A Perfectly Timed Playbook

I joined Phantom a few weeks ago to lead sales on the West Coast.  I’ve found success in early stage companies before, and saw a great opportunity to do it again at Phantom.  There are a number of factors to consider anytime you make a change like joining a new company.  As I ran my playbook, three factors stood out:

  1. Security Automation & Orchestration is a huge opportunity. We see it every day.  Companies are struggling to reduce the response and remediation gap caused by limited resources, increased threat surface & incidents, and the overwhelming complexity of their technology infrastructure.  Industry analyst firms like ABI Research say, “security policy orchestration sits at the core of the transition from static defense to agile and adaptive response,” and forecast the market to hit $1 billion in global revenues by 2020.
  2. It’s a great team. The people at Phantom don’t just think they are solving the latest problem, they believe Phantom is redefining security.  They are accomplished without being arrogant, and driven by important principles like innovation, community, and enthusiasm.  Building a company in a new market isn’t easy, but I’m looking forward to doing it with this team.
  3. The product has to be strong. Phantom went GA in February, took top honors in the RSA Innovation Sandbox in March, announced a strategic partnership with In-Q-Tel in April, shared customer wins & community momentum in May, and frankly hasn’t slowed down.  Earlier this week, we launched the new Phantom Community Portal, and you’ll see Phantom 2.0 in July!  Here’s a preview of the new Playbook Editor coming soon:

[Screenshot: new Phantom Playbook Builder]

There is no shortage of hard work ahead of us, but I’m excited by the opportunity at Phantom and the chance to make an impact.  Be sure to tune in tomorrow for a preview of Phantom 2.0 with our CEO, Oliver Friedrichs (register).  He’ll share more on the new Phantom Portal, momentum in the community, and a sneak peek at the new release.

Eric Rogers
Regional Sales Manager
Phantom

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

At the Center of a Phantom App Explosion

Earlier this month, we announced the Phantom App Explosion.  It’s time to share another big announcement.  Have you seen the totally new Phantom Portal?

You could say that the new Phantom Portal is at the center of the App Explosion.  We’ve launched major changes to the UI as well as other great new features.

I’ll share highlights in today’s post, but you should also tune in for our 1st ever Phantom in Focus (register) with our CEO, Oliver Friedrichs.  On Friday, Oliver will share more on the new Phantom Portal, momentum in the community, and a sneak peek at Phantom 2.0.

Now on to the highlights.

New Phantom Community Portal

Besides the new look, we’ve also included a number of great new features. The most noteworthy is the organization of Phantom Apps and Playbooks that drastically improves the browsing experience.

For example, check out the new Playbook listing page.  It includes a short summary of the Playbook objective, the number of actions executed, and a logo list of all the technologies supported by the Playbook.

[Screenshot: alert triage Playbook logo list]

When viewing the details of a Playbook, you’ll also see a new workflow-based illustration of the Playbook.  (Spoiler alert: This is a snapshot of the new editor that will be featured in Phantom 2.0.)

[Screenshot: alert triage Playbook workflow]

For those familiar with the last version of the portal: the information shared for each Playbook used to be limited to a few words on functionality, with nothing on how the Playbook executed or which Apps were required to run it.  The new portal simplifies navigation by putting the execution order and the required Apps front & center in the Playbook descriptions.

Another major change comes with the organization and presentation of Apps in the portal.  For instance, now you can easily view supported actions and associated Playbooks via dropdown lists.  With this layout you can quickly determine if an App works with a Playbook before downloading and installing the App.

[Screenshot: supported actions and associated Playbooks]

You may notice the word “Certified” next to many of the Apps.  This indicates that the App has been tested and certified by Phantom.  Apps that are not “Certified” are still ok to use.  It just means the App has not yet been tested and certified, so compatibility with different platform versions of Phantom is unknown.

We encourage the community to use all Apps and share feedback on the community Slack channel.

Other changes to check out:

  • Improved search engine
  • Featured Playbooks on the home page of the portal
  • 3-column view of Blogs, Knowledge Base Articles, and Video Tutorials
  • Organization of Playbooks by category (e.g. Use Case Samples, App Samples)
  • Ability to sort by Phantom version so only Playbooks and Apps supported by that version are presented

Last but certainly not least, you will find several new Phantom Apps and a few enhancements to old favorites – many of these were developed by the Phantom Community!

  • Screenshot Machine
  • DNS
  • F5 Big-IP
  • Cisco Meraki
  • Shodan
  • Duo
  • BlueCoat
  • Floodlight SDN Controller
  • NMAP
  • PassiveTotal
  • Carbon Black

It’s great to see this collaboration in the community.  Building and contributing Phantom Apps is one of the best ways to learn about automation and orchestration.  Thanks to all who participate regularly in our competitions and on the Slack channel – please keep it up!

Rob Truesdell
Director, Product Management
Phantom


Defining Security Automation & Orchestration – Community Driven

Last month, we started a series on the blog to explore Security Automation & Orchestration as a new technology.  We enabled comments on the series as we are hoping to see participation from the community.

In that first post, we shared a list of key characteristics for Security Automation & Orchestration.  Being “Community Driven” was one of the characteristics, and the focus for today’s post.


Automation and orchestration platforms require integration with security products and services to function.  These platforms also require “playbooks” or instructions to guide how the orchestration occurs by codifying a security operations (SecOps) plan.  Traditionally, software assets like playbooks and technology integrations have been considered proprietary; intellectual property owned by the developer and shared only with licensed users.

Though still appropriate in some cases, this “closed approach” may not be best for automation and orchestration for several reasons.  Coverage of security products and services may be limited when a single vendor is responsible for developing all integrations.  Ultimately, this limits use case coverage when a required product isn’t supported, or forces a user to develop costly, one-off code for their environment.  Users may also be tasked with developing all playbooks required to support their automation and orchestration requirements, versus sharing this non-proprietary information in a community library such as GitHub.  A “closed approach” may also hamper a user’s opportunity to share tips and ask questions of other users via a mail list or collaboration tools.

A community driven approach works well with security automation and orchestration platforms.  Product integrations and playbooks can be developed by anyone and freely shared in the community.  Users have the option of using community developed assets entirely or as a starting point for developing their own.  Software assets can even be certified by known entities in the community to ensure quality and security standards are met.  Communication and collaboration are encouraged as a way for users to address challenges, share information and showcase their skills.

We’ll continue to elaborate on each of the key characteristics and solicit input from the community.  For now, we’d like to hear your thoughts on the importance of being community driven.

  • Do you agree that it is important?
  • Are there limitations on what can be shared in a community approach?
  • When thinking about automation, what other benefits would you associate with products that are community driven?


CP Morey
VP, Products & Marketing
Phantom


Playbook Series: Anomalous Geo Location on a Mobile Device

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

This Playbook automates the response to alerts such as anomalous geolocation: a mobile device reports its location on successive check-ins, and the distance between those locations implies travel at a speed faster than is physically possible.  Such an alert could indicate a cloned mobile device or even malware.

[Diagram: Anomalous Geo Location on a Mobile Device Playbook]

Once Phantom receives the alert from Splunk, the first action is to contact the user to determine if they have any information on the violation.  Phantom sends an automated email to the user.  The email is populated with data enriched from MobileIron and the Windows Active Directory server.

Phantom allows the user 160 minutes to respond before taking further action.

When the user does not respond, this example takes an aggressive approach: it opens a ticket in ServiceNow and blocks the device on the Palo Alto Networks firewall while simultaneously locating and wiping the device with MobileIron.

Less aggressive approaches are also possible.  For example, Phantom could pause for further approval after opening a ticket in step 4, giving an analyst a chance to review the case before proceeding with the action to block and wipe the phone.

If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.  You can read more about Phantom and Playbooks here.
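The decision flow described above, as a standalone Python model written for this page (it is not Phantom’s Playbook code or API): an impossible-travel check over constructed check-ins, followed by the response ladder with the 160-minute wait and the optional analyst approval of the less aggressive variant. The speed threshold, the function names, the sample coordinates and the handling of a user reply are assumptions.

```python
"""Standalone model of the anomalous-geolocation Playbook described above.

Illustrative code written for this page, not Phantom's Playbook API. The
160-minute window and the Splunk/MobileIron/AD/ServiceNow/Palo Alto steps
come from the post; the speed threshold, function names, constructed
check-ins and the handling of a user reply are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0       # assumed ceiling: faster than airline travel
RESPONSE_WINDOW_MINUTES = 160    # from the post


@dataclass
class CheckIn:
    device_id: str
    at: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points in km."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the device would have needed between two successive check-ins."""
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")      # identical timestamps: no travel time at all
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def find_impossible_travel(checkins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (prev, cur, speed_kmh) for each successive pair exceeding max_kmh."""
    ordered = sorted(checkins, key=lambda c: c.at)
    hits = []
    for prev, cur in zip(ordered, ordered[1:]):
        speed = implied_speed_kmh(prev, cur)
        if speed > max_kmh:
            hits.append((prev, cur, speed))
    return hits


def respond(elapsed_minutes, user_replied=False, require_approval=False,
            analyst_approves=False):
    """Actions after the enriched email is sent, for both variants in the post."""
    actions = ["email user with MobileIron and Active Directory context"]
    if user_replied:
        # The post does not say what happens on a reply; assumed: hand to an analyst.
        return actions + ["escalate user reply to analyst"]
    if elapsed_minutes < RESPONSE_WINDOW_MINUTES:
        return actions + ["wait for user response"]
    actions.append("open ServiceNow ticket")
    if require_approval and not analyst_approves:
        return actions + ["pause for analyst approval"]   # less aggressive variant
    return actions + ["block device on Palo Alto Networks firewall",
                      "locate device via MobileIron",
                      "wipe device via MobileIron"]


def sample_checkins():
    """Constructed data: San Francisco, New York one hour later, then a short hop."""
    return [
        CheckIn("dev-001", datetime(2016, 6, 1, 9, 0), 37.7749, -122.4194),
        CheckIn("dev-001", datetime(2016, 6, 1, 10, 0), 40.7128, -74.0060),
        CheckIn("dev-001", datetime(2016, 6, 1, 10, 30), 40.7306, -73.9866),
    ]


if __name__ == "__main__":
    for prev, cur, speed in find_impossible_travel(sample_checkins()):
        print(f"{cur.device_id}: {speed:.0f} km/h between {prev.at} and {cur.at}")
        print(respond(elapsed_minutes=161, require_approval=True))
```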

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

The use cases that can be addressed with Phantom Playbooks are nearly limitless.  Be sure to check the blog regularly for posts on other great Playbooks.

CP Morey
VP, Products & Marketing
Phantom


Series: Defining Security Automation & Orchestration – Vendor Agnostic

Last month, we started a series on the blog to explore Security Automation & Orchestration as a new technology.  Comments are enabled for the series as we are hoping to see participation from the community.

In that first post, we shared a list of key characteristics for Security Automation & Orchestration.  Being “Vendor Agnostic” was one of the characteristics, and the focus for today’s post.

By its nature, automation and orchestration requires integration with security products and services that investigate, contain, correct and remediate threats; this is how it serves as “connective tissue”.  The integration challenge is daunting based on the number of vendors in the market alone.

“I have categorized 1,440 IT security vendors in 35 countries.”
– Richard Stiennon, IT-Harvest, 2016

[Graph: Stiennon, IT security vendors by country]

Even when the list is narrowed to focus only on the most widely deployed vendors, there are cases when coverage for security products and services may fall short of what’s required for effective automation and orchestration.  For example, integration can sometimes present a conflict of interest to companies that offer a suite of security solutions.  One can imagine how a vendor that provides an automation & orchestration platform as well as other security products may not offer the same depth of support for products from competitors (e.g. a sandboxing vendor that also offers security automation & orchestration may not support all sandboxing vendors consistently).

When evaluating automation and orchestration, there are advantages to choosing vendors who are technology agnostic or free from constraints that may limit their ability to offer equal support for security products and services regardless of the source.  This ensures a broad range of use cases can be created to address the heterogeneous technology environments common in most organizations.

We’ll continue to elaborate on each of the key characteristics and solicit input from the community.  For now, we’d like to hear your thoughts on the importance of being vendor agnostic.

  • Do you agree that it is important?
  • Are there limitations in what can be automated or orchestrated across vendors that offer competing solutions?
  • When thinking about automation, what other benefits would you associate with products that are vendor agnostic?


CP Morey
VP, Products & Marketing
Phantom


Winners Announced: $10,000 Phantom App & Playbook Contest

Our strategy to provide the first open community for security automation and orchestration is really taking off.  It’s more than lip service for us.  We like to say, “we’re putting our money where our mouth is to help build the community.”

The $10,000 Phantom App & Playbook Contest is a great example.  It gave community members a chance to showcase their skills and advance their efforts in protecting their organization all at once.

On Friday, we announced the winners of the contest.  I’ll share a quick recap of the winning entries today with more to come.  For example, we’ve invited the winners to share their work on an upcoming Tech Session.

I would like to congratulate not just our winners, but also all those who participated. What a phenomenal contest!  We were truly impressed by the sincere effort that was put in and, more importantly, the real world use cases that were solved with your submissions.

We rated the submissions (i.e. Phantom Apps & Playbooks) with a key emphasis on their practical application and the impact they would have on security operations and incident response.  In short, could they help security teams to be faster, smarter and stronger?

We had a 2-way tie for 1st place with each winning entry taking home $4,250.  These contestants showcased not just how the platform can be extended, but how real world security use cases can be handled via automation. The Playbooks showcased complete end-to-end security automation that is already saving IR teams time and resources.

A team entry by Mauricio Velazco and Nelson Santos implemented 4 Apps (i.e. BlueCoat, Duo, FireEye CMS, Cylance) and 2 different playbooks that again automate a complete incident response use case with complex investigative actions, decision making and incident resolution:

[Image: contest winner 1 entry]

Joel King implemented 2 Apps (i.e. Cisco Meraki and F5 Networks) and the Playbook applied the Apps, the platform and automation to solve a real world IR problem:

[Image: contest winner 2 entry]

Ryan Kranz, our 3rd place winner, built a Shodan App that can truly help IR teams better investigate security incidents. The App was production ready and has very good documentation.  Most importantly, it lends itself to automation very well because of the completeness of its results, which can be leveraged in Phantom Playbooks.  Third place finished with a $1,500 prize:

[Image: contest winner 3 entry]

Thanks to everyone who entered the contest!  If you didn’t enter, but still want to join the community, start with the free Phantom Community Edition, and attend one of our Tech Sessions.

CP Morey
VP, Products & Marketing
Phantom


Playbook Series: Trigger a Playbook with Your iPhone

Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.

Last week, we featured a Playbook that automates malware analysis triggered by an email alert from FireEye.

It’s a common scenario, and one with a demonstrable ROI – many companies say the investigation process takes upwards of 30 minutes manually, when automation completes the work in just seconds.

Another theme we’ve explored on the blog relates to going beyond investigation.  The analogy: don’t just tell me the building is on fire; turn on the sprinklers, close the doors to limit draft, and call the fire department, automatically.

Here is an interesting variation on the Playbook we shared last week:

[Diagram: Duo auth Playbook]

The first 6 steps haven’t changed, but we’ve added a seventh.  Based on the outcome of the investigation (steps 1 – 6), we may want to run another Playbook that takes action.  We’ve not explored the concept of “chaining” Playbooks together on the blog yet, but it is an interesting use case.

Further, notice the Duo two factor authentication.  The Remediation Playbook takes actions like quarantining a host, and blocking a hash, URL or IP.  Before it runs though, a human confirms the action.  We’ve described this as an “in the loop” scenario in the past, where an analyst approves the action before it happens.

Duo provides a wide range of options for authentication including support for mobile devices.  With fingerprint scanners and facial recognition, I’m expecting to see some interesting implementations in the community!


CP Morey
VP, Products & Marketing
Phantom
