Thanks to a couple of users who have provided this excellent tip for reducing the initial number of alerts that come in when you first deploy HoneyPoint Wasp as it learns it’s environment.
The tip is to load an initial copy of Wasp on a trusted, fresh desktop workstation image and then execute all of the applications your organization generally supports. Then, let the Wasp run for about 48 hours and populate its database with the accepted applications and the like from the default image.
Once complete, use copies of this database in your installation across the enterprise. You will then get delta alerts instead of the base alerts for things you already know and trust. This eliminates the initial set of alerts from each Wasp workstation you deploy and greatly reduces the management load of the initial roll out.
Thanks to the two folks who really worked out this method, tested it and wrote up notes for us to share the idea with you. Much appreciated!
To learn more about using Wasp to extend your malware protection, gain security visibility easily to the workstation layer and create anomaly detection techniques for your security program, give us a call or drop us a line. We look forward to sharing tips like these and success stories with you as they come in from users.