Netskope NSK101 Netskope Certified Cloud Security Administrator (NCCSA) Exam Practice Test

A Netskope Virtual Appliance is a software-based appliance that can be deployed on-premises or in the cloud to provide various functions and features for the Netskope Security Cloud platform. One use for deploying a Netskope Virtual Appliance is as an endpoint for Netskope Private Access (NPA), which is a service that allows users to securely access private applications without exposing them to the internet or using VPNs. Another use for deploying a Netskope Virtual Appliance is as a Secure Forwarder to steer traffic from on-premises devices or networks to the Netskope platform for inspection and policy enforcement. Using a Netskope Virtual Appliance as a local reverse-proxy to secure a SaaS application or as a log parser to discover in-use cloud applications are not valid uses, as these functions are performed by other components of the Netskope Security Cloud platform, such as the Cloud Access Security Broker (CASB) or the Cloud XD engine. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 2: Architecture Overview; [Netskope Private Access]; [Netskope Secure Forwarder].

To provide an additional pop-up warning to users before allowing them to proceed to web applications categorized as "low" or "poor" by Netskope's Cloud Confidence Index (CCI), you can:

Enable real-time user coaching based on CCL: This feature allows administrators to create policies that provide real-time guidance and warnings to users when they attempt to access web applications with low or poor confidence levels. This helps in educating users about the potential risks and ensures that they proceed with caution.

References:

Netskope documentation on configuring real-time user coaching and leveraging the Cloud Confidence Index for policy enforcement.

Best practices for using CCL to guide user behavior and enhance security awareness.

=================

To create a policy to quarantine files based on sensitive content in Netskope, you need to include the DLP Profile variable. Here's a detailed explanation of the steps involved:

Access Netskope Admin Console: First, log in to your Netskope admin console.

Navigate to Policies: Go to the Policies section where you can create and manage different types of policies.

Create a New Policy: Click on the option to create a new policy. Select the type of policy you want to create. In this case, it will be a Data Loss Prevention (DLP) policy.

Define Policy Criteria: Define the criteria for your policy. This includes specifying the conditions under which files should be quarantined. You will need to include sensitive content detection as part of the criteria.

Include DLP Profile: The most crucial step is to include a DLP Profile in your policy. The DLP Profile will define the sensitive content that the policy will monitor for. Netskope provides various predefined DLP profiles that you can use, or you can create custom DLP profiles based on your organization's needs.

Set Action to Quarantine: Specify the action to be taken when the policy criteria are met. In this case, you want to quarantine the files. Select the "Quarantine" action from the available options.

Save and Apply Policy: Once you have configured the policy with the DLP profile and action, save the policy and apply it to the relevant users, groups, or organizational units.

References:

Netskope Knowledge Portal: Using DLP Profiles and Policies​​​​​​.

An administrator would use the Digital Experience Management (DEM) component to see an overview of private application usage and performance. DEM provides comprehensive insights into the performance and user experience of private applications, including metrics on latency, bandwidth, and application health.

Digital Experience Management (DEM): This component focuses on monitoring and optimizing the user experience for private and public applications by collecting detailed performance data and providing actionable insights.

The other options do not provide the same level of detailed performance and usage overview for private applications:

Publishers page: Typically used for managing and configuring Netskope Publishers.

Incident Management: Focuses on tracking and resolving security incidents.

Cloud Exchange: Deals with integrations and data sharing between Netskope and other security solutions.

References:

Netskope documentation on Digital Experience Management and its capabilities.

Best practices for using DEM to monitor application performance and enhance user experience.

=================

Legacy solutions, such as on-premises firewalls and proxies, fail to secure the data and data access compared to Netskope Secure Web Gateway because they are designed for a perimeter-based security model, where the applications and the users are both within the corporate network. However, with the rise of cloud computing and remote work, this model is no longer valid. The applications where the data resides are no longer in one central location, but distributed across multiple cloud services and regions. The users accessing this data are not in one central place, but working from anywhere, on any device. Legacy solutions cannot provide adequate visibility and control over this dynamic and complex environment, resulting in security gaps and performance issues. Netskope Secure Web Gateway, on the other hand, leverages a cloud-native architecture that provides high-performance and scalable inspection of traffic from any location and device, as well as granular policies and advanced threat and data protection for web and cloud applications. References: Netskope Architecture OverviewNetskope Next Gen SWG

Deploying a Netskope Virtual Appliance (NPA) can serve multiple purposes within an organization's security infrastructure. Two key uses are:

To use as a log parser to discover in-use cloud applications:

The Netskope Virtual Appliance can be deployed to parse logs from various sources, including firewalls, proxies, and other network devices. By analyzing these logs, the appliance can discover and identify cloud applications that are being used within the network. This provides visibility into shadow IT and helps in managing and securing cloud application usage.

