Threat Protection

Threat Protection

Modern threats need a multi-layered security approach able to defend organizations from known threats and zero-days with the same level of efficacy. Netskope has built a comprehensive threat protection framework that allows organizations to defend against malware through different engines including viruses, worms, trojans, ransomware, keyloggers, rootkits, downloaders, backdoors, botnets, spyware, info stealers, adware, mobile threats, potentially unwanted software, fileless malware, crypto-mining, wipers, packers, installers, malicious websites, URLs, malicious scripts (XSS, etc.), HTML smuggling, documents, macros, archives, exploits, credential compromise, domains, command and control, data exfiltration, beaconing, and other attacker artifacts, traffic, and malicious infrastructure. The Standard Threat engines support:

  • Signature-Based Antivirus (AV)
  • Web IPS
  • Command and Control (C2 or C&C) detection
  • Machine learning-based detection and real-time blocking for Portable Executable malware as well as phishing sites and domains.

The Advanced Threat engines support:

  • Machine learning-based detection and real-time blocking for Microsoft Office files.
  • Advanced Heuristics Analysis
  • Cloud Sandboxing

While Signature-Based AV, IPS, DNS, callbacks, and threat intelligence indicators can detect and block malware in real time with Netskope fast scan, the Advanced Heuristics and Sandboxing engines require more time to analyze samples with deep scan. A malware detected by the deep scan engine can’t be blocked at the first occurrence. However, its hashes and convicted URLs /domains are shared globally in the Netskope Cloud to block inline:

  • Within 1 hour for customers with the Advanced Threat Protection license.
  • Within 24 hours for customers with the Standard Threat Protection license.

The following architecture diagram illustrates how Netskope Threat Protection detects malware for your organization:

A diagram illustrating how Netskope Threat Protection detects malware.

You can integrate external intelligence into Netskope’s threat protection engines with malicious hashes, domains, or URLs using Threat Exchange.

Standard Versus Advanced Threat Protection

The table below breaks down the differences between the Standard and Advanced Threat Protection features:

FeatureStandard Threat ProtectionAdvanced Threat Protection
Perform real-time ML-based scanning for portable executable files, phishing sites and domains, and prevent patient zero threats.XX
Leverage advanced threat engines, such as Cloud Sandbox, to corroborate AV and ML detections.XX
Leverage web IPS (including Microsoft Active Protections, CVE matching, and C2).XX
Perform ML-based scanning and blocking for Microsoft Office files.X
Analyze files undetected by AV or ML in advanced threat engines. Netskope supports 30+ file types, including Portable Executables (e.g., .exe), Microsoft Office, PDF files, batch files, archive files (e.g., zip, 7z, tar), Microsoft Visio, RTF, Flash, HTML, and Java Applets. X
View Sandbox reports, detailed forensics, MITRE ATT&CK mapping, and advanced heuristic analysis.X
Submit files to the Cloud Sandbox via Sandbox API.X
Use file hashes to query detections via RetroHunt API.X
Receive patient zero alerts for newly discovered advanced threat detections.X
Prevent patient zero events by creating policies to only release the file if the advanced threat engines determine it’s benign.X

Threat Protection for Cloud Storage Apps

As organizations move to the cloud, they are increasingly susceptible to modern day threats like malware and ransomware. One of the initial transitions to the cloud for organizations is in the cloud storage category, with a number of them using SaaS apps such as Microsoft OneDrive for Business, Google Drive, Box, Dropbox, etc. Files get into these cloud storage apps in a number of ways, like through third-party vendors, attachments saved from emails, and files uploaded from desktops. Not all files get scanned by endpoint systems. Netskope provides threat protection for files stored in enterprise-managed applications in the cloud storage category.

When a malicious file is found in a SaaS app, you have three choices based on severity: send a Skope IT alert, quarantine the file, or apply a malware remediation profile to a policy. With quarantine, Netskope uses the quarantine profile in Settings > Threat Protection > API-enabled Protection as the quarantine folder and tombstone. The malicious file is zipped and protected with a password to prevent users from inadvertently downloading the file. Netskope then notifies the admin specified in the profile. The quarantine option is only available for introspection mode. You can enable it in Settings > API-enabled Protection by selecting Malware, API Data Protection, and Quarantine for your instance.

With Standard Threat Protection, you scan your organization for malware, and with Advanced Threat Protection, you can scan for ransomware. However, if you don’t have the Advanced Threat Protection license enabled, you can use threat protection with Real-time Protection and API Data Protection policies to detect files with malware as well as Risk Insights to detect malicious sites.

Netskope Security Check

To verify if your Threat Protection policies are working properly and to see some examples of alerts go through the Netskope cloud, you can run tests with the Netskope Security Check.

More Resources

Share this Doc

Threat Protection

Or copy link

In this topic ...