CyberArk & Proofpoint Integration: Real-Time Response to Suspicious Privileged User Activity

August 28, 2017 Tim Sullivan

As attack sophistication and frequency increase, the likelihood of an attacker breaching an organization’s defenses has never been higher. Once inside, attackers seek privileged accounts to achieve their mission. Privileged accounts proliferate throughout an organization’s IT environment, grant access to its most sensitive resources, and pave the way for a successful attack. To prevent a threat from escalating into a full-blown breach, security teams must prioritize alerts that involve privileged accounts, investigate them quickly, and take immediate action to stop attackers in their tracks.

By integrating the CyberArk Privileged Account Security Solution with Proofpoint Threat Response, security analysts can rapidly disrupt critical, in-progress attacks involving privileged accounts. Here is a high-level overview of how our technology integration empowers organizations to focus their efforts and resources on the highest priority targets to identify the most significant risks.

Overcoming Alert Fatigue

Today’s security professionals are overwhelmed with alerts that require manual analysis (and ultimately, time) to validate and prioritize. This time presents an opportunity for attackers to exploit a system and gain privileged access—all before a complete investigation can be conducted.

Once a privileged account, such as a domain or database administrator account, is captured, an attacker can move laterally at will, disable security controls to avoid detection, and persist long term. Valid privileged access is one of the most effective tools an attacker can add to their arsenal. To mount an effective defense, security programs must be bolstered with automation that makes incident response more efficient and shortens response time, giving the organization the visibility, context and response capability that matter most.

The Need for an Integrated Solution

Security teams seek solutions that provide context and enriched insight, as well as the tools needed to investigate, contain and remediate incidents. Multiple joint customers of CyberArk and Proofpoint asked us to combine the incident response automation of Proofpoint Threat Response with the privileged account security of CyberArk, and we listened. The way our integrated solution works is both simple and effective.

Real-Time Response to Suspicious Privileged User Activity

Proofpoint Threat Response is an incident response automation platform that provides analysts with alert enrichment, forensic collection and comparison, and the ability to contain users, hosts and malicious emails, either automatically or at the push of a button, without complex playbooks or custom scripts. In this joint solution, Proofpoint Threat Response receives an alert about malicious activity (from a correlated search in Splunk, for example) and automatically enriches the alert data with intelligence-driven context. Threat Response then resolves the user account from the email address or the associated IP address in the alert, supplies the full user identity and attributes such as department, job title and network access, and takes action by moving the user into the relevant security group in Active Directory.

The CyberArk Privileged Account Security Solution provides privileged credential protection, session security, least privilege and application control, and continuous monitoring to rapidly detect threats and report on privileged account activity. In this integration, CyberArk automatically retrieves the user’s group membership from Active Directory and enforces access to privileged accounts according to the organization’s policy. CyberArk also lets security teams provision custom access policies for restricted users: for example, blocking a user from accessing specific databases that contain sensitive cardholder data while their access to less sensitive databases remains valid.

The CyberArk solution can implement policies that allow a restricted user to reach critical assets only through CyberArk Privileged Session Manager, while blocking every other access path. Privileged Session Manager is a secure proxy server that separates endpoints from target systems and isolates privileged sessions, so the user’s workstation never holds the target credential and a compromised endpoint cannot reach the critical system directly. This level of granularity provides appropriate protection without significantly impacting operations or preventing employees from being productive.
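The flow described above (alert in, user resolved by email or IP, user synced into a restricted Active Directory group, CyberArk policy then limiting that user to PSM-only access and blocking cardholder-data targets) is easier to reason about as code. The block below is an added illustration and is not CyberArk or Proofpoint code; the directory records, target inventory, group name `PAM-Restricted`, and the sample alert are all constructed, hypothetical stand-ins for the real AD lookup, CyberArk policy and Splunk search.

```python
"""Added example (not CyberArk or Proofpoint code): a compact model of the
alert -> user identity -> AD group -> privileged-access decision flow the
integration describes. Every name, field and policy value here is hypothetical."""
import ipaddress

RESTRICTED_GROUP = "PAM-Restricted"   # hypothetical AD group the responder syncs the user into

# Constructed directory snapshot standing in for an Active Directory lookup.
DIRECTORY = [
    {"sam": "jdoe", "mail": "jdoe@example.com", "department": "Database Ops",
     "title": "DBA", "groups": {"DB-Admins"}, "last_logon_ip": "10.20.30.40"},
    {"sam": "asmith", "mail": "asmith@example.com", "department": "Finance",
     "title": "Analyst", "groups": {"Finance-Users"}, "last_logon_ip": "10.20.30.41"},
]

# Constructed CyberArk-style target inventory: each privileged target carries a
# sensitivity tag and the AD groups normally permitted to use its accounts.
TARGETS = {
    "pci-cde-db01": {"sensitivity": "cardholder", "allowed_groups": {"DB-Admins"}},
    "dev-db01":     {"sensitivity": "low",        "allowed_groups": {"DB-Admins"}},
}


def resolve_user(alert, directory=DIRECTORY):
    """Identify the account behind an alert by email first, then by source IP.
    Returns the directory record or None; a malformed IP never matches."""
    email = (alert.get("user_email") or "").strip().lower()
    if email:
        for rec in directory:
            if rec["mail"].lower() == email:
                return rec
    try:
        src = str(ipaddress.ip_address(alert.get("src_ip", "")))
    except ValueError:
        return None
    for rec in directory:
        if rec["last_logon_ip"] == src:
            return rec
    return None


def quarantine(user, group=RESTRICTED_GROUP):
    """Sync the user into the restricted group (models the AD group change).
    Returns a new group set rather than mutating the directory record."""
    return set(user["groups"]) | {group}


def evaluate_access(groups, target_name, via_psm, targets=TARGETS):
    """Decide whether a user holding these groups may reach a privileged target.
    Restricted users: cardholder targets are blocked outright, and any other
    target is reachable only through the session proxy (PSM)."""
    target = targets[target_name]
    if RESTRICTED_GROUP in groups:
        if target["sensitivity"] == "cardholder":
            return ("deny", "restricted user; cardholder target blocked")
        if not via_psm:
            return ("deny", "restricted user; direct access blocked, PSM only")
    if not (groups & target["allowed_groups"]):
        return ("deny", "no group grants this target")
    return ("allow", "policy satisfied")


def respond(alert):
    """Wire the steps together: resolve, enrich, quarantine, re-evaluate access."""
    user = resolve_user(alert)
    if user is None:
        return {"status": "unresolved", "alert": alert["rule"]}
    groups = quarantine(user)
    decisions = {name: evaluate_access(groups, name, via_psm=True)[0] for name in TARGETS}
    return {"status": "contained", "sam": user["sam"], "department": user["department"],
            "title": user["title"], "groups": sorted(groups), "psm_access": decisions}


# Constructed alert in the shape a correlated Splunk search might emit.
SAMPLE_ALERT = {"rule": "privileged logon from unexpected host",
                "src_ip": "10.20.30.40", "user_email": ""}

if __name__ == "__main__":
    print(respond(SAMPLE_ALERT))
```

Two design points worth noting. Resolution by IP is a fallback, not a primary key: a shared or NAT address can map to the wrong person, which is why the email match is tried first and why the quarantine step is reversible (the group is added, not the user disabled). The policy check also refuses to trust the caller: once the restricted group is present, the cardholder block and the PSM-only rule apply regardless of whatever other groups the user still holds.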

Today’s security teams must do more with less and gain maximum benefit from the tools they already have. The partnership between CyberArk and Proofpoint gives joint customers a combined privileged account security solution and incident response automation and orchestration platform, stopping attackers before they stop business. The best part is that this integrated solution is available to joint customers today, at no additional cost.

To learn more, watch our recent webcast/demo: “Proofpoint & CyberArk: Detect, Prioritize and Block Attacks from Escalating on Privileged User Machines.”

Editor’s Note: Tim Sullivan is a Threat Response Solutions Engineer at Proofpoint.
