We've been using PhishRIP for well over a year now and love the functionality that it provides. However, pulling out meaningful metrics from the platform is difficult to impossible. When I look for reporting, I want data that will help me make meaningful decisions about my environment and how we want to protect it moving forward. I want to be able to showcase what this product has been able to do for our organization's security and help build that value proposition as we go through our yearly budget discussions. The current reporting features of PhishER simply fall short of both of those goals.
- Attachments: Every single report that hits our platform records our company's signatures as a .png attachment. So our .png is 10x higher than any other report.
- Suppose I wanted to dive deeper into our .html attachments that got reported so I could understand what % of those were marked as clean vs. malicious so that I could make a decision on if I wanted to block said attachments from my environment? You can't click on anything dynamically to get a list of what's populating that number. I have no idea if those were clean, malicious, or other. This data doesn't help me make any decisions.
- That feedback can be repeated for mostly all items in the "Reports" tab. As a company that is leveraging business intelligence and analytics to constantly adapt based on the data we see, I feel there is a distinct lack of actionable data in this portal.
What would I like to see?
- Report that showcases common phrases, verbiage, or other identifiers based on its classifications. That way, I can do a quarterly review of which emails I received that are consistently malicious and build a YARA rule to automate how we handle those emails to better protect our environment.
- Reporting to showcase how effective PhishRIP is. As we go into budget reviews with senior management and determine what's gonna get $$ next year, I'd love to show a report of PhishRIP emails removed to date to help build that value proposition. I have absolutely no visibility outside of me clicking through each tab of PhishRIP and adding up the removed messages manually. Even then I need to click into each PhishRIP entry to determine if it was quarantined, deleted, etc. This makes communicating PhishRIP success purely anecdotal which is underwhelming at best.
- Ability to clean up some of these sections. I have 1391 PhishRIP queries right now. Many of which Found 0 and Opened 0. There is absolutely no reason I should have to constantly sift through these entries when they're just blank line items. Give us the ability to delete PhishRIP entries that have no data.
- Let us filter PhishRIP data based on date. I'd like to see if the YARA rules we're constantly trying to grow and adapt to our environment are helping with automated removals. I have no way to compare where we were last year to this year to see if our PhishER environment is more effective than it was before we spent the time to create more rules. An easy solution would be to just let me export the data as a .csv so that I can manipulate it in Excel.
I was hoping these features would continue to expand over the past 18 months of using the product, but it's disappointing to have seen no new features come to reporting over that time.