Will automation take away all our jobs?

It’s a theme that seems common in TED Talks lately, and one we’ve even covered before on the blog. This particular talk, though, sheds light on an angle I hadn’t considered before watching David’s talk.

“The number of bank tellers has DOUBLED since the ATM was invented.”


It seems counterintuitive, until you consider how bank tellers have evolved their role to include other services, ultimately becoming more valuable to their employers and teammates along the way.

The same lesson applies to the Security Operations Center. Automation augments SOC teams, enabling them to keep pace with a volume and velocity of security events that they could not otherwise process.

Automation lets teams reduce the clerical workload and spend more time on the analysis of complex security events that require human decision making, rather than on the mundane, routine events that are ripe for automation. This aids employee development, since analysts get the opportunity to build new skills, and helps with retention, since employees are less likely to leave a job because of monotony or boredom.

Besides the obvious efficiency and accuracy gains, employers also see personnel-related improvements from automation. Though it rarely means a reduction in force, it can slow the rate of growth required to staff the SOC at full capacity. Most companies are pleased to see this effect, as more care can be given to employee recruiting and development at a measured pace.

Finally, similarly to how bank tellers have evolved their craft, security automation leads to completely new jobs like the Tier 4 SOC Engineer or even Automation Engineers responsible for overseeing the Security Automation & Orchestration platform.

Interested in seeing how Phantom can help your organization keep pace or enable you to develop new skills? Get the free Phantom Community Edition, and attend one of our Tech Sessions to see the platform in action.

CP Morey
VP, Products & Marketing

App Spotlight: Farsight Security DNSDB—Incorporate DNS intelligence into automated investigations

The App Spotlight series highlights new or recently updated Phantom Apps. Today we’re highlighting the integration between Phantom’s Security Automation and Orchestration (SA&O) platform and the Farsight Security DNSDB threat intelligence solution.

Two of the most popular investigational security actions automated with the Phantom platform are “lookup ip”, which provides reverse DNS information, and “lookup domain”, which provides important details about a domain name. With the recent release of the Farsight Security DNSDB app, Farsight subscribers can now use those abstracted Phantom actions to access Farsight’s expansive historical database of DNS intelligence from within their Phantom playbooks.

Phantom playbooks connect your workflow to the new Farsight DNSDB App. You can try out the integration with one of two standard playbooks: the Phishing playbook, which can be used to investigate and remediate phishing emails; and the Investigate playbook, which queries several external reputation and intelligence services to enrich events. You can also leverage the Farsight App from any playbook shared throughout the community or from the custom playbooks you or your team creates.

The new Farsight Security DNSDB app for Phantom supports standard Phantom playbooks like the Phishing playbook example shown here.

Investigating suspicious IP addresses or domains is standard practice in security investigations. Before automation, this task was handled manually and took 20 minutes or more of an analyst’s time per investigation. By leveraging the Phantom Security Automation and Orchestration platform and the Farsight DNSDB App, you can automate this critical task and reduce investigation time to seconds. Through the Phantom App model and automation, Farsight DNSDB now integrates seamlessly with other incident response tasks, so that no alert ever goes untouched and investigations can advance quickly and accurately.

About Farsight Security, Inc.
Farsight Security, Inc. provides the world’s largest real-time threat intelligence on changes to the Internet. Leveraging proprietary technology with over 200,000 observations/second, Farsight provides the Internet’s view of an organization and how it is changing purposely, inadvertently or maliciously. For more information on Farsight, please visit https://farsightsecurity.com

Playbook Series: Triage Reconnaissance Alerts

Your existing security infrastructure probably observes a lot of scanning, or reconnaissance, activity every day. While a great portion of this activity can be attributed to the background noise of the Internet, it can also be an early warning signal of a full-on attack. A classic problem for security teams is dealing with this type of high-volume activity in a way that doesn’t consume the team’s time and doesn’t miss these early indicators of more nefarious activity.

This is a perfect scenario where Phantom can help. The Phantom platform can receive these alerts and automate key investigation steps on the source IP and DNS domain. If one or both of the source attributes is determined to be malicious, Phantom can enrich the alert with the results of its investigation and escalate it up to a human analyst for further action.

Screenshot of a Phantom investigation playbook as viewed in the Phantom visual playbook editor.

As shown in the above diagram, the Phantom platform ingests the reconnaissance alert and triggers the Reconnaissance Investigation playbook, automating the following steps:

  • Query for the IP address and Domain reputation from configured intelligence provider(s)
  • Automatically dismiss alerts which are false positives
  • Automatically escalate alerts which indicate malicious activity
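The three steps above as decision logic, written as an added example (not Phantom’s playbook API or any playbook from the Phantom community; the reputation provider, alert structure and indicator values are constructed stand-ins). The one rule worth noting is that a failed lookup never counts as “clean”: an alert is auto-dismissed only when every lookup succeeded and returned a clean verdict, otherwise it stays in the queue or is escalated.

```python
"""Reconnaissance-alert triage: look up the source IP and domain with an
intelligence provider, dismiss false positives, escalate malicious ones.
Constructed example; the provider stub stands in for a real lookup action."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Reputation:
    indicator: str
    verdict: str  # "malicious", "suspicious", "clean" or "error"
    source: str


@dataclass
class ReconAlert:
    alert_id: str
    source_ip: str
    source_domain: Optional[str] = None
    status: str = "new"  # "new" (analyst queue), "closed" or "escalated"
    severity: str = "low"
    notes: List[str] = field(default_factory=list)  # enrichment trail


LookupFn = Callable[[str], Reputation]

# Constructed sample intelligence (TEST-NET-3 address, reserved example domain).
_SAMPLE_INTEL: Dict[str, str] = {"203.0.113.7": "malicious", "scanner.example": "suspicious"}


def stub_lookup(indicator: str) -> Reputation:
    """Stand-in for the configured intelligence provider(s)."""
    return Reputation(indicator, _SAMPLE_INTEL.get(indicator, "clean"), "stub-intel")


def triage_recon_alert(alert: ReconAlert, lookup: LookupFn = stub_lookup) -> ReconAlert:
    """Enrich the alert with every lookup result, then dismiss or escalate."""
    indicators = [alert.source_ip] + ([alert.source_domain] if alert.source_domain else [])
    results: List[Reputation] = []
    for ind in indicators:
        try:
            results.append(lookup(ind))
        except Exception as exc:  # provider outage must not look like "clean"
            results.append(Reputation(ind, "error", f"lookup failed: {exc}"))
    for r in results:
        alert.notes.append(f"{r.source}: {r.indicator} -> {r.verdict}")
    verdicts = {r.verdict for r in results}
    if "malicious" in verdicts:
        alert.severity, alert.status = "high", "escalated"
    elif "suspicious" in verdicts:
        alert.severity, alert.status = "medium", "escalated"  # human decides
    elif verdicts == {"clean"}:
        alert.status = "closed"  # false positive: all source attributes clean
        alert.notes.append("auto-closed: all lookups clean")
    else:
        alert.notes.append("left in queue: incomplete reputation data")
    return alert
```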

Automating this process in Phantom has several benefits, including:

  • Increased efficiency by automating routine investigations
  • Reduced time-to-know for malicious activity, from minutes or hours to seconds
  • Consistent and accurate handling of your process every time

Interested in seeing how Phantom playbooks can help your organization? Get the free Phantom Community Edition, and attend one of our Tech Sessions to see playbooks in action.

Chris Simmons
Director, Product Marketing

Did you know that Phantom playbooks are Python based? The Phantom platform interprets playbooks in order to execute your mission when you see something that you want to take action on. They hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository. You can read more about the Phantom platform and playbooks here.

Phantom Announces $13.5 Million Series B Financing Led by Kleiner Perkins

Friends and Phantom Community Members –

It’s been over a year since we launched Phantom, and it’s amazing to see how it has grown. Phantom is now trusted by the world’s largest commercial enterprises and government agencies. While that is a big responsibility, our mission and community focus hasn’t changed, and thousands of you now use or have explored our Community Edition platform.

Today I’m pleased to share the news of our $13.5M Series B investment led by Ted Schlein of Kleiner Perkins. The full release is included below and on Business Wire. This investment allows us to accelerate our mission and continue to make all of you Smarter, Faster, and Stronger through automation!

Join me on a webinar this Friday to learn more about our mission & strategy

With 2016 as a benchmark, the bar is set high for 2017. We’re excited to lead the industry with the first open, extensible, and community-powered Security Automation & Orchestration platform – the heart of your next-generation SOC.

I’d like to share just a few of the accomplishments that made us proud in 2016:

Q1 2016

  • Launched the first version of Phantom.
  • Named most innovative company at RSA Conference 2016.
  • Published first research showing that companies routinely ignore over 75% of security alerts.

Q2 2016

  • Announced In-Q-Tel Strategic Funding Agreement.
  • Awarded $10,000 in prizes to the community in the Phantom Playbook & App Challenge.
  • Launched Phantom Community site which boasts more than 100 Apps – the most in the industry.

Q3 2016

  • Announced industry icon and former CEO of RSA, Art Coviello, as Phantom’s newest advisor.
  • Recognized by SINET16, CRN’s 10 Coolest Startups and Dark Reading’s Best of Black Hat.
  • Delivered first Coding for Security Pros course at Black Hat, awarded $2,500 for best Playbook.

Q4 2016

  • Launched Phantom 2.0 fueled by your feedback with more than 500 enhancements including a new Playbook Editor, Mission Control, and Onboarding experience.
  • Announced strategic relationship with Booz Allen Hamilton.
  • Won GSN Magazine Top Security Orchestration Solution.
  • Crossed the 100 App milestone, supporting over 100 distinct security technology integrations.

Add to that hosting twenty-three Tech Sessions, sponsoring dozens of industry events, and nearly 100 blog posts. We couldn’t have accomplished so much without your support. Our commitment is equally strong through investments like our free Community Edition platform and access to the growing library of Phantom Playbooks and Apps.

Thanks for your continued interest and support!

Oliver

Phantom Announces $13.5 Million Series B Financing Led by Kleiner Perkins

Investment Fuels Continued Growth for the First Community-Powered Security Automation & Orchestration Platform

Palo Alto, Calif. — January 10, 2017 07:30 AM Eastern Time — Phantom, the first company to provide a community-powered security automation and orchestration platform, announced it has raised $13.5 million in Series B funding to accelerate growth in sales, marketing, and engineering. The latest round brings Phantom’s total funding to more than $23 million and is led by Kleiner Perkins. Existing investors TechOperators Venture Capital, Blackstone (NYSE: BX), Foundation Capital, In-Q-Tel, Rein Capital, Zach Nelson, and John W. Thompson also participated in the round.

“Security teams are suffocating from the growing volume and velocity of security alerts,” said Ted Schlein, general partner, Kleiner Perkins. “Lack of integration between point products and a shortage of skilled security professionals only exacerbates the problem and makes it all but impossible to respond. Most enterprises are looking at security automation and orchestration to address these challenges. Phantom’s open and extensible platform is the clear leader in this emerging market.”

“We are extremely excited to partner with Kleiner Perkins,” said Oliver Friedrichs, Founder & CEO of Phantom. “Ted Schlein has been a force of nature in the security industry and has helped to build great companies such as Mandiant, ArcSight, Internet Security Systems, Lifelock, Carbon Black and Fortify.”

Join Phantom Founder & CEO, Oliver Friedrichs, to Learn More About Our Vision & Strategy

The Phantom platform automates and orchestrates security operations enabling analysts to achieve in seconds what may normally take hours or days to accomplish manually. Phantom Apps drive this by acting as the connective tissue to integrate the dozens of discrete point products that enterprises have deployed to secure their environment.

Phantom recently reached an important milestone in surpassing 100 Apps, or distinct product integrations, supporting almost every category of security technology: reputation services, endpoint technologies, sandboxes, firewalls, and common mobile, virtual and cloud-based security solutions. With the largest number of apps in the industry, Phantom customers can automate nearly any security use case, including investigation, hunting, enrichment, containment, resilient regeneration, patch & vulnerability management, and more.

Join the Phantom Community to Learn More About Security Automation & Orchestration

Phantom’s community-powered approach was critical to reaching this milestone as it enables apps to be developed or extended by anyone and shared with other users; more than 25% of Phantom Apps now come from partners, customers, and the community at large.

“By providing an open platform we’ve given people building blocks to automate an almost infinite number of security use cases,” said Friedrichs. “We’re seeing creative Apps that connect services and technologies we had never considered. Engineers in the world’s largest commercial enterprises and government agencies use our platform and extend it to solve some very complex problems.”

Phantom Apps are available for a wide range of industry-leading security technologies from partners including Cisco, McAfee, Palo Alto Networks, RSA Security, Symantec, Splunk, HPE, IBM and many others. In cases where a Phantom App is not yet available, the community-powered approach supports rapid development and sharing.

About Phantom

Phantom, which was recognized as the most innovative company at the 2016 RSA Conference, automates and orchestrates key stages of security operations from prevention to triage and resolution, delivering dramatic increases in productivity and effectiveness. Ranging from simple automation to fully autonomous response, Phantom lets you choose the balance that best fits your organization’s needs while increasing security and accelerating security operations. Focused on closing the security skills gap by enabling enterprise security operations to be smarter, faster and stronger, Phantom provides the flexibility to connect in-house and third-party systems into one open, integrated, and extensible platform. Phantom was founded by enterprise security veterans Oliver Friedrichs and Sourabh Satish, who have helped propel companies like Symantec, Sourcefire, Cisco and others to success. For more information visit: http://www.phantom.us and follow us @TryPhantom.

About Kleiner Perkins Caufield & Byers

Kleiner Perkins Caufield & Byers (KPCB) partners with the brightest entrepreneurs to turn disruptive ideas into world-changing businesses. The firm has helped build and accelerate growth at pioneering companies like Alphabet, Amazon, Flexus Biosciences, Nest, Slack, Snap Inc., and Uber. KPCB offers entrepreneurs years of operating experience, puts them at the center of an influential network, and accelerates their companies from success to significance. For more information, visit http://www.kpcb.com and follow us @kpcb.

Security Automation – A Free Puppy?

I joined Phantom just before the holiday, and I’ll be working with our clients in the Southeastern US. The end-of-year season offers a rare luxury of time, when joining a new company, to reflect on the big picture as much as the details.

I had one of those “big picture” moments over the holiday when I saw a sign for “Free Puppies”. Our twin 6-year-old boys wanted a new puppy for Christmas. I told them that puppies are expensive and require lots of care and feeding. Their response: “Dad, seriously, who wouldn’t want a free puppy from Santa?”

If you’ve had a free puppy, you already know the answer. There are acquisition costs like trips to the vet for check-ups and medications, ongoing maintenance costs like food, training and equipment, plus the unexpected costs of damage to the furniture or, worse, your house. Free is never what it seems.

So how does this relate to security automation?

I’ve been in the security industry for several years. As a new category like security automation becomes popular, everyone rushes to show how they address it. Many will claim they’ve been doing automation for years, and that it is even available in their existing product. Unfortunately, this is where software can seem like a free puppy, costing much more in the long run once you consider what is required to deploy and manage it.

Though enterprise software is never simple, in getting to know Phantom I’ve noticed how much care has been given to reducing the friction in deploying and using a security automation platform. Our onboarding assistant helps configure system settings, connect to a data source, and activate your first few Playbooks to quickly show Phantom in action (watch a short video on Phantom’s onboarding). Once deployed, our visual IDE makes it easy to edit existing Playbooks or create new ones – even if you can’t write code (watch a short video on Phantom’s Playbook editor).

Though Phantom is by no means a free puppy, choosing a purpose-built platform for security automation brings a number of benefits related to implementation and ongoing use. Ultimately this translates to faster time to value and lower overall cost. While free puppies from Santa are great, I’d rather see a clear and quick Return on Investment when deploying new enterprise software. If you’ve ever had a free puppy, I’ll bet you feel the same way.

Sandy Dlugozima
Southeast Sales Manager

Playbook Series: Secure Compromised Accounts

If you are one of the many security analysts who receive threat intelligence about compromised user accounts, you understand the significant amount of time it takes to investigate and respond to each report. In many practices the manual process might include:

  • Parsing the inbound threat intelligence for Indicators of Compromise (IoCs) like username and password pairs
  • Hunting for the IoCs in your local environment
  • Disabling and/or resetting compromised accounts
  • Communicating with affected users to recover access

In the pursuit of greater efficiency and scale, this process is well suited for automation by the Phantom security automation and orchestration platform.

Flashpoint Phantom Playbook
Sample playbook where Phantom automates Flashpoint threat intelligence to secure compromised accounts.

With Phantom, compromised account threat intelligence can be ingested via email to trigger an Investigation Playbook automating the following steps:

  • Identify users who have been compromised
  • Obtain user attributes
  • Query for suspicious activity
  • Notify the user of the compromise
  • Force a password reset
  • Optionally disable the user account
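The intake and decision steps of the flow above (parse the report for credential pairs, identify which are our users, then plan the notify / reset / disable actions), written as an added example that is not Phantom’s playbook API or the Flashpoint playbook shown in the screenshot; the report format, directory and accounts are constructed. A point the list leaves implicit: the leaked plaintext password is needed only to decide that the account is affected, so the plan records a hash fingerprint for de-duplication and never persists the password itself.

```python
"""Compromised-account intake: parse credential-leak intelligence, match it
to local users and plan the response.  Constructed example; the report
format and the user directory are stand-ins, not a vendor's feed format."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed report format: one "email:password" or "email | password" per line.
_PAIR_RE = re.compile(r"^\s*([\w.+-]+@[\w.-]+)\s*[:|]\s*(\S+)\s*$", re.M)

# Constructed local directory standing in for an identity provider lookup.
SAMPLE_DIRECTORY: Dict[str, dict] = {
    "alice@example.com": {"privileged": False, "manager": "dana@example.com"},
    "bob@example.com": {"privileged": True, "manager": "dana@example.com"},
}

SAMPLE_INTEL = """Leaked credentials observed (constructed sample):
alice@example.com:Winter2016!
Bob@Example.com | hunter2
carol@other.example:letmein
"""


@dataclass
class ResponsePlan:
    user: str
    actions: List[str] = field(default_factory=list)
    fingerprint: str = ""  # sha256 prefix of the leaked password, never the password


def parse_leaked_credentials(intel_text: str) -> Dict[str, str]:
    """Extract email/password pairs; users are normalised to lower case."""
    return {user.lower(): pw for user, pw in _PAIR_RE.findall(intel_text)}


def plan_response(intel_text: str, directory: Dict[str, dict],
                  disable_privileged: bool = True) -> List[ResponsePlan]:
    """One plan per affected local user; reports for foreign accounts are skipped."""
    plans: List[ResponsePlan] = []
    for user, password in parse_leaked_credentials(intel_text).items():
        attrs = directory.get(user)
        if attrs is None:
            continue  # not one of our accounts: nothing to do locally
        plan = ResponsePlan(user, fingerprint=hashlib.sha256(password.encode()).hexdigest()[:16])
        plan.actions += ["query_suspicious_activity", "notify_user", "force_password_reset"]
        if attrs.get("privileged") and disable_privileged:
            plan.actions.append("disable_account")  # optional step, applied to privileged users
        plans.append(plan)
    return plans
```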

Automating this process with the Phantom platform has several benefits including:

  • Frees up human resources for other critical investigations
  • Reduces the response time for the threat from minutes or hours down to seconds
  • Ensures the process is handled accurately and consistently every time

Mitigating threats that might use compromised accounts is just one of the many mission-critical use cases where Phantom can help you work smarter, respond faster, and strengthen your defenses. You can read more about the Phantom platform and playbooks here.

Chris Simmons
Director, Product Marketing
