Cybersecurity has become a major concern in the past few years. In fact, organizations across the world are set to spend $101.6 billion on cybersecurity in 2020. Cyber threats are no longer run-of-the-mill and have become increasingly sophisticated. As the complexity of the threats increases, the tools to fight them also become smarter. Phantom Security is one such cutting-edge cybersecurity solution.
Oliver Friedrichs, the CEO of Phantom, says that more than 75% of security teams deal with so many alerts that they begin to suffer from alert fatigue and routinely ignore alerts. The NSA, for instance, addresses tens of thousands of alerts every day, up from just 65 a day. This is because there are many security analytics providers today, each generating its own kind of alert. That makes it very difficult for understaffed security departments to keep up, and important alerts often get ignored.
About Phantom Security
Phantom is a cutting-edge security automation platform that helps organizations dramatically scale their security platforms. To begin with, let’s understand why security automation is so important. Cybersecurity today faces three main challenges that Phantom’s security automation platform tackles so effectively.
Talent Shortage
The increasing complexity of cyber threats means that highly skilled security professionals are needed to combat these threats. This has led to a global shortage of cybersecurity talent. In fact, according to recent estimates, there will be 3.5 million unfilled cybersecurity positions by 2021. Since cybersecurity departments everywhere are woefully understaffed, they need to be as efficient as possible, and that’s where Phantom’s security automation platform comes in. It increases the productivity of skilled security engineers by automating repetitive tasks so that they can work smarter.
Delays can be costly
Using manual processes can cause a significant delay between detection and response. With cyber attacks, even a small delay can cause significant losses. If too much time elapses, enough data can be stolen to be sold on the black market or used to hold the company to ransom. Phantom can reduce detection-to-response time significantly, thereby preventing major losses.
Numerous vendors help create a comprehensive strategy
In today’s day and age, most companies have to work with cybersecurity solutions from numerous vendors to create a comprehensive defense against agile threats. This best-of-breed strategy is helped by security automation. Phantom security integrates diverse products so that they can seamlessly work towards the defense of your organization.
The Phantom security platform “combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools together.” Here are the major features of Phantom’s security platform.
Integrating security infrastructure
Phantom supports 225+ apps and 1200+ APIs. This allows security teams to connect their different security solutions and coordinate complex workflows. Teams need only focus on the goals they want to achieve; Phantom’s abstraction layer translates those goals into actionable tasks for the individual tools.
Automating repetitive security tasks
Phantom is able to automate tasks like detonating files and quarantining devices across the entire security infrastructure. This automation allows these tasks to be completed in seconds instead of the hours it takes when done manually. For instance, with Phantom, companies can process malware email alerts in about 40 seconds, compared with 30 minutes or more. Security teams can even codify their workflows into automated Phantom playbooks. This can be done using the Visual Editor or the integrated Python development environment.
Incident response and management
Phantom has integrated collaboration tools that drive efficient communication across security teams. Phantom’s event and case management can be used to rapidly triage events. Events that are confirmed are then aggregated and escalated to cases within the platform. This allows for proper tracking and monitoring of the cases. Teams can measure and report on all SecOps activities through the platform so that proper human oversight and audit becomes possible.
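To make the playbook pattern from the two sections above concrete, here is a small toy playbook runner. It is an added example written for this article, not Phantom's own code or API: the detonation and quarantine "connectors" are constructed stand-ins (FAKE_SANDBOX, QUARANTINED) for vendor integrations, and the alert fields and verdict strings are assumptions. What it shows is the part that matters for a team writing playbooks: a fixed sequence of actions, a decision branch on the verdict, an approval hook before a disruptive action, and an audit record of every step (including failures) so that human oversight remains possible.

```python
"""Toy SOAR-style playbook runner.

Added example, not Phantom's code or API. It models the pattern the
article describes: an alert arrives, a playbook runs a fixed sequence of
actions (detonate the file, read the verdict, quarantine the device),
and every step is recorded so an analyst can audit what automation did.
The 'connectors' below are constructed stand-ins for vendor integrations.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed sandbox verdicts keyed by SHA-256 (stand-in for a detonation service).
FAKE_SANDBOX: Dict[str, str] = {
    "a" * 64: "malicious",
    "b" * 64: "benign",
}

# Hosts the toy endpoint connector has isolated so far.
QUARANTINED: set = set()


@dataclass
class Alert:
    alert_id: str
    host: str
    sha256: str


@dataclass
class PlaybookRun:
    alert_id: str
    steps: List[dict] = field(default_factory=list)
    outcome: str = "pending"

    def record(self, action: str, status: str, detail: str = "") -> None:
        """Append one audit entry with a UTC timestamp."""
        self.steps.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "status": status,
            "detail": detail,
        })


def detonate_file(alert: Alert) -> str:
    """Constructed detonation connector: returns the verdict or raises if none exists."""
    if alert.sha256 not in FAKE_SANDBOX:
        raise RuntimeError(f"sandbox has no verdict for {alert.sha256}")
    return FAKE_SANDBOX[alert.sha256]


def quarantine_device(alert: Alert) -> None:
    """Constructed endpoint connector: marks the host as isolated."""
    QUARANTINED.add(alert.host)


def run_malware_playbook(
    alert: Alert,
    approve_quarantine: Callable[[Alert], bool] = lambda a: True,
) -> PlaybookRun:
    """Detonate -> decide -> contain.

    Failures and skipped steps are recorded rather than hidden, and the
    containment step passes through an approval hook so a team can keep
    a human in the loop for disruptive actions.
    """
    run = PlaybookRun(alert.alert_id)
    try:
        verdict = detonate_file(alert)
        run.record("detonate_file", "success", verdict)
    except RuntimeError as exc:
        # No verdict: never contain on missing data; hand the case to an analyst.
        run.record("detonate_file", "failed", str(exc))
        run.outcome = "escalate_to_analyst"
        return run

    if verdict != "malicious":
        run.record("decision", "success", f"verdict {verdict}, closing")
        run.outcome = "closed_benign"
        return run

    if not approve_quarantine(alert):
        run.record("quarantine_device", "skipped", "approval denied")
        run.outcome = "awaiting_approval"
        return run

    quarantine_device(alert)
    run.record("quarantine_device", "success", alert.host)
    run.outcome = "contained"
    return run


if __name__ == "__main__":
    for a in (Alert("evt-1", "ws-01", "a" * 64),
              Alert("evt-2", "ws-02", "b" * 64),
              Alert("evt-3", "ws-03", "c" * 64)):
        result = run_malware_playbook(a)
        print(a.alert_id, result.outcome,
              [s["action"] + ":" + s["status"] for s in result.steps])
```

The design point is the missing-data branch: an unknown verdict escalates to an analyst instead of either quarantining blindly or silently closing the alert, and the audit trail in `steps` is what lets the team report on what automation did and did not do.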
About Phantom platform version 4.0
Phantom was acquired by Big Data firm Splunk last year for a whopping $350 million. Phantom platform version 4.0 is Phantom’s first big product release since the acquisition. Phantom Security version 4.0 is part of Splunk’s comprehensive suite of security solutions. Along with Splunk Enterprise Security (ES) and Splunk User Behaviour Analytics (UBA), Splunk Phantom 4.0 completes Splunk’s security portfolio. The idea is that this portfolio will provide companies with the comprehensive one-stop security solution that they’re looking for.
Released in October last year, Splunk Phantom 4.0 has better SOAR (Security Orchestration, Automation and Response) technology to help security teams respond quicker and work smarter. Phantom Platform 4.0 enables SOCs (Security Operations Centers) to automate workflows and orchestrate tasks, and supports them in a number of functions ranging from reporting and collaboration to event and case management. Phantom 4.0 also has a whole new range of functionality that has greatly enhanced its value to security teams all over the world.
The new functionalities added in Phantom platform version 4.0
Here are the three major functionalities that have been added to Phantom platform version 4.0.
Clustering Support for added performance and redundancy
With talent shortages and multiple alerts, the biggest challenge for security departments is to scale up their security platform without fatigue and burnout. The clustering support feature enables them to do just that. It allows Phantom to scale horizontally by using additional instances for both redundancy and added performance. The workload gets distributed among the different nodes of a Phantom cluster, which adds performance. Redundancy is increased by replicating data across the different nodes of a cluster, which ensures the continuity of critical security operations.
Indicator view for threat intelligence style analysis
A major challenge security teams face is the sheer number of events and alerts they deal with on a daily basis. This can cause alert fatigue and lead to important alerts being ignored. The Indicator View is a new way of dealing with this problem. Indicator View provides a different way of visualizing security data. Security data on the Phantom platform is now presented in such a way that it’s organized by indicator rather than by event. This makes threat-intelligence style analysis much easier. Indicators that are used for this kind of data visualization include domain names, file hashes, IP addresses, and any other artifact field that is defined.
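The following added example (written for this article, not Phantom's code) shows what "organized by indicator rather than by event" means in practice. It takes four constructed events from different tools, extracts the indicator types the section names (domain names, file hashes, IP addresses), and inverts the event list into an index keyed by indicator, so that one hash seen by both the email gateway and the endpoint agent, or one external IP seen by both the proxy and the firewall, becomes a single pivot point instead of four separate alerts. The internal address ranges, regexes, and sample hash are assumptions; a real deployment would use its own asset ranges and the artifact fields its apps define.

```python
"""Indicator-centric view over event-centric security data.

Added example, not Phantom's code. The event view lists alerts one by
one; the indicator view inverts that index so each domain, public IP or
file hash points at every event, from every source, that mentions it.
All events, hashes and addresses below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed internal address space; an organization would list its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

SAMPLE_HASH = "0123456789abcdef" * 4  # constructed, not a real file hash

# Constructed events from four different tools, as they would appear in an event view.
EVENTS: List[dict] = [
    {"id": "evt-1", "source": "email_gateway",
     "text": f"phishing mail from sender@mail-lure.example links to "
             f"update.lure-cdn.example, attachment sha256 {SAMPLE_HASH}"},
    {"id": "evt-2", "source": "proxy",
     "text": "host ws-17 (10.0.4.17) connected to update.lure-cdn.example at 203.0.113.45"},
    {"id": "evt-3", "source": "edr",
     "text": f"ws-22 executed file with sha256 {SAMPLE_HASH}"},
    {"id": "evt-4", "source": "firewall",
     "text": "blocked outbound to 203.0.113.45 from 10.0.4.22"},
]


def extract_indicators(text: str) -> Dict[str, Set[str]]:
    """Pull indicator-like fields out of free text; internal IPs are assets, not indicators."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # the loose regex also matches things like 999.1.1.1
        if not any(addr in net for net in INTERNAL_NETS):
            found["ip"].add(ip)
    for h in SHA256_RE.findall(text):
        found["sha256"].add(h.lower())
    for d in DOMAIN_RE.findall(text):
        found["domain"].add(d.lower())
    return found


def build_indicator_view(events: List[dict]) -> Dict[str, dict]:
    """Invert the event list into {indicator: {type, events, sources}}."""
    view: Dict[str, dict] = {}
    for ev in events:
        for kind, values in extract_indicators(ev["text"]).items():
            for value in values:
                entry = view.setdefault(value, {"type": kind, "events": [], "sources": set()})
                entry["events"].append(ev["id"])
                entry["sources"].add(ev["source"])
    return view


def rank_indicators(view: Dict[str, dict]) -> List[str]:
    """Indicators corroborated by more independent sources come first."""
    return sorted(view, key=lambda k: (-len(view[k]["sources"]), -len(view[k]["events"]), k))


if __name__ == "__main__":
    v = build_indicator_view(EVENTS)
    for ind in rank_indicators(v):
        e = v[ind]
        print(f"{e['type']:7} {ind:48} events={e['events']} sources={sorted(e['sources'])}")
```

Ranking by number of distinct sources is the piece that counters alert fatigue: an indicator corroborated by the proxy and the firewall, or by the mail gateway and the endpoint agent, surfaces first, while internal addresses are treated as assets and never become indicators at all.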
Native Splunk search support
After Splunk’s acquisition of Phantom in 2018, Splunk became the default search engine in Phantom 4.0. Of course, the Elasticsearch engine continues to be an option for users who still prefer it. The advantage of Splunk search support is that teams can use either existing or new external Splunk instances to keep a single store for all their security data.
Apart from the major features described above, there are also numerous enhancements to the overall user experience and functionality of the platform. The user interface has also been updated to reflect Phantom’s integration with Splunk.
Benefits of using this version
Here are some of the major benefits that the new version comes with.
A complete suite of security solutions when used with Splunk’s other security products
Phantom’s latest version is a key piece in the data-analytics driven security solution that Splunk stands for. Splunk’s offerings include its Enterprise Security (ES) product, which focuses on identifying and remedying threats quicker. It also includes its User Behaviour Analytics (UBA) product, which focuses on analytics-driven cybersecurity. Phantom 4.0 is the last piece of this puzzle, as it enables an automated, integrated, and scalable security platform. When used together, all three products can provide the comprehensive cybersecurity solution that most organizations need urgently.
Improved scalability of your security platform
The new version enables horizontal scalability of the platform by enabling clustering support for added performance and redundancy. This is a great feature for those security teams that have been struggling with this issue.
A different approach to threat intelligence analysis
Most traditional cybersecurity solutions assume that events are the best way to drive threat intelligence analysis. Phantom’s new version turns that on its head by using an indicator view. This kind of data visualization can provide meaningful threat intelligence to security teams without overwhelming them.
Summing up
Phantom’s automated orchestrated security platform has definitely helped fill some critical gaps in cybersecurity operations. It integrates and automates existing security infrastructure in a way that allows for faster response. The Phantom Security Version 4.0 has some new functionalities that enhance scalability and enable intelligence-style analysis of cyber threats. Combined with Splunk’s other security solutions, the Phantom platform version 4.0 is definitely a step forward in cybersecurity technology.
2019-3-7-1551965258