Advanced Threat Protection

Advanced Threat Protection

Netskope Advanced Threat Protection includes multiple detection engines that detect sophisticated zero day threats and targeted attacks. The comprehensive, multi-engine approach ensures higher efficacy and protection against evasive threats that may be optimized to bypass some detection engines.

Advanced Threat Protection is not offered for applications accessed through China PoPs.

The Netskope Advanced Threat Protection solution includes:

  • Deobfuscation and recursive file unpacking with support for 350+ families of installers, packers, and compressors.

  • Pre-execution analysis and heuristics for 3,500+ file format families, with 3,000+ static binary threat indicators for Windows, Mac OS, Linux, iOS, Android, firmware, Flash, PDF, and other document types.

  • Cloud Sandboxing for 30+ file types, including Portable Executables (e.g., .exe), Microsoft Office, PDF files, batch files, archive files (e.g., zip, 7z, tar), Microsoft Visio, RTF, Flash, HTML, and Java Applets.

  • Machine learning deep analysis to detect unknown threats, anomalies, and behaviors, with ML models for PEs, PDFs, malicious Office files, and malicious URLs in files.

  • Patient zero alerts, Sandbox API, RetroHunt API, and MITRE ATT&CK sandboxing analysis.

  • Patient zero protection by holding files until Netskope finishes sandboxing.

  • Malware Retention profile to retain files detected as malicious in your designated location for SOC analysis.

  • Third-party sandbox integration for secondary detonations and verdicts.

Advanced Threat Protection enables engines in deep scan that overcome the limitations of traditional signature-based detection techniques:

  • Detects unknown malware (dynamic vs signature based).

  • Performs dynamic analysis, which can determine indicators of compromise (IOCs) such as command and control (C2) domains, IPs, endpoint registry keys, created files, etc. IOCs can be used to detect the next occurrences of the same malware without re-analyzing the artifact.

  • Patient zero alerts provide zero day detection alerts and patient zero protection policy releases unknown files to users only after the Netskope advanced threat scanning engines determine they’re benign. Netskope holds the unknown file and notifies the user that it’s analyzing the file until it determines a verdict. The Netskope advanced threat engines can take up to 10 minutes (~2 min typical) to analyze the file after which the file will be blocked or allowed for the user.

  • REST APIs for integrating into typical security operations center (SOC) workflows.

    • RetroHunt API provides an API that allows you to query detections by hash (e.g., MD5 and SHA-256) if the file is seen (whether malicious or benign) in traffic within the Netskope account. Additionally, you can obtain a report for the detections and verdicts by the different engines. To learn more, go to Settings > Tools > REST API v2 in your Netskope tenant, and then click the API Documentation.

    • Sandbox file submission API. Allows submitting files and retrieving a detailed analysis report from the sandbox.

  • Malware Retention profile enables retention of a malware sample detected as malicious in inline user traffic in a customer designated IaaS cloud location. The malware sample can be retrieved at a later time for additional analysis. The Retention location can be customized and file will be protected (zip/password)

ATP alerts appear on the Malware page.

Configuring Advanced Threat Protection Integrations

To enable this feature, contact Netskope Support.

The Netskope cloud platform has threat protection capabilities, including advanced threat detection engines, such as heuristic analysis, sandbox analysis, and ransomware detection and remediation.

You can also leverage some of your existing, trusted threat detection products like Palo Alto Networks Wildfire, Juniper SkyATP, and Check Point SandBlast to work with Netskope ATP. You must have the Advanced Threat Protection license.

After integration, verify the status is green. Go to Settings > Threat Protection > Integration. Under Advanced Threat Protection look for a green arrow besides Status. Verifying the status is green ensures that blocklisted and allowlisted files are included in your Ransomware detection scan.

The file types Palo Alto Networks Wildfire supports are:

  • Android application package (APK) files

  • Adobe Flash files Archive (RAR and 7-Zip) files

  • Java Archive (JAR) files

  • Microsoft Office files

  • Portable executable (PE) files

  • Portable document format (PDF) files

  • Mac OS X files

  • Linux (ELF) files

Share this Doc

Advanced Threat Protection

Or copy link

In this topic ...