New Features And Enhancements In Release 107.0.0
New Features And Enhancements In Release 107.0.0
Here is the list of the new features and enhancements.
Advanced Analytics
NS Library Dashboards
Dashboards and Widgets created in the past 90 days will show under the New folder.
Overview Page Update
With this enhancement, the followings use cases are observed:
- The default dropdown selection is Security Leader if the default dashboard is not set in the Overview page insight dropdown under Advanced Analytics.
- If Security Leader is not available in your tenant access, then you will have Top Cloud App Usage Insights by default unless any of the dropdown option is selected as default.
API Data Protection
New Netskope Introspection v2 App For OneDrive & SharePoint
API Data Protection has introduced a new version of the Netskope Introspection v2 app (v2.0.0.3). With this new app, Netskope now requests reduced permission for the ‘Social’ scope. To learn more about the scope: Prerequisites To Configure Microsoft Office 365 OneDrive for API Data Protection (the table that lists the scopes). Existing customer can upgrade from v2.0.0.1 to v2.0.0.3 app. New customers will now need to install the v2.0.0.3 app.
To upgrade:
- Remove the v2.0.0.1 app. To remove the app, follow the steps documented here. Though the article mentions v1 app, the steps to remove the v2.0.0.1 app are the same.
- Install the v2.0.0.3 app. Follow the steps documented here. Though the article mentions v2.0.0.1 app, the steps to install the v2.0.0.3 app are the same.
New customers can directly download the v2.0.0.3 app from here and install the app. Follow the steps documented here.
New UI State Of Various Supported Features
In continuation to the deprecation of malware instance table in release 105.0.0, Netskope has rolled out a new UI table where the administrator can view the status of various supported features for each SaaS app. To view the status, navigate to Settings > Configure App Access > Classic > SaaS.
Behavior Analytics
Rule Scenario Label
Advanced UEBA shows a key detection scenario label for every user with low User Confidence Index (UCI) score. This enables a SOC analyst to quickly isolate the highest risk scenario for the user that needs investigation. UBA anomalies for a user shows the corresponding detection scenarios as seen in Behavior Analytics policies.
CASB Real-time Protection
GCP Storage Constraint Support
Enhanced the Google Cloud Storage app connector to support From Storage and To Storage constraints for the Copy activity. This allows enforcement for file/object movement through the Copy operation only to specified allowlists of storage buckets. Thus, preventing data exfiltration through Copy operations to unsanctioned buckets.
Multipart Upload Support
Added Multipart Upload to Adobe Creative Cloud application. With this support, even if the file is chunked into parts, the entire file content will be sent for inspection.
GCP App Connectors For API traffic
The new 140+ GCP app connectors covers API and CLI traffic to GCP services. Out of these 140+ connectors only 30 have been given a CCI score. The remaining GCP connectors are in the CCI research pipeline and will be given a score in subsequent realeases. For the existing GCP Cloud Storage app, both API/CLI and Browser traffic are now supported.
GCP Connectors with CCI Score
- GCP Key Management Service (KMS)
- GCP Resource Manager
- GCP Run Admin
- GCP TPU
- GCP Life Sciences
- GCP Identity and Access Management (IAM)
- GCP Kubernetes Engine
- GCP Service Directory
- GCP Spanner
- GCP Identity-Aware Proxy
- GCP Engine Admin
- GCP Storage
- GCP BigQuery
- GCP Apigee
- GCP Dialogflow
- GCP Datastore
- GCP Dataflow
- GCP Dataproc
- GCP Pub/Sub
- GCP Firestore
- GCP Deployment Manager V2
- GCP Datastream
- GCP Tag Manager
- GCP Compute Engine
- GCP VM Migration
- GCP Assured Workloads
- GCP Asset
- GCP Composer
- GCP DNS
- GCP Functions
To learn more details about individual connectors and associated activity coverage: Supported GCP Entities for Real-time Protection
Reverse Proxy as a Service for Appsheet
Added reverse proxy as a service (RaaS) to manage and control the usage of Appsheet application by un-managed devices. Admin can define policies to control control activities like share, create, and more.
Prerequisites: Google account should have been configured to Netskope SAML Proxy / Reverse Proxy. Reverse Proxy as a Service for AppSheet.
New Generative AI Connector Support With Activity Controls
Added the following four new App Connector for Apps with Generative AI capabilities:
- HeyGen
- Jasper
- Notion AI (part of Notion)
- Bing AI (part of Microsoft Bing)
Critical activities like Post, Upload and Download are covered with these connectors to monitor and prevent data exfiltration.
‘Share’ and ‘Preview’ Activities Support with ChatGPT Connector
CASB Real-time Protection now supports ‘Share’ and ‘Preview’ ChatGPT-based activities. The ‘share’ activity via ChatGPT allows users to easily share conversation and chats via social media, email, and other media. The ‘Preview’ activity is triggered when the shared link is viewed. With this enhancement an administrator can add granular controls for the usage and consumption of ChatGPT.
