Transition Safely to Best Practice Security Profiles

Apply Security profiles to allow rules to protect against malicious traffic without risking application availability.

Security profiles enable you to inspect network traffic for threats such as vulnerability exploits, malware, command-and-control (C2) communication, and unknown threats, and to prevent them from compromising your network. Profiles detect threats using threat signatures, machine learning, and AI (some protections require a subscription).
The end goal is to reach a best practice state for all of your Security profiles. However, to ensure the availability of business-critical applications, it might not be feasible to implement a full best practice Security profile configuration from the start. In most cases, you can safely block some signatures, file types, or protocols while alerting on others until you gain the information and confidence to finish a safe transition to best practice Security profiles without affecting availability.
The path to implementing best practice Security profiles is:

Use the following safe transition steps to move toward the best practice state for your Security profiles.
Ask yourself the following questions to help determine the right approach to enabling Security profiles for a given network segment or set of Security policy rules:

Do I already have Security profiles enabled on rules that protect similar applications or network segments? If the answer is yes, you might be able to duplicate those profile settings, including block actions you already deem safe to enable.

Is the network segment I’m protecting critical for my business? If the answer is yes and you don’t have proven profiles enabled in similar segments, you might prefer to alert first, examine the traffic that causes the alerts to ensure the profile doesn't block critical applications, and then block when you're comfortable.

Am I deploying Security profiles to counter an immediate threat? If the answer is yes, you might want to block as the initial action instead of alerting.

Is there a firewall change process in place that allows investigation and remediation of false positives in a timely manner? If the answer is yes, you might be able to block as the initial action instead of alerting.

The majority of “false positives” are attempted attacks against a vulnerability that doesn’t exist in your network. The attack is real, but the danger is not, because the vulnerability isn’t present, so the attack is often seen as a false positive. Brute-force attack signatures can also cause false positives if you set the attack threshold too low.

Consider your current security posture in combination with the guidance for each type of Security profile to decide how to deploy the profiles initially, and then move to the best practice guidance.
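As an added example (not part of the PAN-OS documentation), the following Python script shows the alert-then-block review in code: it groups alert-mode threat events by threat ID and flags any that matched an application you list as business critical, so those get investigated before the signature is switched to block. The records are constructed and simplified; they do not follow the exact PAN-OS threat log field layout, and the critical-application list is an assumption you would replace with your own.

```python
"""Review alert-mode threat events before switching signatures to block.

Added example, not from the PAN-OS documentation. Records are constructed,
simplified dictionaries rather than the exact PAN-OS threat log field layout.
"""
from collections import defaultdict

# Constructed sample threat events. "action" is the profile action that fired.
SAMPLE_RECORDS = [
    {"threatid": "1001", "severity": "critical", "app": "web-browsing", "rule": "dmz-web", "action": "alert"},
    {"threatid": "1001", "severity": "critical", "app": "web-browsing", "rule": "dmz-web", "action": "alert"},
    {"threatid": "2002", "severity": "high", "app": "sap", "rule": "erp-core", "action": "alert"},
    {"threatid": "3003", "severity": "medium", "app": "ssl", "rule": "dmz-web", "action": "block"},
    {"threatid": "2002", "severity": "high", "app": "sap", "rule": "erp-core", "action": "alert"},
]

# Assumed list of business-critical applications (replace with your own).
CRITICAL_APPS = ["sap"]


def review_alerts(records, critical_apps):
    """Group alert-mode threat events by threat ID and classify each ID.

    Returns a dict keyed by threat ID. A threat ID is recommended for "block"
    when none of its alerts matched a business-critical application; if any
    did, it is marked "investigate" so the traffic is examined first, as the
    guidance above describes. Events already set to block are skipped.
    """
    per_threat = defaultdict(lambda: {"count": 0, "apps": set(), "rules": set()})
    for rec in records:
        if rec.get("action") != "alert":
            continue  # already blocking, or not a profile alert
        entry = per_threat[rec["threatid"]]
        entry["count"] += 1
        entry["apps"].add(rec["app"])
        entry["rules"].add(rec["rule"])

    summary = {}
    for tid, entry in per_threat.items():
        critical_hit = sorted(entry["apps"] & set(critical_apps))
        summary[tid] = {
            "count": entry["count"],
            "apps": sorted(entry["apps"]),
            "rules": sorted(entry["rules"]),
            "critical_apps_hit": critical_hit,
            "recommendation": "investigate" if critical_hit else "block",
        }
    return summary


if __name__ == "__main__":
    for tid, info in review_alerts(SAMPLE_RECORDS, CRITICAL_APPS).items():
        print(tid, info["recommendation"], info)
```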