Proofpoint Plugin


Description: Attach Very Attacked Persons scores from Proofpoint to Identities, to provide extra governance controls to risky users.
Legal Agreement: By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab.
Repository Link: GitHub - sailpoint-oss/colab-proofpoint-plugin: Attach Very Attacked Persons scores from Proofpoint to Identities
New to IIQ Plugins in the CoLab? Read the getting started guide for IIQ Plugins in the CoLab.
Supported by: SailPoint Certified
Contact: SailPoint Technology Alliance

Overview

The Proofpoint Plugin provides a mechanism for IdentityIQ administrators to increase the governance of individuals within an organization who are frequently targeted by malicious email campaigns. These users may be targeted because of their high profile, or because of their access to privileged information within the organization. The plugin also interfaces with the Proofpoint Security Incident and Event Management (SIEM) API to create Identity governance alerts in response to malicious events detected by Proofpoint.

Requirements

  • IdentityIQ 8.0 or higher
  • Proofpoint
  • Valid Proofpoint TAP license
  • Service Principal (received from Proofpoint)
  • Authentication Secret (received from Proofpoint)

Guide

Components

When the plugin is installed, several artifacts are deployed into the IdentityIQ environment. This section explains the critical components.

Database Tables

Table Name                 | Purpose
---------------------------|---------------------------------------------------------
iplus_proofpoint_settings  | Contains plugin-specific settings
iplus_proofpoint_data      | Stores information regarding resets and alerts received
iplus_proofpoint_vap_data  | Local storage for the VAP list received from Proofpoint

XML Artifacts

XML artifacts are imported into IdentityIQ when the plugin is installed. Some of these are required for retrieving data from Proofpoint; others are included as examples for implementers who would like to extend their governance capabilities using information from Proofpoint. These examples can be discarded or deleted from the environment if not needed.

Artifact Name | Display Name | Purpose
--------------|--------------|--------
Proofpoint_Application.xml | Proofpoint Alert Application | Used in creation of alerts - alerts in IdentityIQ must be tied to an application
Proofpoint_SPRight.xml | Proofpoint Plugin Administrator (Capability + SPRight) | Used to limit which IdentityIQ users can access the Proofpoint Plugin components
Proofpoint_Task_Definition_Alerts.xml | Proofpoint - Get Alerts | Task used to retrieve alert data from the Proofpoint SIEM API
Proofpoint_Task_Definition_VAP.xml | Proofpoint - Get VAP List | Task used to retrieve VAP data from the Proofpoint People API
Proofpoint_Rule_AlertMatch_Example.xml | | Example alert match rule
Proofpoint_Rule_Certification_Entity_Selector | Proofpoint Very Attacked Persons | Example rule for creating a targeted certification for VAP users (see Appendix B)
Proofpoint_Rule_VAP_Attribute.xml | VAP Attribute Rule | Example rule showing how to set an Identity attribute for users on the VAP list from Proofpoint
Proofpoint_WF_LCM_Provisioning_Example.xml | LCM Provisioning Proofpoint Example | Example workflow that contains a step to add additional approvals when the requestee is on the VAP list from Proofpoint
Proofpoint_WF_Update_Password_Example.xml | Proofpoint Update Password Example | Example workflow that contains a step to launch the password reset flow using the Proofpoint rule library
Proofpoint_AlertDefinition_Password_Update_Example.xml | Proofpoint Password Update AlertDefinition Example | Example alert definition that launches the ‘Proofpoint Update Password Example’ workflow when activated
Proofpoint_Rule_AlertMatch_Example.xml | Proofpoint Password Update Alert Match Rule | Example alert match rule that checks an Alert received from Proofpoint - if it is of type ‘Malware’ or ‘Phish’ the match is made and the alert is processed

User Interface

The plugin installs a small user interface, reachable by clicking the ‘email’ icon in the top navigation bar of IdentityIQ.

Note: this icon only appears to identities that have the System Administrator or Proofpoint Administrator capability assigned to them.

The actual user interface contains two tabs - ‘Password Reset’, and ‘VAP List’.

Password Reset

The Password Reset tab contains a list of all applications in IdentityIQ that are able to process password change requests. Administrators can then select which of these ‘supported’ applications they would like to allow Proofpoint to initiate password change requests for, as a result of a security event detected in Proofpoint.

VAP List

The VAP list tab contains information about users that are currently on the Proofpoint ‘Very Attacked Persons’ list. The grid shows the Identity name, display name, and email address of each user. There is a handy option to refresh the list, as well as information on when the list was last refreshed.

  1. The ‘name’ column contains the Identity name of the user that appears on the VAP list
  2. The ‘Display Name’ column contains the displayable name of the Identity that appears on the VAP list
  3. The ‘Email’ column contains the email as it appears on the VAP list, that was used to correlate to an existing Identity cube
  4. The ‘Select’ column allows administrators to decide which Identities from the VAP list to include in any governance processes that utilize the list. Selecting this field for an entry ‘enables’ VAP list processing for that Identity. By default, all users on the VAP list are selected. Unselect the users that should not be included.

Steps

  1. Navigate to the plugin configuration page of IdentityIQ
  2. Click the ‘New’ button
  3. Click the area around ‘Drag and drop a file or click in this box to install a plugin’
  4. Select the ProofpointPlugin.X.X.X.zip archive that can be downloaded here
  5. The plugin will install - confirm that there is now an ‘email’ icon in the top navigation bar of IdentityIQ (visible only to Admins or users with the ‘Proofpoint Administrator’ capability)

General Configuration

In order to communicate with Proofpoint, a couple of plugin settings are required.

  1. Navigate to the plugin settings page for the Proofpoint Plugin
  2. Enter the URL for the Proofpoint API
  3. Enter the ‘Service Principal’ - this is the ID used for authenticating to Proofpoint and should be retrieved from Proofpoint
  4. Enter the ‘client secret’ associated with the above Service Principal value - also retrieved from Proofpoint

That’s it - the rest of the settings on this page are explained in the following use-case sections.

Aggregating Proofpoint Alerts

In addition to email security scanning, Proofpoint also maintains the ability to generate Security Incident and Event Management (SIEM) style alerts. The Proofpoint plugin can be configured to allow Proofpoint to create Identity governance alerts in IdentityIQ in response to these security events when detected. Once the identity alerts have been created in IdentityIQ, implementers can configure an appropriate behavior in response - launching a governance workflow, creating a targeted certification, or simply alerting an administrator that an alert has occurred. The identity alerts can be configured as outlined here.

To configure IdentityIQ for Proofpoint alert consumption:

  1. Navigate to the plugin settings
  2. Click ‘Enable Alert Creation’ in the settings options
  3. Navigate to the ‘Setup->Tasks’ interface
  4. Run the ‘Proofpoint - Get Alerts’ task. This retrieves event and alert data from the Proofpoint SIEM API. If the administrator would like to set this up as a scheduled task, Proofpoint recommends a rate of one execution per hour.
  5. After successful execution, navigate to the ‘Setup->Alerts’ user interface
  6. Adjust the filter settings on this page to see alerts that have not yet been acted upon
  7. Clicking a Proofpoint-generated alert shows basic information about the event
  8. Once alerts have been successfully imported into IdentityIQ from Proofpoint, implementers can configure specific Alert Definitions - these contain alert match criteria, and alert governance actions to take when an alert is matched. More on the process of creating and configuring alert definitions can be reviewed here.

Specific to Proofpoint alert definitions, administrators can create a ‘selector’ to match against alerts of a particular type. To constrain an alert definition to Proofpoint ‘phish’ or ‘malware’ type alerts, add the match terms to the ‘selector’ section of the alert definition:

  1. Set up a new task of type ‘Alert Processor’
  2. (Optional) In the ‘Optional filter string to constrain the alerts processed’ field, enter:
     Alert.type == "malware" || Alert.type == "phish"
  3. Save and execute the task. If the alert definitions are valid, and any of the alerts received match the criteria defined on an alert definition, then the configured action from that definition takes place.
  4. When an alert is matched during the Alert Processor task, whatever ‘Behavior’ was specified in the Alert Definition is launched.
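The following is an added example (not code from the plugin or from SailPoint) that models what one Alert Processor pass over a fetch of Proofpoint alerts does: apply the same selector as the optional filter string above, skip alert ids already seen (hourly fetches can return an event again), correlate the recipient address to an Identity, and launch a password reset for every application an administrator enabled on the ‘Password Reset’ tab. The alert records, the Identity mapping, the application name and the `ProcessorState` bookkeeping are all constructed stand-ins; the real IdentityIQ Alert object and the layout of iplus_proofpoint_data are not described on this page.

```python
from dataclasses import dataclass, field

# Constructed sample of the alert data an hourly 'Proofpoint - Get Alerts'
# run could hand to IdentityIQ. Ids, types and recipients are made up.
SAMPLE_ALERTS = [
    {"id": "evt-001", "type": "phish",   "recipient": "alice@example.com"},
    {"id": "evt-002", "type": "malware", "recipient": "bob@example.com"},
    {"id": "evt-003", "type": "spam",    "recipient": "carol@example.com"},
    {"id": "evt-001", "type": "phish",   "recipient": "alice@example.com"},   # returned again
    {"id": "evt-005", "type": "phish",   "recipient": "nobody@example.com"},  # no Identity cube
]

# Constructed mapping of lower-cased email address to Identity name, standing
# in for the correlation IdentityIQ does against its Identity cubes.
SAMPLE_IDENTITIES = {
    "alice@example.com": "alice",
    "bob@example.com": "bob",
    "carol@example.com": "carol",
}

# Applications an administrator enabled on the plugin's 'Password Reset' tab
# (constructed application name).
ENABLED_APPS = ["Corporate Directory"]


@dataclass
class ProcessorState:
    """Stand-in for the bookkeeping iplus_proofpoint_data keeps about alerts
    received (assumption: the real table layout is not documented here)."""
    seen_ids: set = field(default_factory=set)
    launched: list = field(default_factory=list)   # (identity name, application)


def selector_matches(alert: dict) -> bool:
    """Same test as the optional filter string on the Alert Processor task:
    Alert.type == "malware" || Alert.type == "phish" (exact, case-sensitive)."""
    return alert.get("type") == "malware" or alert.get("type") == "phish"


def process_alerts(alerts, identities, enabled_apps, state):
    """One Alert Processor pass. Returns the (identity, application) password
    reset launches made in this pass and records them in state."""
    launched_now = []
    for alert in alerts:
        if alert["id"] in state.seen_ids:        # overlapping hourly fetches
            continue
        state.seen_ids.add(alert["id"])
        if not selector_matches(alert):          # e.g. 'spam' is left alone
            continue
        identity = identities.get((alert.get("recipient") or "").strip().lower())
        if identity is None:                     # cannot correlate: nothing to govern
            continue
        for app in enabled_apps:
            launch = (identity, app)
            state.launched.append(launch)
            launched_now.append(launch)
    return launched_now


def run_example():
    """Two consecutive passes over the same fetch: only the first launches anything."""
    state = ProcessorState()
    first = process_alerts(SAMPLE_ALERTS, SAMPLE_IDENTITIES, ENABLED_APPS, state)
    second = process_alerts(SAMPLE_ALERTS, SAMPLE_IDENTITIES, ENABLED_APPS, state)
    return first, second, state


if __name__ == "__main__":
    first, second, state = run_example()
    print("first pass launched:", first)
    print("second pass launched:", second)
    print("alert ids seen:", sorted(state.seen_ids))
```

Only the ‘phish’ and ‘malware’ alerts for recipients that correlate to an Identity produce a launch; the second pass over the same fetch launches nothing because every id is already recorded, which is the property an hourly schedule relies on.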

Utilizing Proofpoint ‘VAP’ Lists

Proofpoint maintains a concept of ‘Very Attacked Persons’ or ‘VAPs’. These are users in an organization that are frequently targeted by malicious email attacks - emails that contain phishing links or other malicious content. Typically these are users in sensitive or elevated roles who may have elevated access profiles within the organization. The Proofpoint plugin contains a library of helper functions that give systems integrators easy access to this data from within IdentityIQ Beanshell rules. For instance, an organization may find it prudent to take a more aggressive stance when certifying individuals with sensitive access who are frequently the target of malicious emails. In this case, an identity-based certification can be configured to be populated with only those users whose emails exist on the Proofpoint VAP list. Alternatively, integrators can use the Proofpoint VAP list to adjust the levels of approval required when an access request is submitted for a user who appears on the list. This section outlines the ways in which IdentityIQ implementers can utilize the Proofpoint Plugin rule library in order to quickly configure a certification.

Viewing the VAP list

IdentityIQ administrators, or those with the capability ‘Proofpoint Plugin Administrator’, have the ability to navigate to a new user interface that is installed with the plugin. This interface displays the enterprise identities that are currently on the VAP list (as of the last execution of the task ‘Proofpoint - Get VAP List’). To view the list:

  1. Click the ‘email’ icon that now appears in the main navigation bar of IdentityIQ
  2. Click the ‘VAP List’ tab of the interface
  3. The date shown is the last time that the VAP list was retrieved from Proofpoint
  4. The grid shows the Identity name, display name, and email address of all identities that appear on the Proofpoint VAP list and can be correlated by email address back to an Identity
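As an added example (not the plugin’s rule library or SailPoint code), the block below models the correlation the VAP List tab describes: each VAP row is matched to an Identity by email address, uncorrelated addresses are reported separately, and the ‘Select’ flag decides who ends up in the population a CertificationScheduleEntitySelector-style rule would hand to a targeted certification. The `Identity` class, the sample cubes and the row layout of iplus_proofpoint_vap_data are constructed assumptions; the page does not document the real table or the rule library’s function names.

```python
from dataclasses import dataclass


@dataclass
class Identity:
    """Only the Identity attributes the VAP grid shows (constructed stand-in)."""
    name: str
    display_name: str
    email: str


# Constructed Identity cubes. Note the mixed-case email on 'bob'.
SAMPLE_IDENTITIES = [
    Identity("alice", "Alice Example", "alice@example.com"),
    Identity("bob",   "Bob Example",   "Bob@Example.com"),
    Identity("dave",  "Dave Example",  "dave@example.com"),
]

# Constructed rows as the 'Proofpoint - Get VAP List' task might leave them in
# iplus_proofpoint_vap_data: the email Proofpoint reports plus the 'Select'
# checkbox state from the VAP List tab (assumption: real layout not on this page).
SAMPLE_VAP_ROWS = [
    {"email": "ALICE@example.com",  "selected": True},
    {"email": "bob@example.com",    "selected": False},  # admin unselected this user
    {"email": " dave@example.com ", "selected": True},   # stray whitespace from the feed
    {"email": "erin@example.com",   "selected": True},   # no Identity cube to correlate to
]


def normalize_email(value):
    """Case-insensitive, whitespace-tolerant key so feed formatting does not break correlation."""
    return (value or "").strip().lower()


def build_vap_grid(vap_rows, identities):
    """Correlate each VAP row to an Identity by email.

    Returns (grid_rows, uncorrelated_emails): grid_rows carry the Identity name,
    display name, the email as it appears on the VAP list and the Select flag;
    uncorrelated_emails are VAP addresses with no matching Identity cube."""
    by_email = {normalize_email(i.email): i for i in identities}
    grid, uncorrelated = [], []
    for row in vap_rows:
        identity = by_email.get(normalize_email(row["email"]))
        if identity is None:
            uncorrelated.append(row["email"].strip())
            continue
        grid.append({
            "name": identity.name,
            "display_name": identity.display_name,
            "email": row["email"].strip(),
            "selected": bool(row.get("selected", True)),  # selected by default
        })
    return grid, uncorrelated


def certification_population(vap_rows, identities):
    """The Identity names a VAP-based entity selector rule would return:
    correlated users whose Select flag is still on."""
    grid, _ = build_vap_grid(vap_rows, identities)
    return [row["name"] for row in grid if row["selected"]]


if __name__ == "__main__":
    grid, missing = build_vap_grid(SAMPLE_VAP_ROWS, SAMPLE_IDENTITIES)
    for row in grid:
        print(row)
    print("uncorrelated:", missing)
    print("certify:", certification_population(SAMPLE_VAP_ROWS, SAMPLE_IDENTITIES))
```

Reporting the uncorrelated addresses is the part worth keeping an eye on in a real deployment: a VAP user whose Proofpoint address does not match any Identity cube silently drops out of every governance process built on the list.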

Creating a Certification

  1. Click ‘Setup->Certification’
  2. Select ‘Targeted’ from the dropdown
  3. In the ‘Who do you want to certify’ wizard, select ‘Rule’
  4. The plugin ships with an example rule, called ‘Proofpoint Very Attacked Persons’ - implementers can use this rule as a launching point for their implementation. See ‘Appendix B - Proofpoint Very Attacked Persons Example Rule’ for a printout of what this rule does. This rule is of type ‘CertificationScheduleEntitySelector’.
  5. Fill out any other relevant options for the certification, as you would for any other targeted certification: select the primary certifier, backup certifier, etc.
  6. Once launched (either immediately or on a schedule), the certification is generated and sent to the appropriate reviewer