Create Draft DLP Enhancement for Gmail
Enhanced the Google Gmail App with the ability to perform DLP for the ‘create draft’ activity when more than 100 bytes of data is added/pasted into email. This feature prevents data exfiltration through drafting of sensitive information.
Cloud Confidence Index (CCI)
Connected App Risk Assessment Catalogue
A new Catalogue for Connected App risk assessment in CCI provides insights into risks associated with a connected/OAuth apps available through Google Workspace and Microsoft App Source marketplace.
In this initial release 500 connected apps are added and more apps would be added in upcoming releases.
Global Risk Weight Customisation
A new functionality to bulk customise CCI attribute weightage across all categories has been introduced. This can be accessed on the CCI page by clicking on the Global Risk Weight setting.
Data Protection
Mexico Bank Account Number Entity Support
Added a new DLP Entity (“Deposit Account Numbers (MX)”) to detect Mexican bank account numbers (CLABE), and a companion Entity to detect relevant terms (“Bank Account Terms (MX)”).
Support For New And Emerging IBAN Countries
Added support for detecting International Bank Account Numbers (IBANs) for 18 new countries:
- Angola
- Burundi
- Congo (Brazzaville)
- Cameroon
- Cabo Verde
- Djibouti
- Gabon
- Honduras
- Libya
- Madagascar
- Mongolia
- Mozambique
- Niger
- Nicaragua
- Russia
- Sudan
- Somalia
- Togo.
Additionally, existing IBAN Entities for Azerbaijan and El Salvador were enhanced to detect case-insensitive IBANs.
Support For India PAN
Additional entities have been introduced to further the support of taxIDs in India, including :
- Taxpayer ID Numbers (IN; “PAN”)
- Corporate Tax ID Numbers (IN; “PAN”)
- Corporate Tax ID Numbers (IN; “STRN”)
Netskope Private Access (NPA)
Clientless WebSockets
Netskope Private Access (NPA) now supports websocket based HTTP connections over Browser Access. Websockets capability to enables access to applications like Apache Guacamole, RDP, and Azure Remote Desktop Service.
Publisher Auto-upgrade Feature Flag
Publisher auto-update feature is now available for all the customers to use.
To learn more: Configure Publisher Auto-Updates
Netskope Secure Web Gateway (NG SWG)
SSL Policy
Transaction Event fills ‘x-ssl-policy-name’ and ‘x-policy-name’ separately when SSL policy hits access control realtime policy.
Policy-Based Dedicate Egress Validation
The following changes are part of this enhancement:
- Validations that prevent the deletion of a Network Location Profile when it exists in a customized Dedicated Egress IP profile.
- Validations that prevent the deletion of a custom category Web profile when it exists in a customized Dedicated Egress IP profile.
- The prevention of saving a customized Dedicated Egress IP profile when the user group in it was deleted, similar to the behavior on the SSL Decryption Profiles page.
Policy-Based Dedicated Egress IP UI Panel
This change enables customers who have the flag turned on to set a more detailed Dedicated Egress IP policy with the following specifications:
- user
- user groups
- organizational units
- source locations
- destination locations
- domains
- apps
- app suites
- categories
Tenant Exception List For Domain Fronting Feature
Added new Generic List and Domain Fronting Profile REST APIs that comply with the Netskope REST API v2 standard. These provide wildcard domain or full-domain match to domain fronting protection.
Next Generation API Data Protection
Support Remediation Action In GitHub
Next Generation API Data Protection now supports Restrict Access to Internal Collaborators remediation action in GitHub. This action restricts the access of the file to users within the organization and domains as defined under Settings > Administration > Internal Domains.
You can navigate to Policies > API Data Protection . Click the Next Gen tab, then New Policy. Under Object, select the GitHub app. Under Profiles & Actions, click the Action drop-down menu, then select Restrict Access > Restrict Access to Internal Collaborators.
For a consolidated list of supported features, see Next Generation API Data Protection Feature Matrix per Cloud App.
Google Badged Label Support
Netskope now supports Google’s badged label, a content classification feature. With this new capability, Netskope can read through the badged labels in Google Drive and apply a policy action. For example, if a document matches a badged label value which is deemed sensitive, an alert action can be taken. To learn more: Create a Next Generation API Data Protection Policy
For Netskope to read Google badge labels, you should grant additional OAuth scopes. They are:
https://www.googleapis.com/auth/drive.labelshttps://www.googleapis.com/auth/drive.admin.labels
Once you add the above OAuth scopes, regrant the Google Drive app in the Netskope tenant. To learn more: Grant Scopes to the Netskope Service Account
Next Generation SaaS Security Posture Management
PCI-DSS v4.0 Support For Microsoft 365
Next Generation SaaS Security Posture Management (SSPM) now supports the latest version of PCI-DSS v4.0 for Microsoft 365.
