Currently, the enterprise edition of SEP (which is on-premises) allows an administrator to whitelist a computer from IPS. The small business edition that I use (cloud-based) does not.
I have been implementing security monitoring of our network in addition to prevention. I have an appliance that is connected to the network and performs a number of tasks. First, it monitors all network traffic at the switch to determine if there is activity that is suspicious or malicious. Secondly, it does periodic scans of all assets on the network range I specify.
When the appliance is scanning for vulnerabilities, I receive multiple e-mail messages regarding high-risk intrusions. There is no way to whitelist the appliance IP so that it is ignored by SEP. This means I get many messages that are in essence false positives. At this point I only have two choices:
1. I can let the e-mail messages come through and delete those that appear to be false positives. This results in two problems.
   a. Too much time spent reading messages that are false positives.
   b. High likelihood that a true positive will be overlooked due to the volume of e-mail.
2. I can go into the UI for each machine that has the SEP client installed and turn off notifications for the 6-7 events that keep popping up. This also is problematic.
   a. If there is a true positive, I won't be notified.
   b. It is time-consuming to make this change at each computer.
   c. If the appliance has changes to how it scans for vulnerabilities, I have to go back and once again go through the time-consuming task of turning off notifications for the new event.
I don't understand why it is an option for the on-premises enterprise edition of the software to whitelist a machine for IPS but not for the cloud-based version. Since I started using the product I have been happy until now. I can whitelist an IP via policy for the firewall and can exclude certain files and directories from scanning. Why can't I whitelist an IP for IPS? This makes little sense to me. I looked into upgrading to the enterprise version, but I don't want another piece of hardware to deal with (on-site), and I recently purchased 43 3-year licenses from a reseller (I have also purchased some directly from Symantec) that I was told can't be "upgraded". I am not about to purchase hardware (which I have to maintain), pay additional money and basically throw away the roughly $2,000 spent on licenses from the reseller, so the enterprise version is not the answer to my problem.
PLEASE strongly consider adding the ability to whitelist an IP via policy to the cloud-based SEP Small Business Edition for IPS. This would make the product much more user-friendly. More and more businesses are doing more than just putting protection into place. Monitoring is becoming a necessity, especially in an environment where significant confidential information is stored. As the number of businesses that purchase monitoring software/services increases (something all businesses should be doing... it is great to have protection, but if you don't monitor the network there is little chance of noticing activity that was not properly blocked by all of the layers of protection in place), this will become a much bigger issue and I have a feeling could potentially cost you business. I can guarantee you that if this isn't addressed in the near future, as much as I like the product, I will be looking for an alternative and you will have lost a customer for life.
Regards,
S. Craig Kiddoo, CPA
Chief Compliance Officer, Director of IT
Cozad Asset Management, Inc.
2501 Galen Drive
Champaign, IL 61821
(217) 356-8363