The Road to Hell is Paved with Good Intentions

Saint Bernard of Clairvaux supposedly said it back in 1150.  He certainly wasn’t thinking about security products when he said it, but the quote may nonetheless apply.

Shelfware is a common ailment in the tech industry, and the security segment isn’t immune to the phenomenon.  Many a product has been bought, only to gather dust because it was never implemented. Whether it was internal politics, lack of staff or expertise, or employee turnover, what started as a good intention didn’t end with success.

Though a bit dated (circa 2014), Javvad Malik even presented research on the topic:

451-research_shelfwareResponses to the question: What ends up on the shelf?

Though most security technologies seem to be represented, SIEM is a standout in the bunch.  SIEM has traditionally been focused on ingesting and enriching data, stopping far short of taking action.  I’ll submit that aspect is one of the reasons for the relatively high number of SIEM/Shelfware responses in Javvad’s research.

The reality is that security analysts have plenty of data to consume already. Our research shows that even a well-trained analyst can handle only 8 – 12 incidents per day. So it’s no surprise that when large organizations receive thousands of actionable events per week, it’s tough to keep up with the volume.  Interest and use wane.  Suddenly, you and your intentions are on the road to hell.

Security Automation & Orchestration (SA&O) platforms make great complements to SIEMs, providing a way to drive remediation from correlated events.  The two platforms work as a “closed-loop system” to collect and analyze data, make decisions, and take action.   All or some of the steps can be automated with analyst checkpoints for human approval along the way.

In the simple example below, the Phantom Playbook includes decision logic that automatically blocks an IP address or notifies a human analyst to review information—depending on the outcome of the prior geolocate IP action.

playbook-editor_decision-block(Phantom UI showing the Playbook Editor in V2.0)

SA&O platforms integrate with more than SIEM platforms.  Moreover, the Phantom platform can automate nearly any product to keep it “off the shelf.”

Apps extend the Phantom platform’s capabilities by supporting integration into third party security products and tools. Most security technologies these days have REST APIs, command line interfaces, or some other management interface that Phantom Apps can connect to in order to execute investigative and containment actions.

More than 75 Phantom Apps are available today (, and our community-powered approach means that new Apps can be developed by anyone and freely shared within the Phantom user community.  In fact, we’re even running an App Contest now where one lucky contestant will win a $2,500 cash prize!

Interested in seeing how Phantom can help your organization?  Get the free Phantom Community Edition, and attend one of our Tech Sessions to see Playbooks in action.

CP Morey
VP, Products & Marketing