Threat Protection

Modern threats need a multi-layered security approach able to defend organizations from known threats and zero-days with the same level of efficacy. Netskope has built a comprehensive threat protection framework that allows organizations to defend against malware through different engines including viruses, worms, trojans, ransomware, keyloggers, rootkits, downloaders, backdoors, botnets, spyware, info stealers, adware, mobile threats, potentially unwanted software, fileless malware, crypto-mining, wipers, packers, installers, malicious websites, URLs, malicious scripts (XSS, etc.), HTML smuggling, documents, macros, archives, exploits, credential compromise, domains, command and control, data exfiltration, beaconing, and other attacker artifacts, traffic, and malicious infrastructure. The Standard Threat engines support:

The Advanced Threat engines support:

While Signature-Based AV, IPS, DNS, callbacks, and threat intelligence indicators can detect and block malware in real time with Netskope fast scan, the Advanced Heuristics and Sandboxing engines require more time to analyze samples with deep scan. A malware detected by the deep scan engine can’t be blocked at the first occurrence. However, its hashes and convicted URLs /domains are shared globally in the Netskope Cloud to block inline:

The following architecture diagram illustrates how Netskope Threat Protection detects malware for your organization:

You can integrate external intelligence into Netskope’s threat protection engines with malicious hashes, domains, or URLs using Threat Exchange.

The table below breaks down the differences between the Standard and Advanced Threat Protection features:

As organizations move to the cloud, they are increasingly susceptible to modern day threats like malware and ransomware. One of the initial transitions to the cloud for organizations is in the cloud storage category, with a number of them using SaaS apps such as Microsoft OneDrive for Business, Google Drive, Box, Dropbox, etc. Files get into these cloud storage apps in a number of ways, like through third-party vendors, attachments saved from emails, and files uploaded from desktops. Not all files get scanned by endpoint systems. Netskope provides threat protection for files stored in enterprise-managed applications in the cloud storage category.

When a malicious file is found in a SaaS app, you have three choices based on severity: send a Skope IT alert, quarantine the file, or apply a malware remediation profile to a policy. With quarantine, Netskope uses the quarantine profile in Settings > Threat Protection > API-enabled Protection as the quarantine folder and tombstone. The malicious file is zipped and protected with a password to prevent users from inadvertently downloading the file. Netskope then notifies the admin specified in the profile. The quarantine option is only available for introspection mode. You can enable it in Settings > API-enabled Protection by selecting Malware, API Data Protection, and Quarantine for your instance.

With Standard Threat Protection, you scan your organization for malware, and with Advanced Threat Protection, you can scan for ransomware. However, if you don’t have the Advanced Threat Protection license enabled, you can use threat protection with Real-time Protection and API Data Protection policies to detect files with malware as well as Risk Insights to detect malicious sites.

To verify if your Threat Protection policies are working properly and to see some examples of alerts go through the Netskope cloud, you can run tests with the Netskope Security Check.