How do you or your organization use this solution?
I look at the attack analysis, which shows me which attackers try to exploit my vulnerabilities. I can check the ticket to see if it's blocked or whether it's a false positive. Whatever the case, if it already exists, I will block it. McAfee IPS has a benign engine, so this may not be a target in your environment. If you just prevent attackers from using it, they will try another vulnerability. I have physical routers, but they try to make some novel vulnerabilities. This is not applicable to my environment, so when I see this alert I know it's a false positive not related to my environment. In some cases, I change the action of these alerts or attacks to block. This is what happened in one of the use cases I take advantage of from IPS. I got an alert about some attacks in my environment, regarding the SPAN port and server traffic. I saw it and I detected the source point of this attack.
The primary use is to deploy sensors. We have two use cases: to predict the anomalous behavior and to predict the normal threshold for our network.
We use it to enhance security on our EDGE network in all of our remote offices, as well as our data centers.