Threat and Data Protection for RBI
This feature provides support for DLP and Threat Protection policies for file upload and download traffic through RBI. Admins can safely enable uploads and downloads in isolated browsing sessions, creating additional real-time protection policies to scan files for Threat Protection and DLP.
The integration of RBI with Netskope Threat Protection and Data Protection Microservices allows NG-SWG to process all traffic generated in isolation and brings additional benefits such as:
- Configurable File Uploads and Downloads settings in RBI templates
- Full visibility of user activity in isolation, leveraging app inline connectors to detect user activities
- Leverage Threat Protection and DLP profiles for isolated and non-isolated traffic
- Increased visibility over potential threats stopped by RBI
- Localized content in isolation
The workflow for this feature includes:
- Review your isolate policies and RBI templates to enable uploads and/or downloads (prerequisite).
- Set up security policies (Threat Protection or DLP) to control uploads and downloads.
- Review Skope IT Events (Page, Application) and Alerts.
- Review Malware and Malicious Sites Incidents.
- Review DLP Incidents.
- Review Best Practices.
Enable File Downloads / Uploads in RBI Templates
RBI template settings for File Upload and File Download control whether users can initiate an upload or download operation within an isolated browsing session.
“File Upload / File Download” settings in RBI templates must be enabled as a prerequisite to creating Real-time Protection policies for Isolation (Threat Protection and Data Protection policies). Admins have to create new RBI templates or edit the existing ones that are used in conjunction with the isolate policies.
Navigate to Policies > Real Time Protection > Review Suggestions. This displays only the existing policies that have the Action = Isolate applied.
You can identify the RBI templates attached to the existing Isolate policies.
Tip
By default, File Upload and File Download settings are disabled in all existing RBI templates, both “Predefined” and “Customer defined”. If File Upload / File Download is not enabled, users browsing in isolation will see a warning message if they initiate uploads or downloads. To learn more: Isolation in an End User’s Browser
- Navigate to Policies > Templates > RBI > click New Template or edit an existing template. The RBI Template window displays.
- Click File Upload and/or File Download.
- Click Save.
To learn more: RBI Templates
Create a DLP Policy for RBI File Upload and File Download
You can create a new DLP policy or edit an existing one to control uploads and downloads in isolated traffic. To detect and prevent data loss (DLP) in isolated traffic, the RBI template associated with the isolate policy should have the File Upload / File Download settings enabled. Netskope DLP service scans uploads and downloads for any data protection violations while browsing in isolation and applies the appropriate action.
Navigate to Policies > Real-time Protection > New Policy > DLP to create a new DLP policy.
To identify the scope (Destination “categories”, “cloud apps”) of existing isolation policies, navigate to Policies > Review Suggestions. This displays only the existing policies that have the Action = Isolate applied.
Optionally, click +ADD FILTER to search for a specific policy or filter by Action > Isolate or RBI Template.
In general, all source and destination criteria for DLP policies are supported. Find below the most relevant criteria and supported values for DLP policies processing isolated traffic:
- Destination: Category, Application
Note
To learn more about the list of supported categories and applications for Targeted RBI and Extended RBI, see: RBI categories definitions, Extended RBI – web categories, Extended RBI – cloud apps
- Activities: Download, Upload
- Action: Alert, Allow, Block, User Alert
- Activity Constraints: File Type, File Size
Create a Threat Protection Policy for RBI File Upload and File Download
You can create a new or edit an existing Threat Protection policy to control uploads and downloads in isolated traffic. To detect and prevent data loss (DLP) in isolated traffic the RBI template associated with the isolate policy should have the File Upload / File Download settings enabled. Netskope Threat Protection service scans uploads and downloads for any data protection violations while browsing in isolation and applies the appropriate action.
Navigate to Policies > Real-time Protection > New Policy > Threat Protection to create a new Threat Protection policy.
To identify the scope (Destination “categories”, “cloud apps”) of existing isolation policies, navigate to Policies > Review Suggestions. This displays only the existing policies that have the Action = Isolate applied.
Optionally, click +ADD FILTER to search for a specific policy or filter by Action > Isolate or RBI Template.
In general, all source and destination criteria for DLP policies are supported. The following criteria are the most relevant supported values for Threat Protection policies processed in isolated traffic.
- Destination: Category, Application
- Activities: Download, Upload
Note
Only Download and Upload are supported for isolated traffic. Any other activity (e.g. Edit, Share, etc.) is not supported.
- Action: Alert, Allow, Block, User Alert
- Activity Constraints: File Type, File Size
Activity Constraints
Skope IT Events
Once a violation / match of a Threat Protection or DLP policy is detected for a file upload or download, Netskope policy, Data Protection, and Threat Protection engines generate Skope IT application events, page events, and alerts.
Skope IT Application Events
Application events related to RBI include the following RBI specific fields:
- From Isolation: values include “yes”, “no”
- RBI template ID
- RBI template name
Application events that correspond to activities performed by the user while browsing an isolated webpage display “yes” in the From Isolation column.
Requests that match an isolate policy but were not isolated (not isolable content) generate an Application event with “no” in the From Isolation column. To learn more about best practices for non-isolated traffic, refer to: Create Real-time Protection Policies for content that you cannot isolate.
For certain generated application events, you can also view a corresponding Skope IT alert. This is signified by the orange dot by the timestamp column.
Tip
The ‘From Isolation’ column is specific to application events related to RBI. For any application event not related to RBI, values in the ‘From Isolation’ column may remain blank.
Click the gear icon to customize columns, such as From Isolation. The From Isolation values include:
- yes: The application event happens in an isolated browsing session.
- no: The application event corresponds to a request processed by RBI, but not isolated (not a webpage).
- empty: The application event is not related to RBI.
Click +Add Filter to filter From Isolation or Alert Type for a more granular view.
Click Export to export From Isolation activity.
View Application Event Details.
Skope IT Alerts
Alerts related to RBI include the following RBI specific fields:
- From Isolation: values include “yes”, “no”
- RBI template ID
- RBI template Name
Alerts that correspond to activities performed by the user while browsing an isolated webpage display “yes” in the From Isolation column.
Alerts corresponding to requests that match an isolate policy but were not isolated (not isolable content) are listed with “no” in the From Isolation column. To learn more about best practices for non-isolated traffic, refer to: Create Real-time Protection Policies for content that you cannot isolate.
Tip
RBI related alerts share the same RBI specific fields with RBI related application events. The ‘From Isolation’ column is specific to application events related to RBI. For any application event not related to RBI, values in the ‘From Isolation’ column may remain blank.
View Skope IT Alert Details
Skope IT Page Events
Navigate to Skope IT > Page Events to view related activity for isolated browsing sessions.
Isolated browsing sessions generate two page events.
The first page event with the Action column showing “isolate” shows that an isolated browsing session took place and summarizes the traffic corresponding to the RBI protocol that handles communication between the user and RBI.
The second page event with the Action column left blank (for the same website) summarizes the browsing activity of the RBI browsing session on behalf of the user.
Malware and Malicious Sites
If malware is detected in an isolated browsing session, Netskope RBI creates an alert for you to review and act on.
- Navigate to Incidents > Malware to search for malware detected in isolation.
- Navigate to Incidents > Malicious Sites to search for malsites detected in an isolated browsing session.
- Click the Malsite name to view the alert information. Malsites visited in isolation are identified by the “isolate” action.
Malware infected files uploaded or downloaded in isolation are detected as malware by Netskope and generate a regular alert with “Detection” listed in the Action column.
You will see “yes” listed in the From Isolation column for Action Type “policy” alerts. For Action Type “Malware” alerts, the From Isolation column is blank.
You will typically see two alerts, one for the policy (including the RBI specific field “From isolation”) and one for malware.
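Because the malware alert leaves From Isolation blank, attributing a detection to an isolated session means pairing it with the policy alert raised for the same upload or download. The following added example (not Netskope code) does that pairing over a constructed CSV export; the CSV layout, the Timestamp, User and File columns, and the 5-second pairing window are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. The CSV layout and the Timestamp, User and File
# columns are assumptions; the remaining column names appear on the page.
SAMPLE_EXPORT = """\
Timestamp,User,Alert Type,Action,File,From Isolation,RBI template name
2024-05-01T10:00:01,alice@example.com,policy,block,invoice.exe,yes,Template-A
2024-05-01T10:00:02,alice@example.com,Malware,Detection,invoice.exe,,
2024-05-01T11:30:00,bob@example.com,policy,alert,report.pdf,no,Template-A
2024-05-01T11:30:01,bob@example.com,Malware,Detection,report.pdf,,
2024-05-01T12:15:00,carol@example.com,Malware,Detection,setup.msi,,
"""
PAIR_WINDOW = timedelta(seconds=5)  # assumed tolerance between the two alerts


def isolation_state(value):
    """Map the From Isolation column to the three states the page describes."""
    v = (value or "").strip().lower()
    return {"yes": "isolated", "no": "rbi_not_isolated"}.get(v, "not_rbi")


def correlate_malware_alerts(export_text):
    """Attach isolation context to each malware alert via its policy alert."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for r in rows:
        r["_ts"] = datetime.fromisoformat(r["Timestamp"])
    policy = [r for r in rows if r["Alert Type"].lower() == "policy"]
    results = []
    for m in (r for r in rows if r["Alert Type"].lower() == "malware"):
        # Same user and file, closest policy alert inside the window.
        candidates = [p for p in policy
                      if p["User"] == m["User"] and p["File"] == m["File"]
                      and abs(p["_ts"] - m["_ts"]) <= PAIR_WINDOW]
        best = min(candidates, key=lambda p: abs(p["_ts"] - m["_ts"]), default=None)
        results.append({
            "user": m["User"],
            "file": m["File"],
            "state": isolation_state(best["From Isolation"]) if best else "unpaired",
            "template": best["RBI template name"] if best else "",
        })
    return results


if __name__ == "__main__":
    for item in correlate_malware_alerts(SAMPLE_EXPORT):
        print(item)
```

A malware alert reported as "unpaired" has no matching policy alert in the export and needs its isolation context confirmed another way.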
DLP Incidents
If a DLP violation is detected in an isolated browsing session, Netskope DLP detects it and creates an alert for you to review and act on. You will typically see two alerts, one for the policy and one for DLP.
1. Navigate to Incidents > DLP.
2. Click a DLP alert to view the incident details.
3. Click the Violations Alerts icon to view the alert details.
Alert details
Best Practices
This section contains best practices which will grow as input is gathered.
Policy Ordering
Policy ordering is important as outlined below:
- Admins must place the DLP / Threat policies before the isolate policy to apply controls on the activity or content of the upload / download.
- Refer to the following help topic to handle any content you cannot isolate that may reach the RBI platform: Create Real-time Protection policies for content that you cannot isolate
Netskope Browser and Client User Notifications
Users can configure both browser and client user notifications to alert the user to a given action that is blocked or requires user justification. In conjunction with Threat and Data Protection for RBI, browser notifications are supported for web applications that support them.
Client notifications will not be presented to end users in certain situations upon a policy violation if the customer configures client based notifications or if the isolated web application does not support browser based notifications.
This limitation only affects the user notification; the action assigned to the policy violation (alert, block, etc.) is still applied. For blocked uploads or downloads, the browser will present a file upload / download failure.
The following is an example of a browser based user notification template your end users may see upon violation in isolation.
Browser based notification for a DLP alert:
File Size and Type Limitations
RBI sets a 400 MB file size limit for file uploads and file downloads. In addition, DLP and Threat Protection services have their own default file sizes. To learn more: Advanced File Scanning