ThreatSync Best Practices

Applies To: ThreatSync

To optimize the collection and correlation of data from your network and endpoint devices to detect and respond to threats, we recommend you follow these best practices to set up and configure ThreatSync:

Before You Begin

Before you set up and configure ThreatSync, make sure that you meet the Firebox, access point, and Endpoint Security prerequisites specified in Quick Start — Set Up ThreatSync.

Recommended Firebox Settings

To make sure that your Firebox sends incident data to ThreatSync:

  • Confirm that these security services that generate ThreatSync incidents are enabled and configured on the Firebox:
    • APT Blocker
    • Gateway AntiVirus
    • WebBlocker
    • IPS
  • For locally-managed Fireboxes:
    • Enable content inspection in HTTPS proxy actions. For more information, go to HTTPS-Proxy: Content Inspection.
    • Enable logging for all policies and services. For more information, go to Set Logging and Notification Preferences.
  • For cloud-managed Fireboxes, enable the Decrypt HTTPS Traffic option in outbound firewall policies for web traffic. For more information, go to Configure Traffic Types in a Firewall Policy.

Recommended Access Point Settings

To make sure that your access points managed by WatchGuard Cloud can send incident data to ThreatSync and perform response actions, confirm that:

  • Access points have a WatchGuard USP Wi-Fi Management license.
  • Access points run firmware v2.0 or higher to send data to ThreatSync.
  • Access points run firmware v2.7 or higher to perform response actions against threat access points when integrated with ThreatSync.
  • Airspace Monitoring is enabled to detect malicious access points and perform response actions. For more information about requirements and how to enable this feature, go to Access Point Airspace Monitoring.
  • You have deployed an AP230W, AP330, or AP430CR with a dedicated scanning radio for over-the-air Evil Twin detection and ThreatSync response actions.
  • All other Wi-Fi in WatchGuard Cloud access point models can detect Rogue and Suspected Rogue access points physically connected to the network, but cannot detect Evil Twin access points or perform ThreatSync response actions.
  • For larger deployments, we recommend you deploy one access point with a dedicated scanning radio for every 3-5 access points in your deployment.
  • Wireless scanning and response actions can potentially affect the performance of an access point during detection and response to a malicious access point.
  • You cannot perform over-the-air response actions against malicious access points that use WPA3 security, WPA2 security with Protected Management Frames (802.11w) enabled, or OWE security, or against malicious access points that broadcast on a channel not permitted in the current country of operation of the detecting access point.
  • Make sure you adhere to local regulations for the use of over-the-air response actions to disconnect wireless clients from an access point.

Caution: Before you block connections to a malicious access point, make sure that this is not a known access point in your deployment. This might be a wireless Firebox not managed by WatchGuard Cloud, a WatchGuard Wi-Fi 5 access point, or a legitimate third-party access point in your deployment. An Evil Twin might be a legitimate access point operating in your airspace such as a guest hotspot or private wireless network from a nearby business with the same SSID. You can trust these devices to prevent future alert notifications.

About Malicious Access Points

A Rogue, Suspected Rogue, or Evil Twin Access Point is a device detected as a Malicious Access Point.

  • A Rogue Access Point is an unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.
  • A Suspected Rogue Access Point might be an unauthorized access point physically connected to your wired network. The device might also be a legitimate WatchGuard access point or other third-party device on your network that is not configured in your Trusted Access Points list.
  • An Evil Twin is a nearby access point operating in your airspace that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network. Your clients might connect to the Evil Twin access point SSID instead of your legitimate access point SSID.

When a malicious access point is detected by ThreatSync:

  • View the Incident Details for the malicious access point.
  • In the Signal section of the incident, select the malicious access point signal event.
  • In the Signal details pane, use the location and RSSI (signal strength) information in the Detected By and RSSI sections to locate the malicious access point and disconnect it from your network.
    The RSSI value corresponds to these approximate distances:
    • RSSI between 0 dBm and -39 dBm = 1 to 10 feet, 1 to 3 meters
    • RSSI between -40 dBm and -50 dBm = 10 to 20 feet, 3 to 6 meters
    • RSSI between -50 dBm and -55 dBm = 15 to 25 feet, 4 to 8 meters
    • RSSI between -55 dBm and -60 dBm = 25 to 35 feet, 7 to 10 meters
    • RSSI between -60 dBm and -65 dBm = 30 to 45 feet, 9 to 14 meters
    • RSSI between -65 dBm and -70 dBm = 40 to 60 feet, 12 to 18 meters
    • RSSI between -70 dBm and -75 dBm = 55 to 80 feet, 16 to 25 meters
    • Below -75 dBm = Greater than 70 feet, Greater than 21 meters
  • For Rogue access points, if you cannot find the device, you can also disable switch ports or use MAC address blocking on your network switch to isolate the access point from the network.
  • You can Block Connections to a malicious access point. When you block wireless client connections to a malicious access point, wireless clients already connected to the malicious access point are disconnected from the device, and further connection attempts are blocked. For more information, go to Perform Actions in ThreatSync.
  • If you find that ThreatSync blocks the MAC addresses of legitimate access points in your deployment, for example, access points from a third-party vendor, or WatchGuard Wi-Fi 5 access points managed by WatchGuard Wi-Fi Cloud or a Firebox, you can trust these devices to prevent future incident notifications or response actions by an automation policy. To trust an access point, select the Trust Access Point action. Make sure this is a known access point on your network. If this is a malicious access point and you trust it, ThreatSync no longer creates incident alerts on the device's actions.
    For more information, go to Configure Trusted Access Points in ThreatSync.

Recommended Endpoint Security Settings

Settings vary for WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, and EPP. In this section, Endpoint Security refers generally to all products. If you do not have a setting in the Endpoint Security management UI, it is not supported by your product.

To make sure that Endpoint Security sends all necessary telemetry and incident data to ThreatSync, confirm that these Endpoint Security settings are enabled:

  • Workstations and Servers Security Settings
    • Advanced Protection
      • Operating mode (Lock Mode)
      • Anti-Exploit Protection
      • Antivirus
  • Indicators of Attack (IOAs)

For more information about Endpoint Security settings, go to Manage Settings.

Configure Device Settings

When you enable ThreatSync for an account, it is automatically enabled on the endpoint devices, Fireboxes, and access points allocated to the account. These devices automatically send data to ThreatSync.

We recommend you enable ThreatSync on all devices in your account. To make sure that ThreatSync receives incident data and actions from any new devices you add to your account, from the Select which device types automatically enable ThreatSync on new devices section on the Device Settings page, select the Fireboxes and Access Points check boxes.

For more information, go to Configure Device Settings in ThreatSync.

Automation Policy Configuration Best Practices

To help you organize and monitor your automation policies, we recommend you start with these best practices.

Customize Automation Policy Names

To make your automation policies easier to understand and maintain, provide a meaningful policy name that specifies the purpose of the policy, what it applies to, and any other unique characteristics.

For example, if you want to include the policy type, risk range, or action performed in your policy name, you can name your policy Remediation_6-7_Isolate or Close_1-3.

Default Automation Policies

Your ThreatSync account includes default automation policies with recommended settings. You can edit the default policies and configure additional ThreatSync automation policies based on the requirements of your network.

ThreatSync default automation policies are disabled by default. For new accounts, the default automation policies appear on the Automation Policies page. For existing accounts, you must click Generate Default Policies on the Automation Policies page to view them in your automation policy list. We recommend you enable the default automation policies so you can focus on incidents that require manual investigation and remediation.

For more information about how to enable or disable automation policies, go to Enable or Disable an Automation Policy.

Default Remediation Automation Policy

To make sure that ThreatSync automatically protects you from high-risk incidents, we recommend you enable the default remediation policy for incidents with a risk range of 7-10.

Default Remediation Policy

  • Rank — 1
  • Policy Type — Remediation
  • Risk Range — 7-10
  • Device Type — Endpoint, Firebox, Access Point
  • Actions — Perform > Isolate Device

This policy automatically isolates from the network any devices affected by incidents with a score of 7 or higher to prevent the spread of the threat. This enables you to analyze isolated devices and investigate incident details. For more information, go to Review Incident Details in ThreatSync.

Default Close Automation Policy

To reduce the number of low-risk incidents in the incident list so you can focus on higher risk incidents, we recommend you enable the default close automation policy that applies to incidents with a risk score of 1.

Default Close Policy

  • Policy Type — Close
  • Risk Range — 1
  • Device Type — Endpoint, Firebox, Access Point
  • Actions — Perform > Close

This policy automatically closes incidents with a risk score of 1. We recommend you review closed incidents and decide if any other actions are necessary. To review your closed incident list, filter your incidents by status on the Incidents page. For more information, go to Monitor Incidents in ThreatSync.

If you do not have time to investigate every low-risk incident, consider a change to your close policy to increase the risk range to 1-3.
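The two default policies above, modeled as a small ranked evaluator so you can see which incidents each one catches and what widening the Close range to 1-3 changes. This is an added illustration, not WatchGuard's policy engine; it assumes policies are evaluated in rank order with first match winning, and gives the Close policy rank 2 (the page does not state its rank).

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Illustrative model only: assumes first-match-by-rank evaluation, which the page implies
# but does not spell out.


@dataclass(frozen=True)
class Policy:
    name: str
    rank: int
    policy_type: str                 # "Remediation" or "Close"
    risk_range: tuple[int, int]      # inclusive bounds on the 1-10 incident risk score
    device_types: frozenset[str]
    action: str
    enabled: bool = True             # default policies ship disabled; enable them explicitly

    def matches(self, risk: int, device_type: str) -> bool:
        lo, hi = self.risk_range
        return self.enabled and lo <= risk <= hi and device_type in self.device_types


ALL_DEVICES = frozenset({"Endpoint", "Firebox", "Access Point"})

# The page's default policies, named with its suggested Type_Range_Action convention.
DEFAULT_REMEDIATION = Policy("Remediation_7-10_Isolate", 1, "Remediation", (7, 10), ALL_DEVICES, "Isolate Device")
DEFAULT_CLOSE = Policy("Close_1", 2, "Close", (1, 1), ALL_DEVICES, "Close")  # rank 2 is assumed
DEFAULT_POLICIES = [DEFAULT_REMEDIATION, DEFAULT_CLOSE]


def evaluate(policies: list[Policy], risk: int, device_type: str) -> str | None:
    """Return the action of the highest-ranked enabled policy that matches, or None for manual review."""
    for policy in sorted(policies, key=lambda p: p.rank):
        if policy.matches(risk, device_type):
            return policy.action
    return None


def widen_close_range(policies: list[Policy], upper: int) -> list[Policy]:
    """Copy of the policy list with every Close policy covering scores 1..upper (the page suggests 3)."""
    return [replace(p, risk_range=(1, upper)) if p.policy_type == "Close" else p for p in policies]


# Constructed sample incidents as (risk score, device type) pairs.
SAMPLE_INCIDENTS = [(9, "Endpoint"), (7, "Firebox"), (5, "Access Point"), (2, "Endpoint"), (1, "Firebox")]


def triage(policies: list[Policy], incidents=SAMPLE_INCIDENTS) -> list[tuple[int, str, str | None]]:
    """Map each incident to its automated action; None means it stays in the list for an analyst."""
    return [(risk, dev, evaluate(policies, risk, dev)) for risk, dev in incidents]
```

Running `triage(DEFAULT_POLICIES)` leaves the risk-2 and risk-5 incidents for manual review; `triage(widen_close_range(DEFAULT_POLICIES, 3))` also auto-closes the risk-2 incident.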

For more information about automation policies, go to About ThreatSync Automation Policies.

Blocked Sites Exceptions on a Firebox

If you find that ThreatSync blocks critical IP addresses, such as the IP address of a server used by your Marketing team, we recommend that you configure a Blocked Sites exception for the IP address on your Firebox. When you add a Blocked Sites exception for an IP address, the Firebox always allows traffic to and from that IP address, even if it appears on the list of IPs blocked by ThreatSync through a manual action or by an automation policy.

For information about how to create blocked sites exceptions for locally-managed Fireboxes, go to Create Blocked Sites Exceptions.

For information about how to add exceptions for cloud-managed Fireboxes, go to Add Exceptions in WatchGuard Cloud.

Recommended Notification Rules

It is good practice to monitor incidents in the ThreatSync UI as they are generated. You can view the ThreatSync Incident Summary page for a snapshot of incident activity, and you can configure notification rules in WatchGuard Cloud to generate alerts and send email notifications for new incidents, specific actions performed, and closed incidents.

To make it easier to respond when threats emerge, we recommend that you set up a notification rule for the highest risk incidents.

Notification Rule Recommendation

  • Notification Type — New Incident
  • Risk Range — 7-10
  • Incident Type — Select All Incident Types
  • Device Type — Select All Device Types
  • Delivery Method — Email
  • Frequency — Send All Alerts

This notification rule generates an alert that appears on the Alerts page in WatchGuard Cloud and also sends a notification email to the specified recipients.

For more information about how to set up notification rules, go to Configure ThreatSync Notification Rules.

Related Topics

About ThreatSync

Quick Start — Set Up ThreatSync

Firebox Configuration Best Practices

About Firebox Logging and Notification

Firewall Policies Best Practices

Get Started with WatchGuard Endpoint Security