
Netskope SSE Demo Lab Guide

This lab guide aims to demonstrate Netskope's SSE architecture capabilities through use cases. It provides prerequisites, instructions to deploy the Netskope client, verify traffic steering, and configure policies to control access to risky applications and prevent sensitive data propagation outside corporate instances.


Netskope Security Hands-on Lab

How to Deliver a Successful Netskope SSE Demo
Lab Demo Guide

2024

2021 © Netskope Confidential. All rights reserved.


Objective
This lab guide walks through the main use cases of an SSE architecture so that they can be used
in demonstrations and proofs of concept for customers and prospects, and in this way show the
key differentiators of Netskope Intelligent SSE.

Prerequisites

1. Have access to a Netskope tenant. For the development of this guide you will be given
access to a laboratory tenant.
2. A client machine (Windows, macOS) with administrator privileges to install the Netskope
agent.
3. Install the Netskope agent on the client machine to be used in this lab.

Amazon WorkSpaces

A remote desktop will be provisioned in Amazon WorkSpaces to serve as the client machine on
which the Netskope client is installed. Installing the Amazon WorkSpaces client is recommended
for a better experience when interacting with the desktop. You can download it from the following link:

Amazon WorkSpaces Client Download

Access credentials to your Workspace will be assigned by the instructor.

Deployment of the Netskope client via Email invitation


The Netskope client can be installed via email invitation from the tenant's administration
console.

To create the invitation via mail follow the instructions below:

1. Navigate to Settings > Security Cloud Platform > Netskope Client > Users page
2. Click on New Users
3. Add the email address and make sure to activate the Send Email invite option.
4. Click on Add.

Steering verification of all web traffic in the tenant


To ensure that the Netskope client is redirecting all web traffic, validate the steering
configuration applied to users on the tenant.

1. Navigate to Settings > Security Cloud Platform > Steering Configuration
2. Identify the steering configuration used by your user and validate that steering is
enabled for Web Traffic, and that the Steer private apps option is active with
All Private Apps.
3. If it is not configured this way, enable this option.

1. Use Case - Visibility & Control of Cloud Applications by Risk

Prevent file uploading and downloading to and from any application with a CCI Low, Poor & Unknown.

Configuration User Notification template

1.1. Navigate to Policies > Templates > User Notification
1.2. Click on Add Template > Cloud Apps and Web
1.3. Complete the template wizard with the following information

Field | Value
Template Name | <User> NetskopeSSE - Activities control of Risky Apps
Logo | Select an existing one, or select Create New
Title | Control of Activities in Hazardous Applications
Message | You were trying to perform a {{NS_ACTIVITY}} on an application with a low level of trust. This activity was blocked because it was considered a risky activity according to the organization's security policy.
Action Buttons | Configure actions to: Block; Acknowledge Button: OK

1.4. Click Save
1.5. Apply changes.

Real Time policy configuration

1.6. Navigate to Policies > Real-Time Protection
1.7. Click on New Policy > Web Access
1.8. Complete the policy wizard with the following values:

Field | Value
Source | Assigned user
Destination > Category | Cloud Backup, Cloud Storage, Collaboration, HR, Social, Consumer, Web mail, File/Software Download Sites, Files Repositories, File Converter
Activities & Constraints | Upload, Download
Criteria > CCL | Low, Poor & Unknown
Profile & Action > Action | Block
Profile & Action > Template | <User> NetskopeSSE - Activities control of Risky Apps
Set Policy | <user> SSE -Prevent uploads downloads from untrusted apps

1.9. Click Save
1.10. In Move Policy, select To the bottom. Then click Save
1.11. Apply changes.
1.12. Check policy: Log in to the following sites and try to upload or download files.

4shared.com - free file sharing and storage

https://www.freepdfconvert.com/

1.13. Verify the alerts and log of blocked activities in SkopeIT. Identify to which category
the sites belong and the CCL (Cloud Confidence Level).

2. Use Case - Sensitive data propagation control

This use case demonstrates control over the movement of sensitive data through applications or
media not authorized by the organization, where the corporate instance is the only application
approved to store sensitive data. The following elements will be used:

▪ File storage application such as OneDrive or GDrive, on which you have a corporate
account and a personal account.
▪ Additional cloud applications to use as possible means of exfiltration of sensitive
data: Microsoft Teams, Slack, LinkedIn.
▪ Test files with sensitive data to trigger DLP incidents, download from:

https://drive.google.com/drive/folders/1KHOwPXpPmJ7Ua9h7nbMhZ1HxGG9p73_4?usp=share_link

▪ Predefined DLP profile:
    ▪ Payment Card Industry Data Security Standard PCI
▪ DLP Custom Profile:
    ▪ ML Image Classifier
▪ Constraint associated with the corporate domain

To control the actions that users can perform on non-corporate cloud instances, a Constraint will
be used to define non-corporate instances.

Constraint configuration

2.1. Navigate to Policies > Profiles > Constraint > User
2.2. Click on New User Constraint Profile.
2.3. In the Constraint Profile Name add: <user>SSE Corporate
2.4. In Emails, select Matches and add your corporate domain. Ex: *@netskope.com
2.5. Click on Save
2.6. Apply Changes

Real Time policy configuration to allow movement of any document on corporate instances

2.7. Navigate to Policies > Real-Time Protection
2.8. Click on New Policy > Cloud App Access
2.9. Complete the policy wizard with the following values:

Note: In Destination Cloud App, use a cloud storage application where you have
access to a corporate and a personal instance: Gdrive, Microsoft Office 365 OneDrive
for Business, Box, etc.

Field | Value
Source | User = User assigned
Destination > Application | Google Drive, Microsoft Office 365 OneDrive for Business
Activities & Constraints | Activity = All > From User = <user>SSE Corporate
Profile & Action | Action: Allow
Set Policy | <user> SSE- Monitoring activities Corporate Instances

2.10. Click on Save
2.11. In Move Policy, select To the Top. Then click Save
2.12. Apply changes.

Note: Remember best practices regarding the order of policies. Adjust the order of
policies if required, so that this Corporate Instance Exception policy is at the top,
before any General Blocking.

Creation of the Custom DLP profile

2.13. Navigate to Policies > Profiles > DLP
2.14. Click on New Profile
2.15. In the File Profiles tab, select Matches and click Next
2.16. In Rule|Classification, under Classifier, locate the Miscellaneous > Screenshot,
Whiteboard option. Then locate the Financial option and select Payment Card
(Credit, Debit). Click Next
2.17. Assign the name <user> ML Image Classifier
2.18. Click on Save and apply the changes.

Real Time policy configuration for blocking the movement of any document with
sensitive data using PCI DLP profiles and Image Classification with ML.

Configuration User Notification template

2.19. Navigate to Policies > Templates > User Notification
2.20. Click on Add Template > Cloud Apps and Web
2.21. Complete the template wizard with the following information

Field | Value
Template Name | <User> Netskope SSE - Block sensitive data movement
Logo | Select an existing one, or select Create New
Title | Notification of unauthorized movement of sensitive data
Subtitle | {{NS_ACTIVITY}} {{NS_FILENAME}} using {{NS_APP}}
Message | You are attempting to make an unauthorized movement of sensitive data outside the organization. This request has been blocked and a DLP incident has been generated.
Action Buttons | Configure actions to: Block; Acknowledge Button: OK

2.22. Click on Save
2.23. Apply changes.

Custom Category Configuration - All Categories

2.24. Navigate to Policies > Profiles > Web


2.25. Click on New Custom Category
2.26. Enter as Custom category name: <user> All Categories
2.27. Click on Select All
2.28. Click on Save
2.29. Apply changes

Real Time policy configuration

2.30. Navigate to Policies > Real-Time Protection
2.31. Click on New Policy > Web Access
2.32. Complete the policy wizard with the following values:

Field | Value
Source | Assigned user
Destination > Category | <user>All Categories
Activities & Constraints | Activity = Upload, FormPost
Profile & Action | DLP Profile = Payment Card Industry Data Security Standard PCI-DSS (predefined), ML Image Classifier (custom)
Profile & Action | Action: Block; Template: <User> Netskope SSE - Block sensitive data movement
Set Policy | <user> Netskope SSE - Block sensitive data movement

2.33. Click on Save
2.34. In Move Policy, select To the Bottom. Then click Save
2.35. Apply changes.

Real Time policy configuration for sensitive data post blocking using PCI DLP profiles and
Image Classification with ML.

Real Time policy configuration

2.30. Navigate to Policies > Real-Time Protection
2.31. Click on New Policy > Cloud App Access
2.32. Complete the policy wizard with the following values:

Field | Value
Source | Assigned user
Destination > Application | Slack, Microsoft Teams, LinkedIn
Activities & Constraints | Activity = Upload, Post
Profile & Action | DLP Profile = Payment Card Industry Data Security Standard PCI-DSS (predefined), ML Image Classifier (custom)
Profile & Action | Action: Block; Template: <User> Netskope SSE - Block sensitive data movement
Set Policy | <user> Netskope SSE - Block Sensitive Data post

2.33. Click on Save
2.34. In Move Policy, select To the Bottom. Then click Save
2.35. Apply changes.

Note: Make sure that this policy comes before the general sensitive data movement
control policy previously created.

Verify the configured policies:

2.36. Log in to a personal instance of OneDrive/Gdrive and try to upload the Uber
Invoice.pdf file. This action should be blocked.
2.37. Log in to the OneDrive/Gdrive corporate instance and try to upload the Uber
Invoice.pdf file. This action should be allowed.
2.38. Open the PDF and copy the sensitive information (user name and all credit card data,
INCLUDING the date and security code) and try to paste it into the chat of the Microsoft
Teams and LinkedIn applications. This action should be blocked.
2.39. Take the Whats In your Wallet.png image and try to upload it via Slack,
Twitter, LinkedIn. This action should be blocked.
2.40. Verify the alerts generated in Skope IT and validate the generated DLP incident. In the
Incidents > DLP section, get the details of what sensitive information the document
contained and which DLP profile was activated.
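
The policy-ordering notes in this use case and the expected results of steps 2.36 to 2.39 can be checked against a small model. This is an added example, not part of the lab guide and not Netskope code: it assumes top-down, first-match evaluation with a default of Allow, uses *@netskope.com as the corporate domain, drops the <user> prefix from policy names, and all sample requests are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass(frozen=True)
class Request:                          # constructed model of one steered transaction
    app: str
    activity: str
    login: str                          # account used inside the app ("From User")
    dlp_hits: frozenset = frozenset()   # DLP profiles the content matched

@dataclass(frozen=True)
class Policy:
    name: str
    action: str                             # "Allow" or "Block"
    apps: Optional[frozenset] = None        # None = any destination (All Categories)
    activities: Optional[frozenset] = None  # None = any activity
    from_user: Optional[str] = None         # constraint profile pattern
    dlp: Optional[frozenset] = None         # None = no DLP condition

    def matches(self, r: Request) -> bool:
        if self.apps is not None and r.app not in self.apps:
            return False
        if self.activities is not None and r.activity not in self.activities:
            return False
        if self.from_user and not fnmatch(r.login.lower(), self.from_user.lower()):
            return False
        if self.dlp is not None and not (self.dlp & r.dlp_hits):
            return False
        return True

def evaluate(policies, request, default="Allow"):
    """Assumed semantics: the first matching policy from the top decides."""
    for p in policies:
        if p.matches(request):
            return p.action, p.name
    return default, None

DLP = frozenset({"PCI-DSS", "ML Image Classifier"})
CORP_ALLOW = Policy("SSE- Monitoring activities Corporate Instances", "Allow",
                    apps=frozenset({"Google Drive",
                                    "Microsoft Office 365 OneDrive for Business"}),
                    from_user="*@netskope.com")
BLOCK_POST = Policy("Netskope SSE - Block Sensitive Data post", "Block",
                    apps=frozenset({"Slack", "Microsoft Teams", "LinkedIn"}),
                    activities=frozenset({"Upload", "Post"}), dlp=DLP)
BLOCK_MOVE = Policy("Netskope SSE - Block sensitive data movement", "Block",
                    activities=frozenset({"Upload", "FormPost"}), dlp=DLP)

LAB_ORDER = [CORP_ALLOW, BLOCK_POST, BLOCK_MOVE]    # exception at the top
MISORDERED = [BLOCK_POST, BLOCK_MOVE, CORP_ALLOW]   # exception below the blocks

PCI = frozenset({"PCI-DSS"})
IMG = frozenset({"ML Image Classifier"})
SCENARIOS = {   # constructed requests mirroring the verification steps
    "2.36 personal upload": Request("Google Drive", "Upload", "someone@gmail.example", PCI),
    "2.37 corporate upload": Request("Google Drive", "Upload", "analyst@netskope.com", PCI),
    "2.38 paste into Teams": Request("Microsoft Teams", "Post", "analyst@netskope.com", PCI),
    "2.39 image via Twitter": Request("Twitter", "Upload", "someone@gmail.example", IMG),
}

def run(policies):
    """Evaluate every scenario against one policy ordering."""
    return {step: evaluate(policies, req) for step, req in SCENARIOS.items()}

if __name__ == "__main__":
    for label, order in (("lab order", LAB_ORDER), ("misordered", MISORDERED)):
        print(label)
        for step, (action, name) in run(order).items():
            print(f"  {step:24} {action:5} <- {name}")
```

With the exception policy moved below the blocking policies, the corporate upload in step 2.37 is blocked, which is the failure the ordering note guards against.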

3. Use Case - Protection against advanced threats

This use case uses the malware protection and dangerous site access
policies which should always be configured as a baseline on any
Netskope tenant.

Apply the Default Malware Scan profile to all web traffic downloads.

Configuration User Notification template

3.1. Navigate to Policies > Templates > User Notification
3.2. Click on Add Template > Cloud Apps and Web
3.3. Complete the template wizard with the following information

Field | Value
Template Name | <User> Netskope SSE- Block Malware
Logo | Select an existing one, or select Create New
Title | Malware Detected
Subtitle | {{NS_ACTIVITY}} {{NS_FILENAME}} using {{NS_APP}}
Message | Malware has been detected in your application and your application has been stopped. Please notify the IT team about this incident for investigation.
Action Buttons | Configure actions to: Block; Acknowledge Button: OK

3.4. Click Save
3.5. Apply changes.

Real Time policy configuration

3.6. Navigate to Policies > Real-Time Protection
3.7. Click on New Policy > Threat Protection
3.8. Complete the policy wizard with the following values:

Field | Value
Source | Assigned user
Destination > Category | Select all the categories that appear
Activities & Constraints | Download, Upload
Profile & Action > Threat Protection Profile | Default Malware Scan (pre-defined)
Profile & Action > Threat Protection Profile | Low Severity > Action: Block > Template: <User> Netskope SSE- Block Malware, Remediation: None; Medium Severity > Action: Block > Template: <User> Netskope SSE- Block Malware, Remediation: None; High Severity > Action: Block > Template: <User> Netskope SSE- Block Malware, Remediation: None; High Severity > Action: Block > Template: <User> Netskope SSE- Block Malware, Remediation: None
Set Policy | <user> SSE - Block Malware Internet

3.9. Click on Save
3.10. In Move Policy, select To the Top. Then click Save
3.11. Apply changes.
3.12. Verify the policy: Try downloading one of the Eicar test files.

https://www.eicar.org/download-anti-malware-testfile/

3.13. Check the incidents and types of Malware detected in the Incidents > Malware
section.

Block access to any potentially dangerous or identified high-risk sites for activities such as
C&C, botnets, phishing, illegal activity, etc.

Configuration User Notification template

3.14. Navigate to Policies > Templates > User Notification
3.15. Click on Add Template > Cloud Apps and Web
3.16. Complete the template wizard with the following information

Field | Value
Template Name | <User> Netskope SSE - High Risk Activity Detected
Logo | Select an existing one, or select Create New
Title | High Risk Activity Detected
Message | Access to the requested website has been blocked because it is considered a high-risk site belonging to the {{NS_CATEGORY}} category.
Action Buttons | Configure actions to: Block; Acknowledge Button: OK

3.17. Click Save
3.18. Apply changes.

Real Time policy configuration

3.19. Navigate to Policies > Real-Time Protection
3.20. Click on New Policy > Web Access
3.21. Complete the policy wizard with the following values:

Field | Value
Source | Assigned user
Destination > Category | Select all Security Risk categories
Activities & Constraints | Browse
Profile & Action | Action: Block; Template: <User> Netskope SSE - High Risk Activity Detected
Set Policy | <user> SSE - Block Malicious Sites

3.22. Click on Save
3.23. Under Move Policy, select To the Bottom. Then click Save
3.24. Apply changes.
3.25. Verify the policy: Download the PowerShell script malsite_demo.ps1 and the file
with the list of malicious sites, netskope_malicious_site_overview.csv, from the
following path:

https://drive.google.com/drive/folders/1IgOjhYMjohw3mFBGKlgEJuFl7jjkJwnc?usp=share_link

Open a command prompt on the client machine, change to the directory where these two files
were stored, and execute the following command:

powershell.exe -ExecutionPolicy ByPass -File ./malsite_demo.ps1 netskope_malicious_site_overview.csv

3.26. Check for blocked malicious sites in the Incidents > Malicious Sites section.

4. Safe access to potentially dangerous sites


Provide 100% secure navigation to uncategorized websites or newly registered domains,
avoiding the compromise of a user or machine when accessing these sites of
unknown reputation.

Configuration of real time policy to isolate web traffic

4.1. Login to the Netskope tenant, then Policies > Profiles > Web > URL Lists and
click on New URL List.
4.2. Name the list using the <user> Isolation URLs convention and add the following
URLs: cnet.com and *.cnet.com. Add any other sites you want to test with. Save
and Apply Changes.

4.3. Click on Custom Categories, then select New Custom category. Assign a name
using the <user> Isolation Categories convention. Add the URL list created in the
previous step in the URL List (Include) section. Click Save and Apply Changes.

4.4. Go back to Policies > Real Time Policies > New Policy > Web Access. Define
the policy according to the following parameters:

Field | Value
User | <your user>
Destination > Category | Uncategorized, Newly Registered Domain, Parked Domains, No Content, <user> Isolation Categories
Profile & Action | Isolate
Set Policy | SSE - Browser Isolation Uncategorized WebSites
Status | Enabled

Click on Save and Apply Changes.

Note: You will receive a warning when using a custom category; skip the warning
and continue with the policy configuration.


4.5. Test the policy from a machine where the Netskope client is installed, with Web
Traffic steering enabled. Validate the following isolation technology use cases:

▪ File download disabled: Enter the following URL and try to download any file.
Please note the result of this action.
    ▪ https://download.cnet.com

▪ Restricted actions (Printing & Clipboard limited): Try to print the page with the
command (win: Ctrl + P, mac: Command + P). Likewise, right-click on an isolated
page and check what clipboard options are available compared to an unisolated
page. Check the result of this action.

5. Use Case - Granular access control in cloud applications such as YouTube

Ensure that only certain content can be consumed on YouTube channels, in cases where
access cannot be blocked due to the need to consume corporate channels.

Configuration User Notification template

5.1. Navigate to Policies > Templates > User Notification
5.2. Click on Add Template > Cloud Apps and Web
5.3. Complete the template wizard with the following information

Field | Value
Template Name | <User> Netskope SSE - Youtube Navigation Control
Logo | Select an existing one, or select Create New
Title | Access to non-corporate content
Message | Access to the content of these types of channels in {{NS_APP}} is prohibited and has been blocked by the {{NS_POLICY_NAME}} policy. See corporate acceptable use policy
Action Buttons | Configure actions to: Block; Acknowledge Button: OK

5.4. Click on Save
5.5. Apply changes.

Real Time policy settings for YouTube blocking

5.6. Navigate to Policies > Real-Time Protection
5.7. Click on New Policy > Cloud App Access
5.8. Complete the policy wizard with the following values:

Field | Value
Source | Assigned user
Destination > Application | YouTube
Activities & Constraints | Activity = View
Profile & Action | Action: Block; Template: <User> Netskope SSE - Youtube Navigation Control
Set Policy | <user> SSE - Block Cloud Apps prohibited

5.9. Click on Save
5.10. In Move Policy, select To the Bottom. Then click Save
5.11. Apply changes.


Configuring Real Time Policy for Exception YouTube Education Channels

5.12. Navigate to Policies > Real-Time Protection
5.13. Click on New Policy > Cloud App Access
5.14. Complete the policy wizard with the following values:

Field | Value
Source | Assigned user
Destination > Application | YouTube
Activities & Constraints | Activity = View; Object Type: Education
Profile & Action | Action: Allow
Set Policy | <user> SSE - Granular Access to Youtube

5.15. Click on Save
5.16. In Move Policy, select To the Top. Then click Save
5.17. Apply changes. Make sure this policy is just below the malicious site blocking
policy.

5.18. Check policy: Log in to YouTube and try to access any video related to topics
other than Education. This action should be blocked and you should not be able to
access this content.

5.19. From YouTube search, type the name of any university to enter its channel.
The content of these YouTube channels should be allowed because it is related to
Education.

5.20. Check the alerts generated in SkopeIT > Alerts. Identify the ID of the education
channels and create a policy to only allow access to this specific channel.

6. Use Case - Zero Trust Network Access

Secure remote access under the Zero Trust model to a private application.

This scenario uses an architecture in the AWS cloud containing private resources of the
DogCorp.local domain, to which secure remote access will be provided through ZTNA.

Validation of Real Time policy to only allow access to authorized internal applications

6.1. Navigate to Policies > Real time Protection and add your user to the Remote Access -
Windows Administrator policy. This policy only gives access to websites published on two
private servers (one with Windows Server OS and one with Ubuntu OS), as well as
administrator access via RDP to the Windows server.
6.2. Click on Save
6.3. Apply changes.
6.4. Check the private apps mentioned in the real time policy to identify which private IP
address and port they map to. Go to Settings > Security Cloud Platform > App Definition >
Private Apps
6.5. Test the policy: make sure that your steering configuration has private applications
enabled, try to log in to internal web sites, and also try to open an RDP connection to the
Windows server. These actions will be allowed.
6.6. Try to log in via SSH to the Ubuntu server. This action should be blocked.
6.7. Check the alerts generated in SkopeIT > Network Events.
7. Use Case - Controlling risky users


One of the key differentiators of Netskope SSE is the incorporation of specialized
technologies for cloud risk management: under the zero trust concept, the
security posture is strengthened through continuous monitoring of user behavior,
so that the evaluation of the risk the user represents becomes the main driver of
the security policy.

7.1. Check the new behavioral anomaly rules that were incorporated in the latest releases of the
platform: go to Policies > Behavior Analytics. High-risk activities such as malware download,
access to malicious sites and DLP incidents are included in this set of rules, so many of the
activities that have been performed in the course of this lab have had a direct effect on
reducing the user's confidence score.

7.2. Check your user's current trust score. Go to Incidents > Behavior Analytics. Check how many
events and what type of events have reduced your trust score.


Continuously monitoring user behavior and assessing their risk score
to build an adaptive security policy is the way to implement a zero
trust model.

Taking into account that the previous scenario allowed us to significantly decrease the trust
score of a user, we will use this score as a criterion to define whether to block access to
corporate instances.

Configuration User Notification template

7.3. Navigate to Policies > Templates > User Notification
7.4. Click on Add Template > Cloud Apps and Web
7.5. Complete the template wizard with the following information

Field | Value
Template Name | <User> Netskope SSE Risky user detected
Logo | Select an existing one, or select Create New
Title | Potentially risky user detection
Message | Downloading and sharing files in corporate instances has been blocked due to the risk score reported for the user. Contact your IT Administrator to verify this incident.
Action Buttons | Configure actions to: Block; Acknowledge Button: OK

7.6. Click on Save
7.7. Apply changes.

Real Time policy configuration

Configure the policy according to the following values:

Field | Value
Source | Add Criteria > User Confidence: select lower than the value of your user's current confidence score.
Destination > App Instance | OneDrive or corporate GDrive previously defined
Activities & Constraints | Download, Share
Profile & Action | Action: Block; Template: <User> Netskope SSE Risky User detected
Set Policy | <user> SSE - Block downloads risky user to corporate instances

7.8. Click on Save
7.9. Under Move Policy, select To the Bottom. Then click Save
7.10. Apply changes.
7.11. Verify the policy: In your corporate instance, try to perform activities such as
downloading files, sharing, etc.
7.12. Validate activities in Skope IT > Application Events