My organization would like to block the Miscellaneous/Unknown websites to cut down on users visiting malicious sites, but we have found that too many legitimate websites are mixed in and blocking the category would impact business. We currently block Newly Registered Domains and Caution Misc/Unknown. Too many users have been clicking through the caution page, however, and we would like to better protect ourselves. We also subscribe to priority categorization, where Zscaler will identify the top Misc URLs for our organization each week and categorize them. We are a company of 20k employees. How are other organizations handling Misc/Unknown, and what has your experience been when moving that category to block?
Hi Tristan, one method that many of our customers use is our Cloud Browser Isolation feature. It’s a ZIA policy that would forward URL categories of your choosing to Cloud Browser Isolation to both protect the company and allow users to access potentially legitimate sites.
If you’re unfamiliar with the feature, we happen to have a ZEDTalk coming up on the 28th to show Cloud Browser Isolation. The registration page is here: ZED Talk | zscaler.
Alternatively, reach out to your Zscaler sales team. They can provide a demonstration and talk about the capabilities in depth.
Hope this helps,
Yes, I am familiar but unfortunately that’s not an option for us right now. I am looking for suggestions of other controls or functionality I can utilize within ZIA to manage this problem. Thank you.
We are blocking Misc/Unknown and I definitely feel your pain.
I’m also pretty interested in that topic and how other companies are handling this.
How are we handling those wrongly/not categorized URLs from a technical standpoint?
If a URL is only wrongly categorized or not categorized at all, we have a temporary whitelist to override the Zscaler categorization.
Before adding the URL, we will perform a quick check to verify that the URL is somewhat trustworthy (depending on the content, I will also check the Impressum, the domain registration, etc. and verify the information. For me personally this is very important, since there are so many scam pages in the financial sector and this could cause a real problem for our business).
We collect those temporarily whitelisted URLs and regularly open a ticket for Zscaler to recategorize them.
Usually this only takes a few minutes to perform. That way we try to reduce the impact on the business. If you always open a ticket first and so on, then I guess your colleagues will get pretty frustrated soon.
How do we get informed about URLs that we should recategorize?
We have customized the URL Blocking Page with information on how to report the URL to us.
The first paragraph is something like “Is this website wrong or not categorized?” and it tells you how to contact us (mail/in person) in urgent cases, or where you can open an internal ticket to get it done soon.
Additionally, we have talked to our internal support teams so that they know what to do. In urgent cases they will inform us via chat/mail/in person so that we can handle it instantly. In other cases a normal service ticket gets forwarded to our Zscaler admins.
Alternative way to get the URLs recategorized
From a business standpoint I can’t recommend the use of the Zscaler Site Review Page (https://sitereview.zscaler.com/).
The page got better and sometimes there is a chance that the URL will really get categorized - but from our own tests it’s nothing you as a business could rely on.
You mentioned the premium priority categorization from Zscaler - I can’t really say anything about this. But categorizing the top Misc URLs each week doesn’t sound that practical to me.
I guess it depends on your users/business case, but usually we need those web pages to work pretty quickly, because otherwise we can’t handle a customer’s case or so. In our case, those URLs are also often only used by one or two persons for a few tries and would probably slip through the categorization anyway.
Things I would suggest for your case
Be transparent to your users. It’s great that you are already using the caution page - this should make the transition to blocking much smoother.
I would suggest using the regular communication channel for internal news (intranet / forum / newsletter or so) to inform them about the change and why you are doing it.
Also add some information on how to handle those URLs if they are needed, and talk to your support/hotline about the change.
Depending on how your internal support is structured etc., you could also try to pass some of the work to them (like opening a ticket to get the URL reviewed by Zscaler) for default cases, to reduce processing time and make it more efficient. I guess it really depends on how much security responsibility you are willing to give them.
Other stuff and experience
The first one or two weeks with blocking activated were pretty rough for us. But we had no caution page before, and it got activated pretty quickly after there were so many scam/phishing campaigns that would have been blocked by that category. That way we couldn’t rely on good communication as a foundation.
But I think with your already configured caution page and a good amount of communication, you can get a smooth transition.
Besides waiting for tickets, I also scanned the logs for the first 1-2 weeks to proactively recategorize quite some stuff. I was also in direct contact with some support colleagues who would just chat me every URL that gets reported, to reduce overhead.
Also, you will probably have some colleagues who will “hate” you and tell you that they can’t work anymore.
But every time I looked up their logs, they were quite exaggerating how many blocks they had, and I just categorized a few URLs and told them to just chat me personally/write a quick mail if something else happens again. I mean… in theory it would be possible to give some users access to the category, but yeah…
Last but not least
You are not alone. The quality of the URL categorization is a top topic in every QBR, and we got assured that this topic has gained Zscaler’s attention lately.
The categorization is also one of the top topics that come up when we talk to our affiliated partners that are starting to introduce Zscaler.
The whole URL categorization thing is a huge task, and I always encourage every Zscaler customer to report everything they find. If everyone just uses local whitelists or non-specific policies, the URL filter will probably take a long time to get better. But if every Zscaler customer helps to improve the service, I have hope that we can make a difference and get a better and more secure URL filtering experience for everyone.
And of course, if more customers start to rely on the correct categorization, this gives Zscaler more reason to get better at that service.
Sorry for the wall of text, I hope some of the information was useful.
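The log review Simon describes above (scanning blocks proactively for recategorization candidates, and checking a colleague’s reported impact against the logs), as an added example that is not part of this thread or of Zscaler’s tooling; the five-field log format and all sample records are constructed assumptions, not the real ZIA log layout:

```python
# Added example, not Zscaler's tooling or the poster's own scripts.
# Assumed (constructed) log format, one record per line:
#   <timestamp> <user> <action> <category> <host>
from collections import defaultdict

# Constructed sample records in the assumed format.
SAMPLE_LOG = """\
2024-05-06T08:01:12Z alice BLOCKED Miscellaneous_or_Unknown portal.example-supplier.test
2024-05-06T08:02:40Z bob BLOCKED Miscellaneous_or_Unknown portal.example-supplier.test
2024-05-06T08:03:05Z carol BLOCKED Miscellaneous_or_Unknown portal.example-supplier.test
2024-05-06T08:04:19Z alice ALLOWED News cdn.news.test
2024-05-06T08:05:33Z dave BLOCKED Miscellaneous_or_Unknown one-off-tool.test
2024-05-06T08:05:34Z dave BLOCKED Miscellaneous_or_Unknown one-off-tool.test
2024-05-06T08:05:35Z dave BLOCKED Miscellaneous_or_Unknown one-off-tool.test
2024-05-06T08:06:01Z erin BLOCKED Newly_Registered_Domains fresh-login.test
"""

TARGET_CATEGORY = "Miscellaneous_or_Unknown"


def parse_blocks(log_text, category=TARGET_CATEGORY):
    """Return (user, host) pairs for BLOCKED records in the given category."""
    pairs = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of guessing at them
        _ts, user, action, cat, host = fields
        if action == "BLOCKED" and cat == category:
            pairs.append((user, host.lower()))
    return pairs


def hosts_by_distinct_users(pairs, min_users=2):
    """Hosts blocked for >= min_users distinct users: candidates for a recategorization ticket.
    A single user with a burst of hits (dave above) is the 'one or two persons, a few tries' case."""
    users = defaultdict(set)
    for user, host in pairs:
        users[host].add(user)
    return {h: len(u) for h, u in users.items() if len(u) >= min_users}


def blocks_per_user(pairs):
    """Total blocks per user, to compare a reported 'I can't work anymore' against the logs."""
    counts = defaultdict(int)
    for user, _host in pairs:
        counts[user] += 1
    return dict(counts)
```

Point `parse_blocks` at an export of your own proxy logs once the field order matches; the thresholds are a starting point, not Zscaler guidance.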
Thank you for your thoughtful reply, Simon. We also thoroughly check out the URLs (using tools to scan the sites) prior to adding them to our whitelist. I agree the prioritization service will not be much help once we move to block, as our users will need the sites open quickly. We are looking at updating our customized caution page to make it “scarier,” as we have had a high click-through rate recently to malicious sites and our SOC is busy mitigating incidents as a result. We have implemented other policies to further protect our users when they visit miscellaneous sites, including a file type control policy to block upload/download of files to miscellaneous sites - but we are looking at what else we might do if we are not able to block the category due to impact.