Advancing Security Operations at Penn State University with Phantom Automation

The following is a guest blog post from Chris Decker, Enterprise Security Manager at Penn State University.

Consider information security at an organization that has 17,000 employees, 100,000 inhabitants, an airport, a power plant and a police force. You might think we're talking about protecting assets for a mid-size city or large corporation—that'd be a good guess. A large university; well, that might surprise a few people.

Large universities present their own unique information security challenges. In some ways, their size and scope are like a mid-size city; in other ways, they are even more complex. Universities have large, legacy administrative systems, cutting edge research, intellectual property and lots of sensitive data. In other words, they have valuable information assets. Now consider the fast, open networks, a diverse user base and decentralized IT support—along with the expectation of autonomy to support free-thinking. It can be easy to imagine the risks.

As you can imagine, threat detection in this environment and at this scale can be challenging. Penn State’s Office of Information Security is tasked with detecting threats in our environment, while not impeding the primary mission of the University.

Higher education resources are often limited and we have to work to make the most of available resources. A growing challenge in higher education information security is staffing a SOC with qualified, experienced personnel. Penn State is no different. In contrast, there seems to be an unlimited supply of adversaries operating in a 24x7 fashion. This creates significant workloads that can burn out or even overwhelm our analyst. It quickly became evident that we needed to turn to automation to supplement our analysts.

In the past, each analyst used their work experience to “duct tape” together a variety of Python, Perl and bash scripts, but that was very time consuming as systems and APIs changed and quickly became difficult to maintain. It also was a huge barrier for less experienced personnel who had no scripting or programming background. Finally, while we have “plays,” occasionally a step would be overlooked or forgotten.

Earlier this year we purchased the Splunk Phantom platform to help address these problems.

The first challenge we threw at Phantom was to automate our Tier-1 phishing workflows. We receive more than 50 phishing reports daily, many of which are duplicates. A team of analysts pours through the submissions, takes appropriate action and then provides a tailored response to the submitter. This process is tedious, time consuming and frankly it ties up analysts whose time is better spent elsewhere.

With Phantom, this workflow is now automated. Previously-known threats are automatically triaged and a tailored response is sent back to the submitter with no human interaction required. All other submissions are sent to Phantom Playbooks to enrich the data so an analyst has all of the necessary information at their fingertips:

  • Submitter information (department, title, priority, etc.) from Splunk
  • URL reputation information from Virus Total and Google Safe Browsing
  • Screenshot and copies of the source code for each URL

If a response is necessary, Phantom runs a series of remediation playbooks to interact with our various security appliances, using the Phantom-provided “apps.” This saves us from having to learn the various APIs and ensures consistency. Phantom also has a tight integration with Splunk Enterprise, allowing us to feed the results back to Splunk so we can use the power of SPL to aid in future detection efforts. The end result is then added back to Phantom so that related submissions are automatically triaged in the future.

Although it's early, Phantom is already freeing up analysts to work on tasks that a computer is not (yet) good at solving. If you find that your organization is also struggling to keep up, consider an automation platform. Phantom is the right tool for our needs.

Catch Chris talk more about his automation journey on the webcast, "A Tale of Two SOCs: Regaining Control Using Automation."

Posted by