Case Study: Proton

Proton is a leading global player offering a comprehensive suite of secure, end-to-end encrypted digital services. Targeted by attacks as diverse as they are sophisticated, the company has invested in its own cybersecurity since its inception and adheres to strict security standards, both through internal and external policies (GDPR, HIPAA, independent audits such as ISO 27001 and SOC 2). It decided to monitor activity on its workstations with HarfangLab’s EDR.

Context

Proton began operations in 2014 with the creation of Proton Mail. Privacy protection and end-to-end encryption are at the heart of the products developed by the global company headquartered in Switzerland. 

After launching an end-to-end encrypted email service, Proton developed an entire ecosystem of products, from VPN to collaborative suites. 

“At Proton, our initial goal is to make encryption accessible to everyone by enabling the secure sharing of sensitive information. We support millions of users and businesses around the world, including high-risk profiles. As a result, Proton may be targeted by cyber threats that are common to any tech company, but also by advanced attacks carried out by organizations with significant resources to conduct such attacks.”

Patricia Egger, Head of Security

As a major player in privacy, Proton is regularly targeted by sophisticated DDoS attacks. The company is also threatened by malware, infostealers, keyloggers, and other tools that attackers can use to steal internal information or employee credentials.

The goal was to protect against attacks ranging from the most basic to the most sophisticated, while also improving visibility across a heterogeneous IT environment with a tool that integrates with its existing cybersecurity stack.

Why HarfangLab?

Proton wanted a high-performance platform that would meet sovereignty requirements and enable on-premises deployment and migration.

“Our workspace consists of several hundred endpoints, with a significant proportion running different versions of Windows, macOS, and Linux. We chose HarfangLab for several reasons: it is a powerful and open solution, and what’s more, it is European.”

Patricia Egger, Head of Security

Deployment

Proton’s internal SOC carried out the deployment in a matter of days, first in detection mode to identify and adjust any incompatibilities in the IT infrastructure.

It then took a few weeks to refine the platform configuration for the entire workspace, from technical workstations to business users.

Finally, full integration with the SIEM took about three months, alongside other priorities, to optimize data format management and collection, as well as detection rules.

Support

Proton’s internal SOC liaises with HarfangLab and requests support for technical issues or questions related to EDR configuration. Requests are then handled immediately by the HarfangLab teams.

Results

Since deploying HarfangLab, Proton has improved visibility across its workspace.

The security teams centralize data in the SIEM and can further investigate directly in the EDR console when a security event generates an alert or catches the attention of analysts. For example, if there is any doubt about an application, the EDR can detect where it is installed, whether it is suspicious, and block its execution if necessary.

“Unlike some other players, HarfangLab allows you to create your own detection rules and offers a large number of connectors, particularly with our SIEM. EDR is therefore a central component of our cybersecurity shield. It is an open and transparent data source, which allows us to make correlations that we would not otherwise be able to make.

The highly flexible whitelist system has enabled analysts to quickly adjust detections to our environment, reducing the false positive rate while limiting the risk of false negatives. Another strong point is its API, which allows analysts to do everything while giving them the freedom to choose their environment and work interface. For example, we can add or modify detection rules via GitOps with a merge request and validation system, and send the logs to the SIEM. All actions can be tracked collectively without the risk of silo or black box effects.”

Patricia Egger, Head of Security

Proton’s security teams have implemented correlation rules to pool information with their other tools, enabling them to manage alerts with the desired level of granularity and continuously adapt them to the threat context and changes in the workspace.