Imperva Cyber Community


Tuning Security Policies

  • 1.  Tuning Security Policies

    Posted 02-18-2020 12:53

    Hello,

    Looking for some tips and tricks with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

    What are some best practices with tuning the policies? Wondering how others have had success?

    One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

    Policy enabled: Recommended Signature Policy for Database Applications 

    Thanks!


    #DatabaseActivityMonitoring

    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    ------------------------------


  • 2.  RE: Tuning Security Policies

    Community Manager
    Posted 02-19-2020 12:34
    @Jason Park, @Robert Miller, @Sabajete Elezaj, @Alex Aguilas, @Mayuranathan Palanichamy, @rakesh ch, @Martin Schmitz any thoughts on Alex's question?

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: Tuning Security Policies

    Imperva Employee
    Posted 02-20-2020 20:36
    Hello Alex,

    What are the most common alerts you're trying to triage?
    Are they related to an MSSQL service?

    Can you list a few examples you're facing?

    Thanks,
    p.

    ------------------------------
    Pal Balint
    ------------------------------



  • 4.  RE: Tuning Security Policies

    Posted 02-25-2020 11:54

    Hey Pal,

    Focusing on the example in my original post. Our DBAs are using a tool called 'Redgate SQL Monitor' within our MSSQL environment.

    This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application?

    I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.



    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    WI
    ------------------------------



  • 5.  RE: Tuning Security Policies
    Best Answer

    Imperva Employee
    Posted 30 days ago
    Hi Alex,

    In this case, I recommend clicking Add as exception and then modifying the exception to be more "wide/loose" based on your preference.

    In the screenshot posted above, the exception will be added to the "Recommended Policy for Database Applications - Legacy".

    After the exception has been added, click the "Recommended Policy for Database Applications - Legacy" link (as a shortcut) to access this policy directly, and then select the Exceptions tab.

    From here, you will be able to make adjustments to the policy exception as you see fit to be more inclusive or exclusive based on specific criteria.

    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------



  • 6.  RE: Tuning Security Policies

    Posted 30 days ago

    Hey Jaired,

    Thanks for this information! I see now where I can expand the criteria for the exception.

    Is there a way to add further exception criteria to that area, such as a lookup data set?

    Appreciate the help!



    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    WI
    ------------------------------



  • 7.  RE: Tuning Security Policies

    Imperva Employee
    Posted 29 days ago
    Hi Alex,

    Unfortunately not.

    The available predicates will vary according to the type of policy that has been triggered, but even with those variations I have never seen a lookup data set available for use within an exception.

    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------



  • 8.  RE: Tuning Security Policies

    Posted 26 days ago

    One last question...

    I am trying to use this full query field to add an exception to this monitoring software. All of the queries have a similar object name showing up throughout all of the operations: "##redgate_sqlmonitor_querywaitstats"


    Example query selection:

    --RedGateIgnore RedGateNoLog..SET NOCOUNT ON;....IF OBJECT_ID(N'tempdb..[##redgate_sqlmonitor_querywaitstats_SERVER1_SERVER2.(local)]').....

    Are wildcards an option in the 'Full Query' exception area, or can you think of any other way I could match this?



    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    WI
    ------------------------------
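Added example, not from the thread or from Imperva: an offline triage script over constructed violation records that applies the two markers Alex describes (the `--RedGateIgnore RedGateNoLog` banner and the `##redgate_sqlmonitor_querywaitstats` object name) together with the source host, to separate monitoring-tool noise from alerts that still need review before a bulk exception is written. Whether the product's Full Query exception field accepts wildcards is not answered on the page; the regexes here only show what such a match would need to cover. The source address and all records are assumed sample values.

```python
import re

# Constructed sample violations modelled on the thread: one SQL-monitoring
# host generating 'SQL Injection' alerts on every server. Values are invented.
MONITOR_SOURCE = "10.0.0.50"   # assumed address of the Redgate SQL Monitor host
VIOLATIONS = [
    {"src": "10.0.0.50", "db": "SERVER1", "alert": "SQL Injection",
     "query": "--RedGateIgnore RedGateNoLog\nSET NOCOUNT ON;\n"
              "IF OBJECT_ID(N'tempdb..[##redgate_sqlmonitor_querywaitstats_"
              "SERVER1_SERVER2.(local)]') IS NOT NULL SELECT 1"},
    {"src": "10.0.0.50", "db": "SERVER2", "alert": "SQL Injection",
     "query": "--RedGateIgnore RedGateNoLog\nSELECT * FROM sys.dm_os_wait_stats"},
    # Same host, but no monitor marker: must stay in the review pile.
    {"src": "10.0.0.50", "db": "SERVER1", "alert": "SQL Injection",
     "query": "SELECT name FROM users WHERE id = 1 OR 1=1"},
    # Marker present but from a different host: a string alone is not trusted.
    {"src": "192.168.5.7", "db": "SERVER1", "alert": "SQL Injection",
     "query": "SET NOCOUNT ON; SELECT 1 -- ##redgate_sqlmonitor_querywaitstats"},
]

# The comment banner at the start of each statement, and the
# ##redgate_sqlmonitor_* temp-table name with its per-server suffix.
BANNER = re.compile(r"^\s*--RedGateIgnore\s+RedGateNoLog\b", re.IGNORECASE)
OBJECT = re.compile(r"##redgate_sqlmonitor_querywaitstats_[\w.()]+", re.IGNORECASE)


def is_monitor_noise(v: dict, monitor_src: str = MONITOR_SOURCE) -> bool:
    """True only when the source host AND the query content both match."""
    if v["src"] != monitor_src:
        return False
    q = v["query"]
    return bool(BANNER.search(q) or OBJECT.search(q))


def triage(violations):
    """Split records into (noise, keep); 'keep' still needs analyst review."""
    noise = [v for v in violations if is_monitor_noise(v)]
    keep = [v for v in violations if not is_monitor_noise(v)]
    return noise, keep


def exception_scope(noise):
    """Distinct (source, database) pairs an exception would need to cover."""
    return sorted({(v["src"], v["db"]) for v in noise})


if __name__ == "__main__":
    noise, keep = triage(VIOLATIONS)
    print(f"noise={len(noise)} keep={len(keep)} scope={exception_scope(noise)}")
```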



  • 9.  RE: Tuning Security Policies

    Community Manager
    Posted 29 days ago
    @Alex Kasprzak Thanks for making this the best answer. This helps the community go directly to the answer when they need it.



    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------