ESG Validation

ESG Lab Review: Proofpoint Advanced Threat Protection


This ESG Lab Review examines how Proofpoint addresses advanced threat protection with Targeted Attack Protection (TAP). ESG Lab also evaluated how Proofpoint addresses the growing number of attack vectors using deep, verified threat intelligence to detect and stop threats before they can cause lasting harm. ESG Lab also looked at Proofpoint’s remediation process for active threats.

The Challenges

In today’s dynamic business environment, organizations are challenged to keep pace with the evolving threat landscape. Employees are using more devices and collaborating in new ways. At the same time, bad actors are growing more sophisticated. These converging trends add up to a daunting situation. Organizations must monitor their environments for suspicious activities and malicious behavior to respond to problems quickly. But many enterprises simply lack the right level of security analytics skills or staff to perform these tasks effectively.

Even enterprise-class organizations find themselves lacking in security analytics skills, thanks to a bigger problem—the global cybersecurity skills shortage. Per ESG research, 46% of organizations claim to have a problematic shortage of cybersecurity skills—the biggest skills gap of all types of IT skills.[1]

Figure 1. Top Ten IT Skills Shortages for 2016

Source: Enterprise Strategy Group, 2016

Workplace mobility has boosted productivity and collaboration. It has also put corporate data at risk. Using multiple devices, anywhere, at any time, workers may unknowingly expose themselves and their organizations to risk. They access information and apps on compromised hardware. They click on infected URLs. They open malicious email attachments.

Unfortunately, these are common scenarios—bad actors constantly exploit human nature to steal sensitive and critical company data. These attacks hurt companies’ bottom line, brand and reputation. They also open the door to compliance and legal problems.

As many organizations proactively work to address these issues amid a growing number of incidents, they must consider whether traditional security tools can keep pace. That task becomes more complicated as business moves to applications and data consumed outside the corporate data center—email, mobile, and social platforms. To deal with advanced threats, businesses must consider a different path.

IT needs to improve visibility beyond its immediate network, and into the full threat landscape. In many cases, that means leveraging the experience and competency of technology partners that spend every waking moment detecting, interpreting, and evaluating potentially dangerous activity. This partnership will enable IT teams to prepare for the threats that exist today—and new ones that are constantly emerging.

IT needs to protect against potential incoming threats through traditional open doors, such as email. But today’s threats also come through mobile and social entry points. Threat actors are exploiting these new vectors, and organizations aren’t effectively protecting them. Businesses must devise a means to defend against these increasingly common threats.

IT must not only be able to detect malicious content and behavior, but must also be prepared to act on them quickly. The remediation process should begin before a threat executes. Ideally, this process can be automated to minimize resource-consuming manual intervention from an IT administrator. Reacting after a threat has landed is often too late and can put undue strain on an already-stretched IT organization. Organizations need visibility through constant monitoring and reporting. Business owners and executive teams need insight into their level of risk, remediation activity, and defense activity. This insight should include real-time and historical views into the frequency of threats and the impact of proactive detection and remediation across the organization.

The Proofpoint Advanced Threat Protection Product Suite

A cloud-based security vendor, Proofpoint has combined its years of capturing intelligence and its experience remediating threats to help protect customers from advanced threats across more than 4,000 companies. By its own account, the company scans over a billion messages for threats every day. Proofpoint has also scanned more than 21 million iOS and Android applications to identify high-risk behaviors. And it protects more than 200 million social users and accounts around the clock. This breadth of threat insight and protection can be formidable for any IT organization to replicate in-house. That’s why they should consider the assistance and depth of knowledge of a company that is razor-focused on capturing and remediating potential threats before they can do real damage.

Proofpoint Threat Intelligence

Proofpoint threat intelligence is designed to complete a major part of the security puzzle. It gathers intelligence by dynamically analyzing threats, positively identifying malicious behavior, and correlating data across a fabric of attackers and attack campaigns. This process enables organizations to detect, analyze, and respond to any threat before it can hurt their business. As an example, when the Locky strain of ransomware emerged, Proofpoint was able to block the attack at the onset, thanks to intelligence on the actors and distribution; that speed would not have been possible with malware analysis alone. Analysis performed after the event fed back into the Nexus Threat Graph to further predict and protect against subsequent attacks and variants. The Nexus Threat Graph is a massive database comprising more than 800 billion data points. It provides in-depth, real-time, forensic information to detect and mitigate threats effectively.

The Proofpoint threat intelligence pipeline (Figure 2) shows how the company’s products, tools, and security researchers work together across email, social, and mobile vectors. Proofpoint collects threat data from multiple sources. It dynamically analyzes the threats and feeds the data into the Nexus Threat Graph. From there, Proofpoint researchers extract and correlate that threat intelligence. Proofpoint identifies actors and campaigns, feeding this intelligence back into Proofpoint’s suite of products to improve detection, analysis, and response.

Figure 2. The Proofpoint Threat Intelligence Pipeline

Source: Enterprise Strategy Group, 2016

ESG Lab Tested

ESG Lab surveyed a real-world Proofpoint installation, evaluating the features and functionality of the Targeted Attack Protection (TAP) dashboard, the Nexus Threat Graph, and Proofpoint’s ability to aggregate disparate information to identify malicious actors and their campaigns of nefarious activity.

TAP Dashboard

The TAP dashboard, shown in Figure 3, uses a tabbed display format. The primary tab shows all identified threats. Additional tabs provide filters for threats that present a risk or are currently impacting users.

Each tab contains a table listing of the threats. It includes the name, type, most recent activity, and the number of users who were targeted by the threat, are at risk from the threat, and are being impacted by the threat. Also included is a thermometer graph providing a visualization of the spread of the attack as seen by all Proofpoint customers. In addition, all the information provided through the Proofpoint user interface is available through an API. The API enables administrators to develop their own automated processing and responses to threats.

Figure 3. The Proofpoint Targeted Attack Protection Dashboard

Next, ESG Lab clicked on a threat name in the table. This action brought up detailed information on the threat, as shown in Figure 4. The threat detail page includes a long-form description of the threat, written by Proofpoint’s security analysts. It is designed to impart critical knowledge about the threat to the security admin. The description provides a summary of the attack, common payloads, known CVEs targeted, and other relevant details. The attack-spread thermometer graph provides additional details on the extent of the threat across Proofpoint’s customers. This detail helps indicate whether the attack is part of a widespread campaign or targeted at the specific organization or individual. The forensics section includes the attack technique—such as exploiting an Office VBA macro—the malware used in the threat, and the threat actor.

Additional information is available by scrolling down the screen. It includes screenshots from the sandbox simulation of the threat, the propagation of the attack within the organization, and a list of at-risk users who may have downloaded the malicious attachment or clicked on a malicious link.

Figure 4. Threat Details

Objects on the page are actionable. They either expand to fill the screen or drill down for more details when clicked. ESG Lab clicked on the actor, which brought up the specifics for the actor identified as TA511, as shown in Figure 5. The actor details page provides a description of the actor as developed by Proofpoint security researchers. This description details the actor’s modus operandi: objectives, targeting, delivery execution, and preferred malware.

Figure 5. Malicious Actor Details

The right side of the page provides a list of campaigns associated with the actor. A campaign represents a set of threats that are in some way associated with each other or linked together to achieve the malicious actor’s goal. For example, an organization suffering multiple phishing attacks may see those attacks as unrelated. Using their forensic data and the Nexus Threat Graph, Proofpoint security researchers may be able to identify actors that work in concert. A pair of phishing attacks, for instance, may be related and coordinated, with the goal of obtaining the identity and credentials of key senior managers of the targeted organization. Because Proofpoint has visibility into the threats targeting all their customers, the researchers may also identify campaigns targeting multiple organizations simultaneously—or even campaigns that target individual organizations or industries.

Nexus Threat Graph

The Nexus Threat Graph is Proofpoint researchers’ internal dynamic visualization tool. ESG Lab observed some features of the Nexus Threat Graph in a demonstration of the advanced techniques used by Proofpoint’s more than 100-strong team of security researchers. The demonstration showed how researchers delve into the forensic intelligence uncovered by and supporting all Proofpoint’s solutions. The results of this research are delivered through the TAP dashboard and Proofpoint’s complete suite of products.

Here’s a typical use case: a Proofpoint security analyst points the Nexus Threat Graph to a Proofpoint-discovered Word document containing malware. The tool shows the document as a red dot in the center of the graph, as seen on the left of Figure 6. Each of the icons directly linked to the document represents various attributes or activities of the malware.

Figure 6. Nexus Threat Graph Visualization

Elements in the graph can be moved, or clicked to expand, revealing a variety of interconnected elements and information. This enables the researcher to quickly pivot through the data and discover relationships between seemingly unrelated objects and events. For example, malware URLs and command and control IP addresses may be used by multiple threats, or may be associated with a specific set of actors. Other actors may show preferences for types of exploits or targets, or reuse unique language in emails. Pivoting the data and exploring connections and relationships helps researchers look across the entire landscape. Armed with this insight, they can identify bigger patterns and associations, and, ultimately, the actors and their campaigns.
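As an added illustration of the indicator pivoting described above (example code written for this review, not Proofpoint’s own; the threat records, actor names, URLs and addresses are constructed), this Python script indexes threats by the URLs and command-and-control addresses they share, pivots on a single indicator, clusters linked threats into candidate campaigns, and propagates a known actor to otherwise unattributed threats in the same cluster:

```python
from collections import defaultdict, deque

# Constructed sample threat records (hypothetical; RFC 5737 documentation
# addresses and reserved ".example" hosts, not real indicators).
THREATS = {
    "T1": {"actor": "actor-X", "urls": {"http://a.example/doc1"}, "c2": {"203.0.113.10"}},
    "T2": {"actor": None,      "urls": {"http://b.example/doc2"}, "c2": {"203.0.113.10"}},
    "T3": {"actor": None,      "urls": {"http://b.example/doc2"}, "c2": {"203.0.113.20"}},
    "T4": {"actor": "actor-Y", "urls": {"http://c.example/doc3"}, "c2": {"198.51.100.5"}},
}

def build_index(threats):
    """Map each indicator ("kind:value") to the set of threat ids that use it."""
    index = defaultdict(set)
    for tid, rec in threats.items():
        for kind in ("urls", "c2"):
            for value in rec[kind]:
                index[f"{kind}:{value}"].add(tid)
    return index

def pivot(threats, indicator):
    """The manual pivot: every threat that shares one indicator."""
    return sorted(build_index(threats).get(indicator, set()))

def campaigns(threats):
    """Connected components of threats linked by any shared indicator."""
    adj = defaultdict(set)
    for members in build_index(threats).values():
        for tid in members:
            adj[tid] |= members - {tid}
    seen, groups = set(), []
    for start in threats:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            tid = queue.popleft()
            if tid not in comp:
                comp.add(tid)
                queue.extend(adj[tid] - comp)
        seen |= comp
        groups.append(sorted(comp))
    return sorted(groups)

def attribute(threats):
    """Tentative attribution: an unattributed threat inherits the actor of
    its cluster only when that cluster names exactly one actor (a lead for
    analyst review, not proof)."""
    result = {}
    for group in campaigns(threats):
        actors = {threats[t]["actor"] for t in group} - {None}
        label = next(iter(actors)) if len(actors) == 1 else None
        for t in group:
            result[t] = threats[t]["actor"] or label
    return result
```

Here T2 shares a command-and-control address with T1 and a URL with T3, so all three land in one candidate campaign and inherit actor-X, while T4 stays separate.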

Why This Matters

Since 2013, cybersecurity has been the most often cited IT priority in ESG’s annual IT spending intentions survey—and was selected again by 37% of respondents in 2016. Combined with the proliferation of devices, the march to the cloud, and the advancing sophistication of malicious actors, this continued focus on security is straining cybersecurity resources. What is needed is a solution with two critical features. First, it must focus on quality of data and analytics. Second, it must enable organizations to quickly act with intelligence in a manner that simplifies tasks. This allows the IT team to perform the work without needing expert security analysts.

Proofpoint’s portfolio of security tools uses advanced technologies, including multiple layers of sandboxing, to identify and address cybersecurity threats. The TAP Dashboard gives IT visibility into data from all Proofpoint tools, along with expert analysis developed by Proofpoint’s team of more than 100 security researchers.

ESG Lab validated that Proofpoint’s TAP Dashboard enabled IT staff to quickly and simply identify and prioritize cybersecurity threats without requiring expert knowledge. The Dashboard provided relevant, actionable information. And it enabled the user to rapidly drill down to obtain any necessary details.

Proofpoint’s security researchers use the Nexus Threat Graph visualization tool to explore Proofpoint’s global threat database, pivoting the data to identify interconnections and patterns. This in turn helps researchers identify malicious actors and their attack campaigns. Proofpoint feeds this intelligence back to their customers through the TAP dashboard and through the entire suite of Proofpoint products and solutions.


The Bigger Truth

Organizations are challenged to keep pace with the evolving threat landscape. Employees are using more devices and collaborating in new ways. At the same time, bad actors are growing more sophisticated. These converging trends add up to a daunting situation.

ESG research reports that 46% of organizations claim to have a problematic shortage of cybersecurity skills—the biggest skills gap of all types of IT skills. Organizations must monitor their environments for suspicious activities and malicious behavior to respond to problems quickly. But many enterprises simply lack the right level of security analytics skills or staff to perform these tasks effectively.

Today, organizations require an integrated platform to detect, analyze, and respond to potential threats. The potential for damage and disruption to business operations due to a security breach is real, and the potential risk to the business can be massive. Many organizations’ current security measures fall short and lack the intelligence capacity needed to help keep threats at bay.

ESG Lab confirmed fast and easy identification and prioritization of email-based cybersecurity threats using Proofpoint’s TAP Dashboard. The dashboard provided at-a-glance summary information about each threat. More detailed information was always just a click away. The TAP dashboard provided visibility into every aspect of a threat, incorporating insights developed by Proofpoint’s team of more than 100 security researchers.

Proofpoint’s team leverages the power of the Nexus Threat Graph visualization tool to pivot through the data to rapidly explore connections, recognize patterns, and identify malicious actors and their campaigns. The results of this research are fed back into Proofpoint’s global threat analysis database. This virtuous cycle improves the quality of analysis and threat identification by all Proofpoint products, and enables organizations to maintain and improve their cybersecurity posture.

Proofpoint offers a broad suite of products to address expanding attack vectors and stop threats before they can cause lasting harm. ESG Lab validated that Proofpoint helps address potential risks that could slide through without being detected, and tackles them with a prompt remediation process.

Organizations need to carefully consider how to best protect sensitive corporate information, employee data, and the company’s reputation and brand from cyber threats. ESG Lab feels that Proofpoint can enable organizations to effectively manage the resources spent monitoring risk levels and remediation processes. That allows them to focus their time and energy on the business—employee productivity, business initiatives, and growing the organization.

  1. Source: ESG Research Report, 2016 IT Spending Intentions Survey, February 2016. All ESG research references and charts in this Lab Review have been taken from this research report.