Series: Defining Security Automation & Orchestration – Decision Making Support

We started a series on the blog in May to explore Security Automation & Orchestration as a new technology.  We enabled comments on the series as we are hoping to see participation from the community.

In that first post, we shared a list of key characteristics for Security Automation & Orchestration.  Providing “Decision Making Support” was one of the characteristics, and the focus for today’s post.

Decision making

Automation & Orchestration is a promising new category in security, and as often happens, vendors are quick to take advantage of the ambiguity that sometimes exists when new technologies are introduced.  It’s common to see companies reposition their products as being perfectly suited for whatever happens to be the popular, new technology.

One area where this has been pronounced is with vendors who offer products designed for workflow or ticket management.  While these systems can help to speed response time, they fall short of full-fledged Security Automation & Orchestration platforms mainly due to the lack of decision making support.  The challenge is similar with SIEM (Security Incident & Event Management) and TIP (Threat Intelligence Platform) products as well.

Best-in-class Security Automation & Orchestration platforms offer a range of decision making support capabilities where administrators may be in, on or out of the loop.  When functioning as an “in the loop” platform, certain actions may need to be approved by an analyst before the platform completes its orchestration.  For example, an automation playbook might ingest and enrich threat intelligence before presenting it to an analyst for review.  With the analyst’s approval, the playbook continues to execute, perhaps blocking an IP address at the firewall based on the intelligence.  In an “on the loop” scenario, the playbook is fully executed automatically, though the analyst has oversight and the ability to stop or even reverse a specific action.  An “out of the loop” deployment is where automation and orchestration platforms separate themselves from related products.  Playbooks execute at machine speed with details tracked for overall reporting.  Analysts can use scripting languages like Python to fully support decision logic as part of the workflow.
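The three modes can be sketched in Python as follows. This is an added example, not Phantom's API or code from the original post: `Firewall`, `enrich`, `run_playbook`, `reverse`, the score threshold and the intelligence values are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    IN_THE_LOOP = "in"       # analyst must approve before the action runs
    ON_THE_LOOP = "on"       # action runs automatically; analyst may reverse it
    OUT_OF_THE_LOOP = "out"  # action runs at machine speed; audit trail only

@dataclass
class Firewall:
    """Hypothetical stand-in for a firewall integration."""
    blocked: set = field(default_factory=set)
    def block(self, ip): self.blocked.add(ip)
    def unblock(self, ip): self.blocked.discard(ip)

# Constructed threat intelligence: IP -> reputation score (documentation ranges).
INTEL = {"203.0.113.7": 90, "198.51.100.4": 20}

def enrich(ip):
    """Attach the reputation score; unknown IPs score 0."""
    return {"ip": ip, "score": INTEL.get(ip, 0)}

def run_playbook(ip, mode, firewall, approve=None, threshold=80):
    """Enrich, decide, act. Returns the audit trail used for reporting."""
    finding = enrich(ip)
    audit = [("enriched", finding["score"])]
    if finding["score"] < threshold:
        audit.append(("no_action", ip))
        return audit
    if mode is Mode.IN_THE_LOOP:
        # Fail closed: no approver, or a denial, means nothing is blocked.
        if approve is None or not approve(finding):
            audit.append(("not_approved", ip))
            return audit
        audit.append(("approved", ip))
    firewall.block(ip)
    audit.append(("blocked", ip))
    return audit

def reverse(ip, firewall, audit):
    """Analyst oversight: undo an automated block and record the reversal."""
    if ("blocked", ip) not in audit:
        raise ValueError("no automated block recorded for " + ip)
    firewall.unblock(ip)
    audit.append(("reversed", ip))
    return audit
```

The in-the-loop branch fails closed, so a playbook that loses its approver does not silently behave like an out-of-the-loop one.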

We’ll continue to elaborate on each of the key characteristics and solicit input from the community.  For now, we’d like to hear your thoughts on the importance of supporting decision making.

  • Do you agree that it is important?
  • What is the best way to provide decision making support in an automation platform?
  • When thinking about automation, what other benefits would you associate with products that provide decision making support?

CP Morey
VP, Products & Marketing

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit:
