My Journey to Security Automation & Orchestration

I’ve been involved in information technology and the information security space for over twenty years and have seen an industry that’s been constantly trying to solve common IT security threats with a plethora of software and hardware tools.

In the early days, antivirus appeared to be the right solution to the problem. As the sophistication of attacks increased, however, the solutions that came to market to mitigate new threats became increasingly complex, expensive, and required talented IT professionals to use them properly.

I was fortunate to be part of a company that was at the genesis of enterprise patch management, known as PatchLink (and later as Lumension). As employee number five, I got to see first-hand how known vulnerabilities were being exploited in operating systems, applications, databases, and hardware via firmware. Back in the early 2000s, I watched our concept of enterprise patch management become an effective defense against unpatched, and often well-known, vulnerabilities.

In 2004, a nasty buffer overflow exploit known as the Sasser worm really got companies to understand that the old way of patching systems and applications was ineffective, especially for companies that had 5,000 to 400,000 endpoints; hence, a new sector in the InfoSec space was born and fast-tracked to become a standard. While that turned out to be the first line of defense for companies mitigating IT security threats to operating systems and applications, it was only part of the answer, because the sophistication and frequency of attacks increased much faster than software companies could respond properly.

Zero-days, phishing, DDoS attacks, and sometimes just simple social engineering threats derailed some of the most protected computer environments. The response to these threats? More InfoSec software companies were created, each offering a compelling “best of breed” solution for a subset of unique problems. Some matured to offer “best of suite” platforms, which provided a more aggregated approach, but the problem has still gotten worse and more complex than ever before. Today we’re in a battle to keep corporate enterprises and the data that flows through them secure, and to maintain uptime to ensure productivity, all while attempting to do it on constrained budgets. Further, even mature IT and SOC departments at some of the largest and best-funded companies can’t escape the reality that there is a huge shortage of people with the right skills to map to the problems. It’s a vicious circle and one that every large company, federal department, and state and local municipality faces today.

After PatchLink/Lumension was sold in 2014 and merged into Heat Software in 2015 (which is now part of Ivanti via a 1.1B acquisition of LanDesk), I helped to divest their IT GRC product. I spent 18 months with the IT GRC solution provider that purchased the asset, helping that company offer an impressive and true IT GRC product, coupled with true IT risk practitioners, as a complete offering to customers. During this period, I continually saw and learned of the tremendous skills shortage, not only in the IT GRC segment but, more importantly and perilously, the shortage of people in the SOCs of some of the largest companies both domestic and abroad. Furthermore, these same companies were trying to manage 25-75 different IT security products that detected threats and oftentimes also handled remediation and reporting. There was, and still is, a mismatch between human capital demand and supply for all F-5000 companies. To make the situation worse, most of these companies are competing for the same talented people within the communities and cities where they’re located.

It appeared to be a tremendous challenge, and one that could possibly have some form of resolution. So, as I transitioned out of the IT GRC company, I began to look for companies that were trying to solve this problem with “real” solutions. I knew that simply adding more people to the problem wasn’t the answer. I also knew that there were, and are, some really good products on the market today that can significantly reduce the “pain” companies have, but that still didn’t alleviate the pressure to hire the right people with the right knowledge of security threats and the product knowledge to use the tools properly. At RSA this year, about 1,500 independent InfoSec software vendors participated in some capacity. Completely insane. I know there are great companies and great products, but how does a company filter all the noise, procure the right solutions, and then get the right people to use the products as intended? A daunting task, for sure…

So, after about six months of really getting my arms wrapped around the problem and starting to identify possible solutions, I reached out to my network of InfoSec pros all around the globe and just started to ask questions. What I heard time and time again was “security automation and orchestration.” Companies are looking to maximize their headcount, decrease the time needed to filter out actual threats, and decrease the mean time to resolution (MTTR); thus, they gain greater assurance that the enterprise is secure while not increasing costs, and often lower expenses by reducing the actual number of FTEs required to perform tasks. This is not a replacement of skilled people, but a reallocation of headcount that allows those skilled employees to use automation tools to perform more tasks and be more productive, while inherently decreasing their actual workload and stress!

Once I believed that this was a way to improve efficiencies and optimize the InfoSec and SOC departments, I set out to determine which company had the best and brightest engineers, the most experienced team with a track record of success, a dedicated pre- and post-sales team that ensures a high level of customer satisfaction by actually using the products in production, and the financial strength to build out the necessary infrastructure to support its customers. I looked at everyone in the space: I reviewed all the white papers, spoke to analysts, spoke to customers, spoke to the investors, and, most importantly, spoke to many members of the executive, engineering, and sales/marketing teams.

I found that there are several decent companies on the market today, but most only focus on a few areas like incident response or case management. Very few have a really strong automation and orchestration platform that currently integrates with over 120 applications, soon to be over 200; essentially the key security software products that the majority of F-5000 companies use today. Further, most companies don’t have the depth and breadth to support all aspects of the business, or the backing of some of the best and brightest minds in the InfoSec space, both in a technology advisory capacity and in a financial support capacity.

I found a company that is led by a fantastic team that truly wants to have the best Security Automation and Orchestration product on the market, and they work tirelessly to ensure that it meets and/or exceeds customers’ expectations. They really listen to customer feedback and incorporate that information into the product roadmap and new builds. After all my due diligence, and what I personally believe was a journey to find a real solution that provides concrete ROI, bridges many of the disparate InfoSec products into a single platform, and has a truly extraordinary team of people, I am happy to say that I’m now a part of Phantom: The leader in Security Automation & Orchestration.

In my role in Business Development, I’m excited to be working with the “who’s who” in the InfoSec space—building key strategic partnerships with our Independent Software Vendor (ISV) ecosystem and working with other members of the Phantom Community to ensure that the business partners we’re working with are aligned to the community’s needs.

Onwards and upwards!

Rich Hlavka
VP, Business Development
Phantom