Why I’m Investing the Next Phase of my Career in Security Automation, Orchestration, and Response

Rich Bowen recently joined Phantom as our Vice President of Engineering. We asked Rich to provide his thoughts on the industry and what led him to join the Phantom team.

I’ve been a security guy for over 10 years now, first cutting my teeth at security vendor Fortify. Fortify is a static analysis tool used to find security vulnerabilities in code as early as possible in the development lifecycle. In 2010, I joined HP as part of their acquisition of Fortify. For the last 5 years, I’ve been in various leadership positions at ArcSight, which was also acquired by HP back in 2010. While with ArcSight, I’ve led engineering teams working on their app marketplace, security content, and ArcSight Enterprise Security Manager (ESM), the company’s Security Information and Event Management (SIEM) solution.

During my journey, one of the things that has been indelibly etched upon my brain by SOC managers is just how difficult it is to find and retain talented security professionals. There just aren’t enough of us to deal with the explosion of the modern attack surface, the volumes of data, and the proliferation of threats working to compromise the integrity of the systems that run our organizations. This shortage of resources leads to several issues, among them an inability to deal with all of the alerts generated, consistency challenges around investigating and responding to alerts, analyst fatigue, and ultimately an inability to scale and grow in maturity. We’re under constant pressure to find and respond to more advanced security threats, while at the same time struggling to deal with the basic ones we are already able to detect.

My experience at ArcSight led me down the path of trying to tackle this problem by making more security detection content available to the community. We had to start by adopting and developing a modular and extendable framework to work from. From there, we built an environment where community knowledge could be leveraged and shared. This allowed organizations to reduce the barriers to expanding their monitoring coverage and, in turn, increase the signal-to-noise ratio in their environments. We also wanted to help security organizations mature their practice using a common framework that could be built upon as the program evolved and the team changed. I’m a huge believer in the power of community and the need to refine data into usable information whenever possible. Looking ahead, there is a vast proliferation of analytical capabilities to detect bad things, but these tools don’t always simplify things. They can also add to the volume of alerts and introduce more complexity to the process of investigating and responding to them.

We’re all technology folks, right? What do you do when you see humans struggling to keep up with a flood of machine-generated alerts, some repetitive in nature, others more complex, and all requiring some degree of predictable but time-consuming research? Ask a machine to help! Enter Automation and Orchestration. The next logical step for the security industry is helping organizations do a better job of dealing with the threats we can programmatically detect, which frees up resources to hunt for the more complex and advanced ones. Orchestration allows us to define the best processes to follow, and automation allows us to execute that best process with precision and at machine speed, freeing up humans for critical decision making or for hunting deeper into the data. This advance allows us to scale our teams’ response capabilities, and it allows us to scale the careers of our analysts as we free their time to focus on more complex and fulfilling activities with a higher value to our security practice.

I was sold on this exciting new aspect of the security market and started looking for the right company. Security is a hot market, with a lot of Venture Capital (VC) funding fueling a crowded startup environment. This means you really need to pick the top player in any given space, because they can’t all be winners. As I did my research, which included talking to a lot of VCs, security executives, and SOC managers, Phantom kept coming up in conversations. As I drilled deeper, I learned about Phantom’s head start with some very distinguished backers, and how the product had a time-to-value measured in hours. I was able to set up the product in my home lab easily and found a beautiful and intuitive UI. Other players in the space were known to require a services professional with every install. My research continued to reinforce what a unique and special opportunity Phantom represents. As I met the team, I was blown away by the quality of the people, and I could feel how everyone had the same passion and sense of mission as I do to help advance security. I felt like I had come home, and I was sure I had found my next team.

I’m honored to be leading engineering here at Phantom and I’m looking forward to building on the stellar legacy of this team and this product to help make the world a more secure place!

Rich Bowen
VP of Engineering