Demo - Netskope and Carbon Black
Netskope and Carbon Black have partnered to deliver advanced cloud threat protection. With this integration you can expand your kill chain view and response to include cloud-propagated malware, make endpoint threat protection smarter by incorporating intelligence from the cloud, and close the cloud threat remediation loop by alerting and coordinating with endpoints.
The first step is to configure Carbon Black server instances in the Netskope tenant. Next we will configure a remediation profile that we can use as part of a threat protection workflow. First we will choose to send files to the Carbon Black instance we just configured. Next we choose the action to take as part of this remediation workflow.
We can search and isolate, which enables us to perform endpoint isolation. This will prevent further spread of malware from a compromised endpoint and allows security analysts to initiate their remediation workflow. Search and alert helps in understanding the scope of a potential compromise and will verify the presence of malware. Search and ban will help us prevent malware infection by stopping known malware from ever downloading or executing on the endpoints. Let's go ahead and choose search and isolate, since we want to prevent the spread of malware from compromised endpoints.
The final step is to enable malware inspection on Netskope and specify the remediation profile that we just configured. In this case, let’s focus in on Box.
With the configuration in place, Netskope will inspect Box for the presence of malware and when malware is detected, it will leverage the integration with Carbon Black to search for compromised endpoints and isolate them from the network so they cannot infect others.
Let’s test this threat protection workflow by uploading malware to Box. Once the malware is uploaded, Netskope scans the file and detects it is malware and performs the remediation action that we just configured. In this case, the infected endpoints should have been isolated.
Let's verify the activities first in Netskope by going to SkopeIT, which is Netskope's event-by-event monitoring tool. Here we can see the activity and see that remediation was performed. We can also verify that the malware inspection worked by going to the Netskope Threat Protection dashboard. Here we see the users infected and the file involved.
The final step is to log in to the Carbon Black console to verify that the compromised endpoints were isolated from the network. It looks like that is the case here.
With the combination of Netskope and Carbon Black, we were able to protect against the spread of cloud-based malware.