How do you handle a billion incidents per day?

Last week, Oliver was on a panel at RSAC to discuss the future of Security Orchestration, where he was joined by colleagues from both the public and private sectors.

(Note: Security Orchestration has roots in a federal project known as IACD.  Phantom is an active participant in this project which is led by the Department of Homeland Security, NSA and Johns Hopkins University Applied Physics Laboratory.)

One interesting aspect the federal agencies often bring relates to scale.  During the panel discussion, Phil Quade, special assistant to the director of NSA for cyber, offered a startling perspective on why one agency has no choice but to orchestrate.

Phil shared a before & after view of a federal agency dealing with an incident volume of more than one billion per day!

Before Security Orchestration, the agency was able to handle approximately 65 incidents per day through manual processes… out of one billion!  A manual review of a single incident took anywhere from 11 minutes to 11 hours.

After Security Orchestration, they were able to handle tens of thousands of incidents simultaneously, with each “review” taking between 0.1 seconds and 1 second.  Ultimately they weren’t just working faster, but providing better security too.  Security Orchestration isn’t about removing analysts from the equation; it’s about reducing the clerical work so they can focus on analysis: stronger, faster & smarter security.

We’ve written about the ROI of Security Orchestration before, though certainly not at this scale!

While orchestration is new to security, it is common in other technology markets.  There was some discussion on the panel about why the time is right for automation in security.  This is also a topic we’ve blogged about in the past.

Like anything new, there is an adoption curve, and some will move up the curve faster than others.  Peter Fonash (one of the panelists) described how orchestration is similar to the rollout of autonomous vehicles: we may see accidents at first, but it will improve in time.  Oliver added that early use cases are focused on investigation rather than blocking, similar to early autonomous vehicles following another car at a safe distance rather than driving fully independently.

In wrapping up the session, someone asked “where to start”, and the panelists seemed to agree on a pragmatic approach: start where you are wasting the most time.

If you are interested in seeing how Phantom can help your organization recover wasted time and improve security, get the free Phantom Community Edition and attend one of our Tech Sessions.

CP Morey
VP, Products & Marketing

About Phantom:
Phantom automates and orchestrates key stages of security operations, from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the balance that best fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: