Defining Progress & Proffering a Better Tomorrow

orchestrate
[awr-kuh-streyt]
verb (used with or without object), orchestrated, orchestrating.
1 – to compose or arrange (music) for performance by an orchestra.
2 – to arrange or manipulate, especially by means of clever or thorough planning or maneuvering.

I’ve been in the security trenches for the last 16 years. I’ve designed, built, consulted on, and operated information security solutions for both government and commercial entities. One truth has always rung clear: there is no single product that solves the problem. Not firewalls, not IDS/IPS, not application firewalls, not endpoint protection, and the list goes on and on.

We need enforcement and enrichment solutions: IPS and endpoint malware protection, firewalls and risk mitigation tools, intel feeds, hardened platforms, risk plans, mitigation plans, and so on, because each of them solves part of the security problem.

With this “security stack” in every organization, we need to evolve our thinking toward connecting the layers of the stack, rather than just adding the next new product on top, before the stack falls over. Maybe it already has?

Imagine a wall built from bricks. No bricks, no wall. But what about the mortar? Without the mortar, a wall is just a stack of bricks.

They say the whole is greater than the sum of its parts. Today, the thing doing the summing is the analyst or operator: collecting data from each layer of the stack, correlating it, and then reacting to it, continuously working to enrich each event enough to decide whether corrective action is needed at an enforcement point, an endpoint, or an access control point.

As engineers, we are wired to solve the problem at hand, but that focus has led us to a point where we are forced to work the security stack manually. Advanced operations teams have invested time and resources to connect some layers of the stack: they have written scripts that pull the data they need based on correlation activities. Though it feels like progress when we are in the trenches, it simply does not scale. These teams are faced with the challenge of moving capable security analysts into development and maintenance work rather than security operations. Continuing this way won’t solve the problem; it just makes it more complex. We try to throw more people at the problem, but even that is reaching a point of diminishing returns, all while we are seeing fewer qualified applicants in the job market.

After 16 years in the trenches, I see the power of Automation & Orchestration. It’s the mortar that connects the bricks to make the wall bigger and stronger. It has to be an open model though, one where the community is free to create and enhance the solutions needed to solve this problem. That’s how we make progress.
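To make the enrich-then-decide loop concrete, here is an added example in plain Python. It is not Phantom’s App or Playbook API and not the author’s code; it shows the shape of the “mortar”: an alert from one layer (IDS) is enriched from two others (a threat-intel feed and endpoint telemetry), scored, and mapped to actions at enforcement points. The alerts, intel entries, telemetry, scoring weights, and thresholds are all constructed placeholders.

```python
"""Enrich-then-decide orchestration loop across a security stack.

Added example in generic Python; not Phantom's App/Playbook API.
Every input below is constructed sample data, and the weights and
thresholds are placeholders a real team would tune.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# --- Constructed stand-ins for layers of the stack --------------------------
IDS_ALERTS = [  # hypothetical IDS output (RFC 5737 documentation addresses)
    {"id": "a1", "src": "203.0.113.45", "dst": "10.0.0.12",
     "sig": "known beacon pattern", "severity": "high"},
    {"id": "a2", "src": "198.51.100.9", "dst": "10.0.0.20",
     "sig": "port sweep", "severity": "low"},
    {"id": "a3", "src": "10.0.0.7", "dst": "10.0.0.12",
     "sig": "SMB admin share access", "severity": "medium"},
]
INTEL_FEED = {  # hypothetical threat-intel lookups keyed by source IP
    "203.0.113.45": {"category": "c2", "confidence": 90},
    "198.51.100.9": {"category": "scanner", "confidence": 40},
}
ENDPOINT_TELEMETRY = {  # hypothetical EDR view of internal hosts
    "10.0.0.12": {"hostname": "ws-012", "edr_alert": True},
    "10.0.0.20": {"hostname": "ws-020", "edr_alert": False},
    "10.0.0.7": {"hostname": "ws-007", "edr_alert": False},
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
SEVERITY_SCORE = {"low": 10, "medium": 30, "high": 50}  # placeholder weights


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of our internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Decision:
    alert_id: str
    score: int
    actions: list = field(default_factory=list)   # enforcement-point actions
    evidence: dict = field(default_factory=dict)  # why we decided this


def enrich(alert: dict) -> dict:
    """Gather the context an analyst would pull by hand from each layer."""
    return {
        **alert,
        "intel": INTEL_FEED.get(alert["src"]),
        "endpoint": ENDPOINT_TELEMETRY.get(alert["dst"], {}),
        "src_internal": is_internal(alert["src"]),
    }


def decide(enriched: dict) -> Decision:
    """Turn enrichment into a score and a list of enforcement actions."""
    score = SEVERITY_SCORE[enriched["severity"]]
    evidence = {"ids": enriched["sig"]}
    if enriched["intel"]:
        score += enriched["intel"]["confidence"] // 2
        evidence["intel"] = enriched["intel"]["category"]
    if enriched["endpoint"].get("edr_alert"):
        score += 30
        evidence["edr"] = enriched["endpoint"]["hostname"]
    if enriched["src_internal"]:
        score += 20  # internal source: possible lateral movement
        evidence["lateral"] = True

    actions = []
    if score >= 80:
        if enriched["src_internal"]:
            src_host = ENDPOINT_TELEMETRY.get(enriched["src"], {}).get(
                "hostname", enriched["src"])
            actions.append(f"edr:isolate {src_host}")
        else:
            actions.append(f"firewall:block {enriched['src']}")
        if enriched["endpoint"].get("edr_alert"):
            actions.append(f"edr:isolate {enriched['endpoint']['hostname']}")
        actions.append("ticket:open severity=critical")
    elif score >= 40:
        actions.append("ticket:open severity=medium")
    else:
        actions.append("ticket:open severity=low")
    return Decision(enriched["id"], score, actions, evidence)


def run_playbook(alerts):
    """The whole loop: enrich every alert, then decide on each."""
    return [decide(enrich(a)) for a in alerts]


if __name__ == "__main__":
    for d in run_playbook(IDS_ALERTS):
        print(d.alert_id, d.score, d.actions, d.evidence)
```

The point is the structure, not the numbers: each layer becomes a lookup, the correlation becomes a scoring step, and the operator’s judgement becomes an explicit, reviewable decision table with its evidence attached. In practice the `firewall:block` and `edr:isolate` actions would call the tools’ own APIs, and the high-impact ones would sit behind an approval step rather than firing automatically.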

Please accept my invitation to join the Phantom Community.  Visit TryPhantom.com.  Let’s work together on a better tomorrow.

Swami
Director, Security Engineering
Phantom Cyber

About Phantom:

Phantom automates enterprise security operations. In the face of problematic trends, including the dramatic increase in the volume of attacks, severe shortages of qualified personnel, growth in the diversity and complexity of IT security environments, and unforgiving consumers, investors and regulators holding management to task for breaches, Phantom arms security operations with the automation and orchestration solutions they need to defend their company’s business.

While not strictly open source, Phantom is extensible. Phantom Apps let you create connectors to in-house or more obscure security technologies and expose their APIs back to the platform. Phantom Apps are Python modules, so anyone can extend the platform and contribute Apps to the Phantom App store. Similarly, Phantom Playbooks are also written in Python and can be customized at will. Playbooks are synchronized via Git and published on our public GitHub repository. Because Apps and Playbooks are executable Python that acts on your enforcement points, review community-contributed code before deploying it, as you would any other code pulled from a public repository.

Visit TryPhantom.com to register for Phantom Community Edition, a free version of Phantom.