#splunkconf18 Preview: Brewing up Security Automation Use Cases with Phantom and Starbucks

One of the things I’m most proud of when I talk about the Phantom security orchestration, automation, and response (SOAR) platform is its flexibility to adapt to just about any security operations (SecOps) use case. Another great thing I’m proud of is the large and active Phantom Community of users who have built and implemented automation playbooks that solve real-world problems—problems that I never conceived of when I originally architected the platform.

To be clear, orchestration of disparate security products that were never really intended to work with each other is not a simple task. There’s a tremendous amount of engineering on the backend that makes sure that the right action is executed at the right time. On the front end, however, we wanted a user experience that makes the hard problem of building an automation playbook easy. And so our visual policy editor did just that, enabling users with little to no coding experience to use the platform to assemble actions into playbooks and, in turn, solve some of their biggest security problems.

Mike Hughes, the Director of Information Security at Starbucks, and I will co-present a session at .conf18 next week on automation use cases implemented with the Phantom platform. We’ll cover the background and thought process that goes into identifying the ideal use cases and walk through several examples like the one below.

The example shown above is a nontraditional security use case that involves responding to user reports of URLs blocked by a proxy. If you want to get a security analyst’s attention, explain how you can reduce or eliminate these kinds of tasks from their workload! While it’s exciting to talk about use cases that really push the envelope of what’s possible, the most useful automation use cases are often those that eliminate highly repetitive and boring security tasks.

While I’ve been an attendee in years past, I’m super excited to participate in my first .conf as a Splunker. I’m also excited to co-present these security automation use cases with Mike. If you’re attending .conf18, be sure to register for the session and join us!


SEC1979 - Splunk Phantom at Starbucks
Tuesday, Oct 2, 4:45 p.m. – 5:30 p.m.

Also, be sure to check out all of the Phantom-related sessions at .conf18, part of the Security, Compliance and Fraud track.

Follow all the conversations coming out of #splunkconf18!

Posted by Sourabh Satish