End-of-Life (EoL)
Transition Vulnerability Protection Profiles Safely to Best Practices
Apply Vulnerability Protection profiles to allow rules
to protect against malware exploits and vulnerabilities without
risking application availability.
The decision to block or alert on traffic
when you first apply Vulnerability Protection profiles to traffic
depends on your current security posture and your business requirements
regarding security vs. availability. Use the following guidance
to help determine whether to start with block or alert actions as
you begin the transition to best practice Vulnerability Protection
profiles.
Vulnerability Protection requires a Threat Prevention subscription.
- False positive rates for critical and high severity signatures are typically low and usually indicate an attack against a vulnerability that doesn’t exist on your network. For applications that aren’t critical to your business, such as internet access, block critical and high severity signatures from the start.
- Medium severity signatures may generate false positives and require initial monitoring. Start by alerting on medium severity signatures and monitor the Threat logs (Monitor > Logs > Threat) to see if you can block applications for which you receive alerts or if you need to allow them.
- Set signatures in the brute-force category initially to alert and then fine-tune them to your environment before transitioning to blocking them.
- The default action for most low and informational severity signatures is alert or allow. Unless you have a specific need to alert on all low and informational signatures, configure the default action from the start.
- For business-critical applications, it’s usually best to set the initial action to alert to ensure application availability. However, in some situations you can use the block action from the start. For example, when you’re already protecting similar applications with a Vulnerability Protection profile that blocks on vulnerability signatures, and you’re confident the profile meets your business and security needs, you can use a similar profile to block vulnerabilities and protect those applications. The alert action enables you to analyze Threat logs and create exceptions when necessary before moving to a block action. Alerting and monitoring before moving to blocking gives you confidence the profile won’t block business-critical applications when you deploy the initial profile, and that you’ll maintain application availability by creating necessary exceptions as you transition to the best practice blocking state. Keep the length of time you maintain the initial alert action to a minimum to reduce the chance of a security breach. Transition to the best practice state as soon as you’re comfortable you’ve identified any exceptions you need to make, and configure the profile accordingly.
Enable extended packet capture for critical,
high, and medium severity signatures. Enable single packet capture
for low and informational severity signatures. Enabling packet capture
allows you to investigate events in greater detail if necessary.
As you move to best practice profiles, if informational events create
too much packet capture activity (too large a volume of traffic)
and the information isn’t particularly useful, you can transition
to disabling packet capture on informational events.
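The staged actions in the list above (block critical and high, alert on medium and brute-force, default for low and informational, alert everything for business-critical applications) and the packet-capture guidance are easy to drift from when a profile has many rules. The following checker is an added example, not Palo Alto Networks code: it reads a profile in an XML layout modeled on a PAN-OS configuration export (the `rules/entry`, `action`, `severity/member`, `category` and `packet-capture` element names are an assumption about that format), compares each rule against the initial-profile guidance, and reports deviations. It treats a capture level that is more detailed than the one recommended for a severity as acceptable, since the page only warns about volume, not correctness. The sample profile, rule names and `business_critical` flag are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Severity names and the actions that count as "block" on a PAN-OS firewall.
SEVERITIES = ["critical", "high", "medium", "low", "informational"]
BLOCK_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}

# Packet-capture levels ordered from least to most detailed.
CAPTURE_RANK = {"disable": 0, "single-packet": 1, "extended-capture": 2}
# Capture level the page recommends per severity for the initial profile.
EXPECTED_CAPTURE = {
    "critical": "extended-capture", "high": "extended-capture",
    "medium": "extended-capture",
    "low": "single-packet", "informational": "single-packet",
}


def expected_actions(severity, category, business_critical):
    """Acceptable initial actions for a rule covering this severity/category."""
    if category == "brute-force":            # tune brute-force signatures on alert first
        return {"alert"}
    if severity in ("critical", "high"):     # block from the start unless the app is critical
        return {"alert"} if business_critical else BLOCK_ACTIONS
    if severity == "medium":                 # monitor medium signatures before blocking
        return {"alert"}
    return {"default"}                       # low/informational: keep the default action


def parse_rules(xml_text):
    """Flatten the assumed export layout into plain dicts, one per rule."""
    rules = []
    for entry in ET.fromstring(xml_text).iterfind("./rules/entry"):
        action_el = entry.find("action")
        # The action is encoded as a child element name, e.g. <action><reset-both/></action>.
        action = action_el[0].tag if action_el is not None and len(action_el) else "default"
        sevs = [m.text.strip() for m in entry.iterfind("./severity/member")]
        if not sevs or "any" in sevs:
            sevs = list(SEVERITIES)
        rules.append({
            "name": entry.get("name"),
            "action": action,
            "severities": sevs,
            "category": entry.findtext("category", default="any").strip(),
            "capture": entry.findtext("packet-capture", default="disable").strip(),
        })
    return rules


def check_profile(xml_text, business_critical=False):
    """Return a list of human-readable deviations from the staged initial profile."""
    findings = []
    for rule in parse_rules(xml_text):
        wrong = [s for s in rule["severities"]
                 if rule["action"] not in expected_actions(s, rule["category"], business_critical)]
        if wrong:
            findings.append(f"{rule['name']}: action '{rule['action']}' is not the staged "
                            f"initial action for severities {wrong}")
        # A rule must capture at least as much as its most severe covered signature needs.
        required = max((EXPECTED_CAPTURE[s] for s in rule["severities"]), key=CAPTURE_RANK.get)
        if CAPTURE_RANK[rule["capture"]] < CAPTURE_RANK[required]:
            findings.append(f"{rule['name']}: packet-capture '{rule['capture']}' is weaker "
                            f"than the recommended '{required}'")
    return findings


# Constructed sample profile in the assumed export layout. Two rules deviate on purpose:
# "medium-alert" blocks instead of alerting, and "low-info-default" has capture disabled.
SAMPLE_PROFILE = """
<entry name="initial-internet-gateway">
  <rules>
    <entry name="crit-high-block">
      <action><reset-both/></action>
      <severity><member>critical</member><member>high</member></severity>
      <category>any</category>
      <packet-capture>extended-capture</packet-capture>
    </entry>
    <entry name="medium-alert">
      <action><reset-both/></action>
      <severity><member>medium</member></severity>
      <category>any</category>
      <packet-capture>extended-capture</packet-capture>
    </entry>
    <entry name="brute-force-alert">
      <action><alert/></action>
      <severity><member>any</member></severity>
      <category>brute-force</category>
      <packet-capture>extended-capture</packet-capture>
    </entry>
    <entry name="low-info-default">
      <action><default/></action>
      <severity><member>low</member><member>informational</member></severity>
      <category>any</category>
      <packet-capture>disable</packet-capture>
    </entry>
  </rules>
</entry>
"""

if __name__ == "__main__":
    for line in check_profile(SAMPLE_PROFILE):
        print(line)
```

Run it against a profile meant for business-critical applications with `check_profile(xml, business_critical=True)`; the critical/high rule is then expected to alert, and a blocking action on it is reported as a deviation from the staged approach.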
When you have the initial profiles in place, monitor the Threat
logs for enough time to gain confidence you understand whether any
business-critical applications cause alerts or blocks. Create exceptions
(open a support ticket if necessary) in each profile as needed to
remediate any confirmed false positives before you implement full
best-practice Vulnerability Protection profiles for the internet gateway or for
the data center.
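The monitoring step above boils down to answering one question per alerting signature: which applications would be affected if this rule moved to block, and are any of them business-critical? The script below is an added example, not part of the original page or of Palo Alto Networks software. It reads a constructed, simplified CSV threat-log extract (the column names are an assumption for the example, not the firewall's real export layout), counts alert-action events per application and threat ID, and splits the result into entries that need review for an exception (business-critical application) and entries that are ready to move to a block action. The sample log lines, threat IDs, threat names and the `BUSINESS_CRITICAL_APPS` set are all constructed.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed log extract: a simplified column layout for this example only.
SAMPLE_THREAT_LOG = """\
time,severity,threatid,threat_name,app,src,dst,action
2024-05-01T10:00:01,medium,90001,Constructed Example Signature A,web-browsing,10.1.1.5,203.0.113.9,alert
2024-05-01T10:00:07,medium,90001,Constructed Example Signature A,ms-sql-db,10.1.2.8,10.2.0.4,alert
2024-05-01T10:00:09,medium,90001,Constructed Example Signature A,ms-sql-db,10.1.2.9,10.2.0.4,alert
2024-05-01T10:01:14,critical,90002,Constructed Example Signature B,web-browsing,198.51.100.7,10.1.1.5,reset-both
2024-05-01T10:02:30,medium,90001,Constructed Example Signature A,ms-sql-db,10.1.2.8,10.2.0.4,alert
2024-05-01T10:03:02,high,90003,Constructed Example Signature C,ms-sql-db,10.1.2.8,10.2.0.4,alert
2024-05-01T10:03:40,medium,90001,Constructed Example Signature A,web-browsing,10.1.1.6,203.0.113.9,alert
"""

# Applications whose availability must not be put at risk by a premature block (constructed list).
BUSINESS_CRITICAL_APPS = {"ms-sql-db", "sap"}


def summarize_alerts(log_text):
    """Count alert-action events per (app, threatid); blocked events are already handled."""
    counts = Counter()
    details = {}
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "alert":
            continue
        key = (row["app"], row["threatid"])
        counts[key] += 1
        details[key] = (row["severity"], row["threat_name"])
    return counts, details


def triage(log_text, business_critical_apps):
    """Split alerting (app, signature) pairs into exception candidates and block candidates."""
    counts, details = summarize_alerts(log_text)
    review, ready = [], []
    for (app, tid), n in counts.most_common():
        severity, name = details[(app, tid)]
        item = {"app": app, "threatid": tid, "severity": severity,
                "threat_name": name, "count": n}
        # Business-critical apps need a human to confirm a false positive before any block;
        # everything else can move to the best practice block action.
        (review if app in business_critical_apps else ready).append(item)
    return {"review_for_exception": review, "move_to_block": ready}


if __name__ == "__main__":
    result = triage(SAMPLE_THREAT_LOG, BUSINESS_CRITICAL_APPS)
    for bucket, items in result.items():
        print(bucket)
        for item in items:
            print(f"  {item['app']:<14} {item['threatid']}  {item['severity']:<8} "
                  f"x{item['count']}  {item['threat_name']}")
```

The "review_for_exception" bucket is the list to work through (and, where a signature is a confirmed false positive, the basis for a threat exception or a support ticket) before the profile moves to its blocking state; keep that review window short, as the page advises.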