Proofpoint Threat Response Reviews

Proofpoint Threat Response was initially implemented on-premises as Proofpoint Threat Response Auto-Pull, integrated with Proofpoint Email Protection service and TAP, Proofpoint Targeted Attack Protection. The solution has since been migrated to Proofpoint Cloud Threat Response, a cloud product, and whenever any malicious emails arrive in a user's mailbox, flagged by TAP or the information security team, those emails are auto-pulled by Threat Response Auto-Pull.

A specific example of how I have used Proofpoint Threat Response in my daily work is when an email contains a URL that was initially not malicious, but Proofpoint TAP identified it as spam or malicious during sandbox analysis. The email gets delivered to the user's mailbox and triggers an alert. Since Proofpoint Threat Response is integrated with TAP as a source, those emails delivered to the user's mailbox are auto-pulled by Proofpoint Threat Response.

Regarding additional aspects of the main use case and how it fits into the daily workflow, it is not only about pulling emails from Proofpoint Threat Response using TAP. When we find many malicious emails that have been delivered and the user forwarded those emails, we conduct a message trace in Exchange Online, collect those messages and the message ID, upload it as a CSV to Proofpoint Threat Response, and create a condition, forward, and CC. Proofpoint Threat Response pulls those emails as well, which is a valuable feature because previously we had to run eDiscovery, and during that process, there was a high chance of removing legitimate emails and introducing human error. This is not happening now because Threat Response only pinpoints those emails mentioned and malicious in nature based on the CSV and its intelligence. We are using this feature extensively.

Proofpoint Threat Response offers the best features through creating a workflow that deals with different types of emails, including identifying spam. If any user identifies an email as malicious, it triggers a workflow to the information security team, who will analyze it and determine whether to inform the user that it is not malicious or trigger a flow. A flow can be created for different types, where high spam emails are auto-pulled, low spam emails are quarantined for analysis, and integration with Proofpoint TRAP and Proofpoint TAP allows auto-pull for emails declared malicious. Additionally, I can revert changes if an email initially declared as spam is later found not to be spam, restoring it to the user's mailbox without user intervention. This complete feature encompasses threat response, prediction, activations, deletions, and sometimes restorations.

I find myself using the integration with TAP and the integration with the Abuse Mailbox the most because those are utilized daily. Users often confuse whether an email is malicious or not, prompting them to use Proofpoint Abuse Mailbox via the report phishing button. As spammers grow more intelligent, Proofpoint TAP is also useful by flagging those emails. No action is required on our side because it is the collaboration between Proofpoint Threat Response and Targeted Attack Protection, making the SOC team's work easier, with reduced false positives, allowing them time for more productive tasks.

Proofpoint Threat Response has positively impacted the organization by improving security posture, providing breathing space for the SOC team with fewer false positives, and offering a tool for users to report any malicious email using the Abuse Mailbox, which the SOC team can analyze. Proofpoint intelligence can then declare emails malicious or not and pull them from the user's mailbox. The solution has impacted us positively, safeguarding against spam while giving the SOC team the capacity to analyze needs without being overwhelmed by false positives.

In previous days without Proofpoint Threat Response Auto-Pull, the SOC team spent more than two or three hours analyzing emails, checking hash values, verifying the nature of emails, and conducting eDiscovery for malicious emails. During mass spam attacks, the entire day was consumed in firefighting mode. Now, with Proofpoint Threat Response Auto-Pull, integration with TAP, Abuse Mailbox, CSV integration, and other data sources, the team can perform tasks that once required hours in just a minute.

To improve Proofpoint Threat Response, I suggest adding support for other email protection services such as Cisco IronPort, IronMail, and Abnormal, which would enhance its capabilities. This would be seen as a strong mechanism working in collaboration with other tools, giving it a competitive edge in the market.

In terms of improvements, I believe integrating with a chatbot or creating an interactive dashboard would be advantageous, allowing users to access features without needing to navigate the portal.

Proofpoint Threat Response is a stable product.

Scalability is currently limited, as it only integrates with Proofpoint Email Protection, Proofpoint TAP, and the Abuse Mailbox, although there is potential for further scalability with additional integrations.

Proofpoint customer support is top-notch, as they are very cooperative during setup and troubleshooting.

I would rate customer support a ten because they are prompt with solutions, provide advice during troubleshooting, and their documentation is excellent.

Previously, eDiscovery was used for email removal, but it was not designed for malicious emails and served merely as a workaround. The decision to switch to Proofpoint Threat Response Auto-Pull was based on the fact that it was designed for its intended purpose.

