Creating Threat Prevention Policies

To access this page, click Configure>Threat Prevention > Policy.

You can create threat prevention policies from the policy page.

Note: If you are creating policies for the first time, you are given the option of setting up Policy Enforcer with Sky ATP or configuring Sky ATP alone. Clicking either button takes you to quick setup for your selection. See Comparing the SDSN and non-SDSN Configuration Steps for a configuration comparison.

Before You Begin

Determine the type of profile you will use for this policy; command & control server, infected hosts, malware. You can select one or more threat profiles in a policy. Note that you configure Geo IP policies separately. See Creating Geo IP Policies.
Determine what action to take if a threat is found.
Know what policy enforcement group you will add to this policy. To apply the policy, you must assign one or more policy enforcement groups. See the instructions for assigning groups to policies at the bottom of this page.
Once policies are configured with one more groups assigned, you can save a policy in draft form or update it. Policies changes do not go live until they have been updated.
If you are using Sky ATP without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take affect. See the instructions at the bottom of this page.

Procedure

To create a threat prevention policy:

Select Configure>Threat Prevention > Policy.
Click the + icon.
Complete the configuration by using the guidelines in theTable 165 below.
Click OK.

Table 203: Fields on the Threat Prevention Policy Page

Field	Description
Name	Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63-character maximum.
Description	Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.
Profiles
Command and Control Server	Select and choose settings for command and control servers. A C&C is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them. Botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack.
Include C& C profile in policy	Select the check box to include management for this threat type in the policy.
Threat Score	Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. Refer to the monitoring pages in the UI to investigate, located under Monitor > Threat Management.
Actions	If the threat score is high enough to cause a connection to be blocked, you have following configurable options: Drop connection silently (This is the default and recommended setting.) Close connection and do not send a message Close connection and redirect to URL—In the field provided, enter a URL to redirect users to when connections are dropped. Send custom message—In the field provided, enter a message to be shown to users when connections are dropped.
Infected Host	Infected hosts are systems for which there is a high confidence that attackers have gained unauthorized access. Infected hosts data feeds are listed with the IP address or IP subnet of the host, along with a threat score.
Include infected host profile in policy	Select the check box to include management for this threat type in the policy. Note: If you want to enforce an infected host policy within the network, you must include a switch in the site.
Actions	You have following options: Drop connection silently (This is the default and recommended setting.) Quarantine—In the field provided, enter a VLAN to which quarantined files are sent. (Note that the fallback option is to block and drop the connection silently.)
Malware (HTTP file download and SMTP File attachment)	Malware is files that are downloaded by hosts or received as email attachments and found to be suspicious based on known signatures, URLs. or other heuristics.
Include malware profile in policy	Select the check box to include management for this threat type in the policy.
HTTP file download	Turn this feature on to scan files downloaded over HTTP and then select a file scanning device profile already configured through Sky ATP.
Scan HTTPS	Turn this feature to scan encrypted files downloaded over HTTPS.
Device Profile	Select a Sky ATP device profile. This is configured through Sky ATP. Sky ATP profiles let you define which files to send to the cloud for inspection. You can group types of files to be scanned together under a common name and create multiple profiles based on the content you want scanned.Device Profiles Overview.
Threat Score	Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. (Note: There is no monitoring setting for malware.) Refer to the monitoring pages in the UI to investigate, located under Monitor > Threat Management.
Actions	If the threat score is high enough to cause a connection to be blocked, you have following configurable options: Drop connection silently (This is the default and recommended setting.) Close connection and do not send a message Close connection and redirect to URL—In the field provided, enter a URL to redirect users to when connections are dropped. Send custom message—In the field provided, enter a message to be shown to users when connections are dropped.
SMTP File Attachment	Turn this feature on inspect files received as email attachments (over SMTP only).
Device Profile	If you do not click the Change button to select a device profile for SMTP scanning, the device profile selected for HTTP will be used by default. Select Change to use a different device profile for SMTP. Device profile are configured through Sky ATP and define which files to send to the cloud for inspection
Threat Score	Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria.
Actions	Actions for SMTP File Attachment include: Quarantine, Deliver malicious messages with warning headers added, and Permit. This actions are set in Sky ATP.
Log Setting (Policy setting for all profiles)	Select the log setting for the policy. You can log all traffic, log only blocked traffic, or log no traffic.

Procedure

Once you have a threat prevention policy, you assign one or more groups to it:

In the threat prevention policy main page (located under Configure>Threat Prevention > Policy), find the appropriate policy.
In the Groups column, click the Assign to Groups link that appears here when there are no policy enforcement groups assigned or click the group name that appears in this column to edit the existing list of assigned groups. You can also select the check box beside a policy and click the Assign to Groups button at the top of the page. See Policy Enforcement Groups Overview .
In the Assign to Groups page, select the check box beside a group in the Available list and click the > icon to move it to the Selected list. The groups in the Selected list will be assigned to the policy.
Click OK.
Once one or more policy enforcement groups have been assigned, a Ready to Update link appears in the Status column. You must update to apply your new or edited policy configuration. Clicking the Ready to Update link takes you the Threat Policy Analysis page. See Threat Policy Analysis Overview. From there you can view your changes and choose to Update now, Update later, or Save them in draft form without updating.
If you are using Sky ATP without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take affect. Navigate to Configure > Firewall Policy > Policies. In the Advanced Security column, click an item to access the Edit Advanced Security page and select the threat prevention policy from the Threat Prevention pulldown list.

Creating Threat Prevention Policies

Before You Begin

Procedure

Procedure

Related Documentation

Help us to improve. Rate this article.