topic IPS false positives/negative in Firewall and Security Management

IPS false positives/negative

praveshnayal — Thu, 03 Jun 2021 08:13:02 GMT

How can we prevent false positives and false negatives from occurring? We are usually creating exceptions but that is the reactive measure. Can anyone help me understand the preventive measure here?

What are the configuration and steps required here?

Thanks in advance 🙂

Re: IPS false positives/negative

kitetsu89 — Thu, 03 Jun 2021 10:31:17 GMT

This is the sad truth of all the wonderful Security Tooling we have: False Positives and False Negatives, due to the dynamic threat landscape, it is a continuous process of evaluating logs and act accordingly.

From my own experience: implement the best-practice policy (for CP is the Optimized) and use a period to monitor the alerts on a daily basis that are generated (Prevent and Detect) and use Exception as narrow as possible (specific scope and protections). After sometime the monitoring less false positives will occur. Also implement like a recurrent NGFW review to see which exceptions are not hit anymore.

Re: IPS false positives/negative

PhoneBoy — Thu, 03 Jun 2021 21:40:19 GMT

This is one of the goals of Infinity Threat Prevention (available from R81): threat prevention with minimal tuning required.
That said, false positives do occur and, unfortunately, have to be handled in a reactive manner.
False negatives generally mean existing protections and/or protection mechanisms need to be improved.
Appropriate segmentation and access policies go a long way here.