To use as an endpoint for Netskope Private Access (NPA):

The virtual appliance can act as an endpoint for Netskope Private Access, enabling secure access to private applications hosted in data centers or public clouds. It facilitates the establishment of secure, direct connections between users and the applications they need to access, without exposing the applications to the public internet.

References:

Netskope Knowledge Portal: Deploying Virtual Appliances

Netskope Private Access Overview

In the context of the cloud shared responsibility model, the customer's responsibilities include:

Controlling access:

Customers must manage access controls to ensure that only authorized users can access their data and applications. This includes implementing identity and access management (IAM) policies, multi-factor authentication (MFA), and regular auditing of access permissions.

Preventing data leakage:

Customers are responsible for implementing data loss prevention (DLP) strategies to protect sensitive information from unauthorized access, disclosure, or exfiltration. This involves configuring and monitoring DLP policies, encryption, and other security measures.

These responsibilities are critical for maintaining the security and integrity of data in the cloud, complementing the cloud provider's responsibilities for the infrastructure and services.

References:

Netskope Knowledge Portal: Cloud Security

Shared Responsibility Model

 NewEdge Data Planes Monitoring:

To determine which NewEdge data planes your remote users have been using, you need to access the relevant monitoring section in the Netskope Tenant UI.

 Client Steering under Digital Experience Management:

The Client Steering section under Digital Experience Management provides detailed information on how traffic is being steered for remote users.

This section includes insights into the NewEdge data planes being utilized by users.

 Steps:

Navigate to Digital Experience Management in the Netskope Tenant UI.

Select Client Steering to view detailed reports and logs on traffic steering.

Analyze the data to identify the NewEdge data planes used by remote users recently.

 References:

For more details on accessing and using the Client Steering section under Digital Experience Management, refer to the Netskope documentation on digital experience management and client steering​​​​.

Two primary advantages of Netskope’s Secure Access Service Edge (SASE) architecture are: no on-premises hardware required for policy enforcement and single management console. Netskope’s SASE architecture delivers network and security services as cloud-based services that can be accessed from any location and device. This eliminates the need for on-premises hardware appliances such as firewalls, proxies, VPNs, etc., that are costly to maintain and scale. Netskope’s SASE architecture also provides a single management console that allows administrators to configure and monitor all the network and security services from one place. This simplifies IT operations and reduces complexity and overhead. References: Netskope SASEWhat is SASE?

 Adaptive Zero Trust Data Protection Overview:

Netskope's Adaptive Zero Trust Data Protection ensures that data is protected based on continuous risk assessments and adaptive policies that respond to changing contexts and threats.

 Contextual Risk Awareness:

This capability involves understanding the context around data access and usage to assess risk dynamically.

Netskope leverages various signals such as user behavior, device security posture, location, and other factors to gauge risk levels.

By continuously evaluating these factors, Netskope can enforce appropriate security measures in real-time.

 Continuous Adaptive Policies:

Policies in the Netskope platform adapt continuously based on the assessed risk and changing contexts.

These policies are not static; they evolve based on ongoing risk assessments and threat intelligence.

Adaptive policies ensure that security measures are always aligned with the current threat landscape and organizational requirements.

 References:

For detailed capabilities and how they are implemented, refer to the Netskope documentation on Adaptive Zero Trust Data Protection​​​​.

To set up a real-time threat protection policy for patient zero to block previously unseen files until a benign verdict is produced by the Netskope Threat Protection Service, you need to configure the following parameters:

Block Action: This action ensures that any previously unseen file is blocked until it has been analyzed and a verdict has been reached. By blocking the file, the policy prevents potential threats from entering the network until they are deemed safe.

