Imperva Cyber Community

Tuning Security Policies

  • 1.  Tuning Security Policies

    Posted 02-18-2020 12:53

    Hello,

    Looking for some tips and tricks with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

    What are some best practices with tuning the policies? Wondering how others have had success?

    One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

    Policy enabled: Recommended Signature Policy for Database Applications 

    Thanks!


    #DatabaseActivityMonitoring

    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    ------------------------------


  • 2.  RE: Tuning Security Policies

    Community Manager
    Posted 02-19-2020 12:34
    @Jason Park, @Robert Miller, @Sabajete Elezaj, @Alex Aguilas, @Mayuranathan Palanichamy, @rakesh ch, @Martin Schmitz any thoughts on Alex's question?

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: Tuning Security Policies

    Imperva Employee
    Posted 02-20-2020 20:36
    Hello Alex,

    What are the most common alerts you're trying to triage?
    Are they related to a MSSQL service?

    Can you list a few examples you're facing?

    Thanks,
    p.

    ------------------------------
    Pal Balint
    ------------------------------



  • 4.  RE: Tuning Security Policies

    Posted 02-25-2020 11:54

    Hey Pal,

    Focusing on the example in my original post. Our DBAs are using a tool called 'Redgate SQL monitor' within our MSSQL environment.

    This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application?

    I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.



    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    WI
    ------------------------------



  • 5.  RE: Tuning Security Policies

    Imperva Employee
    Posted 02-26-2020 20:49
    Hi Alex,

    In this case, I recommend clicking Add as exception and then modifying the exception to be more "wide/loose" based on your preference.

    In the screenshot posted above, the exception will be added to the "Recommended Policy for Database Applications - Legacy"

    After the exception has been added, click the "Recommended Policy for Database Applications - Legacy" link (as a shortcut) to access this policy directly, and then select the Exceptions tab.

    From here, you will be able to make adjustments to the policy exception as you see fit to be more inclusive or exclusive based on specific criteria.

    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------



  • 6.  RE: Tuning Security Policies

    Posted 02-27-2020 11:30

    Hey Jaired,

    Thanks for this information! I see now where I can expand the criteria for the exception.

    Is there a way to add further exception criteria to that area, such as a lookup data set?

    Appreciate the help!



    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    WI
    ------------------------------



  • 7.  RE: Tuning Security Policies

    Imperva Employee
    Posted 02-28-2020 10:22
    Hi Alex,

    Unfortunately not.

    The available predicates will vary according to the type of policy that has been triggered, but even with those variations I have never seen a lookup data set available for use within an exception.

    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------



  • 8.  RE: Tuning Security Policies

    Posted 03-02-2020 10:05

    One last question...

    I am trying to use this full query field to add an exception to this monitoring software. All of the queries have a similar object naming showing up throughout all of the operations. "##redgate_sqlmonitor_querywaitstats"


    Example query selection:

    --RedGateIgnore RedGateNoLog..SET NOCOUNT ON;....IF OBJECT_ID(N'tempdb..[##redgate_sqlmonitor_querywaitstats_SERVER1_SERVER2.(local)]').....

    Are wildcards an option in the 'Full Query' exception area, or can you think of any other way I could match this?



    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    WI
    ------------------------------



  • 9.  RE: Tuning Security Policies

    Community Manager
    Posted 02-28-2020 12:00
    @Alex Kasprzak Thanks for making this the best answer. This helps the community go directly to the answer when they need it.



    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 10.  RE: Tuning Security Policies
    Best Answer

    Posted 04-09-2020 08:23

    Just wanted to update my post here.

    - You cannot use a wildcard in the full query area to match what you're looking for
    - You cannot add any other match criteria into the exceptions

    The default security policies are limited in this manner. I finally found success by reaching out to support. We were able to exclude this traffic by removing the signature from the default policy, and building a custom policy for that specific signature WHILE excluding the specific 'Source Application'. In this case, Redgate SQL Monitor source app was "sql monitor - monitoring"

    Support states that this was something they have had to do for other customers. Might be helpful for the community to write up an article on something like this. It required a bit more work, custom dictionary, few other steps.

    Either way thanks for all the answers. I will definitely be using this method to further reduce false positive alerts in bulk.



    ------------------------------
    Alex Kasprzak
    Brookdale Senior Living
    WI
    ------------------------------
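
A check worth running before excluding a whole 'Source Application', as described in the best answer (an added example, not part of the thread and not Imperva tooling): the application name is supplied by the client in its connection, so the script confirms that alerts carrying that name really look like the monitoring tool and come from the expected host. The CSV column layout, the IP addresses and the sample rows are constructed assumptions; only the source application name and the two query markers are taken from the posts above.

```python
import csv
import io
import re
from collections import Counter

SOURCE_APP = "sql monitor - monitoring"   # source application named in the thread
# Strings the thread reports in the monitoring tool's queries.
MARKER = re.compile(r"--RedGateIgnore|##redgate_sqlmonitor_querywaitstats", re.I)

# Constructed sample export; the column names are an assumed layout.
SAMPLE = """source_app,source_ip,alert,query
sql monitor - monitoring,10.0.0.5,SQL Injection,"--RedGateIgnore RedGateNoLog SET NOCOUNT ON; IF OBJECT_ID(N'tempdb..[##redgate_sqlmonitor_querywaitstats_SERVER1]') IS NULL"
sql monitor - monitoring,10.0.0.5,SQL Injection,"--RedGateIgnore RedGateNoLog SELECT wait_type FROM sys.dm_os_wait_stats"
sql monitor - monitoring,10.0.0.99,SQL Injection,"SELECT name FROM sys.sql_logins"
billing-web,10.0.0.7,SQL Injection,"SELECT id FROM invoices WHERE ref = '' OR 1=1"
"""

def review_exclusion(csv_text, source_app=SOURCE_APP, expected_ips=("10.0.0.5",)):
    """Summarise what excluding `source_app` would silence, and flag rows
    that carry the app name but do not look like the monitoring tool."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_app = Counter(r["source_app"].strip().lower() for r in rows)
    suspicious = []
    for r in rows:
        if r["source_app"].strip().lower() != source_app:
            continue
        reasons = []
        if not MARKER.search(r["query"]):
            reasons.append("query lacks monitoring marker")
        if r["source_ip"] not in expected_ips:
            reasons.append("unexpected source IP")
        if reasons:
            suspicious.append((r["source_ip"], r["query"], reasons))
    return {
        "total": len(rows),
        "silenced": by_app[source_app],
        "remaining": len(rows) - by_app[source_app],
        "suspicious": suspicious,
    }

if __name__ == "__main__":
    report = review_exclusion(SAMPLE)
    print(report["silenced"], "of", report["total"], "alerts would be silenced")
    for ip, query, reasons in report["suspicious"]:
        print("REVIEW", ip, ", ".join(reasons), "|", query[:60])
```

Any row listed under `suspicious` would stop alerting once the source application is excluded, so it should be explained before the custom policy goes live.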