© 2015 Proofpoint, Inc. threat protection | compliance | archiving & governance | secure communication Next-Generation Email Security Jasper [email protected]

© 2015 Proofpoint, Inc.© 2015 Proofpoint, Inc.

threat protection | compliance | archiving & governance | secure communication

Next-Generation Email Security

Jasper Evertzen [email protected] Sales Director Benelux & NordicsCharles Rami [email protected] SE Manager Benelux & Nordics

mailto:[email protected]

mailto:[email protected]

© 2015 Proofpoint, Inc.

Proofpoint (NASDAQ: PFPT)

Security-as-Service Leader

Key PartnersWhat We Do

Leaders Quadrant:2013-2014-2015 Magic Quadrant for Secure Email

Gateways & Enterprise Information Archive

Champions Quadrant & Innovation Award, 2012

Accolades

Select Partners & CustomersDemonstrated Success

3 of the 5 largest US Retailers

5 of the 5 largest US Banks

3 of the 5 largest US Defense Contractors

2 of the 5 largest Global Pharmaceuticals

Companies

4000+ Customers

Protect the Most Sensitive Data of the World’s Most Successful Companies

Comprehensive Data Protection Portfolio

Scalable Security-as-a-Service platform

Advanced Threat Protection


Leaders in Gartner’s 2015Magic Quadrant for Secure Email GatewaysJune 29, 2015

“Proofpoint continues to lead the market with R&D investments in innovative features and corporate acquisitions to complement its enterprise capability.”

“It clearly has the sharpest focus on email security issues…“

“Spam and malware accuracy has always been a consistent Proofpoint strength...The company continues to invest in new, innovative techniques for spam detection, and gets high marks in this capacity from reference customers.”

“Proofpoint's Targeted Attack Protection service provides time-of-click URL protection and Attachment Defense.”

“The Web-based management interface continues to be one of the best…”

“DLP features are very strong, and include numerous prebuilt policies, dictionaries, number identifiers and integrated policy-based encryption.”

Read the full report at: www.proofpoint.com/mq

This slide for Proofpoint INTERNAL use only.

http://www.proofpoint.com/mq


Comprehensive Suite


Security-as-a-Service

SuiteFull-life cycle data protection

Big Data PlatformAdvanced data processing, search, and analytics

Cloud InfrastructureInnovative hybrid architecture with global data center footprint


Threat ResponseAutomate threat remediationSingle pane of glass for security operationsRespond in minutes instead of hours

Proofpoint Protection

Enterprise

Protection

Threat

Response

Targeted

Attack

Protection


Enterprise ProtectionStop SPAM, viruses and other forms of malware

Targeted Attack Protection

Identify and block advanced threats from penetrating the enterprise


Office 365 deployment

*Okta integrations


Office 365 offer

Software Email Collaboration Security Compliance

Core Services Data Protection

EOAFOPE / EOP

Message Encryption eDiscovery Center


Proofpoint is the MX Record

EOPExchange

OnlineInbound Email

Office 365 Suite

Proofpoint on Demand

ACTIVE FILTERING

MX Records: Proofpoint (clusterid.pphosted.com)


Datacenters in Europe


Proofpoint Email Security Suite

Known, Emerging Threats

Proofpoint Enterprise Protection

DETECTBLOCK

Targeted, Previously Unknown Threats

Proofpoint Targeted Attack

Protection

RESPOND



Known, Emerging Threats

Proofpoint Enterprise Protection

BLOCK


Unmatched Visibility and Control

Powerful threat classification• Phish, Malware, Spam, Adult,

Bulk, Suspect

Rich policy• Flexible options, discard, delay,

quarantine• Separate, configurable

quarantines

Real-time analysis• SmartSearch enable rapid

message tracing and tracking• + 60 reports by domain, AD

group, etc.

BLOCK



DETECT

Targeted, Previously Unknown Threats

Proofpoint Targeted Attack

Protection


The Industry Challenge


Breaches Keep Happening

ALL PHISH


Email Is the #1 Threat Vector

“There is ample evidence that email is the preferred channel to launch advanced targeted attacks.”- GARTNER, JULY 2013

“Criminals who pursue a career in phishing can reap millions of dollars a year, even if they only manage to snag just a few victims per scam.”- Brian Krebs, KrebsOnSecurity and investigator who revealed Target breach

“Median time-to-click [is] 1 minute and 22 seconds across all campaigns.”- Verizon 2015 Data Breach Investigations Report

“A BUSINESS’ REPUTATION CAN BE AFFECTED IMMENSELY BY A PHISHING ATTACK ... IRRELEVANT OF A COMPANY’S SIZE, IT CAN TAKE A LONG TIME FOR PEOPLE TO REGAIN CONFIDENCE IN A BUSINESS”- Rachel Ark, Hacksurfer


We Think “Malware”Attackers Think “Monetization”

Every PC is valuable to cybercriminals

Source: Brian Krebs, “Value of a Hacked PC,” krebsonsecurity.com


Email-Borne Threats: Exploit Techniques

URL-Based

Drive-by Downloads: Compromised sites, exploit kits, malware

Credential-seeking: false sites, Google Doc forms, phone number scams

.URLs pointing to zips

Attachment-Based

.exes inside archives (.zips, rar etc.)

