Automation & Orchestration in the Research Community

The commercial market is a major focus for us at Phantom, and we spend a considerable amount of time helping clients implement automation and orchestration.  All of the examples in our Playbook Series on the blog are from the commercial market.

The research community is also very interested in security automation and orchestration.  Though we haven’t covered it as frequently on the blog, Phantom is active in this community as well.

We’ve been fortunate to participate in projects like Integrated Adaptive Cyber Defense (IACD) along with the Department of Homeland Security (DHS), the NSA Cyber Task Force and Johns Hopkins University Applied Physics Lab (JHU/APL).  IACD is a project intended to “radically shift the mentality and status quo in cyber defense to secure integration and automation to enable faster response times and increase community prevention.”  Here’s a great Federal Times article on the scale of the problem.

Phantom is also working with the team responsible for NSA/IAD’s Active Cyber Defense (ACD) program.  They summarize the initiative as “a program that seeks to develop a collection of synchronized, real-time capabilities to discover, define, analyze and mitigate cyber threats and vulnerabilities.”

Phantom is a strong partner in the OpenC2 Forum.  OpenC2 is an industry driven forum chaired by the NSA that addresses issues as they pertain to command and control.  Phantom has been very active in the development on a reference implementation.  Phantom, in conjunction with the NSA/IAD/ACD program, a representative from SPAWAR and a major hardware vendor have drafted and shared the following architectural diagram:

Open C2 Use Case

The scenario makes use of 2 Phantom instances.  Phantom 1 ingests alerts and handles all investigation Playbooks, while Phantom 2 executes Playbooks to automate action for the FW, SDN Controller, and the Endpoint Defense agents.

The two instances are to demonstrate cross organizational/cross orchestrator interoperability, which is one of the goals for this working group (i.e. developing a language that multiple orchestrators can understand).

Whether it’s commercial or research/public sector, it’s always interesting to see how products are implemented to meet the unique requirements of an environment.  It’s easy to experiment with Security Automation and Orchestration.  Get the free Phantom Community Edition, and attend one of our Tech Sessions to get started.

Rob Truesdell
Director, Product Management

About Phantom:
Phantom automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit:

2 thoughts on “Automation & Orchestration in the Research Community

Comments are closed.