Cyberthreat Protection - Z-Sync Workshop - Slides

The document outlines Zscaler's Cyber Security module, which includes various labs focused on securing internet access, browser isolation, cloud sandboxing, content filtering, and deception-based defense. It aims to provide an overview of Zscaler's capabilities, configure its services, and understand the current threat landscape. Key features include advanced threat protection, visibility into TLS traffic, and a granular policy framework for effective security management.


© 2023 Zscaler, Inc. All rights reserved.


Agenda
• Secure Access to Internet
⁃ Accessing the Lab Environment
⁃ Lab 1: Securing Access to Internet
• Browser Isolation
⁃ Lab 2: Reducing Risk by Isolating Risky Websites
Break
• Cloud Sandbox
⁃ Lab 3: Inspecting Unknown Files through Advanced Cloud Sandbox
• Content Filtering
⁃ Lab 4: Enforcing Safe Access to Internet & SaaS Applications using Content Filtering & Access Control
• Deception
⁃ Lab 5: Extending Zero Trust with Deception-Based Active Defense

Missing Lab Access Information? Reach out in Zoom Chat with your Last Name, First Name and we will respond.



Zscaler Cyberthreat Protection Solution



Goals and Learning Objectives

Module Goal

In this module, gain an overview of Zscaler’s Cyber Security and protection capabilities, dive deeper into specific cyber functions, and gain knowledge on how to configure Zscaler’s cyber security services as they relate to best/common practice.

From this module, you will be able to:

● Identify the current threat landscape and nature of bad actors and how Zscaler solves these challenges

● Discover how to configure Zscaler products and services to defend against attacks

● Recognize the cyber functions Zscaler has in place to analyze organizational risk and defend against cyber attacks



Understanding the current cyber security landscape

• Use of automation by attackers: mounting attacks have become exceedingly easy for the adversary.
• Point products introduce complexity: using too many best-of-breed products introduces operational complexity and creates an adoption gap.
• Increasing adoption gap: customers continue to struggle with the adoption gap and do not use the technologies the right way to protect themselves.


Every attack has the same story

• Attack surface: Recon, Misconfiguration, Exposed Assets, Zero Day Exploits
• Initial Compromise: Malicious Docs, Ransomware, Exploit Kits, Manual Files
• Lateral Movement: Unrestricted Access, Scanners, Advanced Tooling, Compromised user
• Data Loss: Data Exfiltration, Data Encryption, Data Extortion


Zscaler for Users
Fast, secure and reliable access to the Internet, SaaS and Private Apps

1. Secure Internet / SaaS Access (ZIA), with API-CASB for SaaS
2. Secure Private App Access (ZPA), reaching IaaS/PaaS (Direct Connect, ExpressRoute) and the data center through Connectors
3. Digital User Experience (ZDX)

Zero Trust Exchange (150 DCs worldwide): verify identity and context (IDP), control risk, enforce policy (Allow, Block, Isolate, Prioritize), cyber threat and data protection.

Connectivity: Browser, Client Connector, SD-WAN or Router
Any User: Workforce, Contractor, B2B Customer. Any Device: Corp Managed, BYOD. Any Location: HQ, Branch, Factory, Home.

Great User Experience. Superior Threat and Data Protection. Reduced Cost and Complexity.
Key differentiator: The world’s largest security cloud

• 300B daily signals
• 7+ billion threats stopped per day
• 40+ threat intel partners
• 250k+ daily protection updates
• 100+ ThreatLabz expert hunters & researchers

Zero Trust Exchange capabilities: AI-powered analytics to stop zero day & emerging threats, dynamic risk scoring, in-line inspection, static analysis, cloud effect, threat correlation, custom rules, expert-driven threat context, expert services and ThreatLabz hunters.

An early warning system for your enterprise: better data, better insights, better protection.


Zscaler Zero Trust Exchange - Functional Diagram
Managed by others: SaaS, Internet. Managed by you: Data Center, Factory, IaaS/PaaS (reached through App Connectors using inside-out connections).

Digital Experience: Endpoint Monitoring, Network Monitoring, Application Monitoring, UCaaS Monitoring

Security Services
• Cyber Protection: Antivirus, Deception, Adv. Threat Protection, WAF, Sandbox, Browser Isolation, IPS, DNS Firewall, URL / Web Filtering
• Data Protection: Cloud DLP, Inline CASB, Endpoint DLP, Out of Band CASB, Browser Isolation, SSPM, CSPM/CIEM/IaC

Access Control Services: App Segmentation, Micro-Segmentation, Tenant Restrictions, Bandwidth QoS, Private App Access, Adaptive Access

Platform Services: TLS Decryption (Proxy), Policy Framework, Discovery, Device Posture, Reporting / Logging, Risk Score, Analytics / UEBA, AI/ML, Private Service Edge, Incident Response / Workflow

API Integrations: Identity, SIEM, SOAR, EDR/MDM

Zero Trust Exchange (IPv6 Support)

Connectivity Services: Browser Access, Client Connector, Branch Connector, Cloud Connector, SD-WAN / Any Router
Users and sites: Remote Employees, Third-Party Contractors; HQ, Branch or Factory


The world’s most comprehensive cyber risk reduction platform

• Eliminate the attack surface: Prevent attackers from discovering or exploiting apps by making them invisible and only accessible to authorized users or devices through the Zero Trust Exchange.
• Prevent Compromise: Protect users, servers, applications, and connected devices no matter where they are with full traffic inspection and AI-powered security at the edge.
• Stop Lateral Movement: Connect users and devices directly to apps without ever exposing the network. Misdirect attackers and learn of their presence with proactive lures and decoys.
• Stop data loss: Stop data loss caused by accidental exposure or malicious exfiltration with the most holistic data protection solution that spans managed and unmanaged devices, servers, public cloud, and cloud apps.


Unlock Visibility into TLS Traffic - TLS Inspection
SSL Inspection Modes in the Zero Trust Exchange

• ZIA Forward SSL Proxy (MITM) - traffic going to the Internet. Two handshakes (Client Hello, Server Handshake, Certificate, Client Handshake) produce a client-side tunnel and a server-side tunnel: the client receives a MITM certificate issued by the Zscaler service, while the server-side tunnel carries the real server certificate.
• ZPA Reverse Proxy (SSL Termination) - traffic going to private applications. The client-side tunnel terminates at the Zero Trust Exchange and a server-side tunnel runs from the App Connector to the private app; the App Connector presents the real server certificate.
Certificate Chain with SSL Inspection

Certificate | Description | Private Key Storage
Zscaler Root CA | Zscaler root CA (pre-installed on clients) | Zscaler Offline Key Store
Zscaler Intermediate Root CA (zscalertwo.net) | Zscaler’s Intermediate CA | Zscaler Central Authority DB
Zscaler Issuing CA (zscalertwo.net) (t) | Zscaler’s short-lived issuing CA (14 day expiry, 7 day rotation) | Zscaler Central Authority DB & ZEN memory
MITM end-entity certificate | Issued on the fly per inspected connection | ZEN memory


Granular policy framework for effective exemption management

• Granular rule-based engine (criteria)
⁃ User/group/department
⁃ URL Category/Cloud App
⁃ Destination IP/FQDN group
⁃ Device: Name, OS, Trust Level

• Avoid breaking cert pinned apps
⁃ Client OS, User Agent, Device

• Enforce secure TLS usage
⁃ Minimum TLS versions
⁃ Certificate validation/revocation for inspected and uninspected traffic

• Exclude from M365 One Click
⁃ Inspect OneDrive, Sharepoint
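As an added illustration (not Zscaler's policy engine or code), the following Python models the criteria on this slide as a first-match rule evaluator in which the minimum-TLS and certificate checks run before any exemption is consulted, so they apply to inspected and uninspected traffic alike. Every class, field, rule name, hostname and the pinned-app user-agent marker is an assumption made for the example.

```python
# Added example (not Zscaler code): first-match SSL inspection policy evaluator
# built from the criteria on the slide. All names below are assumptions.
from dataclasses import dataclass

# Ordering used to enforce a minimum TLS version.
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


@dataclass
class Flow:
    """One TLS connection as seen by the proxy (assumed attribute set)."""
    user: str
    department: str
    url_category: str
    dest_fqdn: str
    device_trust: str        # "high" | "medium" | "low"
    user_agent: str
    tls_version: str         # e.g. "TLSv1.2"
    cert_valid: bool = True  # server chain validated successfully
    cert_revoked: bool = False


@dataclass
class Rule:
    """A rule matches when every criterion that is set matches; empty = any."""
    name: str
    action: str                               # "inspect" | "bypass"
    departments: frozenset = frozenset()
    categories: frozenset = frozenset()
    fqdns: frozenset = frozenset()
    device_trust: frozenset = frozenset()
    user_agent_markers: tuple = ()            # substring match, for cert-pinned apps

    def matches(self, f: Flow) -> bool:
        return (
            (not self.departments or f.department in self.departments)
            and (not self.categories or f.url_category in self.categories)
            and (not self.fqdns or f.dest_fqdn in self.fqdns)
            and (not self.device_trust or f.device_trust in self.device_trust)
            and (not self.user_agent_markers
                 or any(m in f.user_agent for m in self.user_agent_markers))
        )


def example_rules():
    """Constructed rule set; hostnames and the app marker are placeholders."""
    return [
        # Keep M365 file services inspected even though a broader bypass follows.
        Rule("inspect-m365-files", "inspect",
             fqdns=frozenset({"onedrive.placeholder.example",
                              "sharepoint.placeholder.example"})),
        # Certificate-pinned client: inspection would break it, so bypass by user agent.
        Rule("pinned-app-bypass", "bypass", user_agent_markers=("PinnedBankingApp/",)),
        # Privacy-sensitive categories are exempted for everyone.
        Rule("finance-health-bypass", "bypass", categories=frozenset({"Finance", "Health"})),
        # Low-trust devices are always inspected.
        Rule("low-trust-inspect", "inspect", device_trust=frozenset({"low"})),
    ]


def evaluate(rules, f: Flow, min_tls: str = "TLSv1.2") -> dict:
    """Decide one flow: TLS-version and certificate checks come first and apply
    whether or not the flow ends up inspected; then the first matching rule
    wins; anything unmatched is inspected."""
    if TLS_ORDER.get(f.tls_version, -1) < TLS_ORDER[min_tls]:
        return {"action": "block", "reason": f"{f.tls_version} below minimum {min_tls}"}
    if f.cert_revoked or not f.cert_valid:
        return {"action": "block", "reason": "server certificate invalid or revoked"}
    for rule in rules:
        if rule.matches(f):
            return {"action": rule.action, "reason": rule.name}
    return {"action": "inspect", "reason": "default"}


if __name__ == "__main__":
    base = dict(user="alice", department="Sales", url_category="Business",
                dest_fqdn="crm.example", device_trust="high",
                user_agent="Mozilla/5.0", tls_version="TLSv1.3")
    for flow in (Flow(**base),
                 Flow(**{**base, "user_agent": "PinnedBankingApp/4.2"}),
                 Flow(**{**base, "tls_version": "TLSv1.0"}),
                 Flow(**{**base, "url_category": "Finance", "cert_revoked": True})):
        print(flow.user_agent, flow.tls_version, evaluate(example_rules(), flow))
```

Rule order matters in a first-match engine: in this constructed set a Finance flow from a low-trust device is bypassed because the category rule precedes the device-trust rule, which is exactly the kind of ordering an exemption review should catch.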


Anti-virus / Malware Protection



Malicious File Protections

• Virus
• PUA
• Trojan
• Worm
• Ransomware
• Adware / Spyware
• File Reputation
• Active Content
• Undetectable
• Unscannable



Advanced Threat Protection



Advanced Threat Protection: C2, Phishing

● Block known phishing sites
● Block unknown phishing sites with AI/ML
● Block adware / Spyware callbacks
● Block access to web SPAM pages
● Block crypto mining activity

• Connections to known C & C servers
• Command traffic (sending / receiving)
• Unknown C&C using AI ML


Advanced Threat Protection: Malicious Active Content & Server Side Vulns

Malicious Active Content: downloading dangerous content via the browser (ex. exploit kits, malicious adware) or vulnerable ActiveX controls without user knowledge.

Server Side Vulns: vulnerabilities in web server applications allowing malicious users to inject their code into the site.


Advanced Threat Protection - Anonymizers and P2P

Suspicious Destination Protection

P2P Protection
• P2P File Sharing (BitTorrent)
• P2P Anonymizer (Tor)


PageRisk engine Detection via web page and domain features

• Suspicious Content Protection (aka PageRisk)
⁃ Multi-data algorithm applied to the web page (not the file)
⁃ The algorithm determines the riskiness
⁃ Blocked based on a customer-set threshold

• Risk (0-100) is based on several factors
⁃ Risky TLD (.tk, .ru, etc.)
⁃ Unknown user agent
⁃ Missing HTTP headers (User-Agent, Accept, etc.)
⁃ High entropy domain name
⁃ Zero-pixel IFRAME
⁃ Script or IFRAME before the tag or after the tag (code injection)
⁃ Obfuscated JavaScript
⁃ Signatures for suspicious URL path, HTML/JavaScript/CSS code
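The following Python is an added example, not Zscaler's PageRisk implementation: it turns the page and domain features listed on this slide into a transparent 0-100 score that is compared against an operator-set block threshold. The weights, the two-entry TLD list, the required-header list, the user-agent allowlist, the entropy threshold and both sample pages are assumptions constructed for the illustration.

```python
# Added example (not Zscaler's PageRisk): a transparent page-risk scorer over the
# factors named on the slide. Weights and lists are assumptions.
import math
import re
from urllib.parse import urlparse

RISKY_TLDS = {"tk", "ru"}                      # the two TLDs named on the slide
REQUIRED_HEADERS = ("user-agent", "accept")    # headers a real browser always sends
KNOWN_UA_PREFIXES = ("Mozilla/",)              # assumed allowlist of browser agents
ENTROPY_THRESHOLD = 3.5                        # bits per character, assumed
MIN_LABEL_LEN = 8                              # short labels are ignored for entropy

WEIGHTS = {                                    # assumed contribution per factor
    "risky_tld": 20, "unknown_user_agent": 10, "missing_header": 10,
    "high_entropy_domain": 15, "zero_pixel_iframe": 20,
    "script_outside_html": 15, "obfuscated_javascript": 15,
}

ZERO_PIXEL_IFRAME = re.compile(r"""<iframe[^>]*\b(?:width|height)\s*=\s*["']?0\b""", re.I)
INJECTED_TAG = re.compile(r"<(?:script|iframe)\b", re.I)
OBFUSCATED_JS = re.compile(
    r"eval\s*\(\s*unescape|String\.fromCharCode\s*\(|(?:\\x[0-9a-f]{2}){4,}", re.I)


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(host: str) -> str:
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def page_risk(url: str, request_headers: dict, html: str):
    """Score one page; returns (risk 0-100, list of triggered factor names)."""
    hits = []
    host = (urlparse(url).hostname or "").lower()

    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        hits.append("risky_tld")

    headers = {k.lower(): v for k, v in request_headers.items()}
    for name in REQUIRED_HEADERS:
        if name not in headers:
            hits.append("missing_header")
    ua = headers.get("user-agent", "")
    if ua and not ua.startswith(KNOWN_UA_PREFIXES):
        hits.append("unknown_user_agent")

    label = registrable_label(host)
    if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD:
        hits.append("high_entropy_domain")

    if ZERO_PIXEL_IFRAME.search(html):
        hits.append("zero_pixel_iframe")

    # Script or IFRAME outside the <html>...</html> element suggests injected code.
    lower = html.lower()
    start, end = lower.find("<html"), lower.rfind("</html>")
    if (start > 0 and INJECTED_TAG.search(lower[:start])) or \
       (end != -1 and INJECTED_TAG.search(lower[end:])):
        hits.append("script_outside_html")

    if OBFUSCATED_JS.search(html):
        hits.append("obfuscated_javascript")

    return min(100, sum(WEIGHTS[h] for h in hits)), hits


def verdict(url, request_headers, html, threshold: int = 70) -> str:
    """'block' once the score reaches the customer-set threshold, else 'allow'."""
    score, _ = page_risk(url, request_headers, html)
    return "block" if score >= threshold else "allow"


# Constructed sample pages (not real sites).
BENIGN = ("https://www.example.com/",
          {"User-Agent": "Mozilla/5.0", "Accept": "*/*"},
          "<html><body><p>Hello</p></body></html>")
SUSPICIOUS = ("http://qz8k4mxw2rp9v3.tk/login",
              {"User-Agent": "python-requests/2.31"},
              '<html><body><iframe src="/x" width="0" height="0"></iframe>'
              '<script>eval(unescape("%61"))</script></body></html>'
              '<script src="/late.js"></script>')

if __name__ == "__main__":
    for sample in (BENIGN, SUSPICIOUS):
        print(sample[0], page_risk(*sample), verdict(*sample))
```

The value of a factor list like this is that every block is explainable: the returned hit list tells an analyst which features pushed the page over the threshold, and tuning a weight changes one factor's influence without touching the others.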


Accessing the Lab



Lab Topology

• ZIA Admin Portal
• Deception Admin Console

In this workshop, you will access the ZIA Admin Portal as a Read-Only Administrator. This role affects what you will see in the Admin Portal.


Accessing the Lab Environment

5 min.


Lab 1: Secure Access to Internet

20 min.
• Task 1: Review SSL Inspection Policy & Verify SSL Decryption
• Task 2: Review Threat Protection Configurations & Risk Reports
• Task 3: Check Your Security Posture



Browser Isolation



Binary policies risk being overly permissive or overly restrictive

ALLOW side: Low user risk, Known good URLs, Managed devices, Enterprise apps
In between: Medium user risk, Unknown/Miscellaneous URLs, Newly Registered Domains, Newly Categorized Domains, Unmanaged devices, Personal email/websites, Social networking
BLOCK side: Critical user/device risk, Known malicious URLs, Illegal/illicit content


What is Browser Isolation?



Browser Isolation: Enhancing Security and Boosting Productivity
• Isolate Risky Internet Content: with Web, Email URLs, and Files Isolation, integration with the Zero Trust Exchange and 1-click AI-powered Isolation.
• Isolate Risky Users: high-value executives, or based on user risk score or device posture.
• Boost User/Admin Productivity: by isolating risky sites (otherwise blocked) and simplifying policy exceptions.
• Protect sensitive data: granular controls (BYOD, Third-party, M&A, VDI).
• Protect business-critical apps: from exploitation by vulnerable endpoints by obfuscating the anatomy of the app.
• Easy, secure agentless access.

The isolated browser session runs in the Zero Trust Exchange (Cyber Threat Protection; Prevent Data Loss & Reduce App Attack Surface) and reaches the endpoint as safe pixel streaming. Destinations: Internet, SaaS, Public Cloud, Data Center; Sanctioned SaaS and Corporate Private Web Apps. Endpoints: Managed (Employees) and BYOD/Unmanaged (Employees, Third-party).

Providing an Unmatched Experience for Users and Admins


Cyber Threat Protection - Use Cases
Isolate risky internet content (maintain security posture while maintaining user productivity):
• Isolate NRDs, Misc & Unknown Destinations
• 1-Click AI-Powered Smart Isolation of suspicious sites


Isolate Risky Users and Devices

Dynamically mitigate business risk (isolation of risky users and devices):
• Isolation of high-value users: define granular policies based on user group – execs, human resources, accounting, IP holders etc.
• User Risk and Device Posture based Isolation: isolate internet traffic based on the user’s risk score or device posture.


Boost User and Admin Productivity

• Avoid Overblocking: allow secure access to a wider set of URL categories and cloud applications via isolation to ensure the need for fewer exceptions.
• Exception Management via Isolation: highly regulated industries follow the whitelisting approach or have extremely restrictive internet access. Manage security exceptions via isolation instead of allowing traffic directly.


Integration with ZIA
Fully integrated Cloud Browser Isolation with ZIA
• Isolate action now part of the URL filtering and Cloud Application policy frameworks.
• Isolation Profile can now be configured within the ZIA Admin Dashboard (New)
• User SSO between ZIA and Cloud Browser Isolation
• Unified logging – all isolated browser events are logged
• Isolated browser, user location, and IP address: all context is carried forward and can be tied back to the original source
• Scanning of all traffic from the isolation browser by the entire security stack (malware, AV, sandbox, etc.) and enforcement of uniform policies (DLP, content type policies) on isolated traffic


Isolation Feature Set
Security & Data Protection Controls

• Persist the cookie store on the isolation container across user sessions. This ensures user preferences for isolated web pages are stored and user experience is enhanced.
• Granularly control users’ ability to share the clipboard between the native computer and the isolated webpages.
• Granularly control users’ ability to upload and download files to/from the isolation container.
• Seamlessly allocate isolation containers to users depending on their proximity to the nearest available infrastructure to ensure optimal performance.
• Render office files within the isolation container. Convert office files to PDF and view. Allow download of converted PDF files with all active content suppressed.


Key security control features - Browser Isolation

Restrict keystrokes to isolated webpages. Great way to protect against potential phishing sites.

Restrict printing of isolated webpages.
Note: If printing is disabled on the isolation profile, the user would still be able to print the content displayed on the canvas, but not the full webpage or documents displayed on the isolated browser.


Key security control features, continued...

Customizable End User Notification: change color, text, and logo.

Manage Root Certificates: install a custom CA certificate for the Isolation Browser to use while accessing web servers.

Local Browser Rendering: let admins decide whether or not hyperlinks clicked by users within the isolation browser are rendered as an additional tab in the isolated browser or in the users’ native browser.


Lab 2: Reduce Risk by Isolating Risky Websites
15 min.

• Task 1: Test Browser Isolation User Experience & Threat Prevention Capabilities
• Task 2: Review Browser Isolation Configuration & Settings



15 Minute Break



Zscaler Academy



Zscaler Academy
● Free eLearning
● Self paced labs
● Exams and certification



Training Journey for Customers

CONCEPTUAL AWARENESS
• Zero Trust Certified Associate (ZTCA): eLearning + Exam, online, 5+1 hrs

PLATFORM FOUNDATIONS
• Zscaler for Users Essentials (Z4U-E): eLearning + Lab, online, 14.5+8 hrs

PLATFORM PROFICIENCY
• Zscaler for Users Advanced (Z4U-A): eLearning + Lab + Exam, online, 12.5+8+2 hrs
• Zscaler Digital Transformation Administrator Exam (ZDTA): proctored online, 2 hrs

Specialization (each eLearning + Lab + Exam, online)
• Data Protection (DP): 5+4+1 hrs
• Cyberthreat Protection (CP): 5+4+1 hrs
• Ransomware Protection: 2+1+0.5 hrs
• Workloads (ZWL): 5+4+1 hrs
• Endpoint DLP (EDLP): 2+1+0.5 hrs
• ZDX Operationalization: COMING SOON


Cloud Sandbox



Why implement Zscaler Sandbox?

• Effective last-line defense: inline, AI-powered quarantine detects and blocks threats and targeted attacks before they’re allowed into the network, eliminating patient zero infections and lateral movement.
• Intelligent threat prevention: continuous and globally shared protection with integrated threat intelligence to stop the stealthiest threats at scale.
• Improved investigations & response: gain deep intelligence on adversarial tactics, techniques and procedures, enriching context to speed incident investigation and response.


Zscaler Advanced Security Protections
Known Threats

Advanced Threat Protection (Command & Control)
• Block known Command & Control destinations
⁃ IP
⁃ Domain
⁃ URL
⁃ Pattern Match Signatures
• Block known file, browser and other vulnerabilities
• Block known and unknown Phishing destinations
⁃ Category
⁃ Pattern Match
⁃ AI/ML

Malware Protection
• Block known file-based threats
⁃ Known pattern match
⁃ YARA

Unknown Threats

Advanced Sandbox (Sandbox Analysis Results)
• Block unknown file-based threats
⁃ Full report of Activity
⁃ Malware Family attribution
• Ransomware
• Keylogger
• Extraction of C2:
⁃ IP
⁃ Domain
⁃ URL
Zscaler Cloud Sandbox
Secure the enterprise by preventing unknown files from infecting your users

Inspect all content
• Inspect all files to prevent malicious files for all users, apps, devices, and locations

Prevent Ransomware and Malware Attacks (AI-Driven Quarantine)
• Malicious files are prevented from delivery to end users, protecting the business

Prevent Patient Zero Infections (Instant Protection, Infinite Scale)
• Identify all suspicious files and prevent user execution until Sandbox analysis is complete

Enable SOC to prevent future threats
• Understand who is targeting your enterprise (Threat Actor) and their motivations
• Extract meaningful Threat Intelligence for security posture improvement
Cloud Sandbox Workflow

• Cloud Effect: check the hash against blacklists from threat feeds and other observed samples in the cloud.
• Pre-Filtering: scan the sample using engines optimized to identify known bad, such as AV/Yara/ML.
• Behavioral Analysis: the sample is sent through the detection pipeline in the sandbox.
• Post-Processing: once a verdict is determined, the threat database is updated for the Cloud Effect and policy enforcement occurs.


AI-Driven Quarantine Effect - Customer Use Case



Full coverage policy

• Scan everything
▪ ALL File Types
▪ First-Time Action: Quarantine + Turn on AI Quarantine switch
▪ Subsequent Downloads: Block
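The following Python is an added example, not Zscaler's sandbox, that ties together the four-stage Cloud Sandbox Workflow (Cloud Effect, Pre-Filtering, Behavioral Analysis, Post-Processing) and the full-coverage policy above (first sighting quarantined until a verdict, later downloads of a known-bad hash blocked outright). The static "signatures", the behaviour-trace vocabulary, the sample bytes and every class and function name are constructed for the illustration; the behaviour trace passed in stands in for what a real detonation would observe.

```python
# Added example (not Zscaler code): a model of the four-stage sandbox workflow
# wired to the "quarantine first time, block afterwards" policy. All data is constructed.
import hashlib
from dataclasses import dataclass, field

# Pre-filter "signatures": a stand-in for AV/YARA/ML engines (constructed).
STATIC_SIGNATURES = {"constructed-dropper": b"CONSTRUCTED-MALWARE-MARKER"}

# Behaviours the detonation pipeline treats as malicious (constructed list).
MALICIOUS_BEHAVIOURS = {"encrypts_user_files", "deletes_shadow_copies",
                        "beacons_to_c2", "captures_keystrokes"}


@dataclass
class CloudEffect:
    """Shared verdict store every later download consults (the 'Cloud Effect')."""
    verdicts: dict = field(default_factory=dict)   # sha256 -> "malicious" | "benign"
    threat_feed: set = field(default_factory=set)  # hashes published by feeds

    def lookup(self, digest):
        if digest in self.threat_feed:
            return "malicious"
        return self.verdicts.get(digest)


@dataclass
class Decision:
    action: str      # "block" | "deliver"
    verdict: str     # "malicious" | "benign"
    stage: str       # workflow stage that produced the verdict
    detail: str = ""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def prefilter(data: bytes):
    """Static engines: return a verdict if a known-bad pattern is present."""
    for name, marker in STATIC_SIGNATURES.items():
        if marker in data:
            return "malicious", name
    return None, ""


def behavioral_analysis(trace):
    """Verdict from the behaviour trace a detonation produced (constructed input)."""
    hits = sorted(MALICIOUS_BEHAVIOURS & set(trace))
    return ("malicious" if hits else "benign"), ",".join(hits)


def post_process(cloud: CloudEffect, digest: str, verdict: str):
    """Record the verdict so every later download of this hash is answered instantly."""
    cloud.verdicts[digest] = verdict


def handle_download(cloud: CloudEffect, data: bytes, trace=(), ai_quarantine=True) -> Decision:
    """Run one download through the workflow; `trace` stands in for the sandbox run."""
    digest = sha256(data)

    # 1. Cloud Effect: anything already known is answered without re-analysis.
    known = cloud.lookup(digest)
    if known == "malicious":
        return Decision("block", known, "cloud_effect", "subsequent download of known-bad hash")
    if known == "benign":
        return Decision("deliver", known, "cloud_effect", "previously verified clean")

    # 2. Pre-filtering with static engines.
    verdict, sig = prefilter(data)
    if verdict:
        post_process(cloud, digest, verdict)
        return Decision("block", verdict, "prefilter", sig)

    # 3. Behavioral analysis. With AI quarantine the file is held until the verdict;
    #    without it the file is delivered now and only the verdict store is updated.
    verdict, detail = behavioral_analysis(trace)

    # 4. Post-processing: update the Cloud Effect store, then enforce policy.
    post_process(cloud, digest, verdict)
    if not ai_quarantine:
        return Decision("deliver", verdict, "behavioral", "delivered before verdict; " + detail)
    action = "deliver" if verdict == "benign" else "block"
    return Decision(action, verdict, "behavioral", "quarantined until verdict; " + detail)


if __name__ == "__main__":
    cloud = CloudEffect()
    ransom, clean = b"constructed sample A", b"constructed sample B"
    print(handle_download(cloud, ransom, trace=["encrypts_user_files", "deletes_shadow_copies"]))
    print(handle_download(cloud, ransom))                 # now blocked by Cloud Effect
    print(handle_download(cloud, clean, trace=["reads_config"]))
    print(handle_download(cloud, clean))                  # now delivered by Cloud Effect
    print(handle_download(cloud, b"x CONSTRUCTED-MALWARE-MARKER y"))
```

The `ai_quarantine=False` path shows why the "hold until verdict" switch matters: without it the first recipient becomes patient zero even though every later download is blocked.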


Granular Policies

• Hold and sandbox before delivering from suspicious destinations
• Allow Word and PDF file downloads, but also sandbox in parallel
• Only allow .exe file downloads for IT Helpdesk

Quarantine: Hold and only deliver sandbox clean files


Advanced Sandbox file types
Secure the enterprise by preventing unknown files from infecting your users
File Types
○ Archive
⁃ 7-Zip
⁃ Bzip2
⁃ Tar
⁃ RAR
⁃ ZIP
⁃ ZIP with Suspicious Script File
○ Executable
⁃ Visual Basic Script
⁃ Windows Executable
⁃ Windows Library
⁃ Windows PowerShell Script
○ Microsoft Office
⁃ Microsoft Excel
⁃ Microsoft PowerPoint
⁃ Microsoft RTF
⁃ Microsoft Word
○ Mobile
⁃ Android Application Package
○ Other Documents
⁃ Portable Document Format
○ Web Content
⁃ Adobe Flash
⁃ HTML Application
⁃ Java Applet


Intelligent Patient Zero Protection with Cloud Sandbox



Complete visibility into Malware behavior

• Malware Severity
• MITRE ATT&CK
• Evasion Attempts
• Callback behavior
• Process Graph
• Analysis Screenshots
• File & Network Artifacts


MITRE ATT&CK Reporting

Automated Mapping: automated MITRE ATT&CK technique mapping from observed behaviors.


Lab 3: Inspect Unknown Files through Advanced Cloud Sandbox

15 min.
• Task 1: Review Sandbox Configuration
• Task 2: View Sandbox Activity Report



Content Filtering



Safely Enable Web Access - URL Filtering & Isolation
What is URL Filtering?

• One of the most commonly used web filtering techniques; it helps to restrict the kinds of content a user may access
• Protects end users from inappropriate or harmful web content while boosting employee productivity and performance
• Considered the ‘First Line of Defence’ for users
• Restricts access to specific URLs by comparing the addresses of sites that users are attempting to visit against a database of either permitted or blocked sites


Why is URL Filtering important?

• 1.86B+ total websites on the Internet
• 120,000 new domain names register every day
• 100,000 domains are deleted every day

• Key benefits:
⁃ Define Acceptable Use Policy for your users
⁃ Block inappropriate or high risk URL categories
⁃ Increases employee productivity
⁃ Network bandwidth efficiency
⁃ Minimizes company liability


How is Zscaler URL Filtering different than others?

• Inline ML/AI based URL categorization
• Priority Categorization Service to categorize miscellaneous URLs proactively for our customers
• Cloud Browser Isolation integration with URL filtering
• Empowering end users to submit URL category suggestions directly to Zscaler


URL Filtering

• Core proxy URL rules
• 100+ URL categories to select from – categories are used in many other policy panels
• Misc Category cascades into Newly Registered Domains for tighter control
• Allow, Block, Caution, Isolate, Quota and Redirect actions
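As an added example (not Zscaler's URL filtering engine or code), the following Python shows the two mechanics on this slide working together: an uncategorised host falls into Miscellaneous and, if its registration is recent, cascades into Newly Registered Domains, after which a first-match rule set applies the Allow, Block, Caution, Isolate and Quota actions. The category database, the registration dates standing in for WHOIS data, the 30-day window, the rule set and the per-user quota are all constructed for the illustration.

```python
# Added example (not Zscaler code): URL filter with the Miscellaneous -> Newly
# Registered Domains cascade and the slide's action set. All data is constructed.
from datetime import date, timedelta
from urllib.parse import urlparse

CATEGORY_DB = {                          # constructed category lookup
    "intranet.example": "Corporate Marketing",
    "chat.socialsite.example": "Social Networking",
    "bad.malware-host.example": "Malicious Sites",
}
REGISTRATION_DATES = {                   # constructed stand-in for WHOIS age data
    "brandnew.example": date(2023, 9, 1),
    "oldmisc.example": date(2015, 1, 1),
}
NRD_WINDOW = timedelta(days=30)          # assumed "newly registered" window

# (rule name, categories the rule covers or None for any, action, daily quota minutes)
RULES = [
    ("block-malicious", {"Malicious Sites"}, "block", None),
    ("isolate-nrd", {"Newly Registered Domains"}, "isolate", None),
    ("caution-misc", {"Miscellaneous"}, "caution", None),
    ("quota-social", {"Social Networking"}, "quota", 30),
    ("allow-default", None, "allow", None),
]


def categorize(host: str, today: date) -> str:
    """Unknown hosts fall into Miscellaneous; a Miscellaneous host registered
    within NRD_WINDOW cascades into Newly Registered Domains."""
    category = CATEGORY_DB.get(host, "Miscellaneous")
    if category == "Miscellaneous":
        registered = REGISTRATION_DATES.get(host)
        if registered is not None and today - registered <= NRD_WINDOW:
            category = "Newly Registered Domains"
    return category


class UrlFilter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.usage = {}   # (user, day, rule name) -> minutes consumed

    def decide(self, user: str, url: str, today: date, minutes: int = 1) -> dict:
        """First matching rule wins; a quota rule allows until the daily budget
        is exhausted and blocks afterwards, tracked per user and day."""
        host = (urlparse(url).hostname or "").lower()
        category = categorize(host, today)
        for name, cats, action, quota in self.rules:
            if cats is not None and category not in cats:
                continue
            if action == "quota":
                key = (user, today, name)
                used = self.usage.get(key, 0) + minutes
                self.usage[key] = used
                action = "allow" if used <= quota else "block"
            return {"host": host, "category": category, "rule": name, "action": action}
        return {"host": host, "category": category, "rule": None, "action": "block"}


if __name__ == "__main__":
    f = UrlFilter()
    today = date(2023, 9, 10)
    for url in ("https://brandnew.example/", "https://oldmisc.example/",
                "https://bad.malware-host.example/x", "https://intranet.example/"):
        print(f.decide("bob", url, today))
    for _ in range(4):
        print(f.decide("bob", "https://chat.socialsite.example/", today, minutes=10))
```

Because the cascade happens before rule matching, a rule written for Miscellaneous never sees a fresh registration; that is what lets the tighter isolate action apply to NRDs while ordinary uncategorised sites only get a caution page.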


Lab 4: Enforce Safe Access to Internet & SaaS Applications using Content Filtering & Access Control

15 min.
• Task 1: View Content Filtering Controls
• Task 2: Test End User Experience with Content Filtering



Deception



The Funnel Of Fidelity

• 1,000,000s of events collected: big data, not good data. Huge effort to collect and tune.
• 100s of alerts to triage: analysts are paralyzed.
• 10s of leads to investigate: inadequate root-cause analysis.
• 1s of incidents to remediate: containment takes weeks.


Deception in a Zero Trust Architecture

• Castle and Moat State: limited visibility. Multiple attack paths. Several opportunities for lateral movement.
• Zero Trust State: connect users directly to apps and services. Minimize attack paths.
• Zero Trust + Deception State: create false attack paths. Detect lateral movement. Derail attacks.


How Deception works

Traditional Defenses: attackers know your strategy. Predictable defenses are easily bypassed.

Deception Defenses: decoys and traps make your environment unpredictable and disrupt attacker playbooks.


Zero Trust + Deception

Privilege Escalation, Lateral Movement


Lab 5: Extend Zero Trust with Deception-Based Active Defense

15 min.
• Task 1: Review the Zscaler Deception Administrator Console



THANK YOU!
Join the conversation at community.zscaler.com and follow Zscaler Academy on LinkedIn.
