Pass the Netskope NCCSA NSK101 Questions and answers with ValidTests

A benefit that Netskope instance awareness provides is that it differentiates between an IT managed Google Drive instance versus a personal Google Drive instance. Instance awareness is a feature in the Netskope platform that allows you to define and identify different instances of the same cloud application based on the domain name or URL. For example, you can define an instance for your IT managed Google Drive instance (such as drive.google.com/a/yourcompany.com) and another instance for your personal Google Drive instance (such as drive.google.com). This way, you can differentiate between them and apply different policies and actions based on the instance. This can help you prevent data leakage, enforce compliance, or improve visibility for your cloud application activities. Preventing movement of corporate sensitive data to a personal Dropbox account, preventing the user from copying information from a corporate email and pasting it into a GitHub repository, or differentiating between an IT managed Google Drive instance versus an IT managed Box instance are not benefits that Netskope instance awareness provides, as they are either unrelated or irrelevant to the instance awareness feature. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 5: Real-Time Policies, Lesson 4: App Instances.

The exhibit shows that Group A is allowed only SSH traffic, while Group B is allowed both SSH and RDP traffic. Since users in Group A need access to a third-party server using TCP port 3389 (RDP), you need to create a specific policy to allow this traffic without granting unnecessary access.

Creating an Allow policy using a custom application that includes the destination IP and TCP port 3389 will precisely target the required traffic and ensure that only the necessary connections are permitted. This method avoids broader policy changes that could introduce unnecessary access.

References:

Netskope documentation on creating and managing Cloud Firewall policies.

Best practices for configuring application-specific policies to control network traffic effectively.

=================

In a CASB-only deployment of Netskope, there could be several reasons why Dropbox.com traffic is not visible in SkopeIT:

Certificate Pinning:

The Dropbox Web application might be using certificate pinning, which means it only accepts specific certificates for its connections. This can prevent the traffic from being steered to the Netskope tenant because the proxy's certificate might not match the pinned certificate​​​​.

Configuration of Dropbox Domains:

If the Dropbox domains are not properly configured to be steered to the Netskope tenant, then the traffic will bypass the Netskope inspection and will not be visible in SkopeIT. Ensuring that the domains are configured correctly is essential for the traffic to be captured and analyzed by Netskope​​​​.

References:

"Certificate pinning prevents the interception of traffic by requiring that the presented certificate matches a known good certificate. This can interfere with traffic steering in CASB deployments."​​​​.

"Proper configuration of application domains is necessary to ensure traffic is steered to the Netskope tenant for inspection and visibility."​​​​.

In this scenario, there are three probable causes for the issue of users not being able to access external websites from their browsers after attempting to steer traffic to Netskope using GRE tunnels. One cause is that the configured GRE peer in the Netskope platform is incorrect, which means that the Netskope POP that is supposed to receive the GRE traffic from the customer’s network is not matching the IP address of the customer’s router that is sending the GRE traffic. This will result in a failure to establish a GRE tunnel between the customer and Netskope. Another cause is that the corporate firewall might be blocking GRE traffic, which means that the firewall rules are not allowing the GRE protocol (IP protocol number 47) or the UDP port 4789 (for VXLAN encapsulation) to pass through. This will result in a failure to send or receive GRE packets between the customer and Netskope. A third cause is that the route map was applied to the wrong router interface, which means that the configuration that specifies which traffic should be steered to Netskope using GRE tunnels was not applied to the correct interface on the customer’s router. This will result in a failure to steer the desired traffic to Netskope. The pre-shared key for the GRE tunnel is incorrect is not a probable cause for this issue, as GRE tunnels do not use pre-shared keys for authentication or encryption. Netskope does support GRE tunnels, so this is not a cause for this issue either. References: [Netskope Secure Forwarder], Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 3: Steering Configuration, Lesson 3: Secure Forwarder.

To locate information pertaining to a DLP violation on a file in your sanctioned Google Drive instance, you can use the Incidents dashboard in Netskope. The Incidents dashboard provides a comprehensive view of all the incidents that have occurred in your cloud environment, such as DLP violations, malware infections, anomalous activities, etc. You can filter the incidents by various criteria, such as app name, incident type, severity, user name, etc. You can also drill down into each incident to see more details, such as file name, file path, file owner, file size, file type, etc. The Incidents dashboard can show DLP violations for files that are in a deleted state, as long as they are still recoverable from the trash bin of the app. If the file is permanently deleted from the app, then the incident will not be visible in the dashboard. References: Netskope Incidents Dashboard

Three security controls that are offered by the Netskope Cloud platform are: C. cloud security posture management, E. threat protection, and B. data loss prevention for SMTP.

