Technical Lab Guide

A Step-by-Step Lab Guide to Learning the

Basics of the Netskope Cloud Platform

Pg. 1
THE LAB ENVIRONMENT
The NetSkope solution is natively implemented in a NetSkope-managed cloud environment.
These labs involve exercising the management UI and the installation of a NetSkope traffic
steering client that redirects traffic to the NetSkope training tenant. We strongly recommend
you perform these labs on our provided virtual windows client accessed via RDP. This ensures
that none of your personal traffic is redirected to the training environment. The instructor will
provide an RDP connection address and credentials to make this connection. You must have
previously provisioned RDP client software and locally defined security allowing an external
RDP connection to our training environment.

Authenticate into the remote Windows machine using the following username and password:
 Login: Administrator
 Password: Knowledge4u!

LOGIN CREDENTIALS
Once you are connected to the remote Windows client you will connect to the NetSkope
Management Console using the browser found on the remote desktop. The instructor will
assign you a student number consisting of 2 digits (e.g. student 1 will be 01). Use the following
information to authenticate into the Management Console.

 URL: https://uberknowledge.goskope.com
 Login: stu<assigned student number>@uberkstudent.com
 Password: Psych0pest012!

These accounts have been created for your use during the Workshop:

● A Box account. All students will use the same account. https://account.box.com/login
User Name: stu01@uberkstudent.com Password: Knowledge44u!

Pg. 2
 USE CASE 1: GUI INTRODUCTION
CCI Risk Analysis

OVERVIEW
In this lab, you will explore how to discover what applications are being used on your network
and what risks these apps are exposing your enterprise data to. You will also discover which
users are engaging in risky cloud activities. You can use these steps on your own network to
discover where your enterprise stands in terms of risk in the cloud.

Applicable Use Cases

● Cloud application discovery
● Cloud application risk insight

Prerequisites
● Access and credentials to the Netskope tenant (https://uberknowledge.goskope.com)

Pg. 3
WALKTHROUGH

Step 1 Login to the Netskope tenant. Dismiss any User Interface update notices (if any are
presented) by checking the “Don’t show me again” checkbox and clicking the GOT IT button.

NOTE
A data mocker was enabled for this tenant, so expect some data to be already present in the
instance without having sent data through the instance. This data is for appearance only and
is not fully integrated into the Netskope tenant. Use it with caution.

Step 2 Make yourself familiar with the Netskope Active Platform. This is also commonly
referred to as the customer tenant representing the customer’s instance of the Netskope
platform.

Pg. 4
REVIEW QUESTIONS

1. In the default Home dashboard, what is the default time period? What is the longest
time period selectable?

2. How many Apps are currently in use?

3. How many Users?

4. What are the Top Applications by Total Bytes?

Step 3 Switch the main graph on this dashboard from Total Bytes to Bytes Uploaded.

Looking at the Bytes Uploaded, that is the amount of your corporate data going to the cloud.
Once this data is in the cloud, you do not have control over it unless you have visibility.

Step 4 Change the view to # Users.

a) Which are the top applications being used by the greatest number of your enterprise
users?

Pg. 5
Step 5 If it does not already exist, add a new widget for “Top Users” and their Data Usage by
clicking the EDIT button in the top right. Enter “Top Users” into the search bar. Click and drag
the matching graph displayed below into the dashboard screen.

What happens when you click or hover over any of the top usernames? What area does the UI
take you to if you click on the user name?

Please continue onto the next lab.

Pg. 6
 USE CASE 2: CLOUD RISK INSIGHTS
CCI Risk Analysis

OVERVIEW
In this lab we are going to walk through the Netskope Cloud Confidence Index™ (“CCI”) to see
how Netskope provides risk insights for different cloud applications. After a quick walkthrough
of the CCI, you will investigate several applications and determine the risk they pose to the
enterprise based on the data available to you.

Applicable Use Cases

● Cloud application discovery
● Cloud application risk insight

Prerequisites
● Access and credentials to the Netskope tenant (https://uberknowledge.goskope.com)

Pg. 7
WALKTHROUGH
Step 1 Navigate to SkopeIT > Applications.

Step 2 Find higher risk applications.

Step 3 Find higher risk applications by clicking the blue button, select CCL and
check Medium, Low and Poor. Click the APPLY button.

Step 4 Identify the Top 3 “High Risk” applications.

Step 5 Change the “Sort By” setting to see the list of applications sorted by the number of
bytes uploaded to the internet.

a) Are these sanctioned or unsanctioned apps?

Step 6 Hover your mouse over the name of an application in the Low to Poor category to see
additional information about the service by clicking the APPLICATION PAGE link in the pop up.

