Series: Defining Security Automation & Orchestration – Automatic Ingestion & Enrichment of Data

We started a series on the blog in May to explore Security Automation & Orchestration as a new technology.  We enabled comments on the series as we are hoping to see participation from the community.

In that first post, we shared a list of key characteristics for Security Automation & Orchestration.  Providing “Automatic Ingestion & Enrichment of Data” was one of the characteristics, and the focus for today’s post.


Automation and orchestration begins with the ingestion of data which can originate from several different sources.  Common examples include security incidents, vulnerabilities, threat intelligence, emails, and others.  Though modern products tend to be built around open standards for storing and exchanging data, products with older architectures might be more limited.

This is another area where vendors offering workflow or ticket management products can lag the market (also discussed here).  Though useful in managing the incident response process, integration with other products may have been an afterthought in their design, making it more difficult to ingest data.  Even some SIEM products may fall short in this area despite being built as platforms to manage security data.

Given the wide range of security data sources and the rapidly changing conditions of the market, it’s best to select technologies that embrace open standards for ingesting data and enriching it.  Further, best in class automation and orchestration platforms will enable users to easily push data to or pull it from a number of 3rd party products and services.

We’ll continue to elaborate on each of the key characteristics and solicit input from the community.  For now, we’d like to hear your thoughts on the importance of supporting automatic ingestion and enrichment of data.

  • Do you agree that it is important?
  • What formats should be supported for ingestion and enrichment of data?
  • Are open standards such as JSON important?
  • When thinking about automation, what other benefits would you associate with products that provide automatic ingestion and enrichment of data?

CP Morey
VP, Products & Marketing

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit:

3 thoughts on “Series: Defining Security Automation & Orchestration – Automatic Ingestion & Enrichment of Data

  1. One of my biggest complaints about today’s security product landscape is that some vendors continue lagging behind in creating extensible apis. By doing this they position their possibly top of the industry product to be left behind when we select one that might be second or third best at its security function, but can be integrated the way we want it integrated.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s