Defining Progress & Proffering a Better Tomorrow

orchestrate
[awr-kuh-streyt]
verb (used with or without object), orchestrated, orchestrating.
1 – to compose or arrange (music) for performance by an orchestra.
2 – to arrange or manipulate, especially by means of clever or thorough planning or maneuvering.

I’ve been in the security trenches for the last 16 years. I’ve designed, built, consulted on, and operated information security solutions for both government and commercial entities. One truth has always rung clear – there is no single product that solves the problem – not firewalls, IDS/IPS, application firewalls, endpoint protection, or anything else on the ever-growing list.

We need enforcement & enrichment solutions. We need IPS & endpoint malware protection, firewall & risk mitigation tools, intel feeds, hardened platforms, risk plans, mitigation plans, etc. – because each of them solves a piece of our security problem.

With this “security stack” in every organization, we need to evolve our thinking toward connecting the layers of the stack – rather than just adding the next new product on top – before the stack falls over. Maybe it already has?

Imagine a wall built from bricks – no bricks, no wall – but what about the mortar? Without the mortar, a wall is just a stack of bricks.

They say the sum is greater than the individual parts. Today, the sum is the analyst or operator. The operator collects data from each layer of the stack, correlates it, and then reacts to it – continuously on a mission to enrich the event enough to determine whether corrective action needs to happen at an enforcement, endpoint, or access control point.

As engineers, we are wired to solve the problem at hand, but that focus has led us to this point where we are forced to work the security stack manually. Advanced operations teams have invested time and resources to connect some layers of the stack. They have written scripts that pull the data we need based on correlation activities. Though it feels like progress when we are in the trenches, it simply does not scale. These operations teams are faced with the challenge of moving capable security analysts into development and maintenance activities rather than secops. Continuing this way won’t solve the problem. It just makes it more complex. We try to throw more people at the problem, but even that is reaching a point of diminishing returns – all while we are seeing fewer qualified applicants in the job market.

After 16 years in the trenches, I see the power of Automation & Orchestration. It’s the mortar that connects the bricks to make the wall bigger and stronger. It has to be an open model, though – one where the community is free to create and enhance the solutions needed to solve this problem. That’s how we make progress.

Please accept my invitation to join the Phantom Community. Visit TryPhantom.com. Let’s work together on a better tomorrow.

Swami
Director, Security Engineering
Phantom Cyber

About Phantom:

Phantom automates enterprise security operations. In the face of problematic trends – the dramatic increase in the number and volume of attacks, severe shortages of qualified personnel, growth in the diversity and complexity of IT security environments, and unforgiving consumers, investors, and regulators holding management to task for breaches – Phantom arms security operations with the automation and orchestration solutions that ready them to defend their company’s business.

While not strictly open source, Phantom is extensible. Phantom Apps allow you to create connectors to in-house or more obscure security technologies and expose their APIs back to the platform. Phantom Apps are Python modules, allowing anyone to expand the platform and contribute Apps to the Phantom App store. Phantom Playbooks are also written in Python and can be customized at will. Playbooks are synchronized via Git and published on our public GitHub repository.

Visit TryPhantom.com to register for Phantom Community Edition, a free version of Phantom.

Is there an ROI in Automation & Orchestration?

When I finished college many years ago, I joined Ernst & Young and earned my CPA. It only took a few busy seasons for me to realize that while public accounting was a great place to start a career, I didn’t enjoy accounting enough to do it every day. Still, I credit E&Y with teaching me the language of business.

Though I do get excited by new technology and the spirit of innovation, sooner or later I always come back to those E&Y roots. What’s the business value of the solution? Admittedly, the answer to this question has not always been crystal clear in the fifteen years that I’ve been in the security industry. I’ve seen a fair share of friendly debates over how to value the economic impact of a breach that may not actually happen.

As I started to learn more about Phantom, I saw a difference. In the Security Automation & Orchestration market, the Return on Investment (ROI) is much more tangible. Automation & orchestration can be a force multiplier to help marshal the power of your existing security point products to achieve in seconds what may normally take hours. It’s about making security smarter, faster, and stronger, and with Phantom you get the only purpose-built security automation & orchestration platform to do it.

Smarter: The complexities of our IT environments often slow down our teams, paralyzing otherwise highly proficient people. Phantom works like an OS to orchestrate security operations from prevention to resolution, ultimately delivering increases in productivity and effectiveness. Codifying your “rules of engagement,” approval authorities, and escalations lets your skilled first responders bring all of their experience to bear to make better decisions and act quickly.

Faster: Enterprise security resources are stretched as never-ending attacks test your ability to respond. Phantom helps reduce time to detect and respond through automation. Ranging from simple automation to fully autonomous response, Phantom lets you choose the balance that best fits your organization’s needs while increasing security and accelerating the incident response lifecycle. Faster triage, investigation, and recovery, combined with granular control of assets, ensure security at machine speed while maintaining continuity and control.

Stronger: Phantom helps you create a security team and environment that is worth more than the sum of its parts. Consolidation and control make static security systems agile. Phantom works like “connective tissue,” delivering the flexibility to connect in-house and third-party systems into one integrated platform. While not strictly open source, Phantom is extensible, enabling you to create your own Apps & Playbooks or use the ones we’ve created for you.

But what about the ROI, the tangible business value? One could assert that working smarter, faster, and stronger has a multiplier effect. Making one person look like two or even three saves money, improves job satisfaction (i.e. retention), and reduces your time to react. While this qualitative case may satisfy the needs of some, others may look for a quantifiable gain. Let’s consider a simple example based on a few industry estimates to illustrate the point:

Acme is a mid-sized company with ~1,500 employees. On average, Acme receives ~127,500 emails per day. Recent industry research suggests that as many as 0.01% of those emails are phishing attempts, which equates to ~13 per day. If we further assume that it takes ~45 minutes to address each phish and that the fully loaded cost per employee is $90 per hour, then the cost of this security problem is $300,000+ per year.

Phishing is only one of many security issues addressable with automation & orchestration. Our Early Access Customers are identifying 50 or more routine security problems ready for Phantom.

What’s on your list to automate & orchestrate?

CP Morey
VP, Products & Marketing
Phantom Cyber