A return on investment can be stated in terms of time saved, as the SOC team previously spent days on spam analysis and deletion activities. Now, it is all taken care of by Proofpoint with zero human error, allowing hours of work to be completed in minutes.

For pricing, setup cost, and licensing, it is necessary to purchase Proofpoint professional services if assistance is desired during setup, which is quite easy. A license is purchased, and a technical account manager will guide throughout the journey.

My advice for others considering Proofpoint Threat Response is that if anyone seeks a solution for spam attacks or removal of spam emails from user mailboxes without human intervention and wants to avoid using eDiscovery due to the risk of deleting legitimate emails, Proofpoint Threat Response is an autonomous and effective tool. If you already have Proofpoint in the environment as an email gateway or protection, implementing this feature will yield significant results. I give this product an overall rating of nine.

We use Threat Response Autopull (TRAP) version. It uses Exchange connectors, including the cloud, to pull messages out of Office 365. So, that's how I use it.  We're a healthcare company.

Auto pull and auto restore are valuable features. Auto restore isn't quite what it should be, but it's a lot better than someone having to manually release mail back to everyone. 

If something's pulled and then it's later declared a false positive, it will automatically restore. They also take automatic feeds from their advanced threat detection modules. 

Anytime Advanced Threat Protection finds something that was allowed to go through, either a URL or attachment, it will send out a signal, and Threat Response will automatically pull all of that out of the mail files. The automation is the big thing for us.

Integration capabilities:

There's an API, but most of it is around how you handle incidents. We're also not using the whole Threat Response suite, just the subset. So, we've never had to or could integrate anything else. We're limited to the Exchange portion only.

The whole Threat Response should be labeled as a SOAR tool. The portion we have, I would call it "SOAR-lite." I know there are a couple of others that offer a SOAR-lite, but we're just starting to look at them.

There are areas of improvement. The on-premise version doesn't scale well for large companies. If you're a small company, it will work just fine. But with a large company, they run into all kinds of memory issues, software update issues with big databases, and so on. 

We can't seem to get every released upgrade because we can't get to one that will upgrade correctly. That's what's causing us to consider switching to Proofpoint's cloud product or other choices.

I have been using it for three years. 

I would rate the stability a six out of ten. We've had some issues, but it's all tied back to the same thing: our size and the scalability of their database.

I would rate the scalability a seven out of ten. If you're a large company and you get a lot of influx, it can be difficult to keep the database and everything clean to run within their memory modules. This is for on-premise. I don't know about the cloud yet because we're just looking at moving there. Hopefully, they don't have the same issues in the cloud.

Most stuff has to go to a higher level for someone more experienced to deal with.

Neutral

CoFense was going to be our first, but we couldn't do anything there. The operations team has since brought in XSOAR and is doing a fair amount with it, automating processes. It's working fairly well for us, but it's all custom code.

The company brought in a Proofpoint Professional Services guy who, in my opinion, didn't know what he was doing. He told us things that were later deemed wrong. We complained about it. 

There were two people involved in the deployment. I was there part-time, keeping things moving. We're a fairly large company, so we were looking at 200,000 people at the time. Now we've grown to about 280,000.

We've had to write some maintenance scripts, but Proofpoint does the bulk of it. We don't use the product exactly as intended. Their idea is that you'll manage all your alerts through their incident front end, but we use our own system (Splunk) and another tool for automation. 

This also means we can get most things to auto-close, but not everything. So, we have to run some special purge routines occasionally to keep the database clean.

We had an operational impact. We probably saved the salaries of two to three mid-level people who would have had to be hired for our security operation team.

I have a vague idea because I don't know what others are charging. But we felt that putting up with the pains and having to spend more time keeping it running than we expected is still better than trying to have an operations team pull messages manually. 

So we still feel like there's good value there. It's just taking more manpower out of our team than we would like to keep the software running.

Currently, we can't get it updated. So, if you're a smaller company, it would probably work just fine for you. But when you get to our size, there could be challenges.

If you built it from scratch to be spread out more, with more nodes doing dedicated functions, it might work a little better. But, ultimately, that causes additional issues, instead of having one instance to integrate, you now have to integrate with all of them, which is a pain for Splunk and other tools to deal with.

Overall, I would rate it a six out of ten. It can work. When it does work, it works well. But right now, outages and issues are higher than we would like to see.