Pg. 8
Step 7 Look at the applications page to find out additional information.

Step 8 Click on the cloud icon for CCI. Notice that you are now in the Cloud Confidence Index
area.

a) What is the Cloud Confidence Index for this application?

Pg. 9
 b) How do you know that this is a risky app?

Step 9 Scroll down to view additional information about this application.

a) What compliance certifications does this app have? Does it have a high
GDPR readiness score? HIPAA? PCI?

b) How many users are using this app?

c) How many bytes have been uploaded to the app?

d) Who owns the uploaded data?

Use Netskope to Research a Service

Step 1 Navigate to CCI on the main menu at the left

Step 2 In the main search bar, search for the application “Zippyshare”. It should return a single
result.

Pg. 10
Step 3 Select Zippyshare to drill down into the application itself. Here you will see an overview
of the cloud application based on the results of our CCI.

Step 4 Scroll down to the CATEGORIES section in order to see the criteria Netskope uses to
evaluate each application (based on the Cloud Security Alliance Cloud Control Matrix).

Pg. 11
Step 5 Now that we’ve walked through one application, familiarize yourself with a few more by
searching for and reviewing the following cloud applications:

● Box
● Linode
● Microsoft Office 365 Suite

Step 6 For one of the applications you just reviewed, download a copy of the report (button at
the bottom left of the details page).

REAL WORLD TIP

We are currently looking at single applications. The options on the left-hand side of the CCI
allow you to also filter out the view based on the CCI level, custom tags, or an application
category. This is helpful if you are looking for a safer alternative to a particular application.

Pg. 12
REVIEW QUESTIONS

1. What is the difference between the CCI and the CCL?

2. How many risk levels are there for the CCL?

3. What standard does Netskope use to evaluate and rate applications?

4. When we say “API Activity” what do we mean? How is this different from what you
might see in a log file?

5. True or False – you can only search for applications by name?

Please let your instructor know that you have completed this lab.

Pg. 13
 USE CASE 3: SANCTIONED CLOUD APPS
Safe enablement of sanctioned cloud applications

OVERVIEW
Many enterprises have rolled out a variety of cloud applications for use such as Office 365, One
Drive, Google Drive, or Box. In this lab, you will be using Google Drive and Box for our
exploration of how to secure our sanctioned cloud applications. They offer easy and free access
to these accounts, even though the steps you will walk through can be used to secure any of
your sanctioned cloud applications.

Applicable Use Cases

● Cloud application discovery
● Cloud application risk insight

Prerequisites
● Access and credentials to the Netskope tenant (https://uberknowledge.goskope.com)
● Ability to install our forward proxy application on a lab-hosted VM provided by your
instructor.

Pg. 14
WALKTHROUGH
In this part of the lab, you act as an administrator, enrolling a new user in Netskope, and
installing the Netskope Desktop Client software onto your machine. Once installed, this
application will forward your http and https traffic to Netskope cloud servers for inspection.

Note: You are free to choose to install this client on your personal machine or on a workshop
provided VM. If you install it on your personal machine it requires admin rights to install it and
it will steer all traffic to the Netskope tenant as noted above. This behavior should be reviewed
considering your company’s usage and security policies. If it is installed on your personal
machine, please remember to remove it at the conclusion of the workshop.

NOTE
By utilizing deployment software (SCCM, JAMF, Airwatch, etc.), you can deploy the agent on
every computer/device in the domain automatically. In this exercise, you will install the
endpoint application manually via email.

Add Your User

Estimated Time: 10 minutes

Step 1 Navigate to the Home menu on the main menu at the left. Click Settings in the lower
left-hand corner. A new browser tab opens.

Step 2 Navigate to Security Cloud Platform > Netskope Client/Users.

Pg. 15
Step 3 Click NEW USERS in the upper left.

Step 4 Enter the email address built from your student number. E.g. stu01@uberkstudent.com.
Please ensure you use your student number in the email address!

Step 5 Log into the lab email system on your virtual lab machine by browsing to
https://rc.webmail.pair.com (there is a bookmark in the browser). Log in with the email ID (e.g.
stu01@uberkstudent.com) you added to NetSkope as a user with the password of
Psych0pest012!

NOTE: This is a shared email account used for training purposes and will likely have old
content. Please ensure the invitation email you select to open has a receive date of today and
is not from a previous class. In fact, when you are done with the next step consider deleting
all the emails from the inbox.

Pg. 16
Step 6 Open the enrollment email and click the appropriate OS client link for your computer to
download the client and then “Download”. Be sure to install the downloaded client on the lab
VM.

