Proofpoint Insider Threat Management

Additional Info

Company: Proofpoint
Website: https://www.proofpoint.com/us
Company size (employees): 1,000 to 4,999
Type of solution: Cloud/SaaS

Overview

The powerful forces of the cloud and mobility have spurred greater collaboration and more distributed workforces. At the same time, the 2020 Verizon DBIR found that 30% of all data breaches involved an insider. Proofpoint provides the leading Insider Threat Management (ITM) solution with more than 1000 customers globally. We help organizations protect against data loss, malicious acts, and brand damage involving insiders acting maliciously, negligently, or unknowingly.

ITM correlates user behavior and data movement at the endpoint, which empowers security teams to detect, investigate, and respond to potential insider threats.

ITM delivers five key capabilities necessary for managing risky behavior on the endpoint:
1. Deliver first-hand visibility and context on user behavior and data activity
2. Detect and alert on risky user behavior and data interaction in real time
3. Prevent risky data exfiltration from the endpoint
4. Accelerate incident response and investigations
5. Simplify deployment with a pure SaaS platform and lightweight endpoint agent architecture

How we are different

- Insider threat focus: Proofpoint ITM collects its own telemetry on user activity across applications, files, data, servers and desktops, whether the applications are hosted in the cloud, on the endpoint or on-premises. We detect risky insider behavior across unauthorized activity and access, risky accidental actions, system misuse and out-of-policy data movement. Given that insiders have legitimate and authorized access to systems, they pose a different threat from external hackers and malware. From a forensics perspective, Proofpoint ITM can best respond to insider risks of the modern workforce, including remote and contract work.


- Context for investigations: Proofpoint ITM correlates all activity by user and visualizes it in an activity timeline. This is backed up by screenshots of activity before, during and after clear and obvious policy violations by the user. In effect, we paint a clear picture of the context of “who, what, where, when and why” with every event, alert and incident. Such evidence is easily understood by cybersecurity and non-cybersecurity teams alike, without any jargon. This accelerates response to user-driven incidents. Before, security operations teams had to rely on alerts from traditional DLP products that lacked this level of context into user behavior. A high level of false positives within these types of alerts slows down the pace of forensics investigations.


- Lightweight endpoint solution: Proofpoint ITM leverages a user-mode endpoint agent that doesn’t hinder users’ productivity or clash with your other security tools at the kernel level. Yet, our endpoint agents provide a granular, app-agnostic view into the user’s activity on the endpoint. These results can be packaged into easy-to-understand reports for other stakeholders, including HR, legal teams, and more. In comparison, digital forensics on endpoints can be time-consuming and require repackaging the evidence to collaborate with other teams.