Understanding Multi-Tenancy on the Phantom Platform

We recently introduced specialized support for Managed Security Service Providers (MSSPs) in the Phantom Security Operations Platform. Now Phantom natively supports the management of multiple customers from one instance, the approach to multi-tenancy most frequently requested by MSSPs. With multi-tenancy enabled, analysts working in a Security Operations Center (SOC) at a service provider can view and process events spanning multiple customers simultaneously, thereby increasing their productivity and avoiding the wasted time that comes with logging into and out of various systems.

Figure: Filtering Events in the Analyst Queue by Tenant

How it Works

The Phantom Platform uses a tenant identifier to associate ingested security data with the appropriate tenant on the platform. While security data and ingestion sources are unique to each tenant, other items like assets, playbooks, and Service Level Agreements (SLAs) can be unique or shared across multiple tenants on the system.

Specific security considerations were also implemented for multi-tenant Phantom deployments. We have long offered granular role-based access controls for almost every aspect of the platform, including access to individual assets, playbooks, configuration settings, and more. With multi-tenancy features enabled, an additional level of granularity is introduced. Administrators can grant users access to one or more tenants to ensure that only the team members who require a certain level of visibility into customer data are authorized by the system.

Realizing Economies of Scale

Having visibility across multiple tenants simultaneously has a number of benefits. One unique benefit to the service provider analyst is that they can leverage the existing knowledge from previous cases to support their investigations and decision making, allowing them to get to the appropriate course of action in an active case faster.

Another benefit of multi-tenant visibility is earlier identification of attack campaigns. Campaigns are commonly targeted at specific industries, geographies, or organization sizes. Even knowing that a campaign is not targeted at multiple organizations can provide valuable insight into an active case.

Finally, there are scenarios where the service provider can develop playbooks that operate across multiple customers to accomplish a goal. Threat hunting might be one goal, where indicators or artifacts can be searched for across the widest possible dataset. A service provider can also rapidly implement a new control across all customers to prevent a rapidly propagating attack, saving precious time and dramatically reducing risk exposure.

Operations Supported

Administrators on the Phantom Platform can perform these operations unique to multi-tenant environments:

  • Create a new tenant
  • Restrict access to a tenant using Role-based Access Control (RBAC)
  • Define SLA policies per tenant
  • Create an asset for a single tenant or multiple tenants
  • Create a playbook for a single tenant or multiple tenants
  • Filter the analyst queue based on tenant
  • Filter the dashboard metrics based on tenant

Learn More

You can test drive the multi-tenancy features of the Phantom Platform when you join the Phantom Community and download the free Community Edition. For more info, visit https://phantom.us/join.