McAfee M4050 Troubleshooting Guide - Page 43



CHAPTER 5

Determining False Positives

This section lists methods for determining and reducing false positives.

Reducing false positives

Your policy determines what traffic analysis your McAfee® Network Security Sensor (Sensor) will perform. McAfee® Network Security Platform provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed in the Threat Analyzer to those which are valid and useful for your analysis.

There are two stages to this process: initial policy configuration and policy tuning. Though these are tedious tasks, McAfee has extended its blocking options to include SmartBlocking, which activates blocking only when high-confidence signatures are matched, thus minimizing the possibility of false positives. Network Security Platform is replacing its present Recommended for Blocking (RFB) designation with Recommended for SmartBlocking (RFSB), because this new level of granularity enables McAfee to recommend many more attacks; the list of RFB attacks is a subset of the list of RFSB attacks.

The ultimate goal of policy tuning is to eliminate false positives and noise, and to avoid overwhelming quantities of legitimate but anticipated alerts.

Tune your policies

The default McAfee Network Security Platform policy templates are provided as a generic starting point; you will want to customize one of these policies for your needs. So the first step in tuning is to clone the most appropriate policy for your network and your goals, and then customize it. (You can also modify a policy directly rather than modifying a copy.) This process is involved, and is discussed in the IPS Configuration Guide.

Some things to remember when tuning your policies:

• We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper Network Security Platform implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks. Once properly tuned, however, they can be reduced to a rare occurrence.

• When initially deployed, Network Security Platform frequently exposes unexpected conditions in the existing network and application configuration. What may at first seem like a false positive might actually be the manifestation of a misconfigured router or Web application, for example.

• Before you begin, be aware of the network topology and the hosts in your network, so you can enable the policy to detect the correct set of attacks for your environment.
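As a concrete way to approach the triage this section describes, the following is an added Python example; it is not McAfee Network Security Platform code and does not use the product's alert export format. It groups constructed alert records by attack name and flags attacks whose hits come overwhelmingly from a single internal source as tuning candidates (the pattern a misconfigured router or Web application produces), while attacks spread across several external sources are kept for investigation. The Alert record layout, the internal address ranges, the sample data and the thresholds are all assumptions made for the example.

```python
"""Rank IPS alerts to find tuning candidates (noise / likely false positives).

Added example, not McAfee Network Security Platform code; the alert records
and their layout are constructed here for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space; adjust to your own topology.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    attack: str   # signature / attack name as shown in the alert list
    src: str      # source IP
    dst: str      # destination IP
    count: int    # times this src->dst pair raised the attack


# Constructed sample data: one week of aggregated alerts (hypothetical).
SAMPLE_ALERTS = [
    # Internal monitoring server hammering one web host with long URIs.
    Alert("HTTP: Long URI", "10.0.5.20", "10.0.9.7", 500),
    Alert("HTTP: Long URI", "203.0.113.5", "10.0.9.7", 3),
    # Several external hosts guessing SSH passwords on one server.
    Alert("SSH: Brute Force", "198.51.100.7", "10.0.9.22", 40),
    Alert("SSH: Brute Force", "198.51.100.8", "10.0.9.22", 35),
    Alert("SSH: Brute Force", "198.51.100.9", "10.0.9.22", 30),
    # A router polling a management host with a default SNMP community.
    Alert("SNMP: Default Community", "10.0.1.1", "10.0.2.50", 300),
    # Too few hits to draw a statistical conclusion.
    Alert("SMB: Null Session", "10.0.7.3", "10.0.7.4", 5),
]


def is_internal(ip: str) -> bool:
    """True if ip falls in the assumed internal address space."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(alerts, dominance=0.8, min_count=20):
    """Return {attack: summary}; summary['verdict'] is one of:

    'review'         - fewer than min_count hits; look at each alert by hand
    'tune-candidate' - one internal source produced >= dominance of the hits;
                       check that host (misconfiguration or expected traffic)
                       before exempting it in the policy
    'investigate'    - hits are spread over sources or come from outside;
                       treat as a possible real attack
    """
    by_attack = defaultdict(Counter)
    for a in alerts:
        by_attack[a.attack][a.src] += a.count

    report = {}
    for attack, per_src in by_attack.items():
        total = sum(per_src.values())
        top_src, top_hits = per_src.most_common(1)[0]
        share = top_hits / total
        if total < min_count:
            verdict = "review"
        elif share >= dominance and is_internal(top_src):
            verdict = "tune-candidate"
        else:
            verdict = "investigate"
        report[attack] = {
            "total": total,
            "sources": len(per_src),
            "top_source": top_src,
            "top_share": round(share, 3),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for attack, s in sorted(triage(SAMPLE_ALERTS).items(),
                            key=lambda kv: -kv[1]["total"]):
        print(f"{s['verdict']:15} {attack:26} hits={s['total']:4} "
              f"top={s['top_source']} ({s['top_share']:.0%})")
```

A "tune-candidate" verdict is a pointer, not a conclusion: as the section warns, the dominant internal source may be a misconfigured router or application rather than benign noise, so confirm what that host is doing before adding an exception to the cloned policy.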