Forum Discussion

Rajit_171155
Sep 22, 2014

Best practices for attack signature update/maintenance on ASM

We are looking for suggestions regarding best practices for attack signature update/maintenance on ASM in a university environment. We would like input on the following questions:

  1. How often should the attack signatures be updated?
  2. Is it a best practice to move updated attack signatures from blocking to staging state, or to leave the signatures in blocking state while applying the updates?
  3. We have similar policies on ASM for the QA and prod environments. Could we first apply the attack signature updates only to the QA environment policy and test before pushing the updates to the production environment?

19 Replies

  • Hi,

    1. Attack signatures should be updated as often as you can. You won't need to apply each version; it will depend on what you have to protect.

    2. Again, it depends on which security management you apply. To avoid some false positives, you have to change blocking signatures to staging mode. I usually do that; you'll avoid being woken up at 3am for "nothing".

    3. Yes, you can do that. Each ASM policy is isolated from the others. So on your QA policy you can update the policy, whereas on your prod one you don't apply the update.
    • Rajit_171155
      Thank you for your response. I was wondering if there is any document that suggests the step-by-step process to push the attack signature updates per policy. We do not want to apply the attack signature updates globally. Thank you again!
    • dennypayne
      Actually I don't think 3 is possible on the same device. Attack signature updates are global and there doesn't appear to be any way to update them on a per policy basis (at least not as of 11.5.1).
    • nathe
      I agree with Denny on that. Once you apply signatures, after the enforcement period is over you'll get a suggestion to Enforce Signatures on each policy in the Policies Summary screen.
  • I think there isn't any step-by-step documentation to do that per policy.

    What you have is the updating process per platform.

    The only thing that is different is that you have to update your policy manually with only what you want to activate. One problem would be modifications during your QA tests.

    If you want to modify your prod policy, it will load changes from your attack signature update.
    • Rajit_171155
      I would appreciate it if you could elaborate more on how to update the policy manually. We have two exactly similar policies, one for the QA environment and one for Prod. Once I update the attack signatures (Security > Options > Attack Signature Update), how can I push the updates to the policies? I am not able to find any option in the menu to apply the attack signature updates to an individual policy. Running code 11.2 and 11.5.1.
    • nathe
      You won't; all policies will be updated. Once the staging period is over (enforcement readiness) you'll see that you can enforce those attack signatures on each policy. See the Overview - Application - Action Items screen.
    • xunil321_122934
      Sorry for my ignorance! Let's say the 'Generic Detection Signature' set released 1st of Nov is assigned to my policy app_test. Once I update the Attack Signature on 1st of Dec does this mean that the former 'Generic Detection Signature' set will be overwritten by the new one automatically?
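As an added illustration (not code from the thread or from F5), the per-policy decision nathe describes, modelled in Python over constructed data: after a global signature update every policy sees the new signatures in staging, and each policy then separately decides which ones are ready to enforce, which matched live traffic during staging and need review first, and which are still inside the staging period. The STAGING_DAYS value, the signature ids and the hit counts are assumptions.

```python
from datetime import date, timedelta

# Constructed sample: per-policy view of signatures after one global update.
# A signature is "staging" or "blocking"; staging entries carry the date they
# were staged and how many requests matched them while in staging.
STAGING_DAYS = 7  # assumed enforcement-readiness period; use your policy's value

POLICIES = {
    "app_qa": [
        {"id": 200000001, "state": "staging", "staged_on": date(2014, 9, 1), "hits": 0},
        {"id": 200000002, "state": "staging", "staged_on": date(2014, 9, 1), "hits": 14},
        {"id": 200000003, "state": "staging", "staged_on": date(2014, 9, 20), "hits": 0},
        {"id": 200000004, "state": "blocking", "staged_on": None, "hits": 0},
    ],
    "app_prod": [
        {"id": 200000001, "state": "staging", "staged_on": date(2014, 9, 1), "hits": 3},
        {"id": 200000004, "state": "blocking", "staged_on": None, "hits": 0},
    ],
}


def enforcement_report(policies, today, staging_days=STAGING_DAYS):
    """Bucket each policy's staged signatures: ready (staging period elapsed,
    no matches on live traffic), review (period elapsed but the signature
    matched traffic, a likely false positive), or staging (period not over)."""
    report = {}
    for name, sigs in policies.items():
        ready, review, staging = [], [], []
        for sig in sigs:
            if sig["state"] != "staging":
                continue  # already enforced; nothing to decide for this one
            elapsed = today - sig["staged_on"] >= timedelta(days=staging_days)
            if not elapsed:
                staging.append(sig["id"])
            elif sig["hits"]:
                review.append(sig["id"])
            else:
                ready.append(sig["id"])
        report[name] = {"ready": ready, "review": review, "staging": staging}
    return report


if __name__ == "__main__":
    for policy, buckets in enforcement_report(POLICIES, date(2014, 9, 22)).items():
        print(policy, buckets)
```

The same signature (200000001 above) can be ready in one policy and need review in another, which is the per-policy enforcement step the thread arrives at.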