Weaponized Documents (PDF, Office)


TAP UD vs TAP AD


The human factor


The human factor - Where Do Users Click?On and off the network

1-in-5 clicks occur off the corporate network


The human factor


Example #1 Credentials seeking

How it worksTo target defense company Academi, the attacker registered two typosquatted domain names:• tolonevvs[dot]com (real news domain: tolonews.com (news site about

Afghanistan))• academl[dot]com (real company domain: academi.com)

When the target opens the email through the preview pane of Microsoft Outlook Web Access and clicks on the typosquatted domain, a new tab will be opened which loads the original news site.


Credentials seeking Fake Outlook Web Access login pages



The typosquatted domain tolonevvs.com actually contained a mildly obfuscated JavaScript code:

This JavaScript is not malicious because it simply sets the windows open property to point to a URL:window.opener.location = “hxxps://mail[dot] academl[dot]com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.academi.com%2fowa%2f&tids=lkdmfvlkd”




threat protection | compliance | archiving & governance | secure communication

How it works ?


The Cybercrime Attack Chain


Proofpoint Targeted Attack ProtectionURL Defense Service

2

http://malware

Email is received

1

All urls are rewritten and sent to the recipients

PROOFPOINTSANDBOX INFRA

https://urldefense.proofpoint.com/v1/url?u=http://onesourceprocess.com/...Proofpoint

Protection Server

DETECT



https://urldefense.proofpoint.com/v1/url?u=http://onesourceprocess.com/ab3bp5r/index.html&s=abeb44ac1/&k=CPgDZ%...Click to follow link


Proofpoint Targeted Attack ProtectionURL Defense Service

2

http://malware

In parallel, a predictive analysis is done for some

urls3

Email is received

1

When user clicks on the link, the dynamic

analysis is activated4

5

Depending on the analysis, user is redirected to the destination web

site or to a blocking page

7The Threat Dashboard provides

all the details and forensics results

« Follow-me Protection » to protect users inside and outside

their corporate networks6

All urls are rewritten and sent to the recipients


https://urldefense.proofpoint.com/v1/url?u=http://onesourceprocess.com/...Proofpoint

Protection Server

DETECT


Dridex 220 – 3/16/15

10:00 12:00 14:00 16:00 18:00 20:008:00

Threat Instances

Hash: db3e6308564335022e38de73bdf6357e9879a0cc6af05d8aac33e7cc62b6a96a

Proofpoint detection via Attachment Defense (10:26)

5 hours later1/10 Top 10 AV vendors*3/57 All AV vendors on VirusTotal

*Top 10 AV: McAfee; Symantec; Kaspersky; F-Secure; Sophos; Trend Micro; Bit Defender; Avira; Microsoft; Malware Bytes

Summary:• 112,888 Messages Seen• 95 Customers Impacted


Proofpoint Targeted Attack ProtectionAttachment Defense Service

3

Depending on the analysis result and the policy, the message is sent or quarantined

5The Threat Dashboard provides all

the details and forensics results

Proofpoint Protection

Server

If the hash is unknown, the document is sent to our DC for sandboxing analysis

Dynamic analysis is performed on the file to detect malicious threats.

4

2


The document is hashed and compare to our database

1

5:00

DETECT


Proofpoint TAP Dashboard







RESPOND


Incident Response Process Today

1INVESTIGATE

4CONTAIN

2VERIFY

3PRIORITIZE

123

Now repeatfor EVERY

security alert

RESPOND


Automatic Context, Prioritization and Containment

Correlate & Confirm

AssessPrioritize response

ContainContain & Quarantine

AUTOMATED

CONSISTENT

INSTANT


ET IntelligenceThreat Database for Enriching Context

• Access to 5 years of observed threat activity, updated in real-time

• Search on IP, Domain Name, MD5 hash, text string, and ET Pro signature ID (SID)

• Drill down, pivot• Web Portal and API

Use stand alone or integrate into SIEM/TIP

In-depth global context for Incident Response and Threat Research

RESPOND


Summary: Proofpoint Protection

Predictively Block more attacks

DETECTBLOCK

Quickly detect targeted, polymorphic and zero-day attacks

RESPOND

Full visibility into targets, methods and exposure


Audit or Proof of Concept

Deploy Proofpoint behind your current solution• Can be deployed to remain

passive within mail flow

Quickly determine your current risk exposure and effectiveness

Results within weeks


Q A&threat protection | compliance | archiving & governance | secure communication