When George Santayana made this statement, he probably wasn’t thinking about Security Automation & Orchestration platforms, yet it applies.
Recent research by CERT reminded me of Santayana’s quote. The project studied how schemas ensure a repeatable, auditable process, and serve us in many other ways. In their podcast, the CERT researchers describe how schemas can help both novice and expert security analysts.
The study tracked three independent security analysts using a common schema to plan responses to incidents. The findings show that schemas can be used to train novices to become experts in less time, and to help experts respond to incidents faster by consistently structuring disparate data for analysis.
Helping junior analysts learn and seasoned analysts work faster are important benefits, but the value of schemas extends even further. In organizations that are automating and orchestrating security without a common schema, analysts are still likely to write scripts that can be used to handle mundane tasks and speed response times. In an industry where employee turnover can be high, this free-form approach can lead to problems. For example, when a star analyst responsible for developing scripts chooses to move on, the company might be left with a “pile of code” vs. a schema that serves as a decision support system. In effect, the memory of the past goes out the door with the analyst and the boss is condemned to repeat the work necessary to recapture that knowledge – or at least hire someone who can.
Platforms can help to define and maintain a schema: a codification of the plan. In the Phantom platform, these schemas are represented by Python-based Playbooks that execute actions to automate and orchestrate a given scenario. Playbooks can help to train new analysts, increase the output of seasoned analysts, and provide a record of experiences to help limit the misfortune of repeating the past.
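To make the idea of a "codified plan" concrete, here is an added example, written for this post and not taken from the Phantom product or its Playbook API, of a small Python playbook schema. A playbook is a fixed, ordered set of steps; each step names an action from a registry, carries its parameters, and can be gated on the result of an earlier step (the decision-support part). Every run produces an audit trail, so the knowledge lives in the schema rather than in one analyst's head. The action names, the `when` gating rule, the known-bad IP list and the ticket id are all constructed for the example.

```python
"""Added example (not Phantom's code): an incident-response playbook as a schema.

A Playbook is data, not free-form script: a tuple of Steps that name an action
from ACTIONS, pass parameters, and may be gated on an earlier step's result.
run() validates the playbook first, then executes it and records an audit log.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    name: str
    action: str                      # key into ACTIONS
    params: Dict[str, str]
    # (earlier_step_name, result_key): run only if that result value is truthy
    when: Optional[Tuple[str, str]] = None


@dataclass(frozen=True)
class Playbook:
    name: str
    steps: Tuple[Step, ...]


@dataclass
class Container:
    """The incident being worked: its artifacts plus everything the run produced."""
    artifacts: Dict[str, str]
    results: Dict[str, Dict[str, Any]] = field(default_factory=dict)
    audit: List[Dict[str, Any]] = field(default_factory=list)


# Constructed sample data standing in for a real reputation feed.
KNOWN_BAD_IPS = {"203.0.113.45"}


def ip_reputation(container: Container, params: Dict[str, str]) -> Dict[str, Any]:
    """Hypothetical action: look up one artifact against the known-bad list."""
    ip = container.artifacts[params["artifact"]]
    return {"ip": ip, "malicious": ip in KNOWN_BAD_IPS}


def open_ticket(container: Container, params: Dict[str, str]) -> Dict[str, Any]:
    """Hypothetical action: escalate to the ticketing system (placeholder id)."""
    return {"ticket_id": "TICKET-PLACEHOLDER", "summary": params["summary"]}


ACTIONS: Dict[str, Callable[[Container, Dict[str, str]], Dict[str, Any]]] = {
    "ip_reputation": ip_reputation,
    "open_ticket": open_ticket,
}


def validate(playbook: Playbook) -> List[str]:
    """Return schema violations; an empty list means the playbook is runnable."""
    errors: List[str] = []
    seen: set = set()
    for step in playbook.steps:
        if step.action not in ACTIONS:
            errors.append(f"{step.name}: unknown action {step.action!r}")
        if step.name in seen:
            errors.append(f"duplicate step name {step.name!r}")
        if step.when is not None and step.when[0] not in seen:
            errors.append(f"{step.name}: gated on {step.when[0]!r}, which does not run earlier")
        seen.add(step.name)
    return errors


def run(playbook: Playbook, container: Container) -> Container:
    """Execute the playbook against the container, appending to its audit log."""
    errors = validate(playbook)
    if errors:
        raise ValueError("; ".join(errors))
    for step in playbook.steps:
        if step.when is not None:
            dep, key = step.when
            if not container.results.get(dep, {}).get(key):
                container.audit.append(
                    {"step": step.name, "status": "skipped", "reason": f"{dep}.{key} is false"})
                continue
        result = ACTIONS[step.action](container, step.params)
        container.results[step.name] = result
        container.audit.append(
            {"step": step.name, "status": "ran", "action": step.action, "result": result})
    return container


# The codified plan: triage the source IP, open a ticket only if it is malicious.
SUSPICIOUS_IP_PLAYBOOK = Playbook(
    name="suspicious_ip_triage",
    steps=(
        Step("triage_ip", "ip_reputation", {"artifact": "src_ip"}),
        Step("escalate", "open_ticket", {"summary": "Malicious source IP confirmed"},
             when=("triage_ip", "malicious")),
    ),
)

if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.7"):   # constructed sample incidents
        done = run(SUSPICIOUS_IP_PLAYBOOK, Container({"src_ip": ip}))
        for entry in done.audit:
            print(ip, entry)
```

Because the plan is data, `validate()` can reject a playbook that references an unknown action or gates on a step that never ran, before anything executes, and the audit list is the same shape for every run, which is what makes the process repeatable and reviewable after the author has moved on.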
Sound interesting? Learn more about Phantom and the role it can play in defining your security schema. Start with the no-cost Phantom Community Edition, and attend one of our Tech Sessions to see Phantom in action.
VP Products & Marketing
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.