Earlier this week, we covered Safe Mode on the blog. It’s a great new feature in Phantom 2.0, and a relevant topic for those who are just getting started with automation and orchestration. Today, we’ll touch on a more advanced topic; one suitable for those who are already on the automation and orchestration journey.
Maturity continuums are not a new concept in the technology industry, but this is the first time that I've seen one applied to automation and orchestration. As with other continuums, it's a useful way to benchmark your progress in adopting this new technology as well as to develop a strategic vision for the future.
Incidentally, if you like this post, it’s an excerpt from a whitepaper that we’ve written, which you can download here.
Now on to the continuum:
- Automated Security Lifecycle Management – This first level of automation involves ingesting structured or unstructured data, normalizing it, assigning ownership, determining severity/sensitivity, and enforcing SLAs for actions. Additionally, the platform enables security analysts to take various kinds of action on that information from a centralized incident management interface in order to bring security incidents to closure.
- Response Plan Orchestration (i.e. Playbooks) – The next level of automation enables the security operations team to express and encode response plans on the platform. A response plan represents a complex decision-making process and a set of conditional Courses of Action (COAs) across a diverse set of devices and applications; in the platform these encoded plans are known as Playbooks. A Playbook can then be executed on demand against any security incident to quickly get the results of many actions.
- Supervised Automation and Orchestration – The next level of automation involves ingesting data in real time and configuring Playbooks to execute automatically and continuously on any new information, while still requiring users (e.g. security operations personnel or asset owners) to approve individual actions before they are executed. At this level, the platform expedites incident handling by automatically running the actions specified in Playbooks, but users remain engaged in each decision.
- Autonomous Orchestration – Once users are comfortable with the system and the decisions it makes, they can deploy the technology to execute actions via Playbooks with minimal user engagement. The platform can replay human decisions and preferences, based on past interactions in the same or a similar situation, and engage users only when necessary, for example under certain business conditions or when certain types of assets are impacted.
- Prioritized Response Action Recommendations – At this level, the platform is capable of "learning" from past user interactions, decisions and choices, along with the information it has processed so far and the outcomes that have proven effective, and can recommend a prioritized set of actions to execute, each with a detailed cost-benefit analysis.
- Predictive Response Strategies – This level of automation uses machine-learning-based predictive models to recommend response plans for security incidents, drawing on traits of the incident, the phase of the attack, the types of assets and business processes being impacted, temporal attributes, geopolitical and market conditions, etc.
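The Playbook, Supervised and Autonomous levels describe a concrete mechanism: a plan of conditional actions, a human gate in front of each action, and then replay of earlier human decisions for the same situation with escalation for certain assets. The following is an added example, written for this post and not Phantom's own code or its Playbook API; it models that progression in a few dozen lines of Python. The incident fields, the `CONTAINMENT_ACTIONS` set, the notion of "same situation" as (action, IOC type, severity), and the sample incidents (RFC 5737 documentation addresses) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Incident:
    ioc: str          # the indicator the incident is about
    ioc_type: str     # e.g. "ip" or "hash"
    severity: str     # "low", "medium" or "high"
    asset_tier: str   # "standard" or "critical"


# Assumption: actions with side effects get a human gate at the supervised
# level; read-only lookups run without one.
CONTAINMENT_ACTIONS = {"block_ip", "isolate_host"}


def malicious_ip_playbook(inc: Incident) -> List[Tuple[str, dict]]:
    """Level 2: a response plan encoded as conditional courses of action.
    Returns the ordered (action, parameters) pairs to run for this incident."""
    plan = [("lookup_reputation", {"ioc": inc.ioc})]
    if inc.severity in ("medium", "high"):
        plan.append(("block_ip", {"ip": inc.ioc, "device": "edge-firewall"}))
    if inc.severity == "high":
        plan.append(("isolate_host", {"ip": inc.ioc}))
    return plan


@dataclass
class Orchestrator:
    mode: str                               # "supervised" or "autonomous"
    approver: Callable[[str, dict], bool]   # the human in the loop
    decisions: Dict[Tuple[str, str, str], bool] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    @staticmethod
    def _situation(action: str, inc: Incident) -> Tuple[str, str, str]:
        # "Same or similar situation" is a design choice; here (assumption) it
        # means the same action for the same IOC type at the same severity.
        return (action, inc.ioc_type, inc.severity)

    def _decide(self, action: str, params: dict, inc: Incident) -> Tuple[bool, str]:
        key = self._situation(action, inc)
        # Level 4: replay a stored human decision, but always re-engage the
        # human when a critical asset is impacted.
        if self.mode == "autonomous" and key in self.decisions and inc.asset_tier != "critical":
            return self.decisions[key], "replayed"
        approved = self.approver(action, params)      # Level 3: ask every time
        self.decisions[key] = approved
        return approved, "human"

    def run(self, playbook, inc: Incident) -> List[Tuple[str, str, str]]:
        """Run a playbook on an incident; returns (action, outcome, decided_by)."""
        results = []
        for action, params in playbook(inc):
            decided_by = "none"
            if action in CONTAINMENT_ACTIONS:
                approved, decided_by = self._decide(action, params, inc)
                if not approved:
                    results.append((action, "skipped", decided_by))
                    continue
            # A real platform would call the device integration here; we only log.
            self.audit.append(f"{inc.ioc}: {action} {params}")
            results.append((action, "executed", decided_by))
        return results


def demo() -> dict:
    """Constructed incidents run through both modes; returns per-mode results."""
    prompts: List[str] = []

    def analyst(action: str, params: dict) -> bool:
        prompts.append(action)
        return action != "isolate_host"   # approves blocks, declines isolation

    incidents = [
        Incident("203.0.113.7", "ip", "high", "standard"),
        Incident("203.0.113.9", "ip", "high", "standard"),   # same situation as the first
        Incident("203.0.113.11", "ip", "high", "critical"),  # critical asset: always ask
    ]
    out = {}
    for mode in ("supervised", "autonomous"):
        orch = Orchestrator(mode, analyst)
        runs, prompts_per_run = [], []
        for inc in incidents:
            before = len(prompts)
            runs.append(orch.run(malicious_ip_playbook, inc))
            prompts_per_run.append(len(prompts) - before)
        out[mode] = {"runs": runs, "prompts_per_run": prompts_per_run}
    return out


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, "prompts per incident:", result["prompts_per_run"])
        for run in result["runs"]:
            print("  ", run)
```

In supervised mode the analyst is prompted for both containment actions on every incident; in autonomous mode the second incident, which matches the first's situation, is handled entirely from replayed decisions, while the third still prompts because it touches a critical asset. The two things worth carrying into a real deployment are the explicit situation key (too coarse and you replay decisions that do not fit; too fine and nothing ever replays) and the fact that the gate sits only on actions with side effects, so investigation steps never wait on a human.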
We’ve enabled comments on this post, so you can share your thoughts:
- What’s missing from the continuum?
- Are the levels realistic?
- How do we accelerate through the continuum?
VP, Products & Marketing
Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the balance that best fits your organization's needs while increasing security and accelerating security operations. Focused on closing the security gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one consolidated, integrated and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: www.phantom.us.