Effective in phishing analysis - Always room for improvement
July 27, 2021

Score 8 out of 10
Vetted Review
Verified User
Overall Satisfaction with Cofense Triage
Cofense Triage is used by the InfoSec team, specifically in the Security Operations Center (SOC), to analyze emails reported by employees company-wide when a user suspects an email is malicious or is simply unsure about the content in an email (links, attachments, etc.). The SOC receives these emails in a format that is pre-parsed by Cofense Triage, separating the text, HTML, headers, Mail Exchange (MX) records, URLs, and attachments contained within an email. This application gives the SMC an effective way to investigate suspected emails company-wide and provides easy ticketing and tracking. This application addresses the primary entry point often attempted by malicious actors through phishing and fraud.
- Parsing email content into a logically organized format
- Organizing reports
- Creating tickets in third-party application
- Responsive support team
- Large amount of community YARA rule contributions
- With most update roll-outs, there are often new bugs introduced which affect functionality of the application, e.g., trouble with categorizing or sending reports, parsing reports, or issues with YARA rules.
- Cofense Reporter (Report Phishing button) commonly runs into issues where users are unable to report messages as phishing and automatically include email headers.
- Cofense Reporter does not work well with Shared Mailboxes by default.
- Report Clusters (grouped emails shown to match similar content) are not very accurate, and often emails matching the same content and sender are not grouped together in a cluster.
- The application provides the ability to set up rules and recipes which facilitate automations with categorizing previously observed benign and internal emails reported and/or suggesting when an email has suspicious content. This has provided a positive impact and reduced the analysis time required by the InfoSec team.
- Identical emails are not always grouped, which introduces additional analysis time for the duplicate reports. This item could be improved upon to save more time and reduce staffing needs.
Cofense Triage has consistently maintained its effectiveness as being the centralized location for receiving and analyzing reported emails. This application satisfies the initial phase in detection when relating to the phishing threat vector. It is also effective in alerting reporters when an email was identified as malicious by the InfoSec team. Lastly, it provides a point to pivot from when performing Incident Response and remediation.
Reliability scores have not been determined to be effective. Each email reported requires analysis which is unbiased and does not make assumptions based upon reporter and ratio between false-positives and true-positives. With this, the InfoSec team only judges reported emails based upon content and sender (when sender authenticity is validated).
Do you think Cofense Triage delivers good value for the price?
Yes
Are you happy with Cofense Triage's feature set?
Yes
Did Cofense Triage live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Cofense Triage go as expected?
I wasn't involved with the implementation phase
Would you buy Cofense Triage again?
Yes