SandBlast Agent - Learning Mode To Best Practice

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk153713
Technical Level
Product	Harmony Endpoint
Version	R80.20, R80.30, E80.90 (EOL), E80.92 (EOL), E80.94 (EOL), E80.96 (EOL), E81.x (EOL), R80.40, E81.10 (EOL), E81.20 (EOL), E81.30 (EOL), E81.30_HF, E81.40 (EOL), E82.x (EOL), E82.10 (EOL), E82.20 (EOL), E82.30 (EOL), E82.40 (EOL), E82.50 (EOL), E82.55 (EOL), E83.x (EOL), E83.10 (EOL), E83.11 (EOL), E83.20 (EOL), E83.30 (EOL), R81
Date Created	25-May-2019
Last Modified	07-Jan-2021

Solution

Refer to the following articles before you begin

sk152772 - Learning mode to best practice methodology

Table of Contents:

Pre-requisite
Important information
Before you Begin
How to start
Learning mode to best practice - Education is a key success factor

Pre-requisite

Endpoint management - Cloud or On-premise
Recommended version is R80.40 + with latest JHF
Endpoint management license (Cloud Endpoint Management as a service does not require any additional license)
SandBlast Agent (Standard, Advanced or Complete) licenses for the amount of devices that will be installed

Important information

Please note that learning mode is not mandatory for all assets and all components and it is possible to start with best practice configuration while understanding the impact it might create.

It is recommended to use learning mode through all of the solutions deployment until a high enough level of confidence is achieved.

There is a possibility to work in 2 modes of operation:

Learning Mode - Security Focus, this is the recommended mode that will allow a faster execution to best practice, but might create more impact as critical enforcement is performed.
Learning Mode - Impactless Focus, this is for organizations that want to create as minimal impact as possible, with no security enforcement, only visibility. The process to best practice will be longer.

It is possible work in a hybrid mode and to use different modes of operation per rule base or per organizational unit. For example: some groups/policies can start with the security focus settings such as the Test/POC group and other general groups. The critical business groups, levels and other important assets can start with impactless focus.

Pay attention: Every rule base is composed out of action profiles, and the action profiles can be shared between rules. To change an action profile that is not under the entire organization, always follow these steps

Clone the profile at the desired rule and give it a meaningful name (that can indicate the change in the profile without opening it) and save itOpen the new action profile, perform the change and save

*That action profile is now written in bold letters if it is different than the entire organization action profile.

It is recommended utilizing the entire organization action profiles as much as possible. It will reduce the operation load and the endpoint solution will be easier to manage.

Before you Begin

Learning mode is recommended for all levels of deployment and starts with planning, assets importance and value mapping.

Learning mode is an ongoing effort that is constantly being performed and should guide the organization before any deployment, upgrade or policy changes.

The plan should include:

Mapping all relevant assets that will be influenced by the endpoint, such as: user endpoints, servers and specialized systems, Active directory connected to the management and more...The goal is to protect all assets, so you must understand and map the critical assets, important assets and general assets. The assets map is in the aspect of business impact.Also take into account offline assets, as they will not be able to communicate with the management at all times.It is possible to divide the assets to additional groups and areas, but remember that more groups and different rules mean more complexity

The second part will be to create a Test/POC group inside the organization that will include few members of every area. They will be used as test subjects for changes in the deployment and security policy before they are widely enforced through the entire organization.

The third part will be to understand the level of protection for each group of assets. Looking at this from business perspective, in most cases additional layers of security might introduce an impact to the users' experience.

In case there is a lab, it is recommended that everything will be tested in the organizational lab and that the lab will include a super set of all organizations OS and applications

Example of a simple deployment rule base:

Assets Description

Asset type	Type examples	Comments
POC/Test	Lab assets – super sets that represents all of the organizational OS and applications Individuals from different areas with little impact on organizational performance IT/Security/Endpoint team members that operate and support the solution	It is recommended to have gradual deployment between POC/Test/Lab assets as well
General	Most of the users and non-critical systems
Important	Important users and systems DR sites	DR sites are important measurement on how the change will effect critical assets
Critical	Servers C-level employees Critical users with high impact to the organization operation Critical systems that cannot have downtime	It is recommended to separate servers from other critical assets

How to start

Deployment

Best practice is to use the entire organization rule for the general assets
Test/POC assets will be created as a second rule
Important assets will be created as a third rule
Critical assets will be created as a forth rule

Additional rules shell be created for servers, exceptions and basic granularity between desktops and laptops For large organizations it is recommended to separate different areas using different deployment rules Rules enforcement is from first to last starting with the second rule while the entire organization rule will always be the last to be taken into account (default rule if no other match was found) Learning mode components deployment

There are 2 levels of deployment to start from

First level is to add forensics to the existing AV solution Anti-Malware + Forensics, or if there is a 3rd party AV solution in place and it is not being replaced, then just add forensics and make sure that the 3rd party AV is supported by forensics
- sk116024 - SandBlast Agent Integration with Third Party Anti-Virus Vendors
- sk105122 - How to configure Forensics blade to analyze an incident that was detected by external system
Second and recommended level is to deploy all of the SandBlast Agent components and control their security policy using Learning mode configuration

*Please note that this is just the components deployment, not the security policy or any type of enforcement.

It is possible to deploy all components and to disable their security policy. It is recommended that before the initial deployment all users will be notified and alerted to save their work in case a reboot will be needed It is recommended to minimize user interaction as much as possible, and use the deployment rules to push the components once ready to deploy. The initial client can be deployed whenever is needed as it will only install itself and communicate with the management

For SandBlast Agent Deployment it is recommended to change the Log Upload intervals

Log Upload interval should be set to 1
Minimum number of events before attempting an upload should be set to 1

*Please note that higher frequency creates additional load on the management and log servers. This is why it is recommended to add policy servers for deployments of more than 1000 endpoints and to use a dedicated Smart Event server to host and correlate all events

Client Settings

Deployment and Upgrade Best Practice

sk154072 - SandBlast Agent Deployment and Upgrade Best Practice

Learning mode to best practice - Education is a key success factor

During the first week or 2 weeks with the learning mode policy, monitor the following

Logs and events to understand if there are True Positives or False Positives
1. For TP perform remediation according to the forensics report
2. For FP create exclusions as immediate troubleshooting and open a ticket to support if a fix is needed
Users experience, understand how the current solution and settings impact the users
1. If no impact or tickets opened then proceed
2. If there are tickets opened, solve them by exclusions or policy changes with support tickets when needed
3. Performance and business continuity experience by users, such as: slow browsing, latency in opening specific programs, like office, and general performance issues.
Administrator experience, understand what will happen with each component when moving to best practice configuration
1. Will there be FPs quarantined or blocked, if so follow section 2
2. Will there be file quarantined or more user experience, if so make sure to prepare for it and educate the users
3. How to map and separate between critical security events that need immediate resolve, important events that don't need resolution right away and need to know events

Learning mode period depends on the organizational process and can be shorter or longer depends on the confidence with the solution.

An internal process needs to be established to decide what it means to have high enough confidence.

For example:

No critical tickets or complains from users, No crashes of applications directly related to a change in the Check Point endpoint, Minimal to no False Positives, and if False Positives exists they are excluded and reported back to Check Point, Internal certification process and more...

Refer to the following for Learning mode and Best Practice step by step configuration

Start with Learning mode configuration

sk153714 - SandBlast Agent Learning Mode Configuration

sk154052 - SandBlast Agent Best Practice Configuration

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating