Series: Defining Security Automation & Orchestration – Automatic Action & Remediation

We started a series on the blog in May to explore Security Automation & Orchestration as a new technology.  We enabled comments on the series as we are hoping to see participation from the community.

In that first post, we shared a list of key characteristics for Security Automation & Orchestration.  Providing “Automatic Action & Remediation” was one of the characteristics, and the focus for today’s post.

As previously explained, automation and orchestration begins with the ingestion and enrichment of data, but that’s only part of what’s needed to address most security events.  Once an analyst understands the context around an event, some action is typically required.   For example, with a malware event, the action may include changing a policy on the Firewall or quarantining an endpoint device.


This is an area that really distinguishes Security Automation & Orchestration Platforms from solutions like SIEM (Security Incident & Event Management) and TIP (Threat Intelligence Platform).  While these solutions often automate the ingestion and enrichment of data, they fall short of taking action.

Security Automation & Orchestration Platforms, SIEMs, and TIPs can actually complement one another by providing a “closed loop” system that includes collecting & analyzing data, decision making, and acting.  All or some of the the steps can be automated with checkpoints for human approval along the way.

We’ll continue to elaborate on each of the key characteristics and solicit input from the community.  For now, we’d like to hear your thoughts on the importance of supporting automatic action and remediation.

  • Do you agree that it is important?
  • What actions should be automated to remediate issues?
  • When thinking about automation, what other benefits would you associate with products that provide automatic action and remediation of events?


CP Morey
VP, Products & Marketing

About Phantom:
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution; delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger; Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit:

2 thoughts on “Series: Defining Security Automation & Orchestration – Automatic Action & Remediation

  1. 1. Absolutely agree. One question I feel is important is how to keep these systems complementary by focusing on what they do best instead of trying to “do it all”. For example when I want to move to a next generation SIEM I don’t want to have to rebuild all my orchestration. When I move to a next gen orchestration tool I don’t want to rebuild all my SIEM rules.
    2. As to what actions should be automated next, anything that uses software or configuration updates to quarantine, clean, or increase visibility into an event should be automated, even if it’s currently going to be manually activated while the human is still questioning the validity of the automation.
    3. A major benefit, if implemented right, is showing the security pro that they’re not being replaced, rather they’re being augmented through software and hardware in a way that extends their ability beyond what they can do on their own. It’s on the verge of a sci-fi mech suit but for the cyber security professional.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s