The purpose of this document is to provide customers of Proofpoint Threat Response Auto-Pull (TRAP) and Threat Response Cloud with the information necessary to assess how the service can support and enhance their data privacy strategy.
TRAP and Threat Response Cloud – Product Statement
TRAP is an on-premises email security solution used to respond to threats through automated and manual processes. The solution ingests threat information from multiple alert sources and integrates with the customer’s mail server (Exchange, Office 365, G Suite, or Domino) to retrieve and move messages and optionally with the customer’s identity and access management solution (Microsoft Active Directory or Okta).
Threat Response Cloud is the SaaS version of TRAP with minor differences. Threat Response Cloud is a cloud-based email security solution used to respond to threats through automated and manual processes. The solution ingests threat information from multiple alert sources and integrates with the customer’s mail server (Exchange, Office 365, G Suite) to retrieve and move messages.
The most common use cases are the following:
- Using threat detection data obtained from Proofpoint TAP, the solutions remove copies of malicious emails from user mailboxes and implement business logic to find and remove internal copies of the message that were forwarded to others in your company. Additionally, TRAP can act on indicators of confirmed interaction with the message, such as permitted clicks on malicious URLs, to reset the user’s password/lock a user account in Microsoft Active Directory/Okta, if configured to do so.
- Removal of malicious/unwanted messages from user mailboxes based on uploads of custom CSV files or search exports into the console by the customer’s security team.
- Monitoring end-user submissions to an internal abuse mailbox email address typically monitored by customer security teams. The solutions provide automation benefit by analyzing messages sent to the customer’s abuse mailbox and provides security teams with a disposition on the contents of the message; messages found to be malicious can be subsequently removed from end-user mailboxes.
Email Data Processed by TRAP and Threat Response Cloud
TRAP and Threat Response Cloud help prevent email attacks by effectively processing and analyzing the information they receive from the alert sources. This includes limited personal data.
The following is an example of a dangerous email that could be sent to your employees. Utilizing data aggregated by alert sources, TRAP and Threat Response Cloud identify the malicious content found in the email and remove it from the original recipient’s mailbox as well as any mailboxes to which it was forwarded. The text in the blue boxes is representative of the steps taken by TRAP and Threat Response Cloud using information received from any source of alerts. It is not a comprehensive review.
Customer Access to TRAP and Threat Response Cloud Data and Privacy Options
Organizational, user, and threat specific analysis results are available to the customer’s authorized users through the Threat Response Dashboard.
How Proofpoint Retains Records
TRAP is an on-premises solution deployed by the customer on their own VMWare or AWS infrastructure. Records are maintained in TRAP based on the customer’s data retention policies. Telemetry and diagnostic data can optionally be reported to Proofpoint to monitor the health of the appliance and diagnose configuration problems and is retained in an aggregated form until securely deleted.
Threat Response Cloud is a SaaS solution hosted by Proofpoint. To protect organizations from on-going threats, Proofpoint analyzes the data collected through Threat Response Cloud and applies the results to its scanning and filtering process. Data collected is retained in an aggregated form.
Proofpoint’s Use of Subprocessors
Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site here.
Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53. Security controls include the following:
- Data in transit is protected using HTTPS/TLS.
- Encryption at rest is accomplished using AES 256.
- Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
- Proofpoint has implemented policies and procedures for the identification and remediation of vulnerabilities in its products and services. Please see https://www.proofpoint.com/us/security.
- Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
- Security alerts are automatically directed to on-call staff for triage and review 24x7.
© 2023. All rights reserved. The content on this site is intended for informational purposes only.
Last updated September 20, 2023.