THIS IS IMPORTANT!
Installing this client on your personal machine will redirect your personal traffic to the
training tenant making your personal traffic visible to all current and future students!

Step 7 Double-click on the installer in the lab VM and follow the on-screen instructions to run
the client installation. Click Run to approve.

Step 8 No reboot is necessary after installation completes.

NOTE
The client contacts the NetSkope cloud to provision an initial set of policies and settings. In
cases where this cannot be completed normally the client will not enable itself. You can
check the client status by looking in the windows system tray at the bottom right for the
NetSkope client icon. If the icon is greyed out it is disabled and has likely not made this first
connection. Please inform your instructor.

Verification of Desktop Client

Estimated Time: 15 minutes

Pg. 17
Step 1 Using your web browser, navigate to Box at https://www.box.com/. Log in with the
shared lab account, stu01@uberkstudent.com and password of Knowledge44u!

NOTE
This is a shared account credential that is used by all lab users unlike your credentials for
accessing the NetSkope management webpage.

Step 2 Click the lock icon in the URL field and then on Certificate to see if the certificate
actually came from *.goskope.com. This means the traffic is decrypted by Netskope, secured
and then re-encrypted to the final destination server.

Step 3 Navigate to SkopeIT > Application Events and select Last 24 hours in the timeframe
selector in the top right. There should be several entries listed.

Pg. 18
Step 4 Look for the Box entry for your user regarding your recent certificate test. Expand it to
see what details are available. Make a note of the source and destination location.

a) What is the Policy?

b) What is the access method? (click the “+ View More” link in the GENERAL
section)

c) What is the traffic type?

d) What is the user ID?

e) What is the application?

f) What is the Instance ID?

g) What is the CCI rating for this application?

h) From where is the user logging in?

Pg. 19
Step 5 Return to the Application Events page and select the Page Events option for the user.

Page Events are similar to a traditional Web Proxy view and render information that is more
specific to the HTTP activity of the user.

Click the magnifying glass icon to the left of a log entry to look at the details. Find the URL
information and other information about the connection.

a) How many HTTP transactions are listed?

b) How many total sessions are included?

c) How many bytes were uploaded?

Pg. 20
 USE CASE 4: INLINE
(DLP | ACCESS CONTROL | THREAT)
Safely Permit Unsanctioned Cloud Services

OVERVIEW
In this lab, you will explore how to block unsanctioned applications that are being used on your
network and prevent users from inadvertently exposing your enterprise data. You will also
provide security coaching to users who are attempting to perform risky activities. You can use
these steps on your own network to prevent users from engaging in risky behaviors in the
cloud. You will also draw up reports for analysis of activity in the network.

Applicable Use Cases

● Create category and context-based policies
● Blocky risky activities
● Block malware/virus being downloaded to managed endpoint

Prerequisites
● Access and credentials to the Netskope tenant (https://uberknowledge.goskope.com)
● Netskope steering client installed

Pg. 21
DLP Policy Creation

Step 1 Navigate to Policies > Profiles/DLP and then Edit Rules > Data Loss Prevention.

Step 2 Click New Rule.

Step 3 Enter “cc” into the search box. Click on Card Numbers (all). Click the checkbox to the left
of Card Numbers (all) to add it to the new rule. Verify it has been added in the OVERVIEW
display to the right.

Step 3a Locate another rule by entering “full name” into the search box. Click on Full Names
(US). Click the checkbox to the left of Full Names (US) to add it to the new rule. Verify it has
been added in the OVERVIEW display to the right.

Step 4 Click Next until you reach Advanced Options

Step 5 Add proximity requirements by deleting the contents of the RULE EXPRESSION box and
add new content by:

Pg. 22
 1. clicking the (P0) – Can Numbers (all) data identifier in the lower left.
2. change the default 100 value in the NEAR box at the bottom center to 300.
3. click the NEAR button to add it to the expression
4. click the (P1) – Full Names (US) data identifier in the lower left to complete the
expression.
5. Validate your expression against the graphic below.

Step 6 Click Next twice, change your severity threshold to match the graphic below.

Step 7 Click Next and name your rule “stu<student number> FullName near CC”. Then click
SAVE in the bottom right.

Pg. 23
Step 8 Click DLP link at the very top left.

Step 9 Click New Profile to add your profile. Click Next to reach the RULE|CLASSIFICATION
section. Click into the DLP Rule = box and type “stu<student number>” to find your recently
created stu01 Full Name near CC rule. Check the box next to it to select it.

Step 10 Click Next and name your profile “stu<student number> PCI Data”. Click SAVE.

Step 11 Click Apply Changes and then Apply.

Inline Policy Creation with DLP

Step 1 Navigate to Policies > Real-time Protection and then click New Policy > DLP.