Remediation Profile: This profile defines the actions to be taken when a threat is detected. It includes configuring the alerts and responses (such as notifying administrators) when a file is blocked. This ensures that there is a process in place for handling detected threats and that appropriate measures are taken.

References:

Netskope Threat Protection documentation detailing the setup of real-time threat protection policies.

Configuration guides for policy actions and remediation profiles in the Netskope platform.

=================

Data Loss Prevention (DLP) document classifiers are designed to identify and control the flow of sensitive information based on predefined patterns and criteria. In this scenario, where the customer has cloud storage repositories containing sensitive files such as bank statements, consulting agreements, and disclosure agreements, DLP document classifiers can help:

Identify sensitive documents: By scanning and classifying documents based on their content, DLP document classifiers ensure that sensitive files are recognized and handled appropriately.

Control data flow: Policies can be applied to prevent unauthorized access, sharing, or movement of sensitive files, thereby protecting the data from leakage or exposure.

References:

Netskope DLP documentation, detailing how document classifiers work and how they can be configured to protect sensitive information.

Best practices for implementing DLP solutions to safeguard sensitive data in cloud storage environments.

=================

To allow access to an application using Netskope Private Access (NPA) with Private Apps steering already enabled for all users, follow these steps:

Create a Private App:

Go to the Netskope admin console.

Navigate to the Private Access section.

Create a new Private App by specifying the necessary details such as app name, IP address, ports, and protocols. This step is essential for defining the private application that users will access through NPA.

Create a Real-time Protection "Allow" Policy:

Navigate to the Policies section in the Netskope admin console.

Create a new Real-time Protection policy.

Set the policy action to "Allow".

Define the criteria for the policy to match the traffic directed to the newly created Private App.

Apply the policy to the relevant users or groups to ensure that access to the Private App is allowed.

Ensure Other Required Settings:

Ensure that SSO (Single Sign-On) is properly configured if it is needed for user authentication.

Verify that Private App steering is enabled for all users, which might already be the case as per the scenario.

References:

Netskope API Documentation: Configuring Private Apps and Real-time Protection Policies​​​​​​​​.

By following these steps, you ensure that the private app is properly defined and that users are allowed to access it through the appropriate Real-time Protection policies. This approach leverages Netskope's capabilities to manage and secure access to private applications seamlessly.

Shadow IT is the term for the unauthorized use of IT resources and functions by employees within an organization. It can include cloud services, software, and hardware that are not approved or managed by the IT department. Two use cases that would be considered examples of shadow IT within an organization are: an unsanctioned Microsoft 365 OneDrive account being used by a corporate user to upload sensitive data and an unsanctioned Google Drive account used by a corporate user to upload non-sensitive data. In both cases, the corporate user is using a personal cloud storage service that is not sanctioned by the organization to store work-related data. This can introduce security risks, such as data leakage, data loss, compliance violations, malware infections, etc. The IT department may not have visibility or control over these cloud services or the data stored in them. References: What is shadow IT? | CloudflareWhat is Shadow IT? | IBM

Steering Configuration page under Settings (A):The Steering Configuration page under Settings is used to configure and manage the steering policies, including IPsec and GRE tunnels. This section provides the necessary tools to configure the network traffic routing and ensures that the configurations are set according to the organization's requirements.

IPsec Site and GRE Site pages under Settings (D):These specific pages under the Settings section allow administrators to monitor and manage the status of IPsec and GRE tunnels. They provide detailed information about the tunnel configurations, status, and other metrics that are essential for maintaining the health and performance of the network connections.

These details are confirmed based on the features and configurations available within the Netskope Admin UI settings, as documented in the Netskope Knowledge Portal.

Netskope’s DLP solution is a powerful tool that can help customers protect their sensitive data from unauthorized access, exposure, or loss. One use case for Netskope’s DLP solution is to stop unintentional data movement, such as accidental uploads, downloads, or sharing of confidential files or information to or from cloud applications. Another use case for Netskope’s DLP solution is to ensure regulatory compliance, such as GDPR, HIPAA, PCI-DSS, or other industry-specific standards that require data protection and privacy measures. Netskope’s DLP solution can help customers comply with these regulations by detecting and preventing data breaches, enforcing encryption policies, applying data retention rules, and generating audit reports. Detecting malware in files before they are uploaded to a cloud application or detecting sensitive data in password protected files are not use cases for Netskope’s DLP solution, as they are more related to threat protection or file inspection capabilities. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 6: Data Loss Prevention, Lesson 1: DLP Overview.

