A few lucky attendees at RSAC took home one of our customer-commissioned Phantom LEGO SOC kits thanks to a casual comment by Sourabh, our CTO. He remarked that Phantom’s open and extensible architecture works like LEGO for the SOC, since you can assemble our playbooks, apps, and actions to support just about any use case imaginable.
As a father of twin boys, I live in a house of avid LEGO users, and I’ve been thinking more about Sourabh’s analogy. It rings true in many ways.
Building a LEGO set follows a defined process. Thankfully, instructions are supplied, so you finish the process with something that matches the photo on the front of the box. As I tell my boys, skipping or overlooking a step in the process introduces errors. Your final result may not match the desired outcome.
SOC workers follow a process too, and Phantom Playbooks can drive accuracy and consistency in that process. For example, as analysts become overwhelmed with increasing alert volume, they may overlook key indicators. Similarly, experienced analysts might be tempted to make “gut calls” to skip key parts of the process based on previous incidents and incomplete information. With a Phantom Playbook, the same data is gathered for every alert, and every alert is investigated and memorialized the same way, every time. In simple terms, your final result matches the desired outcome.
Sourabh’s analogy related how Phantom’s Playbooks & Apps can be mixed to support a wide range of use cases. There is an important corollary to this point. When my boys invariably ask for a new LEGO set, I urge them to first see how their existing LEGOs (and we have boxes full of them) can be used to create any structure they can imagine. Ultimately, this also saves Dad money!
Similarly, automation harnesses the power of your existing security investment by integrating the products and services you already use. In fact, the back of our LEGO SOC box (below) shows a sample of the products and services Phantom supports. It is a bit dated, though, as we now have nearly 120 Phantom Apps available. See my.phantom.us for an updated list.
Southeast Sales Manager