
How the Proofpoint Endpoint Agent is Designed to Avoid Major IT and Security Outages


Recently, the importance of endpoint agent stability was underscored by a major IT and security outage, which disrupted business around the world. Because Proofpoint Information Protection relies on endpoint agents, this has raised questions among our customers.

In this blog, we will address some common questions that have come up about the architecture of our unified endpoint agent for Proofpoint Data Loss Prevention (DLP) and Insider Threat Management (ITM). We’ll also discuss how it’s managed.

What makes Proofpoint DLP different from other solutions?

The Proofpoint Information Protection platform combines data about content and user behaviour across the most critical DLP channels – email, cloud applications, endpoints and web. That’s why more than 50% of the Fortune 500 deploy our human-centric information protection platform. But that’s not the only reason. Proofpoint was recently named as a 2024 Gartner® Peer Insights™ Customers’ Choice for Data Loss Prevention. In fact, we were the only evaluated vendor to meet or exceed market averages for Overall Experience and User Interest and Adoption.

Legacy DLP tools often crash and frustrate users because they rely on kernel-mode agents. A fault in a kernel-mode component cannot be contained to one process, so it takes the whole system down with it, and the heavy processing such agents do in the kernel is felt on every operation they intercept.

In contrast, Proofpoint uses a lightweight endpoint agent to avoid this issue. Our agent minimises CPU usage, avoids disruptions and installs silently. And it does all of this while providing a wide range of capabilities, such as strong user behaviour monitoring, data exfiltration detection, insider investigation, and incident response.

How does the Proofpoint endpoint agent work?

The Proofpoint endpoint agent runs in user mode, using the standard user-mode interfaces that Windows and macOS expose to applications. User-mode applications run in their own address space with restricted privileges: they cannot read or modify kernel memory or other critical operating system (OS) data. If an application crashes in this mode, the OS terminates that one process and keeps running.

In contrast, kernel-mode code runs with the same privileges, and in the same address space, as the OS itself. A fault there, such as a bad pointer dereference in a driver, cannot be isolated to one process: Windows responds with a bug check (the blue screen) and macOS with a kernel panic, and in both cases the machine halts or reboots.

Because the Proofpoint agent runs in user mode, it offers the following advantages:

  • Stability. A fault in the agent is contained to the agent's own process, so the OS and the user's other applications keep running. The failure mode is a restartable agent process, not an unbootable endpoint.
  • Enhanced user experience. Because the agent cannot halt the machine, a problem in the agent never surfaces to the user as a blue screen or a forced reboot.
  • Performance. DLP operations are carried out on demand rather than continuously in the background. For example, legacy DLP solutions scan files at rest, whereas Proofpoint scans a file only when a customer-defined event involving that file occurs. This keeps CPU usage and memory footprint low.
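The distinction above is something an administrator can verify rather than take on trust. The following PowerShell script is an added example (not Proofpoint's code) that inventories an installed agent's Windows components and reports whether any of them is registered as a kernel-mode driver. The default value of -NamePattern is an assumption; substitute whatever service and driver names your vendor documents.

```powershell
# Added example, not Proofpoint's code: inventory an endpoint agent's Windows
# components and flag any that are kernel-mode drivers. The -NamePattern default
# is an assumption; substitute the service or driver names your vendor documents.
param(
    [string]$NamePattern = 'Proofpoint'
)

# Win32_Service lists user-mode services. ServiceType 'Own Process' or
# 'Share Process' means the component runs in a user-mode process, so a fault
# in it is contained to that process.
$userModeServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -match $NamePattern -or $_.PathName -match $NamePattern } |
    Select-Object Name, ServiceType, State, StartMode, PathName

# Win32_SystemDriver lists every driver registered as a service, running or not.
# ServiceType 'Kernel Driver' or 'File System Driver' means the code executes in
# the kernel, where a fault bug-checks the whole host.
$kernelDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.DisplayName -match $NamePattern -or $_.PathName -match $NamePattern } |
    Select-Object Name, ServiceType, State, StartMode, PathName

"User-mode services matching '$NamePattern':"
$userModeServices | Format-Table -AutoSize

if ($kernelDrivers) {
    Write-Warning "Kernel-mode components matching '$NamePattern' are registered on this host:"
    $kernelDrivers | Format-Table -AutoSize
} else {
    "No kernel-mode drivers matching '$NamePattern' are registered on this host."
}
```

Save the script as a .ps1 file and run it on a representative endpoint; the same pattern can be run against any other agent on the host (EDR, VPN, traffic steering) to see which of them carry kernel-mode code. On macOS the equivalent questions are answered by `systemextensionsctl list`, which shows user-space system extensions, and `kmutil showloaded`, which shows loaded kernel extensions.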

How is the deployment and update process handled?

The Proofpoint agent operates with minimal disruption to users. And it installs silently so that it does not interfere with normal operations. It has a small resource footprint and does not require a system reboot after installation. The Proofpoint agent also operates without conflicts with other endpoint agents, such as EDR agents or traffic steering agents.

Before we release a new agent, we do extensive manual and automated testing across all supported Windows and macOS versions. This helps to ensure high performance and functionality. Also, new features are initially released in limited availability using feature toggles to allow early adopters to test them in the field. This allows us to mature them before they’re widely released and thus minimise any disruption to production environments.

Customers have full control over agent deployment and updates, which can be managed through our platform or third-party tools. New agent releases are not automatically pushed to endpoints. This gives customers the ability to validate updates on a subset of devices before they deploy them across their entire environment. Additionally, Proofpoint has published best practices on how to perform staggered and ringed deployments to ensure gradual and controlled adoption of new features.
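A ringed rollout needs two pieces of logic: a stable way to decide which ring a device belongs to, and a gate that decides when a ring has proven a release well enough to promote it. The following PowerShell is an added example (not Proofpoint's code or its published best-practice guidance) that implements both in a general form a deployment tool could call. The host names, ring weights, gate thresholds and health reports in it are constructed for illustration.

```powershell
# Added example, not Proofpoint's code: deterministic ring assignment plus a
# promotion gate for a staged agent rollout. Host names, ring weights, gate
# thresholds and the health reports below are constructed for illustration.

function Get-DeploymentRing {
    # Map a host name to a ring with a stable hash, so a host stays in the same
    # ring from release to release and ring sizes are predictable fleet-wide.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int[]]$RingWeights = @(1, 4, 15, 80)   # assumed percentages: canary, early, broad, remainder
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($HostName.ToLowerInvariant()))
    $bucket = [System.BitConverter]::ToUInt32($digest, 0) % 100   # 0..99
    $cumulative = 0
    for ($ring = 0; $ring -lt $RingWeights.Count; $ring++) {
        $cumulative += $RingWeights[$ring]
        if ($bucket -lt $cumulative) { return $ring }
    }
    return $RingWeights.Count - 1
}

function Test-RingPromotion {
    # Decide whether the current ring has proven the release well enough to
    # promote it: enough hosts reported, every host has soaked for the minimum
    # time, and the failure rate (failed installs or agent crashes) is below the ceiling.
    param(
        [Parameter(Mandatory)][hashtable[]]$Reports,   # @{ Host; Installed; Crashed; SoakHours }
        [int]$MinSampleSize = 20,
        [double]$MinSoakHours = 24,
        [double]$MaxFailureRate = 0.01
    )
    if ($Reports.Count -lt $MinSampleSize) {
        Write-Verbose "Only $($Reports.Count) reports; need $MinSampleSize"
        return $false
    }
    $unsoaked = @($Reports | Where-Object { $_.SoakHours -lt $MinSoakHours }).Count
    if ($unsoaked -gt 0) {
        Write-Verbose "$unsoaked host(s) have not soaked for $MinSoakHours hours"
        return $false
    }
    $failures = @($Reports | Where-Object { -not $_.Installed -or $_.Crashed }).Count
    $rate = $failures / $Reports.Count
    Write-Verbose ("Failure rate {0:p2} across {1} hosts" -f $rate, $Reports.Count)
    return ($rate -lt $MaxFailureRate)
}

# Constructed fleet: 400 workstations, bucketed into rings.
$fleet = 1..400 | ForEach-Object { 'ws-{0:d4}.corp.example' -f $_ }
$fleet | Group-Object { Get-DeploymentRing -HostName $_ } | Sort-Object Name |
    ForEach-Object { "Ring $($_.Name): $($_.Count) hosts" }

# Constructed health reports for a 25-host ring after a 30-hour soak.
$reports = 1..25 | ForEach-Object {
    @{ Host = 'ws-{0:d4}.corp.example' -f $_; Installed = $true; Crashed = $false; SoakHours = 30 }
}
"Clean ring promotes: $(Test-RingPromotion -Reports $reports)"

# A single crash among 25 hosts is a 4% failure rate, above the 1% ceiling.
$reports[0].Crashed = $true
"Ring with one crash promotes: $(Test-RingPromotion -Reports $reports)"
```

The first promotion check passes and the second fails: one crashed host in a ring of 25 is already above the 1% ceiling, which is the point of keeping early rings small and the ceiling low. The hash-based assignment matters because it gives the same ring membership whichever tool or administrator computes it, so the canary population does not silently change between releases.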

For customers with critical systems where consistency and reliability are paramount, Proofpoint provides long-term support (LTS) releases of our endpoint agent. These releases are supported over an extended period and receive regular bug fixes, security patches and updates. Because of their stability and security, LTS versions are particularly favoured by larger organisations with stringent change management requirements.

Proofpoint is architected for reliability

Three design principles keep our endpoint agent stable, performant and minimally disruptive to IT environments:

  • User mode architecture
  • Low resource usage
  • Gradual and controlled deployment methodology

This design minimises the risk that performance will degrade over time, or that the agent will cause an outage of the kind seen in the recent industry-wide incident. Combined with extensive pre-release testing and long-term support releases, it makes our DLP and Insider Threat Management platforms more reliable.

Learn more

Find out more about Proofpoint DLP and ITM, and learn how it can help you stop data loss and contain insider threats. You can also read our guide to why traditional approaches to data loss prevention aren’t up to the task and how to modernise your DLP in Transforming Data Loss Prevention.