orange banner

Announcing Improved Information Protection Capabilities for Incident Response: SIEM Integrations and Tag Management

Share with your network!

Are you spending days and weeks on insider threat and data loss investigations, struggling to piece together the “who, what and when” and determine user intent? Are you missing that user context when alerts pop up in the rest of your security ecosystem

You’re not alone: Lengthy and inefficient incident response and investigations burden many security teams. It takes 77 days, on average, to resolve insider threat incidents, according to the “2020 Ponemon Institute Cost of Insider Threats” report. That finding underscores why it’s more important than ever to reduce the time and cost of incident response. 

Now security teams get more control over the telemetry collected by Proofpoint’s platform through improved security information and event management (SIEM) integrations and tag management around alerts. A major advantage of our API-driven, modern SaaS Information Protection platform is that our customers can integrate it into their security ecosystem as easy as viewing the same telemetry within our platform.

Deeper integration with ecosystem partners

In many complex enterprise environments, security teams have the expertise to correlate our telemetry with insights from our security products, often within a SIEM, custom data lake or another log management tool. Proofpoint ITM and Endpoint DLP use this today, and soon, Proofpoint CASB and Email DLP will use it, too.

Customers have already integrated our alerts by sending notifications within their data management, business communication and incident response platforms. Using the webhook method, you can see the alert metadata within a Slack channel, your Splunk alert triage dashboard or your SOAR workflow.

And now, with the new Metadata Feed capability, we’ve extended our integration to meet use cases around high volumes of activity monitoring. Customers can replicate all user and data activity and alerts collected by Proofpoint ITM, Endpoint DLP, Proofpoint CASB and Email DLP into their own customized environment in near real time.

They can also store the security data within environments they control, such as AWS S3 buckets. Customers tell us they find this easier and more cost-effective than longer-term storage to meet forensics investigation and compliance needs.

This capability is available to customers who have purchased the Metadata Feed SKU. Talk to your account manager for more information.

Alert tagging and filtering capabilities that increase efficiency

Customers may need to manage multiple investigations simultaneously, and one or more users’ activity may be under review. And it’s painful for analysts to sort through all the alerts triggered by a given user over a specific time period. So, now we’ve made it possible for customers to provide custom metadata around an alert from Proofpoint ITM, Endpoint DLP, Proofpoint CASB and Email DLP so that they can tie multiple alerts to an incident or event under investigation.

With the tag management feature, analysts can, as an example, tag multiple alerts with an “under investigation” tag during alert triage. Later, during further investigations or threat-hunting exercises, teams can quickly recall or filter relevant alerts for the tag “under investigation” and export the alerts as PDF documents to share with other teams.

The tags also can be saved beyond a single investigation and reused. For instance, during threat-hunting exercises, analysts may want to filter for all alerts triggered by users on notice or in high-risk locations. They can do this when analysts regularly tag alerts with relevant keywords or phrases during alert triage.

The start of the year has already been a busy time with a bounty of new product features. Rest assured, we will continue to increase your teams’ operational efficiency while making your organizations more secure in this rapidly changing new world.

Learn more about the Information Protection platform’s incident response capabilities on our product page.