Proofpoint Threat Response

Additional Info

Company: Proofpoint
Website: proofpoint.com
Company size (employees): 1,000 to 4,999
Type of solution: Cloud/SaaS

Overview

Proofpoint Threat Response is a force multiplier for security operations that orchestrates and automates incident response. The platform surrounds security alerts with rich contextual data to help security teams prioritize and execute response actions. It collects and analyzes security event context around incidents and investigations, and it collects endpoint forensics to confirm system infections and create actionable profiles of incidents. Based on the enriched context, it enables enforcement and quarantine actions automatically or at the push of a button, leveraging existing infrastructure.

Threat Response collects and analyzes endpoint forensics from targeted systems to yield a rich snapshot of indicators of compromise (IOCs). This information is compared with changes reported by malware analysis tools and other systems to provide insight into the health of the client. In addition, user-written PowerShell scripts can be pushed to endpoints for custom data collection or other activities. Another key capability is checking attacked systems for past infections. When Threat Response performs an on-demand endpoint collection, it checks for IOCs not only from the current attack but also from past infections seen in the organization's environment. This approach helps quickly and effectively verify whether past infections have spread to the system being targeted now.

Based on the context and forensics collected and analyzed by the system, Threat Response presents a context-rich view of the threat. This view allows analysts to take push-button response actions, identify areas for additional investigation, or turn on automated responses such as retracting delivered email from users' mailboxes, adding users to low-permission groups, or updating the blocklists of firewalls and web filters.

In addition to the core capabilities, Threat Response includes key incident management functions that let users and teams investigate incidents without losing context while moving from system to system.

How we are different

• Many security alerts lack critical information required to determine the context of a threat and next steps. Proofpoint Threat Response automatically enriches security alerts by collecting important internal and external context, intelligence, and data to create an actionable view of each alert. Armed with this insight, security teams can quickly understand, prioritize, and respond to security threats.

• When a security alert reports that a system has been targeted with malware, Proofpoint Threat Response automatically deploys an endpoint collector to pull forensics from the targeted system. This data is compared against a database of known IOCs to quickly confirm whether the system is infected with IOCs related to the current attack. Teams can also gain visibility into IOCs from previous attacks that were not cleaned up. This built-in infection verification can save hours per incident, and it dramatically reduces the number of time-wasting false positives that lead to needless reimaging and backup-restoration cycles.

• Proofpoint Threat Response automatically checks every domain and IP provided in security alerts and sandbox reports against its built-in premium intelligence feeds, including Emerging Threats Intelligence. This step removes hours of tedious work and manual one-by-one searching against intelligence services to find attacking IPs and hosts that leverage known bad sites.