Proofpoint Security

I use Proofpoint Enterprise DLP  for outbound email data leakage control and threat monitoring purposes, as well as for app data protection in environments like M365 and Google Workspace . I have also worked on security projects where Proofpoint Enterprise DLP  is used to maintain regulatory compliance.

Proofpoint Enterprise DLP  helps us stop and control sensitive data from leakages and prevents users from uploading proprietary documents or source code. This applies to both existing employees and departing employees who might email or upload sensitive materials. In terms of regulatory compliance, we use this solution for structural detecting and automatically encrypting or blocking outbound communication.

We also perform a little bit of insider risk monitoring by identifying abnormal data movements, such as file uploads of legitimate or non-legitimate files. We use this monitoring to take appropriate actions based on the use case or scenario at that point in time.

Proofpoint Enterprise DLP 's prevention and detection of user policies is very effective. It is effective in preventing accidental data leakage through email and cloud sharing when the policies are properly tuned. The blocking and auto-tuning feature works reliably, and the encryption works reliably for structured data such as PCI, which we use in the finance industry.

However, there is a chance that insiders will use bypass attempts if poor policies are created for certain users, which can reduce effectiveness and cause some issues. From an effectiveness standpoint, it makes sense that Proofpoint Enterprise DLP helps a lot with accidental data leakage prevention and prevents a lot of data leakages. It also helps with tuning insiders from sharing unencrypted data.

Initial policy tuning takes a lot of time to tune the policies according to the connecting application. Out-of-box rules can create a lot of noise in terms of triggering emails, which require careful refinement based on the approaches and based on the output it delivers. From the pricing standpoint, I learned from my senior management team that Proofpoint Enterprise DLP is a little higher compared to other basic DLP tools.

Case management and the reporting workflow should be more streamlined for larger SOC operations where the enterprise has more assets, such as one thousand or two thousand assets. The workflows could be streamlined in a way that makes more sense for these larger deployments.

Problematic Copilot use is something we could use for analysis of email triggerings where you can summarize what data could be overshared in M365 if permissions are misused or exposure increases. There is a lot of data in our accounts that can be overshared. Copilot surfaces whether users already have access to data, and if permissions are missing, there is a chance that exposure increases. A stronger user access control mechanism is needed if you want to use this Copilot feature effectively. It should be aligned with existing policies, such as M365 policies, so you can use it for its real purpose where it makes a lot of sense. Otherwise, a lot of enforcement gaps appear where it creates new data risks.

I have been using Proofpoint Enterprise DLP for two years.

From a stability standpoint, most of the things are stable in production. I do not see any major downtimes. There is minimal downtime due to ongoing cleanup activities or upgrades. A tough point is that the endpoint agents occasionally require troubleshooting during upgrades. All of these issues depend on or are interlinked with the policy tuning and the current deployment. From a stability standpoint in production, Proofpoint Enterprise DLP is overall stable with minimal disruption and downtime.

Proofpoint Enterprise DLP is scalable and can be used in a large environment, especially for emails and cloud workloads. The cloud-native architecture that Proofpoint has definitely handles user growth without any major performance impact. Endpoint scaling requires planning, which is one thing we have to follow religiously. Proofpoint Enterprise DLP supports overall enterprise expansion without any re-architecting of the existing workflows or existing plans. However, it requires planning on how we can integrate it and how we can manage to add these things over a period of time.

I used a tool called Endpoint Protector from Netflix in the past before Proofpoint Enterprise DLP. I used that a few times, but later a migration happened and everything moved to Proofpoint Enterprise DLP.

Initial deployment is moderate in terms of difficulty. It needs a lot of training. If you have hands-on training before the migration of the product, that would make it a little easier to get familiarized with the context of what you are needing. From a general standpoint, it is moderate to complex because it is not a plug-and-play solution. You cannot use it as is, but it requires a lot of initial training. Email integration could be straightforward, but other things are policy tuning, endpoint rollout, false positive tuning, and false positive reductions, which take a lot of effort. If you know the real context of how to use the tool, what use case you are pursuing, and the data classification of what could be pushed into the tool and what could be the output, then the governance of all these could make it moderate to complex.

Compared to basic DLP tools, Proofpoint Enterprise DLP is higher in cost. I can say it has its own capabilities where we can use it to the fullest. It can be a little customized where it could be quoted at the beginning of the contract. It is a little bit higher and not very cheap compared to other DLP tools, but it also has a lot of value if you use it properly.

From a maintenance standpoint, we rely on Proofpoint Enterprise DLP where we need to have continuous policy tuning for false positive reduction, business process changes, and regular updates. It is a little moderate thing for us where integration checks will happen and we need to have dedicated ownership for this person who will be liaising between the Proofpoint team and our team. That makes sense to effectively use the tool. Otherwise, it increases a lot of gaps in terms of the tool and the governing content.

