Attack signature updates.
Can anyone confirm best practices for Attack Signature updates? I would like to know, when working with a production environment, if it would be safer to implement the layout stated below as opposed to just importing it into production. The retailer that I am doing this work for has fears that it may block traffic after the signature update. Does anyone have insight into this?
• Export Attack Signature Policy from production
• Import production Attack Signature Policy into TEST environment
• Update Attack Signatures in TEST
• Clear Traffic Learnings in TEST
• Evaluate and Modify Attack Signatures if site functionality is impaired (Disablement method based on severity of attack signature type)
• Export Attack Signature Policy from TEST
• Update Attack Signatures in PROD
• Import TEST Attack Signature Policy into PROD
This seems to be the least risky way to do this, though in my opinion, with the updates being so frequent, I can't see this being rational in order to maintain the updates every six weeks.