Forum Discussion
Best practices for attack signature update/maintenance on ASM
We are looking for suggestions regarding best practices for attack signature update/maintenance on ASM in a university environment. We would like to have input on the following questions:
- How often should the attack signatures be updated?
- Is it a best practice to move updated attack signatures from blocking to staging state, or to leave the signatures in blocking state while applying the updates?
- We have similar policies on ASM for the QA and prod environments. Could we first apply the attack signature updates to only the QA environment policy and test before pushing the updates to the production environment?
19 Replies
- Thomas_Gobet
Nimbostratus
Hi,
  - Attack signatures should be updated as often as you can. You won't need to apply each version; it will depend on what you have to protect.
  - Again, it depends on which security management you apply. To avoid some false positives, you have to change blocking signatures to staging mode. I usually do that; you'll avoid being woken up at 3am for "nothing".
  - Yes, you can do that. Each ASM policy is isolated from others. So on your QA policy, you can update a policy whereas on your prod one you don't apply the update.
- Rajit_171155
Nimbostratus
Thank you for your response. I was wondering if there is any document that suggests the step-by-step process to push the attack signature updates per policy. We do not want to apply the attack signature updates globally. Thank you again!
- dennypayne
Employee
Actually I don't think 3 is possible on the same device. Attack signature updates are global and there doesn't appear to be any way to update them on a per-policy basis (at least not as of 11.5.1).
- nathe
Cirrocumulus
I agree with Denny on that. Once you apply signatures, after the enforcement period is over you'll get a suggestion to Enforce Signatures on each policy in the Policies Summary screen.
- Thomas_Gobet_91
Cirrostratus
I think there isn't any step-by-step documentation to do that by policy.
What you have is the updating process by platform.
The only thing which is different is that you have to manually update your policy with only what you want to activate. One problem would be on modification during your QA tests.
If you want to modify your prod policy, it will load changes from your attack signatures update.
- Rajit_171155
Nimbostratus
I would appreciate it if you could elaborate more on how to update the policy manually. We have two exactly similar policies, one for the QA environment and one for Prod. Once I update the attack signature (security>options>attack signature update), how can I push the updates to the policies? I am not able to find any options in the menu to apply the attack signature updates to an individual policy. Running code 11.2 and 11.5.1.
- nathe
Cirrocumulus
You won't; all policies will be updated. Once the staging period is over (enforcement readiness), you'll see that you can enforce those attack signatures on each policy. See the Overview - Application - Action Items screen.
- xunil321_122934
Nimbostratus
Sorry for my ignorance! Let's say the 'Generic Detection Signature' set released on the 1st of Nov is assigned to my policy app_test. Once I update the Attack Signature on the 1st of Dec, does this mean that the former 'Generic Detection Signature' set will be overwritten by the new one automatically?