Step 2 In the Source field, type or find your stu<student number>@uberkstudent.com

username in the dropdown list and check the box next to it.

Pg. 24
Step 3 In the Destination section, click the Category radio button. Type “Cloud Storage” and
“IaaS/PaaS” to find matches and check the box to select them.

Step 4 Click Edit in the Activities & Constraints and check the box next to Select All. Click
Save.

Pg. 25
Step 5 Click Profile & Action. Type in the name of your DLP profile and check the box next to it.

Step 6 Ensure the Action selection is set to User Alert.

Notice the other options for actions that you might want to take. These include:
Alert, Allow, Block and User Alert in the current context.

Step 7 In Set Policy enter “stu<student number> Coaching alert for cloud storage and IaaS-
PaaS” as the Policy Name. Verify your policy is similar to the display below.

Pg. 26
Step 8 Click Save at the top right. Change policy position to the top, Click Save.

Step 9 Click Apply Changes and then Apply to activate your policy.

Pg. 27
Create an Inline Policy to Block Risky Cloud Storage Applications

Step 1 Navigate to Policies > Real-time Protection and then click New Policy > Cloud App
Access. Create a policy with the following parameters.

Step 2 In the Source section, enter your “stu<student number>@uberkstudent.com” user

name.

Step 3 In the Destination section, select Category. In the category selection select Cloud
Storage.

Step 4 In the Activities & Constraints section choose Select All.

Step 5 Click on Add Criteria > CCL below Destination and select the unknown, poor, and low
CCL scores.

Step 6 In the Profile & Action section choose the Block action and the CSW Block Template.

Step 7 In the Set Policy section, enter “stu<student number> Block Risky Cloud Apps”. Save it
and change policy position to the top.

Step 8 Click Apply Changes and then Apply to activate your policy.

Pg. 28
Verify your Policies

Step 1 Back on your local system, download the test file called “CC Authorization for
Hilton.doc” from Amazon S3.
( https://netskopedemo.s3-us-west-2.amazonaws.com/CC%2BAuthorization%2Bfor%2BHilton.doc )

Did the file download successfully?

Why?

Step 2 Navigate to the lab email account.

Step 3 Compose a New Message.

Step 4 In the To field enter your email address and attach the file CC Authorization for
Hilton.doc that you downloaded from Amazon.

Step 5 NetSkope should display a DLP violation alert. Click Stop to acknowledge it.

Step 6 Fill out the subject line and click Send.

NOTE
The logo on the alert can be changed. You could have also blocked the upload with the
option to proceed and enter a justification.

Step 7 Exit Pair’s webmail.

Pg. 29
Viewing the Events/Alerts
Step 1 Returning to the Home Screen, navigate to SkopeIT > Application Events.

Step 2 On the Application Events page, Click +Add Filter, Click User and start typing your email
e.g. “stu<student number>@uberkstudent.com”.

Step 3 Follow the events which tells a story of how the user jumped from app to app.

Step 4 You will notice an orange dot next to some of the events – this means an alert was
generated.

Step 5 Expand the event and scroll down on the Event Details to the DLP section (if you don’t
see it click the other event).

Step 6 From here you are able to see that the file that triggered the DLP rule.

Pg. 30
Create an Inline Policy for Threat Protection

Step 1 Navigate to Policies > Real-time Protection and then click New Policy > Threat
Protection. Create a policy with the following parameters.

Step 2 In the Source section, select your stu<student number>@uberkstudent.com username.

Step 3 In the Destination section select Category and select all categories. Click into Activities
and Constraints and choose Select All.

Step 4 In the Profile & Action section, set the Threat Protection Profile to Default Malware
Scan (predefined). Set each severity action to Block using the Default Template.

Step 9 Save your policy with the name “stu<student number> Threat Protection” and position
it at the top of the list.

Step 10 Click Apply Changes and Apply.

NOTE
Policies are processed in a top-down fashion similar to the processing of an Access
Control List in a firewall or router. Remember, the first match wins.

Pg. 31
Verify Threat Protection Policy

Step 1 Back on your local system, attempt to download the following malware test file from
https://www.eicar.org/?page_id=3950. Locate the eicar.com test file in the bottom right. Click
the link to download it.

Step 2 Click OK.

Viewing the Alert

Step 1 Returning to the Home Screen, navigate to SkopeIT > Alerts. Click the button to
enter Query Mode.

Step 2 On the Alerts page, in the search panel, enter the query: “user eq ‘stu<student
number>@uberkstudent.com’”.

Step 3 Expand the event with Malware from the page and view the details as you did before.

Pg. 32
Pg. 33