CASB inline interception use cases are scenarios where you need to apply real-time policies and actions on the traffic between users and cloud applications. For example, you may want to block file uploads to a personal Box account to prevent data leakage or exfiltration. You can use Netskope’s inline proxy mode to intercept and inspect the traffic between users and Box, and apply granular policies based on user identity, device type, app instance, file metadata, etc. You can also use Netskope’s inline proxy mode to provide user alerts when sensitive information is posted in Slack. For example, you may want to warn users when they share credit card numbers or social security numbers in Slack channels or messages. You can use Netskope’s steering client to redirect the traffic between users and Slack to Netskope’s inline proxy for inspection and enforcement. You can also use Netskope’s DLP engine to detect sensitive data patterns and apply actions such as alerting or blocking. References: Netskope Inline Proxy ModeNetskope Steering Client [Netskope DLP Engine]

Two pillars of CASB are visibility and compliance. CASB stands for Cloud Access Security Broker, which is a solution that provides visibility and control over cloud services and web traffic, as well as data and threat protection for cloud users and devices. Visibility is the capability to identify all cloud services in use and assess their risk factors, such as security, auditability, business continuity, etc. Compliance is the capability to ensure that cloud services and data meet the regulatory standards and policies of the organization or industry, such as GDPR, HIPAA, PCI DSS, etc. References: What Is a Cloud Access Security Broker (CASB)? | MicrosoftCASB Guide: What are the 4 Pillars of CASB? - Security Service Edge

The two traffic steering configurations that are supported by Netskope are cloud applications only and all Web traffic including cloud applications. These configurations allow you to control what kind of traffic gets steered to Netskope for real-time deep analysis and what kind of traffic gets bypassed. You can choose one of these options for both on-premises and off-premises scenarios, depending on your network environment and security needs. You can also create exceptions for specific domains, IP addresses, or certificate-pinned applications that you want to bypass or steer regardless of the configuration option. References: Steering ConfigurationCreating a Steering Configuration

When creating a real-time policy for cloud applications, you can use access method and device classification as source criteria, in addition to users, groups, and organizational units. Access method refers to how the user accesses the cloud application, such as browser, sync client, mobile app, etc. Device classification refers to the type of device used by the user, such as managed or unmanaged, Windows or Mac, etc. These criteria can help you define granular policies based on different scenarios and risks. References: [Creating Real-Time Policies for Cloud Applications]

When an administrator suspects that a DLP rule is generating false positives, the Forensic feature within the Netskope tenant allows for reviewing the data that was matched by the DLP rule. This feature provides detailed logs and insights into why a specific piece of data was flagged, enabling the administrator to analyze and adjust the rule as needed.

To access and use the Forensic feature:

Navigate to the Forensic section in the Netskope UI.

Review the detailed logs and matched data to understand the context and reason behind each match.

Adjust the DLP rules if necessary to reduce false positives and improve accuracy.

References:

Netskope REST API Overview​​.

Netskope SDK Documentation​​.

Three security controls that are offered by the Netskope Cloud platform are: C. cloud security posture management, E. threat protection, and B. data loss prevention for SMTP.

Cloud security posture management is a service that provides continuous assessment and remediation of public cloud deployments for risks, threats, and compliance issues. Netskope CSPM leverages the APIs available from cloud service providers such as AWS, Azure, and GCP to scan the cloud infrastructure for misconfigurations, such as insecure permissions, open ports, unencrypted data, etc. Netskope CSPM also provides security posture policies, profiles, and rules that can be customized to match the security standards and best practices of the organization or industry.

Threat protection is a capability to detect and block malware, ransomware, phishing, and other cyber threats that may compromise cloud data or users. Netskope threat protection uses advanced techniques such as machine learning, sandboxing, threat intelligence, and behavioral analysis to identify and prevent malicious activities in real time. Netskope threat protection also integrates with third-party solutions such as antivirus engines, firewalls, SIEMs, etc., to provide comprehensive defense across the cloud and web1.

