
Advanced SWG: Implement Threat Intelligence filtering

Implementation Effort: Low

User Impact: Medium

Overview

In a Zero Trust security model, implicit trust is eliminated, and every access request is continuously validated based on identity, risk, and context. Threat Intelligence (TI) filtering is vital in this paradigm, as it enables dynamic, real-time protection against emerging internet threats—without assuming that any network traffic is inherently safe.

By integrating TI into Secure Web Gateway (SWG) policies, organizations can ensure that users and devices are rigorously evaluated before accessing resources. This process leverages up-to-date threat data from both Microsoft and multiple third-party sources to identify and block connections to destinations classified as "High Severity" risks—such as phishing sites, malware distribution points, botnets, and command-and-control servers—at the FQDN or URL level.

Key Zero Trust enhancements include:

  • Continuous Validation: Every web request is checked against the latest TI feeds, so a destination that matches a "High Severity" indicator is blocked before the connection completes rather than trusted because it was reachable yesterday.
  • Minimized Attack Surface: Blocks known malicious domains and URLs, reducing the risk of compromise from external threats.
  • Identity-Centric Controls: Integrates with Conditional Access policies to enforce user- and context-aware decisions, so access is dynamically granted or denied based on identity, device posture, and session risk.
  • False Positive Management: Allows administrators to configure granular allow lists of FQDNs, minimizing disruption to legitimate business activities while maintaining strict threat protection. Note that an allow-list entry is scoped to the whole FQDN, so every URL under that host is exempted from TI blocking; add entries only for confirmed false positives and review them periodically.
  • Comprehensive Visibility: Enriches traffic logs with threat type metadata (for example Botnet, C2, Phishing, Malware), enabling security teams to understand the nature of threats detected and respond more effectively.

This approach supports Zero Trust principles by requiring explicit verification of users, devices, and destinations, continually assessing risk, and letting organizations act on threat intelligence as it is published rather than on a fixed block list.

Capabilities at a glance:

  • Identify and block access to destinations labeled as "High Severity" threats based on FQDN or URL. Threats are identified according to Microsoft and third-party threat intelligence sources.
  • Configure an allow list of FQDNs to handle false positives. (This is the first feature fully shipped in the GSA Object Model v2.)
  • Enrich the traffic log with the Threat Type (for example Botnet, C2, Phishing, Malware) of the matched indicator.
  • Provide user- and context-aware policy through the identity-centric Conditional Access policy integration.
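The decision order the two lists above describe (allow list for false positives, then FQDN or URL match against the TI feed, block only on "High Severity", and enrich the log record with the matched Threat Type) can be modelled in a few lines. The block below is an added illustration written for this page, not Global Secure Access code or its policy API; the indicator feed, the allow list, the request URLs and the threat types are all constructed, and two behaviours are assumptions rather than documented product behaviour: the allow list is consulted before the feed, and an indicator below High severity is logged with its threat type but not blocked.

```python
"""Illustrative model of SWG threat-intelligence (TI) filtering.
Added example for this page; not Global Secure Access code.
Assumptions: allow list is checked before the TI feed; FQDN indicators
match the exact host; URL indicators match scheme + host + path; only
"High" severity blocks, lower severities are logged with their threat type."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    value: str        # FQDN ("c2.badactor.example") or URL ("http://host/path")
    kind: str         # "fqdn" or "url"
    severity: str     # "High", "Medium" or "Low"
    threat_type: str  # e.g. Botnet, C2, Phishing, Malware


# Constructed sample feed: hypothetical names, not real indicators.
TI_FEED = [
    Indicator("c2.badactor.example", "fqdn", "High", "C2"),
    Indicator("login-micros0ft.example", "fqdn", "High", "Phishing"),
    Indicator("http://cdn.partner.example/tools/dropper.exe", "url", "High", "Malware"),
    Indicator("tracker.adnet.example", "fqdn", "Medium", "Adware"),
]

# Constructed admin allow list: exact FQDNs confirmed as false positives.
# Note the scope: allowing the FQDN exempts every URL under that host.
ALLOW_LIST = {"login-micros0ft.example"}


def fqdn_of(url: str) -> str:
    """Lower-cased host part of a URL, trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def normalize_url(url: str) -> str:
    """scheme://host/path only; query and fragment are ignored so that
    cache-busting parameters cannot evade a URL indicator."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{fqdn_of(url)}{p.path or '/'}"


def evaluate(url: str, feed=TI_FEED, allow=ALLOW_LIST) -> dict:
    """Return an enriched traffic-log record for one web request."""
    fqdn = fqdn_of(url)
    record = {"url": url, "fqdn": fqdn, "action": "allow",
              "threat_type": None, "reason": "no-match"}

    # 1. False-positive handling: allow-listed FQDNs skip TI matching (assumption).
    if fqdn in allow:
        record["reason"] = "allow-list"
        return record

    # 2. Match the request against FQDN and URL indicators.
    norm = normalize_url(url)
    for ind in feed:
        hit = (ind.kind == "fqdn" and fqdn == ind.value.lower()) or \
              (ind.kind == "url" and norm == normalize_url(ind.value))
        if not hit:
            continue
        # 3. Enrich the log with the matched indicator's threat type.
        record["threat_type"] = ind.threat_type
        # 4. Only "High Severity" indicators block; others are logged (assumption).
        if ind.severity == "High":
            record["action"] = "block"
            record["reason"] = "ti-high"
        else:
            record["reason"] = f"ti-{ind.severity.lower()}-logged"
        return record
    return record


if __name__ == "__main__":
    for u in ("https://c2.badactor.example/beacon",
              "https://login-micros0ft.example/",
              "http://cdn.partner.example/tools/dropper.exe?x=1",
              "https://contoso.example/"):
        print(evaluate(u))
```

Running the block prints one record per constructed request: the C2 host and the dropper URL are blocked with their threat type filled in, the allow-listed phishing lookalike is allowed with reason "allow-list" (which is exactly the kind of entry to review), and the unknown host passes with no match. Filtering the log on `action == "block"` grouped by `threat_type` is the view a SOC analyst would build from the enriched records.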

Reference