Phantom App & Playbook Challenge – Round 2


DEADLINE: Friday December 2, 2016

If one thing sets us apart, it’s our open community approach to Security Automation & Orchestration.  We think it’s the only way to build a platform, and we’re not alone – judging from the support in the community.  Many thanks to all who are contributing!

We’re doing our part to contribute with our free Phantom Community Edition, App Store, GitHub repo for Playbooks, and the new Community Portal, as well as sponsoring events like Coding for Security Pros at Black Hat.

The Phantom App & Playbook Challenge has also been a great way to support the community, and we are excited to announce Round 2 of the challenge today!

Much like Round 1 which finished in May, Round 2 of the Phantom App & Playbook Challenge is a great opportunity to help protect your organization, showcase your skills, share with the community, and maybe win a $2,500 prize!

Contest Criteria

Submissions should include a Playbook and the required Apps that can be executed by the Phantom Community Edition product.  In short, we are looking for the most impressive Playbook and App combinations; those exhibiting the most sophisticated and impressive use of the platform.   Both individual & team entries are accepted, and multiple entries are allowed.  All will be judged based on the following weighted criteria:

Phantom App (50% of score)

  • Completeness (e.g. complete structure, code is clean, test connectivity, has proper error handling)
  • Complexity & Variety of Actions (e.g. on_poll, long running actions, etc.)
  • UI (e.g. default vs custom widgets, contextual actions, etc.)
  • Production Ready
  • Documentation (e.g. description, complete datapaths, etc.)

Phantom Playbook (30% of score)

  • Serves a practical / real world impact – an automation scenario that saves time and money
  • Uses a variety of actions (e.g. investigative, containment, etc.) and integrates with multiple technologies
  • Completes IR Process / Trigger to Resolution (e.g. incidents are closed)
  • Follows suggested guidelines for efficiency (e.g. sequential vs parallel actions, debug statements, logging, etc.)

Other (20% of score)

  • Presentation of the finished product / submission (e.g. video demos, blog posts, etc.)
  • Support and guidance required throughout the contest

Contest Process

The contest kicks off on August 4th and runs through December 2, 2016.  Contestants can attend our semi-monthly webinar series, and join the Phantom Community Slack Channel to request support.

  • Register for the Phantom Community Edition (or use your existing Phantom account).
  • Attend an upcoming webinar and watch video tutorials in the Phantom Portal (requires a Phantom Community Edition login).
  • Follow us @TryPhantom and visit our blog during the contest period for hints, contest updates, and more.
  • Submit your Playbook and Apps by email to contest@phantom.us by midnight EDT on December 2, 2016.
  • Contact us on Slack or at contest@phantom.us for any questions!  We are here to help and are happy to guide you through the process of learning the Phantom platform.

Contest Award

Winners will be announced at the sole discretion of the judges based on the criteria outlined.  A prize of $2,500 will be paid to the winning individual or team.

Contest Judges

Entries will be judged by leaders in security from the media and practice.  We will announce them during the contest.

Contest Terms

All judging, eligibility, and award decisions are final, not subject to review and at the sole discretion of the judges and Phantom. Contestants acknowledge that Phantom reserves the right to (i) fund or award all, some, or none of the responses received, and (ii) determine all award amounts.  The award determination will be made by Phantom with the guidance and recommendations of the judges convened for this purpose, to ensure relevant expertise and diversity of perspectives.

CP Morey
VP, Products & Marketing
Phantom

Series: Defining Security Automation & Orchestration – Automatic Action & Remediation

We started a series on the blog in May to explore Security Automation & Orchestration as a new technology.  We enabled comments on the series as we are hoping to see participation from the community.

In that first post, we shared a list of key characteristics for Security Automation & Orchestration.  Providing “Automatic Action & Remediation” was one of the characteristics, and the focus for today’s post.

As previously explained, automation and orchestration begins with the ingestion and enrichment of data, but that’s only part of what’s needed to address most security events.  Once an analyst understands the context around an event, some action is typically required.   For example, with a malware event, the action may include changing a policy on the Firewall or quarantining an endpoint device.


This is an area that really distinguishes Security Automation & Orchestration Platforms from solutions like SIEM (Security Incident & Event Management) and TIP (Threat Intelligence Platform).  While these solutions often automate the ingestion and enrichment of data, they fall short of taking action.

Security Automation & Orchestration Platforms, SIEMs, and TIPs can actually complement one another by providing a “closed loop” system that includes collecting & analyzing data, decision making, and acting.  All or some of the steps can be automated with checkpoints for human approval along the way.

We’ll continue to elaborate on each of the key characteristics and solicit input from the community.  For now, we’d like to hear your thoughts on the importance of supporting automatic action and remediation.

  • Do you agree that it is important?
  • What actions should be automated to remediate issues?
  • When thinking about automation, what other benefits would you associate with products that provide automatic action and remediation of events?


CP Morey
VP, Products & Marketing
Phantom

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.

Automating Ethics

I joined Phantom a few weeks ago to lead our partner program.  A number of factors attracted me to automation and the opportunity at Phantom.

When it comes to automation, saving time is clearly a big driver.  Customers are routinely taking manual, labor intensive processes that can take hours and reducing them to automation tasks that run in seconds.  We’ve shared several examples in the Playbook Series on our blog.

Faster security is nice.  It’s not the only benefit that comes with automation though.  Security can also be improved, like using automation to drive accuracy and consistency in the incident response process.  You can imagine that as alert volume increases, junior analysts become overwhelmed with information, causing them to overlook key indicators. Even experienced analysts might be tempted to make “gut calls” based on previous incidents and incomplete information. With automation, the same data is gathered for every alert, and every alert is investigated and memorialized the same way, every time.

Coverage of security automation is growing.  This recent article in SC Magazine introduces yet another angle.   Here’s a stat from that article that caught my attention:

Over a quarter (28 percent) of cyber-security professionals compromise their ethics to pass audits, likely due to growing network complexity and disparate technology, security and more to keep cyber-criminals at bay.


Saving time is one thing; compromising ethics to get your job done is something entirely different.  No one should be faced with such a dilemma, and I think automation can help here as well.  No doubt, we’re just starting to understand the impact automation and orchestration can have on the industry.  I’m looking forward to being part of the team leading this change at Phantom.

Eric Hoffman
Partner Manager, North America
Phantom


Announcing Phantom 2.0 – Early Access!

It’s been a very busy summer for Phantom, our users, and the community.  So far, we have announced the winners in the Phantom App & Playbook Contest, added more than 15 new Apps (thanks to many community contributions), and revamped our Community Portal.  Well, we’re adding to that list…   We are very pleased to announce the early access availability of Phantom 2.0!

The GA for our first Phantom release was in February of this year, and it is amazing how much the product has grown in such a short time.  This accelerated evolution of the product is credited to the great feedback from our customers, users, and the community.  A big thank you to all.

There are several new features to start using immediately.  The feature that represents the most drastic change is the BPMN-style Playbook Editor (60 second demo).

This new editor now allows users to create fully functional Phantom Playbooks with complex decision making logic represented with BPMN-style visual blocks without having to edit the underlying Python code.  Said another way, Python experience is not required to develop complex playbooks on the Phantom platform.

Below is an example of a playbook that incorporates action execution as well as decision logic, all built in a visual way without manual Python coding.  The playbook execution path is as follows:

  • (Action) Execute a Geolocate IP Investigative Action
  • (Conditional IF Block) Check if Country Code is Equal to North Korea
  • (Action) Execute a WHOIS Investigative Action
  • (Conditional IF Block) Check Latitude of Geolocation
  • (Action) Block IP on Firewall

Example: Specify Action Using Searchable Action Pane


Example: Populate the Parameters for the Action


Example: Build Conditional Logic


Example: Insert Containment Action (Block IP)


While the above playbook is a simple example, it demonstrates the power of the new Playbook Editor through the use of conditional statements and the BPMN visual.  This capability completely changes how playbooks are developed, as well as who can develop, maintain, and enhance playbooks.

This is not the only enhancement to the platform, however.  Below is a summary of the other key features introduced in Phantom 2.0:

Delete Containers and Artifacts: The platform supports the ability to delete containers and artifacts from the UI. There is now a related user privilege ‘delete containers’ for the role.

JSON Widget view: In Mission Control, all widgets now support an option to view the full JSON view of the action results. This can be toggled from the widget’s top right “gear” menu, which also has the option to resize widgets.

DUO Two Factor Authentication: The platform now supports integration with DUO Two Factor Authentication, which can be enabled in the Administration / Authentication section.

New Automation APIs: New automation APIs support the Python code auto-generated by the new Playbook Editor.

REST APIs for ‘Custom Lists’: Custom lists can now be retrieved, and their data updated, via newly added REST endpoints.

Filtering Containers: The Container listing page now supports searching and filtering containers. This makes it easier to multi-select containers to edit, delete, or run playbooks on.

We want everyone in our growing community to download this release, use it in your development or test environment, and let us know your feedback.  It is located in the usual place – in the ‘Product’ section of our portal.  You will see an Early Access release that is Phantom version 2.0.67.

As always, utilize the Slack channel as much as possible – everyone at Phantom is active on Slack and it’s a great place to get best practices from other users as well as collaborate on Playbooks.

Thanks!

Rob Truesdell
Director, Product Management
Phantom


Series: Defining Security Automation & Orchestration – Automatic Ingestion & Enrichment of Data

We started a series on the blog in May to explore Security Automation & Orchestration as a new technology.  We enabled comments on the series as we are hoping to see participation from the community.

In that first post, we shared a list of key characteristics for Security Automation & Orchestration.  Providing “Automatic Ingestion & Enrichment of Data” was one of the characteristics, and the focus for today’s post.


Automation and orchestration begins with the ingestion of data which can originate from several different sources.  Common examples include security incidents, vulnerabilities, threat intelligence, emails, and others.  Though modern products tend to be built around open standards for storing and exchanging data, products with older architectures might be more limited.

This is another area where vendors offering workflow or ticket management products can lag the market (also discussed here).  Though useful in managing the incident response process, integration with other products may have been an afterthought in their design, making it more difficult to ingest data.  Even some SIEM products may fall short in this area despite being built as platforms to manage security data.

Given the wide range of security data sources and the rapidly changing conditions of the market, it’s best to select technologies that embrace open standards for ingesting data and enriching it.  Further, best in class automation and orchestration platforms will enable users to easily push data to or pull it from a number of 3rd party products and services.

We’ll continue to elaborate on each of the key characteristics and solicit input from the community.  For now, we’d like to hear your thoughts on the importance of supporting automatic ingestion and enrichment of data.

  • Do you agree that it is important?
  • What formats should be supported for ingestion and enrichment of data?
  • Are open standards such as JSON important?
  • When thinking about automation, what other benefits would you associate with products that provide automatic ingestion and enrichment of data?

CP Morey
VP, Products & Marketing
Phantom


A Security Architecture for Constant Change

The security industry has evolved over the last few decades with many lessons learned along the way. One lesson that resonates well is – “the only constant is change”. Attacks and the security solutions that counter them have changed constantly, with new solutions built to defend against each new attack technique. The result is an abundance of security solutions deployed to defend the digital enterprise.


With the average enterprise now using an estimated 75 distinct security products, security operations teams are clearly overwhelmed with all the knobs they need to turn to prevent, contain, and remediate security incidents. It’s no surprise that 85% of organizations have not achieved their required/expected maturity levels according to HPE’s survey of 114 different SOCs titled, “State of Security Operations, 2016 Report of Capabilities and Maturity of Cyber Defense Organizations”.

It’s critical for a Security Automation and Orchestration platform to be architected such that it can thrive even in this constantly changing technology landscape. It must enable security operations teams to use the latest and best-of-breed security solutions fearlessly while giving them the confidence to automate processes and procedures to improve SOC maturity levels.

Another challenge that we face in the security industry is the lack of consistent terminology. Every day brings a new term for a new technique, or simply for a new feature, or even for a variation of an old technique that is now the solution to the new attack. This adds further confusion and slows down the security operations team. Is blacklisting a hash the same as blocking a hash? SOC teams just need to prevent the malicious process from running on the endpoints; how that is achieved by the point products is immaterial when they are working to respond fast.

Phantom Security Automation and Orchestration has been built with these challenges in mind. Two key characteristics of the Phantom architecture address them head on:

  1. Product Agnostic Simplified Vocabulary
  2. Adaptive Playbooks

Product Agnostic Simplified Vocabulary

When faced with an attack or a breach, security operations teams have a good idea of how to contain and control the attack. However, they are challenged with choosing from the many options available on many different products, perhaps not even knowing whether two options have the same effect. The same capability or function may have different names and settings on different products in the same category.  Phantom abstracts this complexity and exposes similar capabilities across different vendor products via a much simpler ‘noun/verb’ construct. For example, to block an IP, a user invokes an action called ‘block ip’. Phantom handles the mapping of that action to the various APIs, functions, REST endpoints, etc. of the products the user has deployed, and delivers the expected functionality. This results in an intuitive product and gives users the advantage of speed, since the action they need is found naturally by name in the course of responding.

Adaptive Playbooks

Digital Infrastructure is forever evolving and changing for many reasons. New technologies replace old technologies; new products are introduced for newer/better capabilities. Mergers and acquisitions often lead to a mix of technologies from many different vendors which usually don’t interoperate. For example, it’s not surprising to find many different versions of the same firewall or many different firewalls used in different parts of the same corporate infrastructure. Phantom Playbooks/APIs have been designed to be tolerant or resilient to these differences.

If a new firewall is introduced into the infrastructure, the Playbook need not change. The intention to block the IP on all firewalls is executed on all firewalls, including newly added devices, without editing the Playbook: Phantom is designed to include the new firewall in the response plan and to orchestrate actions on it automatically.

Phantom lets users design and implement the Playbook so that it keeps working through these constant changes. An ‘Asset-less Action’ (a call to the action API, phantom.act(), that does not specify an asset) tells the Playbook to execute the action on every asset that supports the requested action, which automatically includes a newly added asset. Optionally, tags on assets allow the automation API and Playbooks to act on groups of assets; users only need to add the assets and tag them appropriately. The user always retains the option of naming the specific asset on which to execute the action.

To mitigate the risk of unforeseen changes, Phantom allows users to overlay human intervention on any part of the Playbook execution, via the phantom.prompt() API and/or by specifying asset owners and/or action reviewers in the action call, so that the automation waits for human approval where necessary.
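As an added illustration of the targeting rules just described (this is constructed example code, not Phantom’s own implementation), the following Python models a small asset inventory and resolves a ‘block ip’ call the three ways the post names: by a specific asset, by tag, or asset-less. An `approve` callback stands in for the phantom.prompt() checkpoint; the asset names, product names and the 203.0.113.7 address are all constructed.

```python
"""Constructed illustration of the asset-targeting rules described above.
Not Phantom's code: a toy asset registry plus the three ways the post says an
action can be targeted (named asset, tag, or asset-less) and an approval gate
that stands in for phantom.prompt()."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    actions: frozenset        # action verbs the asset's app implements
    tags: frozenset = frozenset()


# Constructed inventory: two firewalls from different vendors and one endpoint tool.
ASSETS = [
    Asset("fw-hq", "vendor-a-firewall", frozenset({"block ip", "unblock ip"}),
          frozenset({"perimeter"})),
    Asset("fw-branch", "vendor-b-firewall", frozenset({"block ip", "unblock ip"}),
          frozenset({"perimeter", "branch"})),
    Asset("edr-1", "endpoint-agent", frozenset({"quarantine device"}),
          frozenset({"endpoint"})),
]


def resolve_assets(action, assets, asset=None, tags=None):
    """Return the assets an action call should run on.

    asset given -> exactly that asset, which must support the action
    tags given  -> every asset carrying all of those tags that supports it
    neither     -> asset-less: every asset in the inventory that supports it
    """
    if asset is not None:
        chosen = [a for a in assets if a.name == asset]
        if not chosen:
            raise LookupError(f"unknown asset {asset!r}")
        if action not in chosen[0].actions:
            raise ValueError(f"asset {asset!r} does not support {action!r}")
        return chosen
    if tags:
        wanted = set(tags)
        chosen = [a for a in assets if wanted <= a.tags]
    else:
        chosen = list(assets)
    return [a for a in chosen if action in a.actions]


def run_action(action, params, assets, asset=None, tags=None, approve=None):
    """Dispatch an action to each resolved asset.

    approve(action, params, asset) -> bool stands in for a phantom.prompt()
    checkpoint; when it returns False the action on that asset is skipped.
    """
    results = []
    for target in resolve_assets(action, assets, asset, tags):
        if approve is not None and not approve(action, params, target):
            results.append((target.name, "skipped: not approved"))
            continue
        # Phantom maps the verb to the product's API; here we only record the call.
        results.append((target.name, f"{action} {params['ip']} via {target.product}"))
    return results


def playbook_block_ip(ip, assets, approve=None):
    """The 'playbook': one asset-less block ip, written once and never edited
    when a new firewall is added to the inventory."""
    return run_action("block ip", {"ip": ip}, assets, approve=approve)


if __name__ == "__main__":
    # Add a third firewall; the playbook call above is unchanged but now covers it.
    new_fw = Asset("fw-new", "vendor-c-firewall", frozenset({"block ip"}),
                   frozenset({"perimeter"}))
    for name, outcome in playbook_block_ip("203.0.113.7", ASSETS + [new_fw]):
        print(name, "->", outcome)
```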

These two important features allow the Playbooks to function without disruptions while being cognizant of the evolving digital infrastructure of the enterprise, also allowing it to leverage new capabilities as they are added to the environment.

Interested in seeing how Phantom Playbooks can help your organization? Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

Sourabh Satish
CTO & Co-founder
Phantom


Series: Defining Security Automation & Orchestration – Decision Making Support

We started a series on the blog in May to explore Security Automation & Orchestration as a new technology.  We enabled comments on the series as we are hoping to see participation from the community.

In that first post, we shared a list of key characteristics for Security Automation & Orchestration.  Providing “Decision Making Support” was one of the characteristics, and the focus for today’s post.


Automation & Orchestration is a promising new category in security, and as often happens, vendors are quick to take advantage of the ambiguity that sometimes exists when new technologies are introduced.  It’s common to see companies reposition their products as being perfectly suited for whatever happens to be the popular, new technology.

One area where this has been pronounced is with vendors who offer products designed for workflow or ticket management.  While these systems can help to speed response time, they fall short of full-fledged Security Automation & Orchestration platforms mainly due to the lack of decision making support.  The challenge is similar with SIEM (Security Incident & Event Management) and TIP (Threat Intelligence Platform) products as well.

Best in class Security Automation & Orchestration platforms support a range of decision making support capabilities where administrators may be in, on, or out of the loop.  When functioning as an “in the loop” platform, certain actions may need to be approved by an analyst before the platform completes its orchestration.  For example, an automation playbook might ingest and enrich threat intelligence before presenting it to an analyst for review.  With the analyst’s approval the playbook continues to execute, perhaps blocking an IP address at the firewall based on the intelligence.  In an “on the loop” scenario, the playbook is fully executed automatically, though the analyst has oversight and the ability to stop or even reverse a specific action.  An “out of the loop” deployment is where automation and orchestration platforms separate themselves from related products.  Playbooks execute at machine speed with details tracked for overall reporting.  Analysts can use scripting languages like Python to fully support decision logic as part of the workflow.

We’ll continue to elaborate on each of the key characteristics and solicit input from the community.  For now, we’d like to hear your thoughts on the importance of supporting decision making.

  • Do you agree that it is important?
  • What is the best way to provide decision making support in an automation platform?
  • When thinking about automation, what other benefits would you associate with products that provide decision making support?

CP Morey
VP, Products & Marketing
Phantom
