Transition Vulnerability Protection Profiles Safely to Best Practices

Apply Vulnerability Protection profiles to allow rules to protect against malware exploits and vulnerabilities without risking application availability.
The decision to block or alert on traffic when you first apply Vulnerability Protection profiles to traffic depends on your current security posture and your business requirements regarding security vs. availability. Use the following guidance to help determine whether to start with block or alert actions as you begin the transition to best practice Vulnerability Protection profiles.
Vulnerability Protection requires a Threat Prevention subscription.
  • False positive rates for critical and high severity signatures are typically low and usually indicate an attack against a vulnerability that doesn’t exist on your network. For applications that aren’t critical to your business, such as internet access, block critical and high severity signatures from the start.
  • Medium severity signatures may generate false positives and require initial monitoring. Start by alerting on medium severity signatures and monitor the Threat logs (Monitor > Logs > Threat) to see if you can block applications for which you receive alerts or if you need to allow them.
  • Set signatures in the brute-force category initially to alert and then fine-tune them to your environment before transitioning to blocking them.
  • The default action for most low and informational severity signatures is alert or allow. Unless you have a specific need to alert on all low and informational signatures, use the default action for them from the start.
  • For business-critical applications, it’s usually best to set the initial action to alert to ensure application availability. However, in some situations you can use the block action from the start. For example, when you’re already protecting similar applications with a Vulnerability Protection profile that blocks on vulnerability signatures, and you’re confident the profile meets your business and security needs, you can use a similar profile to block vulnerabilities and protect the similar applications.
    The alert action enables you to analyze Threat logs and create exceptions when necessary before moving to a block action. Alerting and monitoring before moving to blocking gives you confidence the profile won’t block business-critical applications when you deploy the initial profile and that you’ll maintain application availability by creating necessary exceptions as you transition to the best practice blocking state. Keep the length of time you maintain the initial alert action to a minimum to reduce the chance of a security breach. Transition to the best practice state as soon as you’re comfortable you’ve identified any exceptions you need to make and configure the profile accordingly.
Enable extended packet capture for critical, high, and medium severity signatures. Enable single packet capture for low and informational severity signatures. Enabling packet capture allows you to investigate events in greater detail if necessary. As you move to best practice profiles, if informational events create too much packet capture activity (too large a volume of traffic) and the information isn’t particularly useful, you can transition to disabling packet capture on informational events.
When you have the initial profiles in place, monitor the Threat logs for enough time to gain confidence you understand whether any business-critical applications cause alerts or blocks. Create exceptions (open a support ticket if necessary) in each profile as needed to remediate any confirmed false positives before you implement full best-practice Vulnerability Protection profiles for the internet gateway or for the data center.
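The following is an added example, not part of this documentation, that encodes the transition guidance above in code: it returns the initial action and packet-capture setting per severity (brute-force signatures start at alert), then triages constructed alert-mode Threat log records to decide which signatures can move to block and which need an exception review first. The key=value record layout and the application names in `BUSINESS_CRITICAL_APPS` are assumptions for the example, not the real PAN-OS log schema.

```python
from collections import Counter

# Initial per-severity action while transitioning: critical/high block from
# the start, medium alert and monitor, low/informational keep the default.
INITIAL_ACTION = {
    "critical": "block", "high": "block", "medium": "alert",
    "low": "default", "informational": "default",
}
# Packet capture: extended for critical/high/medium, single for low/informational.
PACKET_CAPTURE = {
    "critical": "extended", "high": "extended", "medium": "extended",
    "low": "single", "informational": "single",
}
# Assumed application names for this example only.
BUSINESS_CRITICAL_APPS = {"erp-sync", "mssql-db"}


def initial_settings(severity, category="any"):
    """Return (action, packet_capture) for a signature during the transition.
    Brute-force signatures start at alert regardless of severity."""
    action = "alert" if category == "brute-force" else INITIAL_ACTION[severity]
    return action, PACKET_CAPTURE[severity]


def triage(log_lines):
    """Group alert-action Threat log hits by (threat, severity, app) and
    recommend the next step for each. Only alert hits are considered, because
    those are the signatures still waiting to move to block."""
    hits = Counter()
    for line in log_lines:
        rec = dict(kv.split("=", 1) for kv in line.strip().split(","))
        if rec["action"] == "alert":
            hits[(rec["threat"], rec["severity"], rec["app"])] += 1
    recommendations = {}
    for (threat, severity, app), count in hits.items():
        if app in BUSINESS_CRITICAL_APPS:
            step = "review: confirm false positive and add an exception before blocking"
        elif severity in ("critical", "high", "medium"):
            step = "candidate to move to block"
        else:
            step = "keep default action"
        recommendations[(threat, app)] = (count, step)
    return recommendations


# Constructed sample records (not real PAN-OS log output).
SAMPLE_LOGS = [
    "severity=medium,threat=Example Medium Sig(9001),app=web-browsing,action=alert",
    "severity=medium,threat=Example Medium Sig(9001),app=web-browsing,action=alert",
    "severity=medium,threat=Example Medium Sig(9002),app=erp-sync,action=alert",
    "severity=high,threat=Example High Sig(9003),app=web-browsing,action=reset-both",
    "severity=low,threat=Example Low Sig(9004),app=ssl,action=alert",
]
```

Run `triage(SAMPLE_LOGS)` to see that the medium-severity hit on the business-critical app is routed to exception review, while the same severity on web-browsing is flagged as ready to block.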