Data loss prevention for SMTP is a feature that allows you to protect sensitive data that is sent or received via email. Netskope DLP for SMTP can scan email messages and attachments for predefined or custom data patterns, such as credit card numbers, social security numbers, health records, etc., and apply appropriate actions, such as block, quarantine, encrypt, notify, etc., based on the DLP policies. Netskope DLP for SMTP can also support multiple email domains and routing rules for different groups of users2.

In the exhibit, a user is uploading a file containing PCI-DSS data to the corporate Google Drive instance. Despite the policy that blocks DLP (Data Loss Prevention) uploads being active, the upload is not blocked. This indicates that the policy is not applied in the correct order.

Netskope applies policies in a top-down manner. If there are multiple policies that could apply to an action, the order in which the policies are evaluated is crucial. In this case, another policy might be allowing the upload before the DLP policy can block it. Ensuring that the DLP policy is higher in the order can resolve this issue.

References:

Netskope policy configuration and enforcement documentation.

Details on how Netskope processes and applies policies based on their order in the policy list.

When designing an architecture with Netskope Private Access, the Netskope Publisher is the element that guarantees connectivity between the Netskope cloud and the private application. The Publisher acts as a gateway, securely connecting users to private applications hosted on-premises or in data centers.

Netskope Publisher: This component facilitates secure access to private applications by connecting the Netskope cloud with the internal network. It ensures that users can access private applications seamlessly while maintaining security and compliance.

References:

Netskope documentation on Private Access and the role of the Publisher.

Best practices for configuring and deploying Netskope Publisher to ensure secure connectivity to private applications.

=================

To monitor IPsec tunnels to a Netskope data plane, it is essential to ensure the stability and responsiveness of the tunnels. The recommended steps involve enabling monitoring mechanisms that detect and respond to tunnel failures. Here’s a detailed explanation of the two recommended steps:

Enable IKE Dead Peer Detection (DPD) for each tunnel:

Explanation: IKE Dead Peer Detection (DPD) is a method used to detect if the peer (remote endpoint of the tunnel) is no longer available or reachable. By enabling DPD, the device can automatically detect and tear down the IPsec tunnel if the peer does not respond, allowing for quick re-establishment of the tunnel if needed.

Implementation: Configure DPD in the IPsec settings of the perimeter device. This ensures that if the Netskope data plane is unreachable, the tunnel is automatically terminated and re-negotiated.

Send ICMP requests to the Netskope location's Probe IP:

Explanation: Sending ICMP requests (ping) to the Netskope location's Probe IP helps in monitoring the availability and latency of the connection to the Netskope data plane. If the ICMP requests fail, it indicates a potential issue with the connectivity.

Implementation: Set up regular ICMP requests (ping) from the perimeter device to the Netskope Probe IPs. This allows for continuous monitoring of the tunnel’s health and immediate detection of connectivity issues.

References:

REST API v2 Overview - Netskope Knowledge Portal

Using the REST API v2 dataexport Iterator Endpoints - Netskope Knowledge Portal

Using the REST API v2 UCI Impact Endpoints - Netskope Knowledge Portal

 NewEdge Traffic Management:

NewEdge is Netskope's high-performance global network designed to deliver fast and secure access to the internet and cloud applications.

NewEdge Traffic Management ensures efficient routing and traffic steering for optimal performance and security.

 Client Integration:

The Netskope Client uses NewEdge Traffic Management to steer traffic securely to the Netskope cloud.

It ensures that user traffic is routed through the best possible path for performance and security.

The Client component is responsible for redirecting user traffic to the NewEdge network, applying security policies, and ensuring secure access.

 References:

For detailed information on NewEdge Traffic Management and how the Netskope Client utilizes it, refer to the Netskope documentation on traffic management and client configuration​​​​.