Visibility Into Zoom And ServiceNow Users
Next Generation SSPM now provides visibility into the following app users:
- ServiceNow
- Zoom
Enhanced Reporting
Next Generation SSPM now supports options to customize reports to skip passed findings and to generate reports at a per App suite basis.
To learn more: View Security Posture Findings
Introduction To Risk Level & Score of Connected Apps
With this new feature, you can now see the details like permission, scope, risk score, etc. of the connected apps that are configured using `OAuth`. Navigate to API-enabled Protection > Security Posture (Next Gen) > Inventory, then click the Resource tab. Click one of the resource name, the Resource Details panel opens. A new Risk & Permissions section is introduced in the side panel.
To learn more: View Security Posture Inventory
Remote Browser Isolation (RBI)
Gmail Print Feature
RBI has introduced support for the print feature in the Gmail web app. Users browsing in isolation can now leverage the print feature in the Gmail web app. Prior to this enhancement users were presented with a reconnection warning.
Extended RBI License
Extended RBI is a new license that expands RBI support for new risk scenarios such as browsing of unmanaged web categories and cloud apps.
Extended RBI is a new license that expands the RBI offering to support new risk scenarios in addition to the current ‘Targeted RBI’ license: additional web categories and unmanaged cloud apps (i.e. cloud apps not managed by IT or integrated with corporate IdP).
Netskope customers use Extended RBI to protect corporate users’ browsing activity and their browser when these users browse unmanaged websites and web apps (for example, personal webmail, social, chat and IM)
Extended RBI entitles customers to isolate up to 25% web traffic processed by NG-SWG, considering the above description and limited to 1.5GB isolated traffic per user per month.
To learn more about Extended RBI in Netskope Knowledge Portal: Extended RBI
Traffic Steering
Bogon IP category
In steering configuration, for Source Locations and Destination Locations exceptions, you can now configure to include Bogon Networks by searching “Bogon” in the search bar when adding these exceptions.
To learn more: Adding Exceptions.
Unique Device ID
Introduced a new device indexing to ensure that a single device record contains only a single user information in the Device Status page of the Tenant Dashboard. This simplifies the device view on the Device Status page and also makes Details page easily accessible for each entry in case of multi-user environment.
To learn more, see Unique Device ID.
Client Configuration User Interface Navigation Update
The placeholder for Client Configuration is moved out from the Devices page on the user interface(UI) and now is accessed from Settings > Security Cloud Platform > Netskope Client > Client Configuration.
IPsec/GRE CSV Import
The IPSec and GRE CSV import functionality now supports additional fields, earlier this feature only supported mandatory fields. You can now create IPSec and GRE sites with all required and optional fields.
To learn more: Importing IPSec Sites from a CSV File and Importing GRE Sites from a CSV File.
Flexible Dynamic Steering
Enhanced the following in this release:
- On-Prem detection enhancement support multiple IPs for DNS detection and multiple HTTP hosts detection.
- For the steering traffic mode, you can switch traffic mode between On-Prem, Off-Prem and the new mode None. When the traffic mode is None, the client will establish a tunnel but will not steer traffic. Exceptions will not be processed as they are only applicable for steered traffic.
- For the steering exception rules:
- Firewall app exceptions contains separate sets of rules between On-Prem and Off-Prem in All steering traffic mode.
- Category exceptions contains set of rules between On-Prem and Off-Prem in Web or All mode.
- If the packet matches configured exceptions and needs to be bypassed, you can select new exception bypass options to bypass locally on the client device, or bypass by tunnelling on backend.
To learn more, see Dynamic Steering.
UI Platform
UI Navigation Change Notification
There is a change in the UI navigation path. The Settings > API-enabled Protection navigation has changed to Settings > Configure App Access. Earlier, the API-enabled Protection page had two sub-categories – SaaS & IaaS. With the new change, the Configure App Access page is now categorized based on Next Gen & Classic. Detailed changes are below:
| Old Navigation | New Navigation |
|---|---|
| Settings > API-enabled Protection | Settings > Configure App Access |
| Settings > API-enabled Protection > SaaS > Classic | Settings > Configure App Access > Classic > SaaS |
| Settings > API-enabled Protection > IaaS | Settings > Configure App Access > Classic > IaaS |
| Settings > API-enabled Protection > SaaS > Next Gen | Settings > Configure App Access > Next Gen > CASB API or Security Posture |
Multiple IdP Support
Netskope enabled multiple SAML IdPs support by default, which allows you to authenticate with various IdP providers in the forward proxy deployment.
SSO For Multiple IdP Support
Netskope now supports Single sing-on (SSO) from multiple identity providers to access Netskope management console.
Admin Local User Account Activation And Verification
When creating a new tenant admin local account or resetting the password for an admin local account, Netskope sends an email to the admin account for email address verification.
Deprecated Feature
SkopeIT
Data Source Selector Feature
Deprecated the Data Source feature in Settings > General > Data Source due to duplication in existing feature functionality.
Additional Documentation Updates
Creating a Cloud App Definition: Improved the content and structure on how to create Cloud app definitions.
