Cybersecurity vendor Proofpoint has upgraded its email protection with the announcement of the availability of Proofpoint CLEAR [Closed-Loop Email Analysis and Response]. CLEAR utilizes technology acquired with Wombat Security earlier this year to provide a complete closed-loop approach to instant end user email reporting, analysis, and remediation.
Proofpoint has made many acquisitions over its history, but Wombat, at $225 million, was by far the largest, over double what they paid for anyone else.
“Wombat provides phishing awareness capability, as well as specific security awareness and training against it, something that has become critical as phishing has become an extremely large problem,” said Ryan Kalember, SVP, Cybersecurity Strategy at Proofpoint. “Customers asked us for this. When we made the decision to acquire, there were three leading companies. They were the one that had the most depth. Running a simulated phishing campaign itself is fairly simple. We didn’t need to acquire that. How you then modify behavior once you identify vulnerabilities is more interesting, and something they were good at. They have a more academically rigorous approach to training.”
CLEAR is a new product which adds some of Wombat’s capabilities into what had previously been TRAP [Threat Response Automation Pull], Proofpoint’s automation and orchestration platform.
“What amounts to a core bundle has emerged for us,” Kalember said. “These are our Proofpoint Enterprise Protection, our Targeted Attack Protection, and what was TRAP, our purpose-built automation product. Everyone bought those three. CLEAR extends what TRAP did. It now becomes part of that core bundle that we think everyone will go with.”
The core capabilities of CLEAR were also in TRAP – the capability to use automation to analyze messages against multiple intelligence and reputation systems, to reduce an organization’s typical threat remediation time from days to minutes.
“CLEAR leverages that automation capability that we had before, and integrates Wombat’s PhishAlarm email reporting button, as well as their PhishAlarm Analyzer,” Kalember said. The reporting button lets employees report suspected malicious messages, which are then automatically processed, and which increases the visibility of phishing campaigns. PhishAlarm uses machine learning to check emails against multiple security sources to identify and prioritize reported phishing emails for incident response teams, greatly decreasing triage time required against phishing attacks.
“Phishing is one of the best cases for automation in all of cybersecurity,” Kalamber noted.
He also emphasized that not only does CLEAR not require a SOC or even dedicated security analysts to provide value, but can provide more value specifically in environments where there is no security expert at all.
“We’ve seen it work with no security person whatsoever, or where the security responsibility is a part-time aspect of someone’s job,” he said. “This closed loop automation can work if they have no dedicated security resources because very few false positives make it through the reporting cycle. CLEAR is important because it has value to the 99 per cent of organizations who don’t have dedicated security personnel, who don’t have the proverbial body to throw at every problem that comes up. It has really only been in automated phishing responses specifically that we have seen success downmarket.”
Not all of Wombat’s capabilities are in CLEAR, Kalember indicated.
“CLEAR adds the response capability and the reporting button,” he said. “It doesn’t include any of the training content, which is something that can be purchased extra.”
Proofpoint sells through partners from the large enterprise to the SMB, and Kalember expects that the channel will be able to sell CLEAR effectively to all parts of the market. Starting out in the large enterprise and with a direct model, Proofpoint has evolved to move more into the midmarket and managed service providers, particularly through MSP partners, moving to a channel model and becoming the fifth largest cybersecurity company by market cap in the process.
“Historically, we have been top of the pyramid, particularly in the Fortune 100, and have made efforts to go downmarket,” Kalember said. “Today we have about 7,000 enterprise customers and 50,000 SMB. We were not channel at all at the beginning, and when it did come in it was more opportunistic. About four or five years ago, we made an effort to be more systematic about the channel, and we are now a 100 per cent channel-focused company, with the only direct business being legacy renewals. Some of this transition has also been because of a change in the channel attitude towards our 100 per cent subscription approach to our go-to-market. They are much more comfortable with that now. Earlier, VARs tended to be more comfortable with boxes, like firewalls. We address the SMB market entirely through MSP channels.”
Kalember noted that the partner approach differs greatly between enterprise — where Proofpoint works with a more limited number of strategic partners with whom they focus on aligning with what they are doing from services perspective – and the more volume play for the SMB channel, where they tend to be white-labelled by MSPs. Still, he emphasized that phishing has resonance in both these markets.
“Attacks often start with phishing, and this is becoming better understood,” he said. “Being able to close the front door is importance in the enterprise, and is even more important further downmarket, where they don’t have five other solutions and a SIEM in place. It makes this an easy conversation. The channel is well-placed to provide value to customers here. People now emphasize the need for automation and orchestration, and in the midmarket, partners understand what’s possible for companies that size to automate. CLEAR works nicely with companies that size, the companies who can’t afford to hire their way out of this problem.”
Proofpoint CLEAR is available now.