Adaptive Policy Enforcement could be used to control user-level risks or behavior patterns in terms of applying data sensitivity and static rules. By using this policy enforcement, we can reduce a large amount of false positives and focus on controls that make sense, such as strict control enforcement. I give Proofpoint Enterprise DLP a review rating of nine.

Proofpoint Enterprise DLP  depends upon an organization and what kind of organization it is. For example, if you are working for the healthcare industry, the intellectual property, confidential information, or PII includes health records numbers, personal details, account numbers, passport details, and social security numbers. When you take the service of Proofpoint Enterprise DLP , we first identify what our requirement is. If I was working for one of the banking solutions in Australia, their social security number is definitely there, as well as their passport. It depends upon the location. For the India location, we have the UID and Aadhaar identification. For Australia in the healthcare industry, they have HIPAA (Health Insurance Portability and Accountability Act), claim records, claim details, medical record numbers (MRN), and tax details numbers. All these things are required to protect.

When anyone is trying to send all this information outside, Proofpoint Enterprise DLP  provides the solution. We have created rules using Proofpoint Enterprise DLP  so that whenever any user is trying to send any emails externally, we capture the keyword from the email body. The system will scan the email, and if that keyword is identified within the DLP solution with the rules we have incorporated, it will generate an alert. The email will be moved to the DLP quarantine folder. A user will receive an automated email or response stating that they are trying to send confidential information outside of the organization, and this has been blocked due to DLP policy. An analyst will create a ticket into our solution, and then the analyst will review that incident and start investigating.

Let's say you're working for the electronics industry, and they have taken Proofpoint Enterprise DLP. For any electronics industry, they work in a situation where they want to protect the circuit design of any one of the latest or newly launched electrical or electronic devices. That electrical circuit design is a patent for them. They don't want to send this to an outside organization. The email will be scanned for the circuit design and patent information. If, for example, there is a project manager who wants to send one of the electronic circuit designs using VLSI technology and has worked for ten years in the organization and is now leaving, they want to send that patent information since they have created it, they will try to send it outside of the organization. In that case, the system will capture the alert, create an alert for that, and then the investigation starts.

Let's say there is a user who has recently resigned from the organization due to some conflict or issues. Now they want to send important intellectual property, intellectual documents, or confidential information outside of the organization. In that case, Proofpoint Enterprise DLP works in the backend, triggers an alert, and starts the investigation.

Proofpoint Enterprise DLP is a unified solution that does not work for inbound email but only works for outbound email. It can protect everything by scanning for the email and searching for specific criteria. If that criteria is matched, it can create an alert and take actions accordingly. It's easy to perform all those activities on Proofpoint Enterprise DLP.

Data loss prevention is very easy if you take the service from Proofpoint Enterprise DLP. Proofpoint Enterprise DLP works in the direction of what an organization wants to protect. It's easy to create rules and email firewall rules for outbound emails. While creating that rule, we can easily capture that and protect that. We can protect the important information from going outside the organization. It's very easy to identify all those things.

Proofpoint Enterprise DLP is already an AI-based solution that has taken features from AI from the backend for identifying, investigation, or correlations of all the solutions. The AI and machine learning work in the backend to identify these things.

One thing to highlight is that when a user is trying to send emails, rather than sending the data through email, if they insert a USB drive and start copying files within that USB drive, irrespective of the email communication, Proofpoint Enterprise DLP can also trigger an alert for that, indicating that a USB device was inserted for that specific host. That can be one of the best features for Proofpoint Enterprise DLP.

From a DLP product improvement point of view, I think if Proofpoint Enterprise DLP can provide a deep-dive investigation or user activity listed on the alert sections with details about what activity was performed by the users at the time of the alert, what checks were performed, whether any rule was created, any SharePoint  was accessed, any confidential SharePoint  was accessed, or any established connection was performed, this information would be helpful. If that information was also tagged or shown on the ticket, it would be easier to understand more details or investigation approaches and investigation concepts. If that feature can be possible from the vendor side, it will help us for the investigation and as an improvement.

I have used this solution for four to six years.

The performance stability is very good. We can see the health status every day on Proofpoint Enterprise DLP. Whenever any node is down or whenever any service CPU utilization is high, we can easily review that in the console, the PROOF console, TRAP console, or health status report. It's easy for us to identify any issues.

I had worked with Symantec and Symantec Vault for DLP solutions. That was not very good because they don't have customization features. You could only use limited tabs with minimal customization features.

It's easy for the deployment. We can easily configure that email firewall rules and information protection rules.

Creating a policy is not very difficult for us for Proofpoint Enterprise DLP. Sometimes we usually take help from Proofpoint customer or professional support services. They provide guidance on what and how we can create those policies, and that saves time in deployment and configurations. We can easily get help from Proofpoint customer support or professional support, and it would be easy to create the rule logic and the policy deployment.

For the DLP, the important thing is that the response time is very quick. The actions taken are immediate. The quarantine time and response time are efficient. When the email is getting quarantined, we can hold that in the quarantine folder for some time, such as for one month. The analyst can review, investigate, and take actions accordingly.

