
Threat Prevention Policy Overview


Threat prevention policies provide protection and monitoring for selected threat profiles, including command and control (C&C) servers, infected hosts, and malware. Using feeds from Sky ATP, plus any optional custom feeds you configure, a policy monitors ingress and egress traffic for suspicious content and behavior. Each detected threat is evaluated against a threat score, and once a verdict is reached the configured action may be taken.

Once policies are configured, the following fields are available on the Security Director main page to provide an overview of each policy.

Table 1: Threat Prevention Policy Fields

| Field | Description |
|---|---|
| Name | The user-created name for the policy. |
| Feed Type | The feed type selected during the malware profile configuration for a policy. The feed type is shown as generic if no malware profile is configured for the policy. |
| C&C Server | Overview of the threat score settings, if the C&C server profile is selected for the policy (otherwise this field is empty). For example: Block: 8-10, Monitor: 5-7, Permit: 1-4. |
| Infected Host | Overview of the threat score settings, if the infected host profile is selected for the policy (otherwise this field is empty). |
| DDoS | The DDoS action configured for the policy. |
| Malware HTTP | Overview of the threat score settings, if the malware HTTP profile is selected for the policy (otherwise this field is empty). For the JATP feed type, the device profile name is shown. |
| Malware SMTP | Overview of the threat score settings, if the malware SMTP profile is selected for the policy (otherwise this field is empty). |
| Status | The status of the policy, shown as a clickable link you can use to change the policy status. When you first create a policy and assign it to a group, this field reads View Analysis; read Threat Policy Analysis Overview for more information on this field. If the status is Update Failed, click Retry to perform the rule analysis again, or click the Update Failed status to see the corresponding job details. The rule analysis retry option is available only when the status is Update Failed. Note: if the policy has been updated after it was already pushed to the endpoint, the status is Update with a warning icon, notifying you that the policy has been changed but not pushed. |
| Policy Enforcement Group | The group to which the policy is assigned. |
| Log | The log setting for the policy. |
| Description | The user-created description for the policy. |
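The score-to-verdict model behind the C&C Server, Infected Host and Malware columns above is easy to get wrong in practice (gaps or overlaps between the Block, Monitor and Permit ranges, or feed hits for a profile the policy never selected). The following Python is an added illustration of that model and is not Security Director or Sky ATP code: the class names, the `evaluate()` and `overview()` methods, the policy and group names and the sample feed hits are all assumptions made for this example. The score ranges are the ones the page quotes (Block 8-10, Monitor 5-7, Permit 1-4).

```python
"""Added illustration of the threat-score-to-verdict model described above.

Not Security Director or Sky ATP code: class names, methods, policy/group
names and the sample feed hits are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ACTIONS = ("block", "monitor", "permit")
PROFILES = ("cc_server", "infected_host", "malware_http", "malware_smtp")


@dataclass
class ScoreProfile:
    """Inclusive threat-score ranges for one threat profile (page defaults)."""
    block: tuple[int, int] = (8, 10)
    monitor: tuple[int, int] = (5, 7)
    permit: tuple[int, int] = (1, 4)

    def ranges(self) -> list[tuple[str, int, int]]:
        return [(action, *getattr(self, action)) for action in ACTIONS]

    def ranges_valid(self) -> bool:
        """True when the three ranges cover scores 1-10 exactly once (no gaps, no overlaps)."""
        covered = sorted(s for _, lo, hi in self.ranges() for s in range(lo, hi + 1))
        return covered == list(range(1, 11))

    def verdict(self, score: int) -> str:
        """Map a threat score to the configured action."""
        for action, lo, hi in self.ranges():
            if lo <= score <= hi:
                return action
        # A score no range covers (misconfigured ranges): refuse rather than guess an action.
        raise ValueError(f"score {score} is not covered by any configured range")

    def summary(self) -> str:
        """The overview string the policy list shows, e.g. 'Block: 8-10, Monitor: 5-7, Permit: 1-4'."""
        return ", ".join(f"{action.capitalize()}: {lo}-{hi}" for action, lo, hi in self.ranges())


@dataclass
class ThreatPreventionPolicy:
    """Hypothetical policy object: one optional ScoreProfile per threat profile."""
    name: str
    enforcement_group: str
    cc_server: Optional[ScoreProfile] = None
    infected_host: Optional[ScoreProfile] = None
    malware_http: Optional[ScoreProfile] = None
    malware_smtp: Optional[ScoreProfile] = None
    log: bool = True
    events: list[dict] = field(default_factory=list)

    def overview(self) -> dict[str, str]:
        """Per-profile column as Table 1 describes it: score summary, or empty if not selected."""
        return {p: (getattr(self, p).summary() if getattr(self, p) else "") for p in PROFILES}

    def evaluate(self, profile: str, score: int) -> Optional[dict]:
        """Reach a verdict for one feed hit; None when the policy has no profile for that feed."""
        prof = getattr(self, profile)
        if prof is None:
            return None
        event = {"policy": self.name, "group": self.enforcement_group,
                 "profile": profile, "score": score, "action": prof.verdict(score)}
        if self.log:  # the Log column: record the verdict when logging is enabled
            self.events.append(event)
        return event


def build_sample_policy() -> ThreatPreventionPolicy:
    # Constructed sample: C&C and infected-host profiles selected, malware profiles not.
    return ThreatPreventionPolicy(name="branch-tp-policy", enforcement_group="branch-sites",
                                  cc_server=ScoreProfile(), infected_host=ScoreProfile())


# Constructed sample feed hits as (profile, threat score); not real feed data.
SAMPLE_HITS = [("cc_server", 9), ("cc_server", 6), ("infected_host", 2), ("malware_smtp", 10)]


def run_sample() -> list[Optional[dict]]:
    policy = build_sample_policy()
    return [policy.evaluate(profile, score) for profile, score in SAMPLE_HITS]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Running the block reaches block, monitor and permit verdicts for the first three hits and returns `None` for the Malware SMTP hit, because that profile is not selected in the sample policy, which is exactly the case the empty table column represents. `ranges_valid()` is the check worth running before a policy is pushed: a profile configured as Block 9-10 leaves score 8 uncovered, and `verdict()` raises on it instead of silently permitting.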

Benefits of Threat Prevention Policy

  • Enables you to define and enforce policies for controlling specific applications and embedded social networking widgets.

  • Reduces the need for manual updates and automatically applies policies and enforcement rules, driving down the costs of managing network security.

  • Leverages the network for multiple enforcement points across the infrastructure. Enables you to stop threats closer to infection points and to prevent threats from spreading, which greatly improves the efficacy of security operations.