A tombstone file is a placeholder file that replaces the original file when it is moved to quarantine by a Netskope policy. The tombstone file contains information about the original file, such as its name, size, type, owner, and the reason why it was quarantined. The tombstone file also provides a link to the Netskope UI where the administrator or the file owner can view more details about the incident and take appropriate actions, such as restoring or deleting the file. The purpose of using a tombstone file is to preserve the metadata and location of the original file, as well as to notify the users about the quarantine action and how to access the file if needed. References: Threat Protection - Netskope Knowledge PortalNetskope threat protection - Netskope

To collect the logs from the client machine when you have an issue with the Netskope client connecting to the tenant, two ways that you can use are: from the Netskope client UI About page and from the command line using the nsdiag command. From the Netskope client UI About page, you can click on the “Collect Logs” button to generate a zip file containing all the relevant logs and configuration files from the client machine. You can then send this zip file to Netskope support for troubleshooting. From the command line, you can use the nsdiag command with various options to collect different types of logs and diagnostic information from the client machine. For example, you can use nsdiag -l to collect all logs, nsdiag -c to collect configuration files, nsdiag -t to collect traffic statistics, etc. You can also use nsdiag -h to see all available options and usage instructions. You can then send the output files to Netskope support for troubleshooting. References: Netskope Client Configuration overviewInstall and Test the Client - Netskope Knowledge Portal

The exhibit shows that Group A is allowed only SSH traffic, while Group B is allowed both SSH and RDP traffic. Since users in Group A need access to a third-party server using TCP port 3389 (RDP), you need to create a specific policy to allow this traffic without granting unnecessary access.

Creating an Allow policy using a custom application that includes the destination IP and TCP port 3389 will precisely target the required traffic and ensure that only the necessary connections are permitted. This method avoids broader policy changes that could introduce unnecessary access.

References:

Netskope documentation on creating and managing Cloud Firewall policies.

Best practices for configuring application-specific policies to control network traffic effectively.

=================

 TLS/SSL Inspection:

Cloud security solutions achieve visibility into TLS/SSL-protected web traffic through a process known as TLS/SSL interception or inspection.

 How It Works:

The security solution acts as an intermediary (man-in-the-middle) during the TLS handshake.

When a user initiates a connection to a TLS/SSL-protected website, the security solution intercepts this connection.

It completes the TLS handshake with the user's device using its own certificate, and simultaneously performs the handshake with the destination website.

 Certificate Replacement:

The security solution decrypts the traffic, inspects it, and then re-encrypts it before forwarding it to the destination website.

The user’s browser trusts the security solution’s certificate, which replaces the original website's certificate.

 Security Implications:

This method allows the security solution to inspect encrypted traffic for threats or policy violations while maintaining secure communication.

 References:

Detailed explanations and implementation steps can be found in Netskope documentation on SSL/TLS inspection​​​​​​.

The given exhibit shows an inline policy blocking the predefined webmail category via an explicit proxy. However, the user can still access Yahoo Mail, indicating that Yahoo Mail is not included in the webmail category when using an explicit proxy.

Policy Configuration:

The policy is set to block access to the webmail category through an explicit proxy.

The action for this policy is 'Block'.

Understanding the Webmail Category:

Netskope's predefined categories may not always cover all services under a category, especially when it comes to specific configurations like explicit proxy.

The webmail category in the policy might not have included Yahoo Mail when using explicit proxy configurations.

Checking the Category Definitions:

It is important to verify what URLs or services are included under the "webmail" category in the Netskope administration console.

Administrators can check the category definitions and manually add Yahoo Mail if it's not included by default.

References:

REST API v2 Overview - Netskope Knowledge Portal

Using the REST API v2 dataexport Iterator Endpoints - Netskope Knowledge Portal

Using the REST API v2 UCI Impact Endpoints - Netskope Knowledge Portal

netskopesdk · PyPI

Netskope Rest APIv2(OAS 3.1) - Postman Collection

Netskope provides both inline and API protection for cloud applications and web traffic. Inline protection refers to the real-time inspection and enforcement of policies on the traffic between users and cloud applications, using Netskope’s inline proxy mode. API protection refers to the retrospective inspection and enforcement of policies on the data that is already stored in cloud applications, using Netskope’s API connectors. Two functions that are available for both inline and API protection are threat protection and DLP. Threat protection is the capability to detect and block malware, ransomware, phishing, and other cyber threats that may compromise cloud data or users. DLP is the capability to detect and protect sensitive data, such as personal information, intellectual property, or regulated data, that may be exposed or leaked through cloud applications. References: Netskope Inline Proxy ModeNetskope API ProtectionNetskope Threat ProtectionNetskope DLP Engine

When using the Netskope Compromised Credentials feature, administrators can gain valuable insights into security incidents related to compromised credentials. The insights provided by this feature include:

Compromised usernames: This information helps identify which user accounts have been compromised, allowing administrators to take necessary actions such as resetting passwords and notifying affected users.

