The security industry has evolved over the last few decades with many lessons learned along the way. One lesson that resonates well is – “the only constant is change”. Attacks and counter security solutions have constantly changed with new security solutions to defend against new attack techniques. The result is an abundance of security solutions deployed to defend the digital enterprise.
With the average enterprise now using an estimated 75 distinct security products, security operations teams are clearly overwhelmed with all the knobs they need to turn to prevent, contain, and remediate security incidents. It’s no surprise that 85% of organizations have not achieved their required/expected maturity levels according to HPE’s survey of 114 different SOCs titled, “State of Security Operations, 2016 Report of Capabilities and Maturity of Cyber Defense Organizations”.
It’s critical for a Security Automation and Orchestration platform to be architected such that it can thrive even in this constantly changing technology landscape. It must enable security operations teams to use the latest and best-of-breed security solutions fearlessly while giving them the confidence to automate processes and procedures to improve SOC maturity levels.
Another challenge that we face in the security industry is the lack of consistent terminology. Every day brings a new term for a new technique or simply a new feature or even a variation of an old technique that is the new solution to the new attack. This adds further confusion slowing down the security operations team. Is blacklisting a hash the same as blocking a hash? SOC teams just need to prevent the malicious process from running on the endpoints; how that is achieved by the point products is immaterial when they are working to respond fast.
Phantom Security Automation and Orchestration has been built with these challenges in mind. Two key characteristics of the Phantom architecture address it head on:
- Product Agnostic Simplified Vocabulary
- Adaptive Playbooks
Product Agnostic Simplified Vocabulary
When faced with an attack or a breach, the security operations teams have a good idea of how to contain and control the attack. However, they are challenged with choosing from the many options available on many different products, perhaps not even knowing if two options have the same effect. The same capability or function may have different names and settings on different products in the same category. Phantom abstracts this complexity and exposes similar capabilities across different vendor products via a much simpler ‘noun/verb’ construct. For example, to block an IP, a user implements an action called ‘block ip’. Phantom handles the mapping of that action to various APIs, functions, REST endpoints, etc. and delivers the expected functionality to the products the user has deployed. This results in an intuitive product and gives users the advantage of speed since actions are naturally found by the users in the process of responding fast.
Digital Infrastructure is forever evolving and changing for many reasons. New technologies replace old technologies; new products are introduced for newer/better capabilities. Mergers and acquisitions often lead to a mix of technologies from many different vendors which usually don’t interoperate. For example, it’s not surprising to find many different versions of the same firewall or many different firewalls used in different parts of the same corporate infrastructure. Phantom Playbooks/APIs have been designed to be tolerant or resilient to these differences.
If a new firewall has been introduced in the infrastructure, the Playbook need not change. The intention to block the IP on all firewalls will be executed on all firewalls including the newly added devices without changing the Playbook. Phantom facilitates this agility by design to include and orchestrate the response plan and actions on this newly added firewall automatically. Phantom allows users to design and implement the Playbook such that it automatically works with these constant changes. ‘Asset-less Actions’ (i.e. the action API (phantom.act()) not specifying an asset) imply that the Playbook should execute the action on all assets that support the requested action, thus automatically including the newly added asset. Optionally, specifying tags on assets allows the automation API and Playbooks to act on groups of assets. Users are only expected to add the assets and tag them appropriately. The user always has the option of specifying the specific asset to execute the action. To mitigate the risk of unforeseen changes, Phantom allows users to overlay human intervention to any part of the Playbook execution via the API phantom.prompt() and/or by specifying asset owners and/or action reviewers in the action call such that the automation waits for human approval where necessary.
These two important features allow the Playbooks to function without disruptions while being cognizant of the evolving digital infrastructure of the enterprise, also allowing it to leverage new capabilities as they are added to the environment.
Interested in seeing how Phantom Playbooks can help your organization? Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.
CTO & Co-founder
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: http://www.phantom.us.