Winter is Coming: Will You Be Ready?

In IT security today, there are two deeply disturbing trends that, when looked at together, should strike fear in the heart of any CISO. For those who are fans of the HBO series Game of Thrones: Winter is coming.

First, the world is seeing an increase in attacks of all types (malware, DDoS, APT). For GOT fans, you can think of this army of hackers as white walkers and the tools they use as their ever-growing zombie army. At Carbon Black, we see 250,000 new malicious files every day, and AV-TEST believes the total number of new malware samples for 2016 has already nearly eclipsed 20 million.

[Figure: AV-TEST total malware graph]

Secondly, back up on the Wall at the Night’s Watch: while the number of attacks is increasing, the skills gap for qualified security professionals only continues to widen. According to ISACA, today it takes the average organization over six months to fill security-related positions, and analyst firm Frost & Sullivan only sees the problem getting worse, estimating a 1.5 million person job shortfall by 2019.

[Figure: Frost & Sullivan research graph]

Phantom’s Erich Baumgartner posted a strong article on this issue of job shortages earlier in the year, but when you step back and think about the potential implications of these two trends for existing security teams, you can’t help but be a bit terrified at the prospects for the future.

Picture a growing number of smart, dedicated and targeted attackers attempting to exploit vulnerabilities in a rapidly expanding attack surface, defended by a hugely understaffed IT security team: just like on TV, the odds of success are not good. In this environment, it should be no wonder that it takes the average organization nearly six months to discover a breach.

At Carbon Black, we’re on a mission to provide organizations with the best endpoint security possible. We believe the only way organizations can do this is by enabling people and technology to better work together. It’s why we support robust open APIs across our platform and continually push ourselves and our clients to see new use-cases and continue to deliver new capabilities through technology alliances.

With its potential to change the economics of security and serve as a force multiplier for under-staffed security teams, we at Carbon Black believe strongly that organizations need to begin considering how to automate and orchestrate parts of their environments, today.

To help make this possible, we’ve partnered with leaders in the space like Phantom to make it easy to incorporate Carbon Black Enterprise Response’s continuous visibility, threat detection and remote incident response capabilities into the Phantom platform as part of a broader workflow.

[Figure: Phantom investigation workflow image]

The flexibility and broader vendor support of the Phantom platform open up new doors for security teams. Above is an image outlining one example of how you could leverage Phantom and CbER to orchestrate a response to a malware-compromised system.

As you can see above, the power from the Phantom platform comes from being able to tie in other security tools such as EDR, SIEM, sandboxes, and others to quickly respond to detection events, or other common security use-cases, in an orchestrated and automated manner.

With a growing threat and qualified employees in short supply, having an automation and orchestration platform working in conjunction with best-of-breed tools like Carbon Black can help pump up your IT defense at a critical time by squeezing more from less.

If you are interested in learning more about how Phantom and Carbon Black are partnering to simplify incident response and to see a demo in action, stop by the Carbon Black (S1535) or Phantom (S2621) booths at RSA next week.

Ian Lee
Product Marketing Manager
Carbon Black

About Carbon Black:
Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite.

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

Announcing Phantom GA

Our Phantom GA is an exciting milestone.  The team worked extremely hard on this first major release and is already making progress on the next.

We’re really the first to provide an open community for Security Automation and Orchestration, and in contrast to other companies touting automation, we address everything from preventative protection and incident response, to regeneration of the environment.  Another important distinction relates to what we automate and orchestrate.  Phantom goes one step further than merely ingesting and enriching security data: we also execute investigative and containment actions to control the environment and remediate security events.

But let’s get back to the GA.  If you already have an account, then you can access the GA release from the portal in the “Product / Releases” section. If you don’t have an account, then please register on our web site via the “Get Phantom Now” option and we will activate an account for you.

If you haven’t attended a semi-monthly Phantom Tech Session, be sure to register.  We share use cases and insights on new features.  I’d also encourage you to join the Phantom Community by sending an email to users+subscribe@phantom.us.  When you receive a response, reply to that response to complete your subscription.

OK, so what’s new in the GA release?

  • We have doubled the Action limit on our Community Edition platform to allow 100 Actions per day (up from the previous limit of 50).  To run more actions, you will need a production license.  Our sales team can help.
  • The product has undergone extensive functional testing over the last few months. Thanks to all of our beta users who gave us valuable feedback throughout the beta cycle. We have fixed hundreds of issues that were identified via this process.
  • We have performed extensive performance and longevity tests ingesting multiple streams of data and running automation via multiple active Playbooks for each of the data streams in parallel.
  • While visually the platform may look similar to beta releases, you may notice that in a few pages like “Automation”, the action results are now downloadable as JSON files.
  • A new Ingestion Status page has also been added in the “Administration” section that allows users to see their configured and scheduled ingestions and how they have been performing over a period of time.
  • The License tab in the Administration / System Settings area now shows “actions per day” that are counted towards the license limit. Actions executed while debugging a Playbook do not count towards this limit.
  • Documentation: The in-product and on-portal documentation has been updated to reflect all the new features and updates. The “Automation Engineering Manual” section that documents the APIs has been updated to embed sample Playbooks and code instead of simply referring to “API Sample” Playbooks. We have also deleted the API sample Playbooks from the Community git repo.
  • A new Playbook called “Email_PDF” has been added to “Use Case Samples” that showcases how to automate and orchestrate on emails as an input stream. This Playbook extracts PDF attachments from the email, detonates them on a ThreatGrid sandbox, extracts the detonation results and sends an email to the analyst with the results. As a reminder, all the “Use Case Sample” Playbooks are merely examples that show how to use the APIs and implement use cases.
  • We’ve disabled SSLv3 support and some weak ciphers on the web server to address the POODLE vulnerability.

The innovation the team is driving is being recognized.  If you haven’t heard the news, we were tapped as a finalist for the RSA Conference annual Innovation Sandbox Contest. The competition is dedicated to encouraging out-of-the-box ideas and the exploration of new technologies that have the potential to transform the information security industry.

Exciting times for sure!  Thank you for your support & interest!

Sourabh Satish
CTO & Co-Founder
Phantom


The Intersection of Security Orchestration & Autonomous Vehicles

As an automotive enthusiast, I’ve been following the coverage of autonomous vehicles since before I joined Phantom.  Now that I’m at Phantom helping to create the first open community for Security Automation and Orchestration, the topic is even more interesting to me.

[Image: Phantom_Tesla_Nissan]

I think there are a number of parallels in these two “movements” that serve as an interesting backdrop to their adoption if nothing else.  Since I don’t work in a SOC, the comparison is also useful as a way to consider the decision making employed by our customers as they embrace automation in the SOC.

One recurring theme relates to augmentation vs. automation.  The first successful use cases for autonomous vehicles aren’t as “hands off” as getting into the car, turning your seat to face the rear, and playing board games with your kids for the next 500 miles while the car automatically delivers the family to grandma’s house.

What’s more likely to be adopted first is the automation of routine, lower risk use cases.  Tesla’s recently announced Summon feature that allows owners to park their cars without needing to be inside is a great example.  Today automation (via Summon) helps in a range of situations from pulling into the garage at home to squeezing into tight perpendicular spots.  In time, Summon will enable more sophisticated scenarios like having your Tesla sync with your calendar, wake-up at the appropriate time, and drive autonomously to greet you.

Similarly, Security Automation and Orchestration is likely to follow an “assist first, automate later” approach starting first by automating the triage of security elements like alerts, incidents, threat intelligence, vulnerabilities, and phishing emails. You can read more about simple Security Automation use cases in prior blog posts: Email-based Orchestration and Operationalizing Threat Intel.

Not to be outdone by Tesla, several other manufacturers have advanced their autonomous vehicle game.  Nissan’s Intelligent Drive is yet another example that parallels the trend towards automation and orchestration in security.  For self-driving cars to be accepted, Nissan understands that people will have to trust the technology.  Designers have devised an “Intention Indicator” which, as the name suggests, helps to project what actions the car will take before taking them.

In security, I can remember how similar capabilities, dubbed “simulation modes”, helped customers make the transition from IDS to IPS.  In this case, it wasn’t needed to build trust with the uninformed user, but rather served as a way for security pros to understand how the technology would work before fully committing.  In either case, it’s about getting people comfortable with the change, a construct that could also prove useful as customers adopt Security Automation and Orchestration.

Phantom’s free Community Edition is a great way for security pros interested in automation and orchestration to take a test drive (pardon the pun): a way to experiment with this emerging category and understand its impact as it becomes more critical to managing the SOC.  You can also register for a Tech Session to experience Security Automation & Orchestration before getting behind the wheel.

Thanks for your support & interest!

CP Morey
VP, Products & Marketing
Phantom


Visit TryPhantom.com to register for Phantom Community Edition, a free version of Phantom.

Addressing the Talent Gap with Automation & Orchestration

There is much discussion on the global shortage of information security professionals with some estimates topping out at over a million jobs in 2016 alone, and others claiming even double that by 2017.  The media has even taken a lighter-side look at the problem with cartoons like John Klossner’s of Federal Computer Week:

[Image: John Klossner cartoon, Federal Computer Week]

The Obama administration made reference to the issue in Tuesday’s announcement of the Cybersecurity National Action Plan which includes initiatives to better prepare college students for cybersecurity careers.

Knowing you have a problem is important, but we also wondered about the scope.  We engaged Jon Oltsik at ESG for a research project on Security Automation & Orchestration.  Not surprisingly, the results made reference to the skills shortage.

(I’ll share a few interesting stats from the report today. You can also pre-register for a full copy.  ETA is before RSAC.)

We asked 125 Information Security Professionals at large enterprises in North America thirty-seven questions.  All have invested significantly in information security solutions to the point of having dozens of point products and a suffocating volume of security events from attacks that are more advanced than ever.  Most are simply at a loss as to what to do next.

In the study, nearly 75% of the group agreed that security events/alerts are simply ignored because their teams can’t keep up with the volume.  More than 50% of this group said they are ignoring as much as 75% of their alerts.

We simply can’t hire security talent fast enough to address the problem with brute force, and the staff we do have are constantly being poached for other opportunities.  While Obama’s Cybersecurity National Action Plan will eventually help to offset the problem, it still leaves a gap until those students can be trained.

In our study, more than 70% of the group said the average employee with IR responsibilities has at least 10 years of experience (see chart below).  Educational programs are certainly needed, but are really only effective when paired with real-world experience.

[Chart: ESG research chart]

At Phantom, we think Security Automation & Orchestration is the force multiplier needed to marshal the full power of your security investment towards solving problems like the talent shortage.

Enterprise security resources are stretched to the breaking point as attacks test your ability to respond. Phantom helps security operations reduce time to detect and respond through automation. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating the entire incident response lifecycle. Faster triage, investigation, and recovery, combined with granular control of assets, ensures security at machine speed while maintaining continuity and control.

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, attend one of our Tech Sessions to see Phantom in action, or simply read more about Phantom here.

Have you joined our $10,000 Playbook & App Challenge?  Read more here.

The ESG Report is full of interesting insights on the skills shortage and other factors that demonstrate the need for a change.  Be sure to pre-register for a full copy when it’s published in a few weeks.

Erich Baumgartner
VP, Field Operations
Phantom

About Phantom:
Phantom automates enterprise security operations. In the face of problematic trends including the dramatic increase and volume of attacks, severe shortages in qualified personnel, growth in the diversity and complexity of IT security environments and unforgiving consumers, investors and regulators holding management to task for breaches, Phantom arms security operations with the automation and orchestration solutions that ready them to defend their company’s business.  


Tips for Choosing an App in the $10,000 Challenge – Part 2

When we announced our $10,000 Phantom Playbook & App Contest, we promised hints and updates for those following us @TryPhantom and on our blog.

(If the $10,000 Phantom Playbook & App Contest is news to you, check out this post. You still have time to join!)

You might recall from the blog that a winning submission will include a Playbook and the required Apps that can be executed by the Phantom Community Edition product with the most impressive combinations taking home the prize money.

Playbooks represent the codification of a security operations (SecOps) plan. They are Python scripts that Phantom interprets to take action when needed. Similarly, Apps are also written in Python and used to connect Phantom to third-party security products and tools. Both Playbooks and Apps can be shared across Phantom’s Open Community for Security Automation & Orchestration.

(If you need more information on Playbooks, Apps or both, check out our product page or sign-up for a Phantom Tech Session. Otherwise, keep reading.)

You already have access to more than 40 Apps in the Phantom App Store which you can find in the portal. Fortunately, (for contestants anyway) there are still Apps needed in the community. We decided to share a few hints to help our best contestants get started.

Here is a short list of Phantom Apps to help grow the community and build interesting Playbooks:

  • ThreatConnect
  • Symantec Endpoint
  • Proofpoint
  • Resilient Systems
  • Logrhythm
  • ThreatQuotient
  • eCAT
  • Imperva
  • Cymmetria
  • RiskIQ

We even have a Phantom App Technical Development Guide available in the portal.

Want to claim an App? Let us know at contest@phantom.us. This will limit multiple contestants working on the same App, and help to break a tie if needed.

Keep visiting the blog and watching us @TryPhantom for hints and updates during the contest!

CP Morey
VP, Products & Marketing
Phantom Cyber


Playbook Series: Operationalizing Threat Intelligence

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.  Register for our Tech Sessions to see live demos of Phantom Playbooks (e.g. this Playbook will be covered on Feb. 19th).

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample Community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.

The spotlight playbook for today is on Operationalizing Threat Intelligence.

Threat intelligence is everywhere around us. It comes in various forms such as IP addresses, URLs, file hashes, vulnerability reports, threat actor reports, etc. This list goes on and on. The STIX document format exists solely in order to make threat intelligence shareable.  As security operators we seek out this data wherever we can get it. With all of the sources, it has become increasingly important to operationalize this threat information and turn it into detection and protection mechanisms for the enterprise. How is this done today? Like anything else, there are several ways to solve it. The following is a common, albeit simplified scenario.

An organization has a subscription to a threat intel feed that provides threat data such as raw indicators, threat actor details, and even vulnerabilities. The reports are delivered, and an analyst will perform several steps along the path to protective action. The phases of operationalizing this data can be labeled “Investigation” (i.e. indicator enrichment and hunting) and “Defending” (which includes indicator deployment).

Indicator Hunting, Investigation and Enrichment

Determine the type of report on hand:

Raw Indicators

  • Indicator reports commonly include IPs, file hashes, and additional details which allow several protective actions to be taken. This includes blocking IP addresses, URLs, and files. These indicators are usually manually validated by researching additional reputation and sandboxing sources to ensure threat validity.
  • Seek out any additional resources such as methods, or command and control nodes so that detection and protection schemes can be deployed.

Threat Actor Details

  • Determine if the threat actors are targeting nations, specific sectors, or even specific companies. Then determine if the organization falls into the target.
  • Seek out any additional resources such as methods, specific malware or exploit kits, and/or command and control nodes so that detection and protection schemes can be deployed.

Vulnerability Report

  • It is necessary to determine whether the vulnerabilities are exploitable in the environment. If so, build, test and deploy IDS/IPS rules to alert or block. Other defense mechanisms should be leveraged as well, including application-layer firewalling.
  • Find if a patch is available from the vendor and deploy.

The prior actions outline only the initial protective measures that need to be implemented. After these actions are taken, the Security Operations team must switch focus from threat ingestion and deploying protection measures to analysis of prior log data, to determine whether there has been any prior contact from or with the identified threats. This is perhaps the most resource-intensive phase, from both an infrastructure and a manpower perspective, and it is often left incomplete: there are simply so many sources of alerts and threat data that require triage, each possibly requiring all of the previously outlined steps.

Containment and Recovery (Defending):

  • Assemble list of different data types: IPs, URLs, domains, file hashes.
  • Build queries in SIEM or the data store to determine any prior contact with the threat.
  • If contact is determined, incident response is required based on the potential impact from the threat. This sequence of events will require a well-defined incident response methodology. We will hold that for a future discussion, as it merits full detail.
  • Some response examples:
    • Find any running processes that match the identified malware.
    • Terminate these malicious processes.
    • Quarantine any infected hosts.
    • Notify Security Operations, and Help-desk of identification and containment.
    • Potentially even regenerate any hosts after identification of malware.
  • Identify and contain any lateral movement in the environment.
  • A full audit of the Investigation and Defending steps should be performed.

All of these steps are repeated for each intel report the organization receives, in both the “Protection” stage and the “Detection” stage.
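The “assemble indicator list” and “query for prior contact” steps above, as an added Python example that is not Phantom’s own Playbook code: it buckets a constructed intel report by indicator type, derives the domain from a URL indicator for the DNS hunt, and checks constructed proxy/DNS/EDR log lines for contact, returning the hosts that would feed the containment actions. The indicator types, the key=value log format and every sample value are assumptions made for this example.

```python
"""Added example (not Phantom's own Playbook code) for the threat-intel procedure above:
assemble indicators by type, then hunt for prior contact in log data.
Indicator types, log format and all sample values are assumptions/constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample intel report: a flat list of raw indicators as a feed might deliver them.
SAMPLE_REPORT = [
    "203.0.113.45",                        # IPv4 from a documentation range (constructed)
    "http://bad.example.net/update.php",   # URL; its host is derived as a domain indicator below
    "D41D8CD98F00B204E9800998ECF8427E",    # 32 hex chars, MD5-length hash (constructed)
    "not an indicator",                    # noise that must be dropped, not guessed at
]

# Constructed sample proxy/DNS/EDR log lines in a simple key=value format.
SAMPLE_LOGS = [
    "2016-02-10T08:01:12Z proxy host=ws-017 dst=203.0.113.45 url=http://bad.example.net/update.php",
    "2016-02-10T08:05:40Z dns host=ws-022 query=bad.example.net",
    "2016-02-10T09:11:03Z edr host=ws-045 proc=update.exe md5=d41d8cd98f00b204e9800998ecf8427e",
    "2016-02-10T09:30:00Z proxy host=ws-031 dst=198.51.100.7 url=http://intranet.example.com/",
]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def _is_ipv4(value):
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def classify(indicator):
    """Return 'ip', 'url', 'hash' or 'domain' for a raw indicator, or None if unrecognised."""
    value = indicator.strip()
    if _is_ipv4(value):
        return "ip"
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if HASH_RE.match(value):
        return "hash"
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def assemble(report):
    """Step 1: bucket raw indicators by type (hashes and domains normalised to lower case).
    A URL also contributes its host as a domain indicator, so DNS logs can be hunted even
    when the feed only listed the full URL."""
    buckets = defaultdict(set)
    for raw in report:
        kind = classify(raw)
        if kind is None:
            continue
        value = raw.strip()
        if kind in ("hash", "domain"):
            value = value.lower()
        buckets[kind].add(value)
        if kind == "url":
            host = urlsplit(value).hostname
            if host and classify(host) == "domain":
                buckets["domain"].add(host)
    return dict(buckets)


def hunt(indicators, log_lines):
    """Step 2: the 'prior contact' query, done in-process on sample data instead of in a SIEM.
    Every key=value field of each line is checked for an exact match against the indicators."""
    lookup = {value: kind for kind, values in indicators.items() for value in values}
    matches = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        host = fields.get("host", "unknown")
        for key, value in fields.items():
            kind = lookup.get(value) or lookup.get(value.lower())
            if kind:
                matches.append({"host": host, "type": kind, "indicator": value, "field": key})
    return matches


def hosts_to_contain(matches):
    """Step 3 input: the distinct hosts with prior contact, for the containment actions."""
    return sorted({m["host"] for m in matches})


if __name__ == "__main__":
    found = hunt(assemble(SAMPLE_REPORT), SAMPLE_LOGS)
    for m in found:
        print(f"{m['host']}: {m['type']} {m['indicator']} (field {m['field']})")
    print("hosts requiring containment:", hosts_to_contain(found))
```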

The steps above can easily be automated in Phantom, and the savings can be substantial.  You can read more about the ROI of Automation & Orchestration here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action (e.g. this Playbook will be covered on Feb. 19th).

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.  Interested in a Playbook we haven’t already covered?  Submit your request for future coverage.

Swami
Director, Security Engineering
Phantom


Tips for Choosing an App in the $10,000 Challenge

When we announced our $10,000 Phantom Playbook & App Contest, we promised hints and updates for those following us @TryPhantom and on our blog.

(If the $10,000 Phantom Playbook & App Contest is news to you, check out this post.  You still have time to join!)

You might recall from the blog that a winning submission will include a Playbook and the required Apps that can be executed by the Phantom Community Edition product with the most impressive combinations taking home the prize money.

Playbooks represent the codification of a security operations (SecOps) plan.  They are Python scripts that Phantom interprets to take action when needed.  Similarly, Apps are also written in Python and used to connect Phantom to third-party security products and tools.  Both Playbooks and Apps can be shared across Phantom’s Open Community for Security Automation & Orchestration.

(If you need more information on Playbooks, Apps or both, check out our product page or sign-up for a Phantom Tech Session.  Otherwise, keep reading.)

You already have access to more than 40 Apps in the Phantom App Store which you can find in the portal.  Fortunately, (for contestants anyway) there are still Apps needed in the community.  We decided to share a few hints to help our best contestants get started.

Here is a short list of Phantom Apps to help grow the community and build interesting Playbooks:

  • Archer
  • Bluecoat Proxy
  • Cylance Protect
  • RedOwl
  • StealthWatch
  • FireEye – MAS
  • Checkpoint
  • Remedy
  • McAfee HBSS

We even have a Phantom App Technical Development Guide available in the portal.

Want to claim an App?  Let us know at contest@phantom.us.  This will limit multiple contestants working on the same App, and help to break a tie if needed.

Keep visiting the blog and watching us @TryPhantom for hints and updates during the contest!

CP Morey
VP, Products & Marketing
Phantom Cyber
