Development / Security

Phantom Coordinates Security Software for Playbook Automation

23 Jan 2017 7:48am, by

Security startup Phantom tackles the notorious interoperability challenges enterprises face as they add ever more security technologies to their arsenals.

The company likes to point to a Cisco report that found the average enterprise uses 56 different security products.

“None of it works together. And large companies expand through acquisitions,” said CP Morey, Phantom’s vice president of products and marketing. “You have all this gear. It doesn’t interoperate. It’s throwing off tons of alerts. The team you have can’t keep up with it.

“With the shortage of security talent, can’t even hire enough people to deal with this. Automation is really the only way to approach it.”

Private equity company Blackstone, one of Phantom’s investors, for instance, uses the technology to automate the steps it uses to determine whether a piece of malware requires action:

  • Determining all recipients of the malware
  • Using Active Directory to collect context from the profiles of all affected users
  • Orchestrating a “hunt file” action in Carbon Black and querying iSIGHT Partners’ threat intelligence database before concluding with a file reputation check on VirusTotal and an assessment by Cylance’s Infinity model.

It then presented the results to the security team, which will determine whether to take action.

This process, which takes about 40 seconds with Phantom, previously took 30 to 45 minutes, according to Blackstone.

Python Base

The keys to Phantom are playbooks and apps, both written in Python. What it calls apps abstract the APIs to various security products allowing Phantom to connect to them. It has more than 100 apps that connect to 80 different security technologies. Playbooks are the “recipes” or instructions that users automate from. Playbooks script more than 120 common security actions, such as geolocate IP, terminate process, disable user ID.

Assets such as firewalls, endpoints, sandboxes, and directory services can be configured to have owners, either individuals or groups, who are notified about actions taken and the context surrounding those actions. Those owners can then approve, change or deny these actions.

Government agencies, for one, tend not to want to share their playbooks, Morey said, but most users do. Playbooks are shared on GitHub, and some users like to set up their own repositories, such as this and this.

Connecting to all the various security products is labor-intensive, making community input vital to the success of such a small company, 451 Research points out in an evaluation of Phantom.

Rise of Automation

“Niche and point-product security vendors seem to be committing to robust interoperability as never before, likely because customer surveys point to skills shortages, manual and complex workflows, massive data volumes, low product interoperability and an unsustainable spending trend,” according to 451 Research.

The company’s co-founders have a long history in security. This is serial entrepreneur Oliver Friedrichs’ fourth security startup. Among them, Immunet was acquired by Sourcefire in 2010, which subsequently Cisco purchased in 2013. Phantom Co-founder and Chief Technology Officer Sourabh Satish is a prolific inventor and holds more than 160 patents, with about 60 more pending.

The company, founded in 2014, made its platform GA in January, then three weeks later, won the Innovation Sandbox at the RSA Conference.

Phantom competes with the likes of Invotas, acquired by FireEye; Hexadite; CyberSponse and ForeScout. Its focus on community is its primary differentiator, Morey said. While Phantom can be used in the cloud, most clients use it on-premise. One of its key benefits is ensuring consistent handoffs as operations and security teams work together more closely, he said.

Phantom appeared at an opportune time, according to 451 Research, with increased attention to automation in security. It also predicted Phantom will be an acquisition target.

A survey from Hexadrite found 62 percent of respondents said their organizations are pushing toward incident response automation and orchestration for data collection, to reduce human error and to improve their ability to respond to incidents.

Phantom is part of Splunk’s Adaptive Response Initiative, announced earlier this year, which aims to help organizations adapt their response to attacks across multiple technologies.

It’s also involved with the Integrated Adaptive Cyber Defense (IACD) project, a collaboration between the Department of Homeland Security, the National Security Agency  and Johns Hopkins University aimed at automating security in very large-scale environments; and In-Q-Tel, a U.S. government-led venture-capital-like organization that acts as a conduit between startups with the potential for high impact on national security and federal agencies, Morey said.

Cisco is a sponsor of The New Stack.

Feature image via Pixabay.

A newsletter digest of the week’s most important stories & analyses.

View / Add Comments

Please stay on topic and be respectful of others. Review our Terms of Use.