Breach information source: Netskope provides details on the source of the breach, such as which third-party service or data breach resulted in the compromise of credentials. This helps in understanding the context of the breach and implementing measures to prevent future incidents.

While compromised passwords (option C) are indirectly involved, they are not explicitly listed as an insight provided by this feature. Similarly, affected managed applications (option D) are related but not directly part of the primary insights.

References:

Netskope documentation on Compromised Credentials feature and incident response.

Security best practices for managing and mitigating compromised credential incidents.

=================

To restrict cloud users from uploading data to risky cloud storage services as defined by the Cloud Confidence Index (CCI) in the Netskope platform, you would use the following policy elements:

Category: This policy element allows you to define and restrict actions based on the category of the cloud application. For example, you can categorize cloud storage services and create policies that restrict uploads to any application that falls under this category.

Cloud Confidence Level: This policy element leverages the Cloud Confidence Index (CCI), which rates the risk level of cloud applications. By using the Cloud Confidence Level, you can create policies that restrict uploads to applications with a low confidence level, thereby preventing data uploads to risky cloud storage services.

References:

Using the Netskope Knowledge Portal documentation, specifically under policy configuration and enforcement, which details how to use categories and Cloud Confidence Level in policy creation.

Postman collection and API documentation that describes the usage of these elements in the Netskope API.

=================

To block all FTP connections regardless of the ports being used, the following steps should be taken using Netskope's Cloud Firewall:

Real-time Protection Policy:

Create a Real-time Protection policy where FTP is defined as the destination application.

Set the action to "Block" to ensure that any FTP traffic is blocked regardless of the port being used​​​​.

Custom Firewall App Definition:

Create a custom Firewall App Definition specifically for TCP port 21.

Define the action as "Block" to ensure any traffic directed to this port is blocked, preventing FTP access​​​​.

These configurations ensure that FTP traffic is effectively blocked, securing the network from potential threats and unauthorized data transfers via FTP​​​​.

The portion of the interface shown in the exhibit that allows an administrator to set severity, assign ownership, track progress, and perform forensic analysis with excerpts of violating content is Incidents -> DLP. The Incidents dashboard provides a comprehensive view of all the incidents that have occurred in your cloud environment, such as DLP violations, malware infections, anomalous activities, etc. You can filter the incidents by various criteria, such as app name, incident type, severity, user name, etc. You can also drill down into each incident to see more details, such as file name, file path, file owner, file size, file type, etc. You can also assign an owner to an incident, change its status and severity, add notes or comments, and view the excerpts of the violating content that triggered the DLP policy. References: Netskope Incidents Dashboard

The CCI scoring is a way to measure the security posture of cloud applications based on a set of criteria and weights. The default objective score is calculated by Netskope using industry best practices and standards. However, customers can change the CCI scoring to suit their own business needs and risk appetite. For example, a customer may want to place a higher business risk weight on vendors that claim ownership of their data, as this may affect their data sovereignty and privacy rights. Changing the CCI scoring for this reason would be valid, as it reflects the customer’s own security requirements and preferences. Changing the CCI scoring for other reasons, such as discovering a new SaaS application, punishing an application vendor, or using an application under research, would not be valid, as they do not align with the purpose and methodology of the CCI scoring. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 7: Cloud Confidence Index (CCI), Lesson 1: CCI Overview and Lesson 2: CCI Scoring.

When comparing data in motion with data at rest, it is important to understand how each type of data is handled in terms of security and monitoring:

Data in motion refers to data actively moving from one location to another, such as through email, instant messaging, or any other form of communication over the internet. To secure and monitor data in motion, Netskope typically requires the deployment of the Netskope client on user devices. The client helps enforce security policies, monitor data transfers, and protect against data loss and other threats during the data's transit.

References:

Netskope Knowledge Portal: Data Protection

Netskope Client Overview