traffic using these ports is captured and inspected.

This ensures comprehensive visibility and control over the user activities on the application.

 References:

For more details on steering configurations and managing exceptions, refer to the Netskope documentation on steering traffic and configuring non-standard ports​​​​.

To set up a Netskope API connection to Box, two actions that must be completed are: authorize the Netskope application in Box and configure Box in SaaS API Data protection. Authorizing the Netskope application in Box allows Netskope to access the Box API and perform out-of-band inspection and enforcement of policies on the data that is already stored in Box. Configuring Box in SaaS API Data protection allows you to specify the Box instance details, such as domain name, admin email, etc., and enable features such as retroactive scan, event stream, etc. References:  Authorize Netskope Introspection App on Box Enterprise - Netskope Knowledge Portal Configure Box Instance in Netskope UI - Netskope Knowledge Portal

 Create the Report in Advanced Analytics:

Data Collection:

Use the " Page Events " data collection, which captures detailed user activities on web pages, including edits and uploads.

Filters:

Apply filters to include only the activities " Edit " and " Upload " .

Add another filter for the Cloud Confidence Level (CCL) to include only those with " Low " or " Poor " ratings.

This ensures the report focuses on the specified user activities within cloud applications that have lower security ratings.

Steps:

Navigate to Advanced Analytics > Reports.

Create a new report and select " Page Events " as the data collection source.

Apply the necessary filters for activities and CCL values.

 Schedule the Report:

Monthly Recurrence:

Set the report to run on a monthly schedule to ensure regular updates.

Configure the report to be sent via email with a PDF attachment.

Steps:

In the report scheduling options, set the recurrence to monthly.

Specify the email recipients, ensuring the CISO receives the report.

Select PDF as the report format.

 References:

For more details on creating and scheduling reports, refer to the Netskope documentation on Advanced Analytics and report generation​​​​.

Two statements that describe a website categorized as a domain generated algorithm (DGA) are: The website is used to hide a command-and-control server and the domain was created by a program. A domain generated algorithm (DGA) is a technique used by cyber attackers to generate new domain names and IP addresses for malware’s command and control servers. Executed in a manner that seems random, it makes it nearly impossible for threat hunters to detect and contain the attack. A command-and-control server is a server that communicates with malware installed on infected machines and sends commands or updates to them. A program is a piece of software that performs a specific task or function. A domain generated algorithm is implemented by a program that runs on the attacker’s machine or the malware itself, and produces a large number of domain names based on some logic, such as date, time, seed, dictionary, etc. References:  Domain generation algorithm Among cyber-attack techniques, what is a DGA?

When comparing data in motion with data at rest, it is important to understand how each type of data is handled in terms of security and monitoring:

Data in motion refers to data actively moving from one location to another, such as through email, instant messaging, or any other form of communication over the internet. To secure and monitor data in motion, Netskope typically requires the deployment of the Netskope client on user devices. The client helps enforce security policies, monitor data transfers, and protect against data loss and other threats during the data ' s transit.

References:

Netskope Knowledge Portal: Data Protection

Netskope Client Overview

To block all FTP connections regardless of the ports being used, the following steps should be taken using Netskope ' s Cloud Firewall:

Real-time Protection Policy :

Create a Real-time Protection policy where FTP is defined as the destination application.

Set the action to " Block " to ensure that any FTP traffic is blocked regardless of the port being used​​​​.

Custom Firewall App Definition :

Create a custom Firewall App Definition specifically for TCP port 21.

Define the action as " Block " to ensure any traffic directed to this port is blocked, preventing FTP access​​​​.

These configurations ensure that FTP traffic is effectively blocked, securing the network from potential threats and unauthorized data transfers via FTP​​​​.

An administrator would use the Digital Experience Management (DEM) component to see an overview of private application usage and performance. DEM provides comprehensive insights into the performance and user experience of private applications, including metrics on latency, bandwidth, and application health.

Digital Experience Management (DEM) : This component focuses on monitoring and optimizing the user experience for private and public applications by collecting detailed performance data and providing actionable insights.

The other options do not provide the same level of detailed performance and usage overview for private applications:

Publishers page : Typically used for managing and configuring Netskope Publishers.

Incident Management : Focuses on tracking and resolving security incidents.

Cloud Exchange : Deals with integrations and data sharing between Netskope and other security solutions.

References :

Netskope documentation on Digital Experience Management and its capabilities.

Best practices for using DEM to monitor application performance and enhance user experience.

=================

A SAML reverse proxy is a service that acts as an intermediary between a SAML service provider (SP) and one or more SAML identity providers (IdPs). It can perform various functions, such as authentication, authorization, load balancing, caching, etc. One scenario where you would use a SAML reverse proxy is when there are multiple SAML IdPs in use and the SAML reverse proxy can help federate them all together. For example, suppose you have an internal application that needs to authenticate users from different domains or organizations, each with their own SAML IdP. Instead of configuring the application to trust each IdP separately, you can use a SAML reverse proxy to act as a single SP for the application and a single IdP for the users. The SAML reverse proxy can then redirect the users to their respective IdPs for authentication and relay the SAML assertions back to the application. This way, you can simplify the integration and management of multiple SAML IdPs and provide a seamless user experience. References:  SAML Reverse Proxy What is application proxy & SAML SSO?