Cloud security posture management is a service that provides continuous assessment and remediation of public cloud deployments for risks, threats, and compliance issues. Netskope CSPM leverages the APIs available from cloud service providers such as AWS, Azure, and GCP to scan the cloud infrastructure for misconfigurations, such as insecure permissions, open ports, unencrypted data, etc. Netskope CSPM also provides security posture policies, profiles, and rules that can be customized to match the security standards and best practices of the organization or industry.

Threat protection is a capability to detect and block malware, ransomware, phishing, and other cyber threats that may compromise cloud data or users. Netskope threat protection uses advanced techniques such as machine learning, sandboxing, threat intelligence, and behavioral analysis to identify and prevent malicious activities in real time. Netskope threat protection also integrates with third-party solutions such as antivirus engines, firewalls, SIEMs, etc., to provide comprehensive defense across the cloud and web1.

Data loss prevention for SMTP is a feature that allows you to protect sensitive data that is sent or received via email. Netskope DLP for SMTP can scan email messages and attachments for predefined or custom data patterns, such as credit card numbers, social security numbers, health records, etc., and apply appropriate actions, such as block, quarantine, encrypt, notify, etc., based on the DLP policies. Netskope DLP for SMTP can also support multiple email domains and routing rules for different groups of users2.

When comparing data in motion with data at rest, the following statements are correct:

Data in motion requires the Netskope client: To inspect and enforce policies on data as it is being transmitted across the network (data in motion), the Netskope client is required. The client steers the traffic through the Netskope cloud where it is analyzed and policies are applied in real-time.

Data at rest requires API integration: To scan and enforce policies on data stored in cloud applications (data at rest), API integration is required. This allows Netskope to directly interact with cloud services and perform actions such as scanning for malware, applying DLP policies, and ensuring compliance.

References:

Netskope documentation on data protection strategies, including data in motion and data at rest.

Best practices for implementing API integrations for data at rest and using the Netskope client for data in motion.

A Netskope Virtual Appliance is a software-based appliance that can be deployed on-premises or in the cloud to provide various functions and features for the Netskope Security Cloud platform. One use for deploying a Netskope Virtual Appliance is as an endpoint for Netskope Private Access (NPA), which is a service that allows users to securely access private applications without exposing them to the internet or using VPNs. Another use for deploying a Netskope Virtual Appliance is as a Secure Forwarder to steer traffic from on-premises devices or networks to the Netskope platform for inspection and policy enforcement. Using a Netskope Virtual Appliance as a local reverse-proxy to secure a SaaS application or as a log parser to discover in-use cloud applications are not valid uses, as these functions are performed by other components of the Netskope Security Cloud platform, such as the Cloud Access Security Broker (CASB) or the Cloud XD engine. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 2: Architecture Overview; [Netskope Private Access]; [Netskope Secure Forwarder].

API-enabled Protection traffic is sent to the Netskope Data Plane. The Netskope Data Plane is responsible for processing and inspecting data in real-time, applying security policies, and ensuring that the traffic conforms to organizational policies.

Netskope Data Plane: This component handles the inline inspection and enforcement of security policies, including API-enabled protection. It ensures that all traffic is securely processed and monitored according to the defined policies.

References:

Netskope architecture documentation describing the roles of different components.

Detailed guides on how API-enabled protection integrates with the Netskope Data Plane for real-time traffic inspection.

=================

To detect files containing sensitive data that are shared outside of the organization, the administrator should select both "Shared Externally" and "Public" sharing options. These settings ensure that any files shared externally (outside the organization) or publicly are scanned for sensitive data. This comprehensive approach covers all potential scenarios where data could be exposed outside the organization.

Step-by-Step Configuration:

Select Specific Sharing Options:

Navigate to the CASB API-enabled Protection policy configuration page.

Choose the option for "Specific Sharing Options" to limit the scan to files shared under certain conditions.

Enable Shared Externally and Public:

Check both "Shared Externally" and "Public" options. This setting ensures that files shared either publicly or with external domains are included in the scan.

Configure Advanced Options:

For further granularity, configure the advanced options under each sharing type if needed (e.g., specifying particular external domains).

This configuration aligns with the best practices for CASB policies and ensures that all files potentially leaving the organization are scanned for sensitive data.

References:

Netskope CASB Policy Configuration Documentation ​