Proofpoint Email Protection Presentation
Uploaded by simolotfy.med (Scribd, 54 pages)

Advanced Email Protection


Overview
Defenders don't focus on people, attackers do

Security spending by vector (Source: Gartner Information Security, Worldwide 2016–2022, 1Q 2018 update, 2018 forecast):
• Network: 61%
• Endpoint: 19%
• Web: 12%
• Email: 8%

Attack vectors (Source: 2018 Verizon DBIR):
• 93% of all breaches are attacks targeting people
• 96% of those attacks arrive via email
Who represents risk to your organization?

People risk combines the probability of being attacked (ATTACK), the likelihood of falling for it (VULNERABILITY) and the impact if it succeeds (PRIVILEGE).

• ATTACK: who gets targeted by serious threats? Users who receive highly targeted, very sophisticated, or high volumes of attacks.
• VULNERABILITY: who is likely to fall for threats? Users who click on malicious content, fail awareness training, or use risky devices or cloud services.
• PRIVILEGE: who has access to valuable data? Users who can access critical systems or sensitive data, or who can be a vector for lateral movement.

© 2021 Proofpoint. All rights reserved. | Proofpoint, Inc. – Confidential and Proprietary
Email Protection

Proofpoint Advanced Threat Protection

• Prevent: Email Protection (SaaS, VM (ESXi), HW) blocks the vast majority of email threats, both known and unknown, including imposter and phishing emails.
• Detect: Targeted Attack Protection (TAP) (SaaS) detects email with suspicious URLs and attachments, and provides forensic details and visibility into attacks.
• Respond: Threat Response Auto-Pull (TRAP) (SaaS, VM (ESXi, AWS)) automatically removes delivered malicious emails from mailboxes and places them into quarantine.
Unique visibility drives efficacy, powers ML/AI models

• #1 deployed solution of the F100, F1000, G2000
• 8,000+ enterprise customers; 156,000+ SMB customers; 120+ of the world's largest ISPs
• Email and cloud telemetry: 2.2B+ daily emails, 35M+ cloud accounts, 2.5K+ cloud tenants, 46k+ apps in catalog, 35B+ URLs, 200M+ attachments, 112k+ social media accounts
• Research: global threat research and data science teams; 12 detection engines (static, ML, behavior, etc.); tracking 100+ threat actors; 500K+ daily unique malware samples
• Network telemetry: 6.3K+ IDS sensors deployed at key internet backbones; 400M+ domains monitored
• 1 trillion+ node Nexus Threat Graph
• Nexus AI, Proofpoint's 3rd generation machine learning: impostor/BEC detection, malicious URL/HTML/file detection, computer vision phish detection, AI-generated threat detectors, Cloud Nexus, AI for compliance
Proofpoint Detection Ensemble
(new capabilities added in 2018, 2019 and 2020–21)

• Visibility: full in-line telemetry, potential threats, full API telemetry
• Multipurpose engines: composite reputation, supervised machine learning models (CLX + MLX), Threat Graph intelligence, classifiers
• Attachment and URL Defense: static analysis, memory analysis, multi-platform sandboxes, network detection, credential phish sandbox, targeted threat detection engines
• BEC Defense (Supernova): ML user activity models; ML models for files, URLs and HTML; supplier risk; content NLP
• Cloud Threat Defense: malicious third-party apps (3PAs), compromised accounts
• Threat intel extraction: campaign analysis, threat researcher manual analysis
• Action: allow / deliver the good; block / remediate the bad
Supernova: New Threat Detection Platform
Powering Advanced BEC Defense

Data sources:
• Unfiltered email gateway telemetry
• Graph API telemetry
• User activity profiling
• Supplier risk analytics
• Content authoring velocity analysis

Platform capabilities:
• Multiple supervised ML models
• Multiple unsupervised ML models
• Expressive rulesets with forensics
• Stateful/behavioral analytics
• Threat classification/labeling

Key outcomes:
• Detect BEC with unparalleled efficacy
• Deeply understand BEC threats
• Simplify and automate BEC workflows
Advanced BEC Defense powered by Supernova
Combining world class threat intelligence with over 20 years of ML experience

• Sender/recipient relationship (whether the two parties have corresponded before)
• In-depth header analysis: forensics on the headers, e.g. an inconsistent Reply-To pivot, X-Originating-IP, etc.
• Sender reputation
• Deep content analysis: message body words and phrases, e.g. payment, invoice
• Built on data: 5B+ daily emails seen, powering a 1-trillion node Nexus Threat Graph
• Result: dynamically detect Business Email Compromise (BEC)
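The signals listed on this slide can be checked with ordinary header and body parsing. The following is an added example written for this page, not Proofpoint code: it scores a raw message on a Reply-To pivot, an X-Originating-IP that does not match the claimed internal sender, an executive display name on a foreign mailbox, a lookalike of the tenant's own domain, a missing sender/recipient relationship and payment language. The tenant domain `bankco.example`, the executive list, the egress range, the relationship table, the weights and the three messages are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# --- constructed organisational context (hypothetical) ---
OUR_DOMAIN = "bankco.example"
EXECUTIVES = {"jack barker": "jack.barker@bankco.example"}   # display name -> real mailbox
OUR_EGRESS = ipaddress.ip_network("203.0.113.0/24")           # where our own mail originates
KNOWN_SENDERS = {                                             # stand-in for a relationship graph
    "laurie.bream@bankco.example": {"supplier-ap@acme-widgets.example"},
}
MONEY_TERMS = re.compile(r"\b(wire|invoice|payment|bank details|gift ?cards?|urgent)\b", re.I)
WEIGHTS = {                                                   # assumed weights, not Proofpoint's
    "reply-to-pivot": 2, "originating-ip-mismatch": 2, "originating-ip-malformed": 1,
    "display-name-impersonation": 3, "lookalike-domain": 3,
    "no-prior-relationship": 1, "financial-language": 1,
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str) -> bool:
    """Not the real domain, but within one edit of it or equal after 0/o, 1/l, rn/m swaps."""
    if domain == target:
        return False
    normalised = domain.replace("0", "o").replace("1", "l").replace("rn", "m")
    return normalised == target or edit_distance(domain, target) <= 1


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def bec_signals(raw: str) -> dict:
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_dom = domain_of(from_addr)
    signals = []
    # Reply-To pivot: replies would leave the visible sender's domain.
    if reply_to and domain_of(reply_to) != from_dom:
        signals.append("reply-to-pivot")
    # A message claiming to be from us should originate inside our egress range.
    xoip = msg.get("X-Originating-IP", "").strip("[] ")
    if from_dom == OUR_DOMAIN and xoip:
        try:
            if ipaddress.ip_address(xoip) not in OUR_EGRESS:
                signals.append("originating-ip-mismatch")
        except ValueError:
            signals.append("originating-ip-malformed")
    # Executive display name on a mailbox that is not the executive's.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        signals.append("display-name-impersonation")
    if is_lookalike(from_dom, OUR_DOMAIN):
        signals.append("lookalike-domain")
    # External sender with no history of writing to this recipient.
    if from_dom != OUR_DOMAIN and from_addr.lower() not in KNOWN_SENDERS.get(to_addr.lower(), set()):
        signals.append("no-prior-relationship")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if MONEY_TERMS.search(body):
        signals.append("financial-language")
    score = sum(WEIGHTS[s] for s in signals)
    verdict = "block" if score >= 4 else "warn-tag" if score >= 2 else "deliver"
    return {"from": from_addr, "signals": signals, "score": score, "verdict": verdict}


# Constructed messages: no real people, domains or addresses.
IMPOSTOR = """From: "Jack Barker" <jack.barker@bankc0.example>
Reply-To: jbarker.ceo@webmail.example
To: laurie.bream@bankco.example
Subject: Quick task
X-Originating-IP: [198.51.100.7]

Laurie, I need an urgent wire sent today. Reply and I will send the bank details."""

SUPPLIER = """From: "ACME AP" <supplier-ap@acme-widgets.example>
To: laurie.bream@bankco.example
Subject: March invoice

Attached is invoice 4471 for March."""

INTERNAL_SPOOF = """From: "Jack Barker" <jack.barker@bankco.example>
To: laurie.bream@bankco.example
Subject: Favour
X-Originating-IP: [198.51.100.7]

Please buy the gift cards and send me the codes."""

if __name__ == "__main__":
    for m in (IMPOSTOR, SUPPLIER, INTERNAL_SPOOF):
        print(bec_signals(m))
```

The middle verdict, "warn-tag", is the case the Email Warning Tag feature later in the deck covers: enough anomaly to annotate the message for the user, not enough to block outright.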
Proofpoint Supernova vs. Microsoft Spoof Intelligence

Proofpoint Supernova:
• Relationship graph
• Sender behavioral insights
• In-depth header analysis
• Sender reputation
• Deep content analysis / NLP
• Built on data & threat intel
Stops more BEC threats by combining anomaly detection & threat intelligence: invoice & payroll fraud, supplier compromise, internal account compromise.

Microsoft Spoof Intelligence:
• Basic header analysis
Basic detection lets more advanced and costly BEC campaigns through: invoice & payroll fraud, supplier compromise, internal account compromise.
Smart Search
Swiftly trace where emails come from and go to

• Speedy search results, in seconds
• Summary stats and granular details of investigative searches: metadata with 100+ attributes
• Rich search criteria
• "Unlimited" search result export
Granular Policy Control
Flexibility to create any security and mail routing policies

▪ Security policies and mail routing rules can be written granularly based on customer needs
▪ Enforce unique policies at the global, group, and user level
▪ Easily scale for large enterprise
▪ Greater flexibility with more deployment options, including on-prem, VM, and SaaS
End-User Quarantine

• Give end users the ability to manage low priority email
• Allow end users to review quarantined messages and take actions accordingly
• Free up email admins' time
• Crowd-sourced feedback improves accuracy of bulk detection and classification

Flow: email content is analyzed (subject, sender, IP address, content, URL/attachment), relegated and put in quarantine; with individual control, bulk mail the user wants is promoted and delivered to the inbox.
Unified Outlook Add-ins
Enhance both admin and end user experience

• Save time and effort for admins to deploy, manage, and update the products
• Provide end users with an integrated Outlook experience
  o Group actions into a menu
  o Launch the end user web interface within Outlook
  o Manage encrypted messages (Secure Message Center)
• Support mobile engagement
Email Warning Tag

• Reduce risk of potential compromise by enabling end users to make more informed decisions
• Allow users to take action directly from the warning tag
• Customize tags with additional text
• Protect against common BEC and EAC attack tactics
  o Email spoofing
  o Lookalike domains
  o Credential phishing
• Provide a short description of the risk
What this Means for Our Customers

Improved protection for email fraud
• Dynamic protection from impostor and phishing email threats
• Machine learning models that change over time

Flexibility with granular control
• Easily scale for large enterprise
• Enforce unique policies at the global, group, user level

Better end user experience
• Manage all emails, including encrypted messages, within Outlook
• Improved detection of spam

Email Protection: Continued Leadership and Innovation
• Best in class effectiveness: visibility to global threat campaigns at F1000 companies
• Rich, actionable intelligence: advanced machine learning with content, context and behavior analysis
• User experience and flexibility: granular filtering, custom configuration and control
• Rich reporting, visualization and ecosystem integration
Targeted Attack Protection
Industry's most effective detection, built on the Proofpoint Nexus Platform

Detection (potential threats → all threats):
• Composite reputation
• Multi-platform sandboxes: code analysis, bare metal, network detection
• Malware: multi-platform malware sandboxes, execution
• Non-malware: SaaS classifiers (phishing, BEC), credential phish sandbox

Intel extraction:
• IOC curation + correlation by the TAP intel team, TAP ops and threat ops

Analysis and correlation:
• Actor/campaign analysis
• Alerts from campaign correlation
• Analyst-assisted research
• Customer-initiated research (PTIS)
TAP Attachment Defense architecture

1. The Proofpoint Protection Server (PPS) Attachment Defense Module computes the file hash of each attachment (password-protected zip files included) and checks it against reputation: the Threat Graph and integrated threat intelligence. The result is Clean, Threat, or Unknown.
2. If Unknown, the file goes to the sandbox (malware, behavior, code and protocol analysis) and the email is held until a verdict is received. The output, or the outcome on timeout, is either Clean or Threat.
3. Verdict data is fed to the TAP dashboard.
Layered Detection for the Modern Threat Landscape

Proofpoint Attachment Defense:
• Reputation analysis
• Password file analysis
• Download / redirect following
• Macro & script detection
• Evasion prevention detection
• Network & protocol analytics
• Ecosystem partnerships
• ML feedback loop
• Automated expert systems
• URL extraction

Microsoft Safe Attachments:
• Reputation analysis
• Password file analysis
• Download / redirect following
• Macro & script detection

Protection against sophisticated attacks requires a layered & sophisticated detection stack. Targeted threats evade detection using both simple & advanced tactics.
TAP URL Defense Architecture

At delivery (Proofpoint Protection Server, URL Defense Module):
• Check reputation against the URI blacklist, the Threat Graph and integrated threat intelligence; quarantine known threats
• Rewrite the remaining URLs through the redirector (urldefense.proofpoint.com)
• Predictive Defense: URLs that are unknown at delivery are sent to the sandbox (malware, behavior, code, protocol) before anyone clicks

At click (redirector):
• Re-check reputation: Unknown/Clean → 302 redirect to the destination; Threat → blocked
• If still unknown, sandbox the URL (malware, behavior, code, protocol)
• Click and verdict data feed the TAP dashboard
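The rewrite-at-delivery / check-at-click pattern above, as an added example for this page rather than Proofpoint's implementation. Links in the body are replaced by redirector links carrying the original URL and an HMAC; on click the redirector verifies the tag, re-checks reputation (which may have changed since delivery), sandboxes what is still unknown, 302-redirects clean destinations and serves a block page for threats. The redirector host `urldefense.example`, the token format, the signing key, the reputation data and the simulated sandbox are assumptions.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

REDIRECTOR = "https://urldefense.example/v1/"   # hypothetical stand-in for urldefense.proofpoint.com
SIGNING_KEY = b"constructed-demo-key"           # constructed; a real deployment keeps this secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _tag(payload: str, recipient: str) -> str:
    """HMAC over payload and recipient so the redirector only honours links it issued."""
    return hmac.new(SIGNING_KEY, f"{payload}|{recipient}".encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_url(url: str, recipient: str) -> str:
    payload = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{REDIRECTOR}?u={payload}&r={quote(recipient)}&t={_tag(payload, recipient)}"


def reputation_of(url: str, reputation: dict) -> str:
    """Exact-URL verdict first, then host verdict, else unknown."""
    host = urlsplit(url).hostname or ""
    return reputation.get(url) or reputation.get(host) or "unknown"


def scan_at_delivery(body: str, recipient: str, reputation: dict):
    """Quarantine if any URL is already known bad; otherwise rewrite every URL."""
    urls = URL_RE.findall(body)
    if any(reputation_of(u, reputation) == "threat" for u in urls):
        return "quarantine", body
    return "deliver", URL_RE.sub(lambda m: rewrite_url(m.group(0), recipient), body)


def simulated_sandbox(url: str) -> str:
    """Constructed stand-in for URL detonation."""
    host = urlsplit(url).hostname or ""
    return "threat" if host.startswith("login-") else "clean"


def handle_click(rewritten: str, reputation: dict, sandbox=simulated_sandbox) -> dict:
    q = {k: v[0] for k, v in parse_qs(urlsplit(rewritten).query).items()}
    payload, recipient, tag = q.get("u", ""), q.get("r", ""), q.get("t", "")
    if not hmac.compare_digest(_tag(payload, recipient), tag):
        return {"status": 400, "reason": "bad-signature"}        # not a link we issued
    original = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)).decode()
    verdict = reputation_of(original, reputation)
    if verdict == "unknown":
        verdict = sandbox(original)
        reputation[original] = verdict                           # feed the click-time verdict back
    if verdict == "threat":
        return {"status": 200, "page": "block", "original": original, "recipient": recipient}
    return {"status": 302, "location": original, "recipient": recipient}


if __name__ == "__main__":
    graph = {}                                                   # constructed threat graph
    action, out = scan_at_delivery("Reset: https://login-bankco.example/reset?id=7", "u@bankco.example", graph)
    link = URL_RE.findall(out)[0]
    print(action, handle_click(link, graph))                     # unknown at delivery, blocked at click
```

The recipient is bound into the tag so that a rewritten link forwarded to someone else still attributes the click to the original target, which is what makes the per-user click data on the TAP dashboard meaningful.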
Layered Detection for the Modern Threat Landscape

Proofpoint URL Defense:
• Reputation analysis
• Predictive sandbox engine
• Static analysis
• Dynamic analysis
• ML feedback loop
• Automated expert systems
• Browser isolation

Microsoft Safe Links:
• Reputation analysis
• Static file analysis
• Dynamic file analysis

Protection against sophisticated attacks requires a layered & sophisticated detection stack. Targeted threats evade detection using both simple & advanced tactics.
The Attacker's POV

Public profiles make targeting easy:
• Jack Barker, Executive at Bank Co, 500+ connections
• Laurie Bream (2nd), Financial Advisor at Bank Co, 500+ connections
• Richard Hendricks (3rd), Senior System Administrator

Top 20 Very Attacked People at a financial institution (ranked by Attack Index):
• Executives
• Branch managers
• VP of IT
• Mortgage processing
• Administrative assistant
Proofpoint Attack Index

• 0–1000 score per threat sent
• Weighted composite score of threat severity, actor sophistication, attack targeting, type of attack and volume of attacks
• Understand the risk your users face and prioritize the most effective compensating controls
• Receive reporting & metrics on the threats your users face
People-Centric Visibility Drives Better Protection

VAP scores, example: Laurie Bream, Financial Advisor at Bank Co, 500+ connections
• VULNERABILITY: MEDIUM. Phish simulation test: no action. Risky device / network use: yes. MFA: inconsistent.
• ATTACK: HIGH. Max threat: 850 (top 10%). 30 day total: 9,143 (top 5%).
• PRIVILEGE: HIGH. VIP: yes. Sensitive data: yes (CASB DLP). AD score: High.

Adaptive controls:
• Access control: CASB steps up authentication
• Threat control: Email Protection turns on classifiers
• Training control: data protection training
Office 365 credential: your cloud identity

People-centric security:
• Attacker's perspective
• Attacker's methods
• VIP designation
• VAP (Very Attacked Person)

Compromised credential detection:
• Threat detection
• Enterprise behavioral analysis
• Campaign threat correlation
• Post-login analysis
• Multi-cloud/multi-channel DLP
• Integrated into TAP (targeted protection)
Targeted Attack Protection:
Pulling Ahead With an Industry Leading Solution

• Powerful advanced threat protection: discern broad campaigns and targeted attacks
• Swift response: identify targeted, impacted and at-risk users
• Protection against new vectors: inspect all attachments and URLs at delivery and at click
• Superior threat insights and visibility: detailed forensics insights and reporting
Solving your phishing and remediation problems
Typical results: a month of analyzing O365 email at a large global consulting firm customer

Inbound email: 196M emails
• Proofpoint Protection Gateway, reputation: 100M emails blocked (IP reputation check, signatures)
• Proofpoint Protection Gateway, content: 6.4M emails blocked (TAP feeds; static/dynamic/protocol detection ensemble; classifiers: phish, virus, spam, impostor, bulk, etc.)
• Targeted Attack Protection, attachment: 14K threats blocked (attachment detonation; static and behavioral detection)
• Targeted Attack Protection, URL: 70K threats blocked (URL detonation; detection of phishing kits; ML detection of phishing pages using HTML and URL)
• Organization mail store: 89.5M emails delivered, of which 1,985 attachments and 35,980 URLs were detected post-delivery and 1,866 clicks were blocked

Threat Response Auto-Pull: automatically quarantine and remediate malicious messages (known and targeted threats) from end users' inboxes; 80% fewer incidents for the SOC
Agility to keep up with the threat landscape
Feature releases, product integrations and ecosystem integrations, 2012–2021

Proofpoint: major innovations
• 2012: URL Defense and Visibility (Q2)
• 2014: Attachment Defense (Q1); SOAR (Q2)
• 2015: Emerging Threats (Q1)
• 2016: Palo Alto Networks partnership (Q1); Inbound DMARC (Q1); Impostor Classifier (Q2); CyberArk partnership (Q2); DMARC and Email Authentication (Q3); CASB (Q4)
• 2017: Domain Discover (Q3); Browser Isolation (Q4)
• 2018: Security Awareness (Q1); CLEAR (Q3); Okta partnership (Q3); VAP Visibility (Q4)
• 2019: CrowdStrike partnership (Q3)
• 2020: Email Warning Tags (Q2); Verified DMARC (Q2); SailPoint partnership (Q3); VMware Carbon Black partnership (Q4); Supplier Risk Explorer (Q4); Isolation for VAPs (Q4)
• 2021: Nexus People Risk Explorer (Q1); Threat Guided Training (Q2); Advanced BEC Defense (Q2)

Microsoft: major innovations
• 2015: Azure RM (Secure Islands) (Q4)
• 2016: Office 365 ATP SafeLinks and SafeAttachments (Q2); CAS (Adallom) (Q4)
• 2018: Spoof Intelligence (Q1); ATP Security Center (Q2); Azure ATP (Aorato) (Q4)
• 2019: AIR (Hexadite) (Q3)
• 2020: Inbound DMARC (Q2); Attack Simulator (Terranova) (Q4)
• 2021: M365 Defender Portal (Q2)

Microsoft's innovation delay (months after the Proofpoint release):
• URL Defense: 48 months
• Attachment Defense: 27 months
• Threat Dashboard: 96 months
• Impostor Protection: 24 months
• SOAR: 63 months
• Inbound DMARC: 51 months
• Attack Simulator: 34 months
Email Security Feature Comparison
(√ = feature present)

Feature / tool / product                                             Microsoft   Proofpoint
Email Hygiene
  Connection Filter                                                      √           √
  Inbound Email Authentication                                           √           √
  Basic Email Hygiene (AV/AS)                                            √           √
  Basic Email Fraud Protection (domain spoof, display name)              √           √
  Advanced BEC Protection                                                            √
  Contextual Email Warning Tags                                                      √
  User-Report Message Automation                                         √           √
Advanced Threats
  Attachment Reputation                                                  √           √
  Attachment Sandboxing                                                  √           √
  URL Rewrite                                                            √           √
  Comprehensive URL Sandboxing                                                       √
  Manual Message Remediation                                             √           √
  Automatic Message Remediation (URLs & Attachment)                      √           √
  Browser Isolation for Very Attacked People                                         √
Visibility & Reporting
  Comprehensive Campaigns & Threat Insights                                          √
  Delivered Threat Alerting                                              √           √
  Forensics / IOCs (URLs & Attachments)                                              √
  Campaign Correlation & Threat Actor Analytics, Reports, and Trending               √
  Very Attacked People Reporting                                                     √
  SaaS App Visibility                                                    √           √
  People Risk Explorer                                                               √
  Adaptive Controls to combat Targeting Trends                                       √

Proofpoint's unique security: Advanced BEC Protection, VAP Browser Isolation, Threat & Campaign Correlation, Forensics / IOC Details, Threat Attacker Analytics, Very Attacked People Insight, People Risk Explorer, Adaptive Controls


Adaptive Email Security Controls with Isolation
Isolation integration with TAP: balancing security with end user experience

Gateway (Protection + TAP) → Inbox → Click (TAP + TRAP) → TAP Isolation
TAP URL Defense + Isolation = TAP URL Isolation

Flow:
1. The Proofpoint Protection Server (PPS) checks reputation and quarantines known threats; the URL Defense Module rewrites URLs and the message is sent to the user.
2. When a rewritten URL is clicked, the redirector checks the isolation policy and decides whether to isolate (risky URL or VAP).
3. The click is redirected to the actual destination without isolation, to a branded block page, or into the isolation environment, where real-time malware & phish detection runs on the page the user sees.
4. Click outcomes are reported to the TAP dashboard.

Adaptive security controls, corporate email:
• All users: URL Defense (click-time) + risky URLs isolation policy, so risky URLs open in the isolation environment
• VAPs: URL Defense (click-time) + all URLs isolation policy, so every URL opens in the isolation environment
Threat Response
The Need for an Incident Response Solution is Growing

• Evolution of threats: ever-changing threat landscape; volume of threats is increasing
• Alert triage quality and speed: alert fatigue; duplicated work; manual processes; alert prioritization
• Centralized view: mean-time-to-respond is too high; slow research process
• Reducing time to respond, contain and remediate: manual processes

Source: Gartner Market Guide for Security Orchestration, Automation, and Response Solutions
Top Incident Response Use Cases

• Phishing emails, time-delayed attacks and reported email messages
• Abuse mailbox monitoring
• Alert enrichment: who, what, where of the attack
• Manual sandbox submission
• Premium threat intelligence
• Quarantine
• Updates to firewalls, IPS/IDS, web gateway
• Custom responses
• Enforcement controls
Out-of-the-box Security Orchestration, Automation and Response

1. Alert source: alerts from various sources arrive as JSON events
2. Threat Response: automated alert enrichment with threat intelligence
3. Quarantine messages
4. Isolate user accounts
5. Query endpoint
6. Examine & isolate host
7. Block/alert on connections (firewall, URL filter)
8. Custom scripted responses
Extend and Customize Your Threat Response

• Custom lists and LDAP attributes for incident workflow & reporting
• JSON alert source
• Custom script (PowerShell, VBS) for the IOC collector
• Custom team & escalation workflow to allow IR teams to collaborate without changing processes
• REST APIs for accessing incidents and lists
• Custom Python scripting
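What such custom Python scripting looks like end to end, as an added example for this page (not Proofpoint's product code): a triage playbook over a JSON alert feed that de-duplicates alerts describing the same threat to the same user, enriches them with threat intelligence and LDAP-style directory attributes, prioritises on severity, VAP status and whether the user actually clicked, and maps each incident to the quarantine / isolate / query / block steps of the SOAR slide. The alert schema, the directory, the intel entries, the weighting and the escalation threshold are all constructed assumptions.

```python
import json

# Constructed alert feed: two sources reported the same delivered phish to the same
# user, then a permitted click on it; separately a malware attachment reached ops.
ALERTS_JSON = json.dumps([
    {"id": "a1", "source": "gateway", "event": "message_delivered", "recipient": "laurie.bream@bankco.example",
     "threat": "https://login-bankco.example/reset", "classification": "phish", "severity": 70},
    {"id": "a2", "source": "siem", "event": "message_delivered", "recipient": "laurie.bream@bankco.example",
     "threat": "https://login-bankco.example/reset", "classification": "phish", "severity": 70},
    {"id": "a3", "source": "gateway", "event": "click_permitted", "recipient": "laurie.bream@bankco.example",
     "threat": "https://login-bankco.example/reset", "classification": "phish", "severity": 70},
    {"id": "a4", "source": "gateway", "event": "message_delivered", "recipient": "ops@bankco.example",
     "threat": "sha256:constructed-attachment-hash", "classification": "malware", "severity": 85},
])
DIRECTORY = {   # LDAP-style attributes, constructed
    "laurie.bream@bankco.example": {"department": "Wealth", "vap": True},
    "ops@bankco.example": {"department": "IT", "vap": False},
}
INTEL = {       # threat intelligence, constructed
    "https://login-bankco.example/reset": {"campaign": "camp-17", "actor": "TA-constructed"},
}


def triage(alerts_json: str, directory: dict, intel: dict) -> list:
    incidents = {}
    for a in json.loads(alerts_json):
        key = (a["threat"], a["recipient"])          # same IOC to same user = one incident, not three
        inc = incidents.setdefault(key, {
            "threat": a["threat"], "recipient": a["recipient"], "classification": a["classification"],
            "alerts": [], "clicked": False, "severity": 0,
        })
        inc["alerts"].append(a["id"])
        inc["clicked"] = inc["clicked"] or a["event"] == "click_permitted"
        inc["severity"] = max(inc["severity"], a["severity"])

    out = []
    for inc in incidents.values():
        user = directory.get(inc["recipient"], {})
        ti = intel.get(inc["threat"], {})
        inc["department"] = user.get("department", "unknown")
        inc["vap"] = bool(user.get("vap"))
        inc["campaign"], inc["actor"] = ti.get("campaign"), ti.get("actor")
        # Assumed weighting: VAP status and a confirmed click each double the priority.
        inc["priority"] = inc["severity"] * (2 if inc["vap"] else 1) * (2 if inc["clicked"] else 1)

        actions = ["quarantine_message"]                                    # step 3
        if inc["clicked"] and inc["classification"] == "phish":
            actions += ["reset_password", "isolate_account"]               # step 4: credentials likely exposed
        if inc["classification"] == "malware":
            actions += ["query_endpoint", "isolate_host_if_infected"]       # steps 5 and 6
        if inc["threat"].startswith("http"):
            actions.append("block_url")                                     # step 7: firewall / URL filter
        inc["actions"] = actions
        inc["assign_to"] = "ir-tier2" if inc["priority"] >= 150 else "ir-tier1"   # assumed escalation rule
        out.append(inc)
    return sorted(out, key=lambda i: -i["priority"])


if __name__ == "__main__":
    for inc in triage(ALERTS_JSON, DIRECTORY, INTEL):
        print(inc["priority"], inc["assign_to"], inc["recipient"], inc["actions"])
```

The de-duplication key is the part that addresses the "duplicated work" and "alert fatigue" items earlier in this section: three alerts from two sources collapse into one incident whose record still lists every contributing alert id.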


Closed Loop Email Analysis and Response (CLEAR)

1. Employees report suspicious messages with PhishAlarm.
2. PhishAlarm Analyzer scores the reports with Proofpoint threat intelligence and flags potential threats.
3. The abuse box is monitored by Threat Response Auto-Pull, which surfaces malicious/phishing messages.
4. An analyst reviews them, and the emails are deleted or quarantined.
5. Employees receive feedback on what they reported.
Measure Incident Response KPIs & Risks
• Dashboards
  – Incident Summary
  – Threat Summary
• Reports – KPIs
  – Incident Timeline (trend)
  – Incidents by Assignment
  – Incident Age by Severity
  – Incidents by Team
  – Incidents – Time to Review
  – Incidents – Time to Assignment
  – Incidents – Time to Close
• Reports – Risks
  – Threat Summary
  – Impacted Users – Incident Volume
  – Top Campaigns
  – Top Malware Families
  – Incidents by LDAP Attributes (Dept., Address, Group, ...)
Threat Response Benefits

IR analyst:
• Focus time on high priority incidents
• Automate repetitive tasks
• Achieve situational awareness in minutes
• Verify endpoint infections
• Collaborate and share notes with others

SOC manager:
• Establish reliable & consistent IR workflow
• Increase analyst productivity
• Track analyst workload
• Measure performance metrics
• Eliminate alert fatigue & increase coverage

CISO/CSO:
• Respond faster to threats
• Gain visibility into trends, KPIs
• Increase efficiency for better ROI
• Leverage existing SOC investments
Customer Quotes

"Saves us hours of work for each issue we investigate" (Leading Media Company)

"Very happy, we use it every day…" (Leading Food Distribution Company)

"Automated integration of Threat Response and TAP is a big improvement for our defenses. Thank you from all of us in IT Security." (Leading Healthcare Provider in Texas)
The Results at a Typical Organization

• Confirm compromises in minutes: 60+ minutes before, 4.5 minutes after
• Contain incidents in seconds: 45 minutes before, 30 seconds after
• 75% improvement in SOC analyst efficiency

Source: Proofpoint deployments, Q2 2015.

Proofpoint Threat Response Integrations
Alert ingestion; endpoint; email quarantine; threat intelligence; enforcement; identity access management; block lists; ticketing; authentication
Analyst Accolades as the Email Security Leader

• 7th consecutive year as a leader in the email market
• 20% (2x the industry average) investment into R&D
• Q3 2021 Frost Radar: leader in email security
• Q2 2021 Forrester Wave: leader in email security
• 2021 Frost & Sullivan Global Market Leadership Award

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any company, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.