SOARing with Phantom Cyber — Why Security Orchestration & Automation is Critical

Security orchestration is critical for modern security teams, but effective orchestration demands advanced analytics.

For many organizations, cybersecurity defense has never been more challenging than right now. Cyber incidents, attacks, and breaches are increasing in complexity, scope, and frequency. At the same time, organizations must move the ball forward on enhancing their security architecture and strategy, in order to achieve defense in depth.

This results in a familiar problem: too much to do, too little time. But, what if we could codify and automate the manual tasks that human analysts perform today? This is now possible with the emergence of security orchestration, commonly referred to as SOAR or SOAPA platforms. For modern security teams, security orchestration is critical but effective orchestration demands advanced analytics.

At Interset, we’ve always believed in openness and integration, which is why we’re excited to announce our latest integration with the Phantom Security Operations Platform.

Before I talk about the new integration with Phantom Cyber, let’s take a step back. What is SOAR/SOAPA? These are the latest technologies that promise to help organizations address their cybersecurity threats and cover their resource gaps. SOAR and SOAPA are conceptually the same, but as with any new technologies, the term to describe the set of capabilities is being still defined. You might see SOAR advertised as:

  • Security Operations, Analytics, and Reporting
  • Security Orchestration Automation and Response/Remediation
  • Security Orchestration Analytics and Response/Remediation

SOAPA, on the other hand, is definitively defined by the Enterprise Strategy Group as Security Operations and Analytics Platform Architecture.

All that to say: you say to-may-to, I say to-mah-to. SOAR/SOAPA essentially describes a security architecture that encompasses capabilities to process data, create intelligence, automate non-value adding tasks, orchestrate complex security processes, and ultimately enable faster and more informed decision making to mitigate risk.

Contrary to what many vendors may claim, it does not need to be a single solution or platform. Let’s not fall for the “single pane of glass” fallacy for the millionth time. It’s absolutely possible, but it is not the only way to do it.

In many ways, next-generation security architectures mirror the Hadoop ecosystem (learn more here). Any single technology such as Apache Kafka provides limited value, but when combined with other technologies, there is immense value and insight.

With our new integration, Phantom’s orchestration and automation capabilities are able to seamlessly integrate Interset’s analytics findings with playbook execution, reducing the time delay and cost of manually taking action when a risky entity is identified by Interset. Similarly, Phantom can supply information into Interset’s analytic engine for a tighter coupling between multiple security tools.

This powerful integration is bi-directional, with analytical findings feeding into Phantom and suspicious events feeding back into Interset to improve detection. In Phantom’s latest release, you’ll find a new Interset App in the Phantom App Store. With the App, components of the Phantom security ecosystem can adjust the sensitivity of Interset’s AI and machine learning models to behaviors of users, devices, machines, and other entities in your population.

Interset App Phantom

For example, you can use the Interset App to increase the importance of contractors when, according to the HR system, those contractors are within two weeks of the end of their term, making them more sensitive to behavioral anomalies. These are really simple but powerful examples, and there are many more complex use cases that can be achieved.

You’ll also find new playbooks in the Phantom playbook library, that are automatically invoked in response to analytical findings from Interset.

You can automate playbook responses to automatically perform actions such as quarantining a high-risk user or taking a snapshot of a high-risk endpoint for further investigation.

Phantom Playbook - Interset

With these new integrations, Phantom and Interset are enabling organizations to maximize their existing security investments, streamline their operations, and ultimately move faster and smarter in an increasingly complex landscape.

Pabi Ambikainathan is a product manager at Interset.