
Query-Based Policy Settings in SEPM

Created: 03 Aug 2012 | 4 comments

Sometimes it would be desirable to set up a policy that would allow a query of some type to dynamically alter a policy on the fly. For example, we normally run LiveUpdate once per day at night. I would like to have SEP/LU be able to change if ThreatCon is set to a higher number than one. For example, if ThreatCon is slightly elevated, I may want to check for new definitions every 4 hours or, if ThreatCon is a lot higher, maybe check every hour. This would happen without human intervention.


There are other things that would be great to change such as changing network policies during an "outbreak" condition.


Comments (4)

toby:

Hello hforman,

How would you identify an outbreak? Is every increased ThreatCon really also an indication for your environment?

Probably it would make more sense to trigger actions like you mentioned when your machines are infected or something like this, which could be done using the reg keys of public opstats in version 12 and the location awareness feature...

So you could make it more specific to your environment, even right away when something is discovered in your environment.

Regards,
Toby

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP 

hforman:

But the point with that is, if I was a security administrator and there were some new threats that just came out, I would be manually forcing LiveUpdate to see if there are any new signatures to cover this. So, essentially, if the ThreatCon meter goes from its usual "green" to "yellow" or even up to red, I may want to change things. Now, I can't always be watching ThreatCon or the news, and they generally don't want me running LiveUpdate during the day, but if there was a change to the general threat landscape, I might want to run LiveUpdate and, if the threats go on, I might want to run LiveUpdate more often. If the ThreatCon was all the way over, and it was a weekend, I might even want to turn off the network or tighten up the firewall settings. I suppose there is a way to create something with a script that runs on each PC that can do this and change registry settings. The thing is, once we are already infected, it's too late.


I've been through some of the BIG virus attacks:  NIMDA, SQL SLAMMER, etc. and the sooner you get signatures into your system, the better. 


But all that is just an example. The point was there should be a way to change things dynamically based on real-time criteria, such as ThreatCon or simply detection of an outbreak, as you pointed out.

Was just an idea anyway.

toby:

I understand what you mean and it makes sense! Probably in such cases it might also be a point in changing from certified to rapid release defs and applying different rules in a way to isolate your environment more and not expose it to risk.

As the ThreatCon sometimes moves between green and yellow, there should definitely be more than a simple process, as very often systems in a region or the type of systems are not affected, so it must be highly flexible from my point of view.

BTW, when you use the notifications and setup for outbreak, you could trigger something like this already with a bit of working around, as you can start scripts...

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP 

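The thread asks for a policy that tightens LiveUpdate frequency and network posture as the threat level rises, and Toby's objection is that a level which flaps between green and yellow must not flip the policy on every change. The following is an added example, not code from the thread or from Symantec: a small policy evaluator that could sit behind a notification-launched script. It escalates only after an elevated level has persisted for a dwell time, and de-escalates only after a hold period, so a brief green/yellow wobble changes nothing. The level names, the per-level settings table and the sample observations are constructed for illustration; how the chosen settings are pushed into SEPM is outside the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Threat levels in increasing severity (constructed, modelled on a ThreatCon-style meter).
LEVELS = ["green", "yellow", "orange", "red"]

# Hypothetical per-level settings: the values a script would apply, not real SEPM parameters.
POLICY = {
    "green":  {"liveupdate_interval_hours": 24, "firewall_profile": "normal"},
    "yellow": {"liveupdate_interval_hours": 4,  "firewall_profile": "normal"},
    "orange": {"liveupdate_interval_hours": 1,  "firewall_profile": "restricted"},
    "red":    {"liveupdate_interval_hours": 1,  "firewall_profile": "isolated"},
}


@dataclass
class PolicyState:
    level: str = "green"                    # level the policy is currently applied for
    pending_level: Optional[str] = None     # higher level seen but not yet applied
    pending_since: Optional[datetime] = None
    last_change: Optional[datetime] = None  # when the applied level last changed


def rank(level: str) -> int:
    return LEVELS.index(level)


def evaluate(state: PolicyState, observed: str, now: datetime,
             escalate_after: timedelta = timedelta(minutes=30),
             hold_for: timedelta = timedelta(hours=6)) -> bool:
    """Feed one observation into the state. Returns True if the applied level changed.

    Escalation requires the same elevated level to be observed continuously for
    `escalate_after`; de-escalation is allowed only `hold_for` after the last change.
    """
    observed = observed.lower()
    if observed not in POLICY:
        raise ValueError(f"unknown threat level: {observed!r}")

    if rank(observed) > rank(state.level):
        # Start (or restart) the dwell timer when a different elevated level appears.
        if state.pending_level != observed:
            state.pending_level, state.pending_since = observed, now
            return False
        if now - state.pending_since >= escalate_after:
            state.level, state.last_change = observed, now
            state.pending_level = state.pending_since = None
            return True
        return False

    # Level dropped back (or stayed level): any pending escalation is cancelled.
    state.pending_level = state.pending_since = None
    if rank(observed) < rank(state.level):
        if state.last_change is None or now - state.last_change >= hold_for:
            state.level, state.last_change = observed, now
            return True
    return False


def settings_for(state: PolicyState) -> dict:
    """Settings a script would apply for the currently effective level."""
    return dict(POLICY[state.level])


def replay(observations: List[Tuple[datetime, str]]):
    """Run a sequence of (timestamp, level) observations; return final state and change log."""
    state = PolicyState()
    changes: List[Tuple[datetime, str, str]] = []
    for ts, level in observations:
        before = state.level
        if evaluate(state, level, ts):
            changes.append((ts, before, state.level))
    return state, changes


# Constructed sample: a short green/yellow wobble, then a sustained yellow, then recovery.
SAMPLE = [
    (datetime(2012, 8, 3, 8, 0),  "green"),
    (datetime(2012, 8, 3, 8, 10), "yellow"),   # starts dwell timer
    (datetime(2012, 8, 3, 8, 20), "green"),    # wobble: timer cancelled, no change
    (datetime(2012, 8, 3, 8, 30), "yellow"),   # timer restarts
    (datetime(2012, 8, 3, 9, 5),  "yellow"),   # 35 min sustained -> escalate
    (datetime(2012, 8, 3, 10, 0), "green"),    # inside hold period -> stay yellow
    (datetime(2012, 8, 3, 16, 0), "green"),    # hold period over -> back to green
]

if __name__ == "__main__":
    final, log = replay(SAMPLE)
    for ts, old, new in log:
        print(f"{ts:%H:%M} {old} -> {new}: {settings_for(PolicyState(level=new))}")
    print("final:", final.level, settings_for(final))
```

The two timers are the whole point: `escalate_after` absorbs the green/yellow flapping Toby describes, while `hold_for` stops the policy from relaxing minutes after it tightened. Both are parameters so that, as he notes, the behaviour can differ per region or system type rather than following a single global rule.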