Allow policies
Allow policies let administrators designate URLs that ConcealBrowse will always allow users to visit, as exceptions to Conceal analysis. These allow (whitelist) policies address cases where Conceal intervenes on trusted sites that administrators don't want blocked or placed in isolation (i.e. false positives). Adding an allow policy tells the ConcealBrowse extension not to intervene on the site and to always allow it. Refer to How to implement policies in the ConcealBrowse dashboard for details on how to enter policies.
When starting out with ConcealBrowse, administrators should consider allow listing certain trusted URLs to help ensure a more seamless user experience. Considerations should include the following:
- Are you using external email security applications such as Mimecast or Safelinks?
Some external email applications replace URLs in emails with a “safe” link that redirects users to the destination site only if the security vendor determines it is safe (aka “safe links”). Safe links can create unintentional false positives because (i) they are often flagged as malicious by other security vendors and included in threat intelligence blocklists used by Conceal, and (ii) they create a redirect path that conflicts with the sequence in which ConcealBrowse analyzes and decides on redirects. Because the rewritten link comes from an external application, it can be detected as suspicious/malicious and the destination site placed in isolation. We suggest adding an allow policy for all safelink URLs in use by your organization to avoid intervention on the destination site.
Note that even where a safelink URL is allow listed, ConcealBrowse will analyze the destination site to ensure it is indeed safe. The safe link URLs that are allow listed would only create exposure if the safe link provider's infrastructure was used to conduct an attack. Thus, ConcealBrowse will still analyze the destination sites and will protect users from malicious sites that the safe link provider may not have detected. This ensures you are not giving up security efficacy when allow listing safe links. We've provided some syntax examples below:
- *://*.safelinks.protection.outlook.com/*
- *://*.mimecastprotect.com/*
Similarly, link shorteners such as bit.ly are commonly used in some organizations, and for the same reasons as safe links, Conceal often intervenes on the shortened URL. If your organization uses bit.ly or other link shorteners, we suggest adding the policy below (or a similar one for other providers). Just as with safe links, ConcealBrowse will still scan the final destination as mentioned above:
*://bit.ly/*
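A pre-deployment check of how far the patterns above reach, as an added example that is not Conceal's code. It assumes the policies follow browser-extension match-pattern rules, which this article does not state; the function names are hypothetical and the sample URLs are constructed.

```javascript
// Added example. ASSUMPTION: patterns use browser-extension match-pattern rules
// (scheme://host/path, "*" wildcards); ConcealBrowse's own matcher may differ.
function parsePattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`unsupported pattern: ${pattern}`);
  return { scheme: m[1], host: m[2].toLowerCase(), path: m[3] };
}

function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    // "*.example.com" covers example.com and its subdomains, nothing else
    const base = patternHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === patternHost; // no wildcard: exact host only
}

function pathMatches(patternPath, path) {
  const escaped = patternPath.split("*")
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp(`^${escaped.join(".*")}$`).test(path);
}

function isAllowed(pattern, url) {
  const p = parsePattern(pattern);
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const schemeOk = p.scheme === "*" ? /^https?$/.test(scheme) : p.scheme === scheme;
  return schemeOk && hostMatches(p.host, u.hostname)
    && pathMatches(p.path, u.pathname + u.search);
}

// Patterns from this article, plus constructed URLs to test their reach.
const POLICIES = ["*://*.safelinks.protection.outlook.com/*",
  "*://*.mimecastprotect.com/*", "*://bit.ly/*"];
const SAMPLES = [
  "https://region1.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com",
  "https://bit.ly/abc123",
  "https://www.bit.ly/abc123",                               // different host
  "https://bit.ly.example.net/abc123",                       // look-alike host
  "https://example.net/safelinks.protection.outlook.com/x",  // name only in path
];

function audit(policies, urls) {
  return urls.map((url) => ({ url, allowedBy: policies.filter((p) => isAllowed(p, url)) }));
}
for (const r of audit(POLICIES, SAMPLES)) console.log(r.allowedBy.length ? "ALLOW" : "none ", r.url);
```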
Other allow list policies we suggest considering prior to deployment:
- Internally hosted applications that you know are safe
- Business critical SaaS applications
- Any IP addresses with uncommon port numbers
- Other applications that you don't want Conceal to make a decision on, such as PSA systems, ticketing systems, and companywide sites that would impact workflow if placed in isolation.
Allow policies can be added at any time through the Conceal dashboard in just a few simple steps, so there is no need to worry if you aren't yet sure whether you need one. We always suggest starting your deployment with a small subset of users and gathering feedback.
Never hesitate to contact your Customer Success Manager with any questions or concerns. You may also open a support ticket at support.conceal.io by scrolling to the bottom and clicking Submit a request.