Community Magic

Phantom is the first company to provide an open community for security automation and orchestration, and this is something we take very seriously.  It’s one thing to talk about it, and it’s another to invest in it.

When we announced the 2016 Phantom Playbook & App Contest in January, we saw it as a way to invest in the community.

We’ve seen a number of great contest entries from the community.  I wanted to share one with you today.  Though not required, Joel King at WWT submitted a video with his entry to showcase the work:

It’s a great example of what you can do with Phantom.  You don’t have to take Joel’s word for it (or mine).  See for yourself.  Join the contest or just sign-up for the free Community Edition of our product.  Here are a few links to help:

The contest runs through the end of May.  Interested in participating?  (get info & register)  When you register, you’ll automatically get a Community Edition account.

Just want to skip the contest and get access to the Community Edition?  (get Phantom)  Once you have an account, sign in to the portal and click  “Learn” on the menu.  You’ll see full documentation, the knowledgebase and helpful videos.

Building a Phantom Playbook or App and have questions?  Sourabh Satish (our CTO) holds “Office Hours” to help.  Simply send an email to sourabh@phantom.us.  He has opened his calendar daily from noon – 12:30 PDT… first come, first served.

Have you been to a Phantom Tech Session?  We host them every two weeks.  Our next session on April 8th will focus on App Development (register).

Hope to see you in the Community!

CP Morey
VP, Products & Marketing
Phantom

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

Playbook Series: Evil Insiders

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.   You can read more about Phantom and Playbooks here.

The spotlight Playbook for today helps identify a possible inside job.  Not the ‘prison tatt’ variety, but the case where a breach is committed by, or with the assistance of, a person working on the premises where it occurred.

[Diagram: Evil Insider Playbook]
(Note: Products in diagram are for illustrative purposes. Phantom supports these & others.)

This scenario is fairly simple, but useful.  For every failed login attempt:

  • Identify the user and target system.
  • If the user has not successfully logged in to the system in the last 3 months, send a “suspicious login” email and open a ticket.
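The two steps above amount to a small stateful rule: remember the most recent successful login per (user, target system) pair, and on every failure check whether that memory is older than the lookback window. The following Python is an added example written for this post to show that logic running over a handful of constructed events; it is not Phantom’s code and not one of the Community GitHub Playbooks. The event field names, the reading of “3 months” as 90 days, and the sample events are assumptions; a real Playbook would issue the email and ticket through Phantom app actions rather than returning them as a list.

```python
"""Stand-alone model of the "Evil Insider" Playbook decision logic.

Added example for this post; it is not Phantom's code and not one of the
Community GitHub Playbooks.  Event field names, the 90-day reading of
"3 months" and the sample events below are all assumptions.
"""
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)  # assumption: "last 3 months" read as 90 days

# Constructed sample authentication events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2016-01-05T09:12:00", "user": "alice", "host": "fileserver01", "outcome": "success"},
    {"ts": "2016-03-01T09:00:00", "user": "bob",   "host": "fileserver01", "outcome": "success"},
    {"ts": "2016-04-20T23:41:00", "user": "alice", "host": "fileserver01", "outcome": "failure"},
    {"ts": "2016-04-21T02:03:00", "user": "bob",   "host": "fileserver01", "outcome": "failure"},
    {"ts": "2016-04-21T02:05:00", "user": "carol", "host": "hr-db",        "outcome": "failure"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def evaluate(events, lookback=LOOKBACK):
    """Apply the Playbook rule to a batch of events and return the findings.

    For every failed login, identify the (user, target host) pair.  If that
    user has no successful login to that host within `lookback` before the
    failure, emit a finding carrying the two actions the post names:
    a "suspicious login" email and a ticket.
    """
    # Events must be processed in time order, or a later success would wrongly
    # excuse an earlier failure; sort defensively rather than trust the feed.
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_success = {}  # (user, host) -> datetime of the most recent success
    findings = []
    for ev in ordered:
        key = (ev["user"], ev["host"])
        ts = parse_ts(ev["ts"])
        if ev["outcome"] == "success":
            last_success[key] = ts
            continue
        if ev["outcome"] != "failure":
            continue  # outcomes the rule does not cover are ignored
        prior = last_success.get(key)
        if prior is None or ts - prior > lookback:
            findings.append({
                "user": ev["user"],
                "host": ev["host"],
                "failed_at": ev["ts"],
                "last_success": prior.isoformat() if prior else None,
                "actions": ["send suspicious-login email", "open ticket"],
            })
    return findings


def suspicious_login_email(finding):
    """Plain-text body of the notification the Playbook would send."""
    history = finding["last_success"] or "no successful login on record"
    return (
        f"Suspicious login: user {finding['user']} failed to log in to "
        f"{finding['host']} at {finding['failed_at']}; last success: {history}."
    )


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(suspicious_login_email(finding))
```

With the constructed events, alice (last success 106 days before the failure) and carol (no success on record) are flagged, while bob (success 51 days earlier) is not. Sorting by timestamp before evaluating matters in practice: log forwarders can deliver events out of order, and an unsorted pass would let a success that arrived late excuse a failure it did not precede.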

The savings are substantial for an organization that sees even an average volume of events.   You can read more about the ROI of Automation & Orchestration here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.  Interested in a Playbook we haven’t already covered?  Submit your request for future coverage.

CP Morey
VP, Products & Marketing
Phantom


We Can’t Hire Our Way Out

A few days ago we wrote a post about a research project Phantom just finished with the Enterprise Strategy Group (ESG) where we surveyed IT and cybersecurity professionals with knowledge of or responsibility for incident response processes and technologies at their organizations  (Download the full report).

Russell shared his take on a topic in the report that he thought was interesting: why Incident Response has become more difficult over the past two years.  Today, I’ll share another insight from the report that relates to the talent shortage we see in security (We’ve blogged about this topic in the past as well).

We asked participants in our research project what actions regarding incident response they would take over the next two years.

[Figure: ESG survey, planned actions for IR]

Let’s start at the bottom of the list.  Hiring more people is certainly one approach to deal with a growing problem, though in security this is a tough proposition.  There is much discussion on the global shortage of information security professionals with some estimates topping out at over a million jobs in 2016 alone, and others claiming even double that by 2017.  So as much as we might like to hire our way out of this problem, we might not be able to find the qualified candidates when we need them.

Two of the remaining responses relate to training the team you already have in place.  It’s hard to argue with developing employees.  It’s a great investment on many levels.  The reality is that your competitors recognize this as well.  I’m certain you’ve trained someone only to have them poached for a better opportunity.  We all have seen this happen.  So training is necessary and wise, but still somewhat fleeting on its own.

That leaves us with automation, where a third of the respondents indicated they planned to automate as much as possible in the next 2 years.  It actually can address the talent shortage by helping your team get more from less.  It also plays a role in training.  We have clients that view platforms like Phantom as a common environment to share knowledge across the team and develop more junior employees into seasoned pros.

If you are interested in seeing how Phantom can help your organization address challenges like those identified in the research project, get the free Phantom Community Edition, and attend one of our Tech Sessions.

CP Morey
VP, Products & Marketing
Phantom


Top 5 Reasons IR Has Worsened in Last Two Years

I recently joined Phantom because I saw the opportunity to affect a trend in the industry that shows no sign of abating: security teams simply can’t keep up anymore.

The telltale signs of this issue are everywhere, including a research project Phantom just finished with the Enterprise Strategy Group (ESG) where we surveyed IT and cybersecurity professionals with knowledge of or responsibility for incident response processes and technologies at their organizations  (Download the full report).

In one question, we asked participants why Incident Response has become more difficult over the past two years.  While I’m not surprised by the responses, it’s interesting to see that the top five responses are equally challenging, for the most part:

[Figure: ESG Fig 1]

Security teams are deluged in nearly every way possible.  More stuff on the network means more traffic to inspect.  More security products mean more devices to manage and more alert traffic to analyze.  More incidents mean more specialized skills are needed to respond and remediate.

It just isn’t possible to address this challenge without automation & orchestration.  Our adversaries are using it against us; should we use it too?

If you are interested in seeing how Phantom can help your organization address challenges like those identified in the research project, get the free Phantom Community Edition, and attend one of our Tech Sessions.

Russell Hubby
Region Sales Manager
Phantom



Playbook Series: Unauthorized IP Alert from a Mobile Device

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.   You can read more about Phantom and Playbooks here.

The spotlight Playbook for today relates to an unauthorized IP alert.  In this use case, it occurs when a mobile device attempts to access an unauthorized site, where authorization is defined via an access list.  This policy violation is an indication of a possible insider threat.

[Diagram: Unauthorized IP Playbook]
(Note: Products in diagram are for illustrative purposes. Phantom supports these & others.)

In this scenario, the user is a repeat offender, so the action is perhaps a bit aggressive, but warranted.  As the diagram shows, the device is wiped and then blocked.  The block is a precautionary step taken in case the user is preventing the wipe command from reaching the mobile device.

The use case starts with an event logged to Splunk, which in turn triggers Phantom to orchestrate the following actions automatically:

  • Pull the device and user profile from the MDM and directory systems.
  • Wipe the phone via the MDM system and block it at the firewall.
  • Open a ticket for further investigation by the security team who can retrieve the mobile device and perform the required forensics.
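The three steps above, plus the access-list check that produced the alert and the “repeat offender” judgement that justified the wipe, can be modelled offline as a single decision function. The Python below is an added example written for this post, not Phantom’s Playbook code: it parses constructed Splunk-style key=value events, tests the destination against an access list with the standard library’s `ipaddress` module, looks up the device and user in stand-ins for the MDM and directory systems, and returns the ordered actions. The access list, the event format, the MDM/directory contents and the policy of escalating only on a repeat offense (first offense gets a ticket only) are all assumptions made for the example; the post itself describes only the repeat-offender case.

```python
"""Stand-alone model of the "Unauthorized IP Alert from a Mobile Device" flow.

Added example for this post; it is not Phantom's Playbook code.  The access
list, the MDM/directory stand-ins, the event format and the repeat-offender
policy are all assumptions made for the example.
"""
import ipaddress
from collections import Counter

# Constructed access list of destinations a managed device may reach.
ALLOWED_DESTINATIONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed stand-ins for the MDM and directory systems the Playbook queries.
MDM_DEVICES = {"dev-a1b2c3": {"model": "phone", "owner": "dave", "enrolled": True}}
DIRECTORY = {"dave": {"department": "finance", "manager": "erin"}}

# Constructed Splunk-style key=value events, in arrival order (not real data).
SAMPLE_EVENTS = [
    "src_ip=203.0.113.7 dest_ip=198.51.100.9 user=dave device_id=dev-a1b2c3",
    "src_ip=203.0.113.7 dest_ip=10.1.2.3 user=dave device_id=dev-a1b2c3",
    "src_ip=203.0.113.7 dest_ip=198.51.100.12 user=dave device_id=dev-a1b2c3",
]


def parse_event(line):
    """Parse one key=value event line into a dict (quoted values unwrapped)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return fields


def is_authorized(dest_ip):
    """True when the destination falls inside the access list."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def plan_response(event, prior_violations, repeat_threshold=1):
    """Return the ordered (action, parameters) list for one event.

    Policy (assumption for this example): a first offense only opens a
    ticket; a repeat offender gets the post's full sequence: wipe via the
    MDM, block at the firewall, then a ticket for forensics.
    """
    if is_authorized(event["dest_ip"]):
        return []  # not a policy violation, nothing to orchestrate
    device = MDM_DEVICES.get(event["device_id"])
    user = DIRECTORY.get(event["user"], {})
    actions = []
    if prior_violations[event["user"]] >= repeat_threshold:
        if device and device["enrolled"]:
            actions.append(("wipe device", {"device_id": event["device_id"]}))
        # Block regardless of the wipe: the post notes the wipe command may
        # never reach a device whose user is preventing it.
        actions.append(("block ip", {"src_ip": event["src_ip"]}))
    actions.append(("create ticket", {
        "summary": f"Unauthorized destination {event['dest_ip']} from device "
                   f"{event['device_id']} (user {event['user']})",
        "device": device,
        "user": user,
        "prior_violations": prior_violations[event["user"]],
    }))
    return actions


def run(lines):
    """Process events in order, tracking violations per user between events."""
    history = Counter()
    plans = []
    for line in lines:
        event = parse_event(line)
        plan = plan_response(event, history)
        if plan:  # only an actual violation counts toward repeat-offender status
            history[event["user"]] += 1
        plans.append(plan)
    return plans


if __name__ == "__main__":
    for plan in run(SAMPLE_EVENTS):
        print([name for name, _ in plan] or "authorized, no action")
```

Run over the constructed events, the first unauthorized destination yields a ticket only, the second event is on the access list and produces nothing, and the third (the repeat) produces wipe, block and ticket in that order. The wipe is skipped when the MDM has no enrolled record for the device, but the firewall block and the ticket still go out, which keeps the precaution the post describes even when the MDM step cannot succeed.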

The savings are substantial for an organization that sees even an average volume of events.   You can read more about the ROI of Automation & Orchestration here.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.  Interested in a Playbook we haven’t already covered?  Submit your request for future coverage.

CP Morey
VP, Products & Marketing
Phantom



New Research Finds Companies Ignore Majority of Security Alerts

In early 2016, the Enterprise Strategy Group (ESG) completed a research survey of 125 IT and cybersecurity professionals with knowledge of or responsibility for incident response processes and technologies at their organizations.

Phantom sponsored this project, so we’re sharing the executive summary below.  You can also download the full report.

[Image: ESG Report Banner]

The research project was intended to assess the current practices and challenges associated with incident response processes and technologies. Furthermore, respondents were asked about their future strategic plans intended to improve the efficacy and efficiency of IR activities. Based upon the data collected, this paper concludes:

Incident response is increasingly difficult. Two-thirds of organizations believe that incident response is significantly more difficult or somewhat more difficult than it was two years ago. Why? Survey respondents point to things like more IT activities, including cloud and mobile computing, the addition of new security management and threat detection tools, and the growing volume of security alerts.

Large organizations face multiple IR challenges. Cybersecurity professionals describe IR challenges such as security alert volume, manual and informal IR processes, and misalignment between cybersecurity and IT operations teams. These challenges make it extremely difficult to modify security controls, detect attacks in progress, or remediate problems in a timely manner.

CISOs are embracing IR automation and orchestration. More than half (57%) of enterprise organizations are already taking actions to automate and orchestrate IR processes while another 42% are currently automating/orchestrating incident response processes, plan to automate/orchestrate incident response processes, or are interested in automating/orchestrating IR processes sometime in the future. What’s driving IR automation and orchestration? Survey respondents say they want to automate simple remediation actions, use automation and orchestration to create more formal IR workflows to improve collaboration between security and IT operations teams, and leverage IR automation and orchestration as an integration hub for disparate threat detection tools.

Cybersecurity professionals predict robust IR spending and activity in the near future. A vast majority (80%) of enterprise organizations plan to increase spending on incident response over the next two years. CISOs will use these funds to increase IR training, hire personnel, create a dedicated SOC/CERT, and purchase and deploy commercial incident response automation platforms.

If you are interested in seeing how Phantom can help your organization address challenges like those identified in the research project, get the free Phantom Community Edition, and attend one of our Tech Sessions.

Erich Baumgartner
VP, Field Operations
Phantom


How do you handle a billion incidents per day?

Last week, Oliver was on a panel at RSAC to discuss the future of Security Orchestration where he was joined by colleagues from both the public and private sector.

[Photo: RSAC panel]

(Note: Security Orchestration has roots in a federal project known as IACD.  Phantom is an active participant in this project which is led by the Department of Homeland Security, NSA and Johns Hopkins University Applied Physics Laboratory.)

One interesting aspect the federal agencies often bring relates to scale.  During the panel discussion, Phil Quade, special assistant to the director of NSA for cyber, offered a startling perspective explaining how one agency has no other choice than to orchestrate.

Phil shared a before & after view of a federal agency dealing with an incident volume of more than one billion per day!

Before Security Orchestration, the agency was able to handle approximately 65 incidents per day through manual processes… out of one billion!  A manual review of an incident took anywhere from 11 minutes to 11 hours.

After Security Orchestration, they were able to handle tens of thousands of incidents simultaneously with each “review” taking between 0.1 seconds and 1 second.  Ultimately they weren’t just working faster, but providing better security too. Security Orchestration isn’t about removing analysts from the equation, it’s about reducing the clerical work so they can focus on analysis; stronger, faster & smarter security.

We’ve written about the ROI of Security Orchestration before, though certainly not at this scale!

While new to security, orchestration is common in other technology markets.  There was some discussion on the panel with respect to why the time is right for automation in security.  This is also a topic we’ve blogged about in the past.

Like anything new, there is an adoption curve and some will move up the curve faster than others.  Peter Fonash (one of the panelists) described how orchestration is similar to the rollout of autonomous vehicles.  We may see accidents at first, but it will improve in time.  Oliver added that early use cases are focused on investigation vs. blocking, similar to early autonomous vehicles following another car at a safe distance vs. fully independent driving.

In wrapping up the session, someone asked “where to start”, and the panelists seemed to agree on a pragmatic approach: Where are you wasting the most time?

If you are interested in seeing how Phantom can help your organization recover wasted time and improve security, get the free Phantom Community Edition, and attend one of our Tech Sessions.

CP Morey
VP, Products & Marketing
Phantom