I am a senior information security analyst working with a healthcare company and we use a suite of products from Proofpoint including Proofpoint Threat Response, Proofpoint TAP (Targeted Attack Protection), Proofpoint Browser Isolation, Proofpoint Protection Service (AKA PPS) — essentially, everything except for the DLP solutions.

We mainly use Proofpoint Threat Response along with our main email firewall to pull (i.e. remove) specific emails that get delivered internally. For example, if a user gets any kind of malicious email, such a phishing email or another kind of email that poses a threat to the security of user credentials and which passes through our email filters for some reason, then Threat Response will come into play in one of two ways: either you can do a manual intervention and pull the emails yourself, or it will automatically get pulled by the Targeted Attack Protection part of Proofpoint.

With the automatic intervention, let's say the system was still busy analyzing the email and, before a verdict was reached, the email was released. If, a few minutes later, that email had been found to be malicious, it needs to be pulled back. This is where TAP sends the email ID to Threat Response and signals it to withdraw the email from the user's mailbox. If that same email was delivered or forwarded to anywhere else internally, then it will pull those emails back as well.

The team that uses Proofpoint Threat Response in my company is rather small, consisting of about four or five people, and we are all information security analysts in terms of our job role.

I personally maintain the back-end of our product migrations, and perform duties such as updating and so on. From time to time, we also have to deal with tickets and incident response. As an aside, I'm also a PhD student currently doing my dissertation, and I do research on machine learning, data analytics, and data science.

The best part of Proofpoint Threat Response is the Auto-Pull feature. Being able to pull an email back from a user's mailbox is very useful, yet I have noticed that not a lot of organizations use this kind of feature. I've seen organizations that use Cisco Email Security or Barracuda Email Security and while these solutions may also include such a feature, I have very rarely seen any organizations implement it for some reason (possibly because of its perceived downsides).

Compared to these other solutions, I think that Proofpoint's version of the Auto-Pull feature is superior in my experience.

For an example of where it really comes in useful, I have seen a case in one company where a malicious email was delivered to 24,000 users internally. I believe it was auto-forwarded from only one user to all these other 24,000 users at once. Now, imagine how many days it would take for that company to pull the email using a legacy Exchange PowerShell script or by using Exchange Online. It would take forever, and there isn't much you could do to track or analyze how many other users it was being sent to at that moment in real time. It's simply impossible to do all that just by using Exchange PowerShell scripts.

But with Threat Response, all you have to do is input the details of the malicious email (e.g. the email ID) and upload these details via CSV file or similar, at which point Threat Response will call the vectors of the email and it will go in and pull those 24,000 emails instantly.

This is truly a top-notch feature, and I have not seen such good functionality from the same kind of feature in any other tool so far. Looking at four or five of the industry's top email security solutions, none of them even come close to matching Proofpoint's version of this feature.

The interface within Threat Response could be made simpler. To give a specific example, let's say you have uploaded the details of a malicious email to Threat Response in order to pull all the instances of that email being delivered internally, and it turns out that there have been something like 10,000 emails delivered already.

When you dig into "patient zero" (i.e. the mailbox that first received the malicious email and forwarded it onward) within Threat Response, Threat Response will synthesize the data and you will be able to see the user's vectors such as who the sender is (e.g. some attacker at example.com) and all 10,000 recipients of the email.

Now, if this incident was set up with alerts, then for every single user it creates a corresponding alert, such that you now have 10,000 separate alerts that you have to scroll through to view. I propose that Threat Response should be able to simplify this a bit, even though I don't know what kind of solution it would entail. That's for them to figure out; I just know that scrolling through 10,000 alerts doesn't make things simple for me.

Going further with the idea of improving the interface, when you look at any big company, most of them already have some kind of a centralized platform when it comes to ticketing tools, such as ServiceNow, BMC Remedy, Jira, or Splunk. The platform is there to provide a single pane of glass, where you can integrate everything and assign tickets to the team from that platform.

When it comes to Threat Response, it has its own separate portal and once you have set up your security team in there, you can assign tickets within it. However, I think that this is an unnecessary extra dashboard and there should be more opportunities to tie the portal data into something like ServiceNow and then simplifying from there onward.

Again, I can only wonder what the solution here would look like, but let's take the incident with 10,000 alerts; how could we sync or integrate that incident in ServiceNow, and what would it look like? Ultimately, I think being able to more easily integrate Threat Response incident data into other kinds of ticketing platforms would really help improve our experience.

I have used Proofpoint Threat Response for more than three years.