Proofpoint Enterprise DLP is generally a high-pricing solution, so it generally requires additional licenses for the DLP. If you are a regular customer, then you only have the email protection and email firewall, not for the information protection solution. You need to specify and provide the license, and then accordingly you should go ahead with the DLP activities.

Other solutions include CrowdStrike, Telstra, Akamai , Microsoft Office 365 , SIEM  tools, HP ArcSight, and Azure .

Proofpoint Enterprise DLP works in the synchronization of Proofpoint Production on Demand and Proofpoint IMD, which is the Internal Mail Defense solution. When any user account gets compromised or an attacker gains access to an internal user account, they will pretend to be an insider threat and start moving confidential information outside of the organization. In that case, Proofpoint Enterprise DLP plays a very important role in easily identifying all these activities from the backend, using machine learning and advanced analytics. UEBA , which is User and Entity Behavior Analytics , performs checks on the user's day-to-day activity on the backend side. It examines what is the daily routine timing, what the user is trying to do every day, and how it is different from some specific day. Based on all those things, it correlates, it identifies, and based on machine learning, it becomes very easy for the DLP solution to take decisions. It's a very good solution in terms of preventing or protecting from DLP incidents.

I think organizations should go ahead with Proofpoint Enterprise DLP. Every day they are coming with more advanced features, more scalability, and more upgraded versions. I would rate this solution as an eight out of ten.

Proofpoint Enterprise Data Loss Prevention (DLP)  is currently being used in parts. The email protection plan is used, though uncertainty exists about whether an added-on plan for the DLP specifically is included.

When first joined, Proofpoint was in the early phases of deployment and was told it was pretty straightforward, especially with the services they provide, such as white glove service. They respond quickly to questions.

The product does a pretty good job filtering out promotional emails and unwanted emails. It effectively filters specific vendors sending out mass mails, not just spam. For important emails, it catches scripts in emails and does a double check on those. Many things noticed over time have been positive, especially the impact on the SOC team, who state that it saves a lot of time and catches phishing attempts early, specifically very custom phishing.

Proofpoint Enterprise Data Loss Prevention (DLP) should probably add something more into their case management process. There are certain things that Proofpoint lacks regarding case management. When incidents come in, it classifies a specific subcategory of what that incident is and creates a ticket for the SOC team. If they could provide more details on the type of incident filing in case management, that would be helpful. This is a hard ask because it requires some form of backend automation workflow. Many tools are starting to adopt their own automation workflows, which is pretty cool.

Occasional mishaps arise related to users' devices affected by Proofpoint or when Proofpoint isn't logging specific device actions. The insider risk tool has been utilized effectively, which monitors employee actions every ten seconds, but there have been mishaps. Additionally, there are moments when specific servers require updates due to mismatched deployment updates, though this is not considered difficult because endpoint engineering counterparts assist, especially during Proofpoint calls.

I have utilized Proofpoint Enterprise Data Loss Prevention (DLP)  for approximately five years.

There was one instance of instability related to a phishing alarm connected to Outlook. It was not major and nothing caused significant downtime within the systems or applications.

Proofpoint Enterprise Data Loss Prevention (DLP) is pretty scalable. The full scalability phase has not been reached yet, as efforts are being made to formalize processes due to frequent M&As. The aim is to have new companies adhere to the same tools. So far, no issues have been encountered, particularly with the smaller companies acquired.

Technical support was contacted via a ticket and they were pretty responsive. Whenever issues arose, the team reached out and a specific TAM stayed on top of it. Initially, tickets were submitted and emails were sent, and the TAM would respond quickly, involving the right people for the tasks.

The quality of their answers is good. Issues have not really been experienced with this specific vendor regarding their responses. They are technical and provide options that help narrow down solutions.

For the deployment of Proofpoint Enterprise Data Loss Prevention (DLP), currently about three people are dedicated to the process or to maintenance and weekly TAM calls. The best estimate that can be given is two or three people. One individual has been observed managing one aspect of Proofpoint products on their own, and it seemed feasible to finish within a month.

The pricing for Proofpoint Enterprise Data Loss Prevention (DLP) is still good. When renewal occurred with Proofpoint, there were no issues with the stated price. The company works with GuidePoint Security as a VAR, which does a good job. So far, there has been no feeling of it being too expensive, which would lead to switching to another solution. Proofpoint adds value and proves its ROI based on the services they provide. Although Abnormal Security  has been pushing, the package that Proofpoint provides is better in the long run, especially since results have been seen in prevention and responses to exercises concerning external files being sent out during various departures.

Attempts have been made to use the Netskope  DLP policy, but it is bundled with whatever they offer, especially with the POP locations. Some people in the company have also looked into other solutions apart from Proofpoint, such as Abnormal Security. This is the current discussion given the many moving pieces.

The overall review rating for this product is 8 out of 10.