
Spotlight Overview

Welcome. In this video, we provide a high-level overview of Proofpoint Spotlight.


Proofpoint Spotlight uncovers identity vulnerabilities in your network by gathering data
from your Active Directory, endpoints, and Privileged Account Manager (or PAM)
solution.

When you first configure Spotlight in the ITDR console, you give it access to your Active
Directory and external tools, such as your PAM and SIEM. You also identify the assets
in your network that you consider to be critical to your business. The ITDR system calls
these assets crown jewels. A crown jewel can be identified using an IP address, URL,
or host name. And finally, you define which domains are to be covered by ITDR
Spotlight. Once everything is connected and defined, you can write a policy directing
Spotlight to collect and analyze data on your network.

To gather information from endpoints, we use an agentless method. Instead of installing
a persistent agent that can be detected and sometimes bypassed by attackers, the
ITDR server sends a dissolvable binary executable to each endpoint. Through this
process, Spotlight collects information on local admin accounts, cached credentials,
and connections. This information allows us to surface poor cyber hygiene and to identify
service accounts and service account abuse.

This is typically done every 20 hours, but depending on your configuration, you may be
able to adjust this schedule. The executable runs for less than two seconds and then
dissolves.

ITDR queries your Active Directory and PAM directly. Integrating your PAM with ITDR
provides valuable information about identities collected from these sources. This
information allows ITDR to identify the domain user and local user accounts managed
by your integrated PAM tool. By comparing this information against the information
collected from your endpoints, we can expose domain and local privileged accounts that
are not managed by your PAM solution.

© 2023 Proofpoint, Inc. - All rights reserved. Confidential and proprietary. 1


All of the data collected by ITDR’s management server is sent to the Spotlight IDI Linux
server to be analyzed. It looks for identity risks, account violations, and
misconfigurations. It also analyzes the trust relationships between domains, endpoints,
and identities.

Spotlight then works to prioritize the risks that it finds. A risk can be categorized as
critical, high, medium, or low. For example, a cached credential that could grant an
attacker easy access to a critical asset or privileged account is likely to be marked as a
critical risk.
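The two pieces of logic the video describes (comparing endpoint-collected privileged accounts against the PAM inventory, and rating a cached credential as critical when it reaches a crown jewel or a privileged account) can be sketched as a small correlation step. This is an added illustration, not Proofpoint code; the endpoint records, PAM export, crown-jewel list and domain-admin group are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample inventory (all names invented). Each endpoint record holds
# what an agentless sweep would return: local admins and cached credentials.
ENDPOINTS = {
    "ws01": {"local_admins": ["ws01\\Administrator", "CORP\\svc_backup"],
             "cached_creds": ["CORP\\svc_backup", "CORP\\alice", "CORP\\bob"]},
    "db01": {"local_admins": ["db01\\Administrator", "CORP\\dba_admin", "CORP\\bob"],
             "cached_creds": ["CORP\\dba_admin"]},
}
PAM_MANAGED = {"CORP\\dba_admin", "db01\\Administrator"}  # hypothetical PAM export
CROWN_JEWELS = {"db01"}                                   # hypothetical critical asset
DOMAIN_ADMINS = {"CORP\\svc_backup"}                      # hypothetical AD group export

@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    kind: str      # "local_admin" or "cached_cred"
    severity: str  # critical / high / medium / low

def rate(account, host, kind, admin_on):
    """Rank roughly as the video describes: a cached credential that hands an
    attacker a privileged account or an admin of a crown jewel is critical;
    other privileged or crown-jewel exposure is high."""
    reaches_jewel = bool(admin_on.get(account, set()) & CROWN_JEWELS)
    privileged = account in DOMAIN_ADMINS
    if kind == "cached_cred" and (privileged or reaches_jewel):
        return "critical"
    if privileged or reaches_jewel or host in CROWN_JEWELS:
        return "high"
    return "medium" if kind == "local_admin" else "low"

def correlate(endpoints=ENDPOINTS, managed=PAM_MANAGED):
    """Findings for accounts seen on endpoints but absent from the PAM
    inventory, most severe first."""
    admin_on = {}  # account -> hosts where it is a local admin
    for host, data in endpoints.items():
        for acct in data["local_admins"]:
            admin_on.setdefault(acct, set()).add(host)
    findings = []
    for host, data in endpoints.items():
        for kind in ("local_admins", "cached_creds"):
            for acct in data[kind]:
                if acct not in managed:
                    k = kind[:-1]  # "local_admin" / "cached_cred"
                    findings.append(Finding(acct, host, k, rate(acct, host, k, admin_on)))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.host, f.account))
```

With the sample data, the PAM-managed accounts drop out entirely, while CORP\bob's credential cached on ws01 ranks critical because bob is an unmanaged local admin on the crown jewel db01.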

Through the ITDR console, analysts can quickly examine risk factors, trust relationships,
identity vulnerabilities, and misconfigurations. Spotlight also provides best practices and
suggestions you can use to remediate the risks it finds.
