IBM Support

X-Force Virtual Patch Protection Levels for QRadar Network Security and Security Network IPS sensors

Question & Answer


Question

What do the various Protection Levels in the X-Force Virtual Patch and Trust X-Force Defaults mean?

Answer

On Security Network IPS (GX) sensors, the X-Force Virtual Patch policy determines which signatures are enabled by default; the feature is on by default and can be disabled. On QRadar Network Security (XGS) sensors, the same Protection Level is set per IPS Object in the Intrusion Prevention Policy, so different IPS Objects can run at different levels.

Four Protection Levels can be configured. On the GX, None does not appear in the list; to get the equivalent behaviour, select Never in the Enable X-Force recommended blocks section. Each successive level enables a larger share of attack signatures, which raises both the level of protection and the likelihood of false alarms, so choose the level that matches how closely you will monitor events and how often you will tune the policy. The four levels are described below:

None
Do not enable any signatures by default. This option is for a user who wants complete control over which signatures get enabled; at this level nothing is detected or blocked until you enable signatures yourself.


Moderate
The moderate policy enables most attack events for a good level of security protection with minimal chance of false alarms. The moderate policy is designed for users who intermittently monitor security events and minimally manage the IPS configuration.


Aggressive
The aggressive policy enables a high percentage of attack events for a high level of security protection, with a greater chance of false alarms than Moderate. The aggressive policy is designed for users who test and tune before IPS deployment, who closely monitor security events, and who occasionally fine-tune the IPS configuration.


Paranoid
The paranoid policy enables almost all attack events, including events from the latest XPUs (X-Press Updates), for a very high level of security protection with a significant chance of false alarms. The paranoid policy is designed for users who do considerable testing and tuning before IPS or XPU deployment, who closely monitor security events, and who frequently fine-tune the IPS configuration.

Applies to: IBM QRadar Network Security (component: Protocol Analysis Module (PAM); platform: Firmware; version independent); Proventia Network Intrusion Prevention System (component: Protocol Analysis Module (PAM); platform independent; version independent); IBM Security Network Protection (component: Protocol Analysis Module (PAM); platform: Firmware; version independent).

Document Information

Modified date:
23 January 2021

UID

swg21701441