We started a series on the blog in May to explore Security Automation & Orchestration as a new technology. We enabled comments on the series as we are hoping to see participation from the community.
In that first post, we shared a list of key characteristics for Security Automation & Orchestration. Providing “Automatic Action & Remediation” was one of the characteristics, and the focus for today’s post.
As previously explained, automation and orchestration begin with the ingestion and enrichment of data, but that is only part of what is needed to address most security events. Once an analyst understands the context around an event, some action is typically required. For example, with a malware event, the action may include changing a policy on the firewall or quarantining an endpoint device.
This is an area that really distinguishes Security Automation & Orchestration Platforms from solutions like SIEM (Security Incident & Event Management) and TIP (Threat Intelligence Platform). While these solutions often automate the ingestion and enrichment of data, they fall short of taking action.
Security Automation & Orchestration Platforms, SIEMs, and TIPs can actually complement one another by providing a “closed loop” system that includes collecting & analyzing data, decision making, and acting. All or some of the steps can be automated, with checkpoints for human approval along the way.
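The closed loop described above, written out as an added example that is not Phantom's playbook code or API: an event is ingested, enriched from threat-intel and asset context, scored, and then acted on, with non-disruptive actions (opening a ticket) running automatically and disruptive ones (firewall block, endpoint quarantine) held for analyst approval unless a policy pre-approves them. The indicator reputations, asset inventory, and connector calls are constructed stand-ins for real SIEM, TIP, firewall and EDR integrations; the names `run_playbook`, `Action`, and `Outcome` are assumptions of this example.

```python
"""Closed-loop response playbook: ingest -> enrich -> decide -> act,
with human-approval checkpoints before any disruptive action.
Added example; the data and connectors below are constructed stand-ins."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple

# Constructed threat-intel lookup standing in for a TIP enrichment call.
THREAT_INTEL: Dict[str, dict] = {
    "203.0.113.45": {"malicious": True, "confidence": 90},
    "198.51.100.7": {"malicious": False, "confidence": 10},
}
# Constructed asset inventory standing in for a CMDB / EDR enrichment call.
ASSETS: Dict[str, dict] = {
    "ws-0417": {"criticality": "low", "owner": "user-a"},
    "db-01": {"criticality": "high", "owner": "dba-team"},
}


class Action(str, Enum):
    BLOCK_IP = "block_ip"                 # firewall policy change
    QUARANTINE_HOST = "quarantine_host"   # endpoint isolation via EDR
    OPEN_TICKET = "open_ticket"           # notify the SOC; changes nothing in production


# Actions that never need a sign-off because they do not touch production.
NON_DISRUPTIVE = {Action.OPEN_TICKET}


@dataclass
class Event:
    event_id: str
    src_ip: str
    host: str


@dataclass
class Outcome:
    risk: int
    executed: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


def enrich(event: Event) -> dict:
    """Enrichment step: attach indicator reputation and asset context to the event."""
    intel = THREAT_INTEL.get(event.src_ip, {"malicious": False, "confidence": 0})
    asset = ASSETS.get(event.host, {"criticality": "unknown", "owner": None})
    return {"intel": intel, "asset": asset}


def decide(context: dict) -> Tuple[int, List[Action]]:
    """Decision step: turn enriched context into a risk score and planned actions."""
    intel, asset = context["intel"], context["asset"]
    risk = intel["confidence"] if intel["malicious"] else 0
    if asset["criticality"] == "high":
        risk = min(100, risk + 10)       # a critical asset raises the stakes
    if risk >= 80:
        return risk, [Action.BLOCK_IP, Action.QUARANTINE_HOST, Action.OPEN_TICKET]
    if risk > 0:
        return risk, [Action.OPEN_TICKET]
    return risk, []


def requires_approval(action: Action, asset: dict, auto_approve: FrozenSet[Action]) -> bool:
    """Checkpoint policy: who may run this action without an analyst in the loop."""
    if action in NON_DISRUPTIVE:
        return False
    if action == Action.QUARANTINE_HOST and asset["criticality"] == "high":
        return True                      # never isolate a critical server unattended
    return action not in auto_approve


def execute(action: Action, event: Event, out: Outcome) -> None:
    """Act step: constructed stand-in for firewall / EDR / ticketing connectors."""
    target = event.src_ip if action == Action.BLOCK_IP else event.host
    out.executed.append(action.value)
    out.audit.append(f"{event.event_id}: executed {action.value} on {target}")


def run_playbook(event: Event,
                 auto_approve: FrozenSet[Action] = frozenset(),
                 approvals: FrozenSet[Action] = frozenset()) -> Outcome:
    """Run the loop once. `auto_approve` is standing policy; `approvals` are the
    analyst decisions already recorded for this event (e.g. on a re-run)."""
    context = enrich(event)
    risk, planned = decide(context)
    out = Outcome(risk=risk)
    out.audit.append(f"{event.event_id}: risk={risk} planned={[a.value for a in planned]}")
    for action in planned:
        if requires_approval(action, context["asset"], auto_approve) and action not in approvals:
            out.pending_approval.append(action.value)
            out.audit.append(f"{event.event_id}: {action.value} awaiting analyst approval")
            continue
        execute(action, event, out)
    return out


if __name__ == "__main__":
    # Workstation hit: with no standing policy only the ticket runs automatically.
    for line in run_playbook(Event("evt-1", "203.0.113.45", "ws-0417")).audit:
        print(line)
```

Re-running the playbook with `approvals={Action.BLOCK_IP, Action.QUARANTINE_HOST}` after an analyst signs off completes the loop, and the `audit` list is what a SIEM would ingest back to close it.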
We’ll continue to elaborate on each of the key characteristics and solicit input from the community. For now, we’d like to hear your thoughts on the importance of supporting automatic action and remediation.
- Do you agree that it is important?
- What actions should be automated to remediate issues?
- When thinking about automation, what other benefits would you associate with products that provide automatic action and remediation of events?
VP, Products & Marketing
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the best balance that fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.