Alert Logic® Web Security Manager™ and Web Security Manager Premier™ customers with rapidly changing web environments can run into unique challenges securing their environments. If your organization makes changes to its web environment frequently and/or rapidly, Alert Logic recommends that you utilize one of the following below suggestions to maintain your environment's security and to meet any potential errors or tuning concerns head on when making changes to your web environment.
If changes are made rapidly or frequently to a web environment being monitored by Alert Logic and none of these recommendations are being utilized, customers may experience 404 errors on their sites or floods of incidents in the Alert Logic console.
Note: New customers whose web environments change often should come to their Onboarding meeting prepared to discuss their web environment and development environment processes. This will allow the Web Security team to tailor your web environment change experience.
Note: The following information applies only to customers with Alert Logic® Cloud Defender™ or Alert Logic Web Security Manager™ entitlements.
Include Your Development Environment in Your Alert Logic Deployments
The best option for an organization whose web environments change often is to include your development or QA environment as one of your Alert Logic deployments and commit changes to your development environment before you push them live.
The Alert Logic Security Operations Center will have access to your development environment and any changes that you make in the development environment before pushing them live. This accessibility will allow for a more proactive opportunity for Alert Logic to check that your website changes will be successfully implemented. This also gives Alert Logic the opportunity to tune in response to your changes before they go live so that you receive fewer false positives and unnecessary blocks.
With this option, you can contact Alert Logic when you have made a change to your development environment that you'd like to push live. Alert Logic can confirm that all changes to the development environment are acceptable for use, tuning, and security purposes, and you can push live with the confidence that your changes will not impact your live business environment.
Further, if the proxies are all on the same appliance, you have the option to have your policies mirrored for the development/QA and production environments so that all environments are synced when changes are made. This removes the potential for human error during environment changes.
Communicate with Alert Logic Before You Make a Change
The next best option for an organization whose web environments change often is to simply communicate with Alert Logic about changes you plan to make. If you do not have a development environment or are unable to include it in your Alert Logic deployment environments, this is a good option.
Any time that you plan to make a change to your live web environment, communicate that change to Alert Logic. Alert Logic will work with you to determine the best course of action for the expected change. The scope of the change will determine what actions should be taken in each scenario.
Create Saved Views
Creating a saved view will help you be more agile and successful when making frequent changes to your websites. This option is more reactive than the two outlined above, as traffic must be impacted for Alert Logic to receive notifications about the impact.
Saved views are custom reports that give you better oversight of traffic in your environment and how your environment is performing. Alert Logic recommends that you request an initial walk-through of creating saved views with Priority Support to fully understand how they work and how to create them in the Alert Logic console. You can also utilize the Create a Saved View documentation.
Create a Correlation Policy and Alert
Creating a correlation policy and alert will provide Alert Logic with the ability to check your block alerts. Impacted traffic will automatically create a case for the Web Security team based on your blocking acceptance criteria. Alert Logic will be able to react to your block alerts without you having to contact us in response to the alerts. With this option, you must be an Alert Logic Log Manager™ customer as well as a Web Security Manager or Web Security Manager Premier customer. This is required because Alert Logic will utilize your alerting and monitoring features.
With this option, you will create a correlation policy - as described in the Create a Correlation Policy documentation - and then create a correlation alert to send out the case creation - as described in the Create a Correlation Alert documentation.
Note: In order for a case to be created from your correlation alert, make sure that the email address email@example.com listed in the Send Alerts To: section of the correlation alert configuration example below.
Correlation policy configuration example:
Correlation alert configuration example:
If you need assistance with setting up these configurations, create a ticket in the Alert Logic Support Center.