Today’s post continues an ongoing series on Playbooks, which Phantom uses to automate and orchestrate your security operations plan.
Last week, we featured a Playbook that automates malware analysis triggered by an email alert from FireEye.
It’s a common scenario, and one with a demonstrable ROI – many companies say the investigation process takes upwards of 30 minutes manually, when automation completes the work in just seconds.
Another theme we’ve explored on the blog relates to going beyond investigation. The analogy being don’t just tell me the building is on fire, turn on the sprinklers, close the doors to limit draft, and call the fire department – automatically.
Here is an interesting variation on the Playbook we shared last week:
The first 6 steps haven’t changed, but we’ve added a seventh. Based on the outcome of the investigation (steps 1 – 6), we may want to run another Playbook that takes action. We’ve not explored the concept of “chaining” Playbooks together on the blog yet, but it is an interesting use case.
Further, notice the Duo two factor authentication. The Remediation Playbook takes actions like quarantining a host, and blocking a hash, URL or IP. Before it runs though, a human confirms the action. We’ve described this as an “in the loop” scenario in the past, where an analyst approves the action before it happens.
Duo provides a wide range of options for authentication including support for mobile devices. With fingerprint scanners and facial recognition, I’m expecting to see some interesting implementations in the community!
If you didn’t already know it, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository. You can read more about Phantom and Playbooks here.
The use cases that can be addressed with Phantom Playbooks are nearly limitless. Be sure to check the blog regularly for posts on other great Playbooks.
VP, Products & Marketing
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.