The document discusses the need for cloud security solutions as cloud usage increases. It summarizes that the way people work has changed with access from any device at any time. More sensitive data is now stored in the cloud exposing it to new risks. It then provides an overview of the Netskope cloud security platform, highlighting its capabilities including visibility, data security, compliance, threat protection and ability to govern sanctioned and unsanctioned cloud applications and web usage from a single interface. Sample customers and use cases that Netskope addresses are also summarized.
25. Use Case #9
Protect sensitive data in Amazon S3 buckets
Confidential PCI-DSS PHI PII
26. Use Case #10
Protect against cloud-based malware and ransomware
• Quarantine malware in sanctioned cloud services
• Stop malware to and from all cloud services
• Remediate post-ransomware infections
• Detect anomalous behavior
• Malicious insider activities to potential account hijacking
The move to the cloud has exposed limitations in existing security controls. In the past, data was controlled mostly by IT and stored inside a protected perimeter. Remote access to the data was permission-based and almost always through a VPN. Threats were focused on the network and endpoint. With a defined perimeter, IT was able to tightly control access.
Fast forward to today: the business leads where data is created and stored. Remote use is expected and happens outside of IT’s controls. The focus is on speed to market, collaboration, sharing and business enablement, with security lagging behind. As a result, use cases have evolved beyond what legacy tools understand. Examples include cloud-to-cloud data movement, direct-to-cloud access, advanced cloud threats, access from unmanaged devices and more.
Enterprises need a cloud native solution that understands this new way people work and how to secure data in a borderless world.
The real question, though, is how much of your data is in these apps? What do you think?
Last year we did a study with Ponemon to examine the impact the cloud has on the probability and economic impact of a data breach. One of the questions we asked IT and security professionals was how much business data they believe is in the cloud. Their (self-reported) estimate is about 30 percent.
Whether it’s 30 percent or more than that, it’s only going up from here.
This transition to the cloud brings with it new challenges and new risks. Users are creating and storing your data in thousands of cloud services potentially exposing your sensitive business data like trade secrets, intellectual property, customer information, PII, PHI, etc. The reality is traditional security tools were not designed to protect the different ways users move and share data in the cloud.
So let’s look at some specific cloud security use cases.
Users are sharing sensitive data publicly directly from services like OneDrive, Box and personal instances of apps
Users are accessing data from remote or risky locations without IT permission
Users are exfiltrating data by moving it directly from one cloud service to another, without the data ever touching the endpoint
Users are downloading data to personal or BYOD devices
In addition, malicious actors are trying to disrupt business with advanced cloud threats like malware, encrypting files with ransomware, and hijacking cloud credentials to steal data.
The good news is the Netskope platform was designed to address all of these new risks even for the most advanced cloud security use cases.
Netskope is a cloud access security broker positioned as a leader in the Gartner Magic Quadrant. We are the only standalone vendor remaining in the leader’s quadrant and positioned the furthest right for completeness of vision. Netskope has also been named a leader by IDC while receiving numerous awards from other industry analysts.
Netskope’s mission is to provide a unified, cloud-native security platform covering all SaaS, IaaS and Web traffic.
As I go through this presentation I plan to show you that:
Netskope is the most comprehensive CASB solution covering the most cloud services
Netskope provides true 360 degree data protection even when users are remote
And Netskope addresses both basic and advanced cloud security use cases with no blind spots
So let’s get going
So let me transition to talk more specifically about the Netskope solution. Netskope’s cloud security platform is a cloud native solution designed to be a single point of control for all SaaS, IaaS and Web traffic. Netskope is unique in that it provides granular policy enforcement, comprehensive data protection, advanced threat protection and risk analytics for thousands of cloud services. Most other CASB solutions are limited to a small subset of cloud services and typically require coarse-grained blocking as part of their solution.
At the heart of Netskope’s enablement platform is a patented CloudXD engine providing unparalleled granular control (extreme definition) of user activity for cloud and web. This granular control allows Netskope customers to securely enable cloud services without being forced into binary allow or block decisions.
And finally, with Netskope’s advanced cloud architectures, customers can secure any user regardless of device - managed or unmanaged, and from any location – on-premises or remote. In fact, Netskope protection for remote users applies to thousands of cloud services regardless of their access method (mobile apps, sync clients, browser and desktop apps). This is a key differentiator versus other CASB solutions.
A question we get frequently is how do I start thinking about deploying a CASB like Netskope. We call this the cloud security journey in phases.
Phase 1 is a discovery of cloud services in your environment along with determining risk using the Netskope Cloud Confidence Index. Here we start to correlate risk with usage and build the foundation for understanding the type of cloud policies that will be required in phases 2 and 3.
Phase 2 is focused on sanctioned cloud services with a combination of API (data-at-rest) and real-time controls. Think of apps like OneDrive, Box, AWS and ServiceNow.
Phase 3 is when we transition to full governance including business and user-led cloud services. In this phase we deploy real-time, data-in-motion controls for all cloud services. This phase is a big differentiator of Netskope, allowing you to securely enable cloud services rather than blocking them.
Our customers have deployed these phases in a number of different combinations. Some have started out with phase 1 or just phase 2, while others have started with all 3. It is really driven by your use cases and your requirements. What’s important to know is Netskope can grow as your cloud security needs grow.
• Walk through app analytics and CCI
• Walk through Introspection dashboard
The final use case is centered around providing granular visibility and control of users connecting to IT-led cloud services from personal devices.
Demo script
• Disable Netskope client
• Show inline policy to block downloads of PCI from Box when on an unmanaged device
• Log in to Okta and launch Box (point out reverse proxy)
• Attempt to download Credit Cards.pdf from Box and show block
- The 1st use case is centered around sensitive data loss with a focus on accuracy and precision. Netskope’s award-winning Cloud DLP provides more than 25 out of the box templates to cover compliance regimens ranging from PCI to GDPR. In addition, Netskope’s DLP supports advanced features like fingerprinting and exact match and when you combine those with context you get unparalleled accuracy and pre- Let’s look at a common example (demo fingerprinting of document and showcase similarity matching)
Demo Script
• Go to Policies > DLP > Profiles and show 25 out-of-the-box compliance templates
• Show a form with filled in data how this is an example of content that you may want to protect. You can use an out-of-the-box compliance template like PII, but that can lead to false positives
• Show DLP rule config by going to Policies > DLP > Fingerprint Classification > Rules and select the profile with the fingerprinted form data. Talk about how Netskope supports advanced features like fingerprinting with similarity matching. Show a blank form that is fingerprinted and then when data gets filled in it will be caught.
• To show fingerprinting in action, this is a good segue to the next use case
The 2nd use case is a common one across Netskope’s customer base and is often cause for great concern. This is the scenario when a user uses their corporate credentials to log in to a sanctioned cloud service like Box and download sensitive data. That alone is probably OK because that is why you sanctioned Box in the first place. However, what the user does next is scary. After they download the data from the corporate Box, they turn around and upload that data to their personal cloud app. This is problematic because it presents a big blind spot.
A CASB like Netskope has the unique ability to see all cloud transactions in real time and understand activities across both sanctioned and unsanctioned services. It can detect data exfiltration taking place and alert security folks, or it can prevent it altogether, since we are a control point between the users and the cloud services they are accessing.
Demo Script (bonus is to use form data specific to customer)
• Show data exfiltration anomaly with form data going from Box to Dropbox and how Netskope can prevent this without requiring you to block Dropbox
• Briefly show allow and block policies we setup in previous use case. Reiterate that this policy sequence allows the form data going to sanctioned Box and another that blocks it going to any unsanctioned cloud storage, webmail, or collaboration app (thousands of apps)
• Attempt to upload a filled in form that has to Dropbox and show block
- The next use case is one of the next steps many enterprises want to take after discovering cloud services in use and assessing risk. This is all about putting granular controls in place to safely enable cloud services instead of being forced to block them.
- This is a big shift in security strategy from the old days of blocking as much as you can on your perimeter security device. In today’s cloud environment, blocking everything is usually not a good strategy, as users and lines of business often rely on cloud services to be more productive and get their job done.
- In this example, let’s look at a financial firm in NYC where the CISO had a catch-22. Does he try to block social media so that his firm is not at risk for FINRA compliance issues related to users sharing their opinion via social media about a public company or stock? Or does he accept the risk and let users use social media because culturally it is the right thing to do, not to mention that folks from marketing and support need it for their job?
- This is where a CASB like Netskope enables this CISO to have their cake and eat it too. They don’t have to block social media apps altogether, but instead can leverage granular policies and advanced CASB features to block risky activities instead.
Demo Script
• Walk through DLP rule that has keywords “guarantee” and “recommend”, custom keyword dictionaries that include public company names and stock symbols, and boolean operator that brings everything together. Name it FINRA Compliance.
• Walk through inline policy that blocks posts to social media with the FINRA Compliance rule from users in Finance
• Attempt to post “guarantee AAPl will do well in Q4” into Twitter and show block
• Go to Incident Management and show trigger words
• Mention how this enabled the company to safely enable social media instead of being forced to block it.
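The rule and policy walked through in this demo script can be sketched as follows. This is an added illustration, not Netskope's rule syntax or engine: the dictionaries, the `Event` fields and the function names are assumptions, and only the keywords "guarantee" and "recommend", the Finance scope and the demo post come from the script.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Keywords named in the demo script; prefix match also catches
# "guaranteed", "recommends", "recommendation".
ADVICE_KEYWORDS = ("guarantee", "recommend")
# Constructed sample dictionaries (the script only says they hold
# public company names and stock symbols).
COMPANY_NAMES = {"apple", "microsoft"}
STOCK_SYMBOLS = {"AAPL", "MSFT"}


@dataclass
class Event:
    """Hypothetical inline event as a proxy might describe it."""
    user_group: str
    app_category: str
    activity: str
    content: str


def dlp_triggers(content: str) -> list[str]:
    """Boolean rule: (advice keyword) AND (company name OR stock symbol).

    Returns the trigger words as typed, or [] when the rule does not match.
    """
    advice, issuers = [], []
    for tok in re.findall(r"[A-Za-z]+", content):
        low = tok.lower()
        if low.startswith(ADVICE_KEYWORDS):
            advice.append(tok)
        # Symbols are compared case-insensitively so "AAPl" or "$aapl"
        # still match; tickers that are also common words would need
        # extra context to avoid false positives.
        elif low in COMPANY_NAMES or tok.upper() in STOCK_SYMBOLS:
            issuers.append(tok)
    return advice + issuers if advice and issuers else []


def evaluate(event: Event) -> str:
    """Inline policy: block Finance users' social media posts that match
    the rule; every other activity on the same apps stays allowed."""
    in_scope = (
        event.user_group == "Finance"
        and event.app_category == "Social Media"
        and event.activity == "Post"
    )
    if in_scope and dlp_triggers(event.content):
        return "block"
    return "allow"


if __name__ == "__main__":
    demo = Event("Finance", "Social Media", "Post",
                 "guarantee AAPl will do well in Q4")
    print(evaluate(demo), dlp_triggers(demo.content))
```

The AND between the two term sets is what keeps the policy narrow: a post that only mentions a company, or only uses "recommend", is not blocked.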
• Talk about Monsanto use case
• Netskope provides both API and inline support for Amazon AWS and S3
• Show Introspection policy to alert on PCI in S3 buckets
• Open credit cards.pdf to show credit card numbers and drag to an S3 bucket
• Show saved queries in SkopeIT and also point out EC2 activities covered
- The 5th use case is tied to threat protection. It turns out that the cloud presents a major threat vector when it comes to hiding and propagating various strains of malware like ransomware.
- One common scenario is when you have a cloud storage environment with a combination of shared folders and sync clients. That environment is great for users because it gives them anytime, anywhere access to their data. It is also a great environment for malware because once malware gets into a sync client or a shared folder it spreads rapidly and can infect unsuspecting users. We call this the attack of the malware fan out.
- A CASB like Netskope has built-in cloud-centric malware protection. It can leverage the API deployment to scan content repositories of sanctioned cloud services for the presence of malware and quarantine that malware, and it can leverage an inline deployment to stop malware from making its way to its destination.
Demo Script
• Talk about the strength of our threat protection with malware protection, anomaly detection, and ransomware remediation
• Drag a malware file to a Box sync folder and show block (put malware back to Box)
• Attempt to email malware file using Outlook and show block
• Go to Dashboard > Risk > Threat Protection > Malware, select last 90 days and show Gen.Malware.Detect.By.Sandbox
• Show Gen.Ransomware.Variant.ns, click on it, and show how you can restore
We are a global company with more than 480 people. Our technical and leadership team are former distinguished engineers, principal architects, and executives from companies such as Palo Alto Networks, Juniper/NetScreen, Cisco, McAfee/IntruVert, VMware, and more. We have a track record of innovation, amassing more than 40 patent claims across four categories. We have strong technology integrations and partnerships with Microsoft, Box, Google, Dropbox, and more, and supportive channel partners who lead in their respective fields. Our investors are top Silicon Valley venture capitalists who are early investors in some of the most important and transformational IT and cloud companies in the world. In short, we are a well-funded, well-positioned leader in the market.
Netskope has the most advanced threat protection platform of any CASB solution including a first of a kind Cloud Threat Research Lab. Netskope’s comprehensive solution includes real-time protection using AV, malicious site detection, global threat intelligence and more advanced “deep protection” like cloud sandboxing, heuristics, ransomware detection and more. And because Netskope can see all cloud and web traffic, there are no blind spots for threats.
• So why are the largest enterprises in the world choosing Netskope?
• It really comes down to four primary reasons
First, Netskope is the only CASB that can address use cases tied to safely enabling unsanctioned or Shadow IT cloud services.
Other CASBs cannot address this use case because they were not architected with the ability to provide granular visibility and control of thousands of cloud services
Their DLP is limited to dozens of apps, not the thousands required to adequately protect against sensitive data loss in unsanctioned cloud services
They don’t understand the language of the cloud. They can’t differentiate between corporate and personal instances of cloud apps and don’t have a policy engine that can adequately deal with thousands of cloud services with support for category-level policies with both allow and block actions.
Next is Netskope’s award-winning cloud DLP. Protecting against sensitive data loss in the cloud is a big use case, and Netskope’s DLP is far ahead of the competition when it comes to breadth of app coverage and accuracy of inspection results.
Netskope also provides the most comprehensive cloud-specific threat protection. Backed by the Netskope Threat Research labs, our ability to find and stop various strains of malware like ransomware in the cloud and even help you remediate post infection, separates us from other CASBs that provide rudimentary threat protection capabilities.
Last, but certainly not least is our ability to comprehensively cover customer use cases in a way that other CASBs simply cannot. Our platform was architected with flexible deployment options that enable you to optionally take a crawl-walk-run approach to cloud security and start with Discovery or a friction-less deployment like API Introspection. You can then grow into a more advanced deployment method and go inline using a number of configurations to achieve real-time visibility and control with comprehensive coverage for users on premises, mobile, and remote and accessing browsers, mobile apps, desktop apps, and sync clients. The net-net is that we are architected to uniquely cover your use cases today and tomorrow.