Osterman Research Blog

Big Data and Proofpoint’s Targeted Attack Protection
June 11, 2012, 6:32 pm
Filed under: Uncategorized

Last week, Proofpoint released its Targeted Attack Protection (TAP), a new service that takes a Big Data approach to addressing targeted attacks like spearphishing, whaling and advanced persistent threats.  Targeted attacks are very difficult to detect and remediate, largely because their creators are focused in their efforts, they send relatively few messages, and they use social intelligence to create an attack that can bypass conventional defenses.  TAP takes the following approach to detecting and remediating these types of threats:

  • First, using Big Data techniques, each message is analyzed to determine whether or not it fits the normal pattern of messages received by each recipient.  A message that is sent from a new IP address or from a new sender, for example, will be treated with a higher level of suspicion than one received from a contact that has sent a message previously.
  • Next, any links contained in a message that a user clicks are checked by TAP in real time before the user can reach the destination.  While this stage of the process may not be able to detect sites that previously hosted or may in the future host malware, the system checks to make sure that the site is not hosting malware at the time a user attempts to access it.
  • If a link on which a user clicks passes the first two stages, the URL or attachment is inspected for the presence of malware and the content is blocked, sandboxed or otherwise managed in an attempt to minimize the possibility that malware can be activated inside the network.
  • Finally, TAP provides a feedback loop in the form of its Threat Insight Service.  This service provides administrators with real-time intelligence on the types of email threats being received, whether the current threat level is higher or lower than what other Proofpoint customers are seeing, how threats are changing over time, etc.  The goal is to determine whether a targeted attack is underway so that individual users, as well as the entire organization, can be protected.
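The first two stages above can be sketched in code.  The following is an added illustration, not Proofpoint's implementation: it keeps a per-recipient baseline of senders and sending IPs, scores a message by how far it departs from that baseline, and checks a clicked URL against a time-bounded list of hostile hosts at click time.  The weights, threshold and sample addresses are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Suspicion weights and threshold are constructed for illustration, not vendor values.
NEW_SENDER_WEIGHT = 2   # recipient has never received mail from this address
NEW_IP_WEIGHT = 1       # sender may be known, but mail arrives from infrastructure not seen before
SUSPICIOUS_THRESHOLD = 2


class TapLikePipeline:
    """Hypothetical sketch of the first two stages described in the post:
    per-recipient baselining, then a click-time URL check."""

    def __init__(self):
        # recipient -> {"senders": set(), "ips": set()} learned from prior legitimate mail
        self.baseline = defaultdict(lambda: {"senders": set(), "ips": set()})
        # host -> (start, end) interval (epoch seconds) during which it served malware
        self.hostile_windows = {}

    def learn(self, recipient, sender, ip):
        """Record a delivered, non-malicious message in the recipient's baseline."""
        self.baseline[recipient]["senders"].add(sender.lower())
        self.baseline[recipient]["ips"].add(ip)

    def score(self, recipient, sender, ip):
        """Stage 1: score how far the message departs from the recipient's normal traffic."""
        seen = self.baseline[recipient]
        score = 0
        if sender.lower() not in seen["senders"]:
            score += NEW_SENDER_WEIGHT
        if ip not in seen["ips"]:
            score += NEW_IP_WEIGHT
        return score

    def is_suspicious(self, recipient, sender, ip):
        return self.score(recipient, sender, ip) >= SUSPICIOUS_THRESHOLD

    def mark_hostile(self, host, start, end):
        """Record the window during which a host was observed serving malware."""
        self.hostile_windows[host.lower()] = (start, end)

    def check_click(self, url, click_time):
        """Stage 2: decide at click time. Returns 'block' if the host is known to be
        serving malware at click_time, else 'allow'. A host that was hostile earlier
        or turns hostile later is allowed, which is the limitation the post notes."""
        host = (urlparse(url).hostname or "").lower()
        window = self.hostile_windows.get(host)
        if window and window[0] <= click_time <= window[1]:
            return "block"
        return "allow"
```

A message from a known correspondent arriving from a new IP scores below the threshold, while a never-seen sender on new infrastructure scores above it; the click check only blocks within the recorded hostile window.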

TAP should seriously be considered for a couple of reasons.  First, traditional threat detection systems – gateway-based, server-based and client-side malware scanners and the like – simply don’t provide adequate protection against targeted attacks.  They are an important and necessary layer in an organization’s security infrastructure, but they don’t do a good job at detecting malware on legitimate sites that may host threats for only a limited time, nor are they designed to provide the granular reputation analysis that is required to thwart highly targeted, real time attacks.  Second, because TAP is managed in the cloud, it can protect users working from home, in a Starbucks or when traveling – an important consideration in an increasingly BYOD- and telework-focused work environment.