A good thing about Threat Response in terms of stability is its ability to set limits. It's not like some Windows Servers where you can easily run out of resources, causing lagging or freezing. It's simply a stable Linux VM, and you don't really have to look at the actual VM itself. All you do is go onto the dashboard check your information there. One time, I pulled 30,000 emails in one go and not once did it freeze or lag even for a second.

We're a small team of about five information security analysts who implement Proofpoint Threat Response, and I personally maintain the back-end of our product migrations.

The way most big companies work with Proofpoint is that they try to tie everything into an enterprise license. I can't comment on the actual costs, however I do know that alternative solutions such as Abnormal Security can be much more expensive than Proofpoint Threat Response. 

The other solutions I've seen that offer a similar product include Cisco Email Security, Barracuda Email Security, and Abnormal Security.

For the actual email firewall, Proofpoint has an admin console where you can go in and search emails, see what has been delivered to whom, and all sorts of different metrics. It's a good analytics dashboard, but when you compare it to the kinds of dashboards you see in cloud-hosted solutions, it doesn't even come close to these dashboards in terms of simplicity. The cloud dashboards I've seen are the simplest I have ever encountered so far.

On the other hand, none of the dashboards (for email filters, etc.) from solutions such as Cisco Cloud Email Security, Cisco Ironport Email, Barracuda Security, or McAfee are as simplified as Proofpoint's main dashboard. These other dashboards are old-fashioned, take more time to load, and require lots of clicking. In contrast, the Proofpoint dashboard is very advanced and feature-rich, and if they could make the Threat Response dashboard more similar to this main dashboard, that would be lovely. 

I would rate Proofpoint Threat Response a nine out of ten.

We use the product to verify and manage emails sent and received through our Microsoft Exchange server in Azure cloud now, focusing on blocking potential spam emails.

Saving our organization from many Phishing and Spoofing Attacks

The platform's most valuable include the ability to check emails and block potential spam.

The platform's technical support services and pricing need improvement. 

I have been working with Proofpoint Threat Response for approximately seven years.

Proofpoint is part of our broader security strategy, alongside tools like IPS, IDS systems, Forescout, and Palo Alto firewalls. It integrates well with our security framework.

We have around 918 executives using the platform across all mailboxes. I rate its scalability a nine. 

No

The installation process was quite straightforward. It took a few hours to complete. However, tuning the system required a longer period.

The product was implemented with the help of a third-party vendor. They provide support and maintenance as well. 

No

The pricing it's a bit expensive, setup and licensing are simpples

I rate the product stability a nine.

My primary use case of this solution is as an anti-malware tool.

Proofpoint has reduced the number of major attacks on our systems.

The product has some quirks that could be improved.

I've been using this solution for about eight years.

Proofpoint's support is very responsive, especially in comparison to Microsoft. Proofpoint commonly has a specialist available within 24 hours and is generally more professional.

I would rate this solution as seven out of ten.

Our main use case is to automatically remove and pull the malicious, phishing and spam emails from each user's mailbox. We have also integrated this with Proofpoint TAP and PPS for more feeding.

It has reduced our manual efforts to remove emails from each user's inbox, and in this case, we do not have to ask our IT department or users to do so. We can simply do it without any team's involvement. 

Auto-pulling the emails and phishing are the most valuable features, plus also we can randomly pull the emails based upon our own requirements.

If the reporting gets improved then it would be better, but the product is running amazing as it is.

The product is very stable, we haven't seen any issue within the last two years. It is 99.9% stable.

This product can be easily scaled up to any number, depending on the hardware resources.

So far we have connected to support twice in the last two years, which shows that this product is so stable that you don't even need support, because issues don't really happen. Overall, the support from the OEM is awesome, and they are always available to help you whenever you need it.

As of now, there is no other product available on the market that delivers the same functionality, so we haven't switched from any other product.

The setup is very easy, you only need to integrate it with LDAP, Exchange, Proofpoint PPS, and TAP if you have them.

It can be installed on VMware without any issue.

We have implemented and installed the solution with the help of the vendor. Their expertise is outstanding and they were super quick.

Our ROI is100%. Our entire management and decision makers are very impressed and happy with this product. The SOC team is very satisfied to have this product at their disposal.

It's quite easy to implement the solution. It takes only two to three days max, and we can run it on virtualization. It requires fewer resources.

The product cost is low. It's quite affordable to have it with this much functionality and it's easy to administrate.

The administration and management of the solution are very simple.

We did try to find a solution that can automatically pull the emails, but as of now, there is no such product in the market.

As of now, the OEM is developing new features every quarter, so I don't see or feel anything new or better is required, other than some improvements in the reporting.