One theme we’ve explored on the topic of SOC automation is going beyond investigation. The analogy: don’t just tell me the building is on fire; turn on the sprinklers, close the doors to limit the draft, and call the fire department – automatically.
Here is an interesting variation on an investigation Playbook:
The first six steps haven’t changed, but we’ve added a seventh. Based on the outcome of the investigation (steps 1 – 6), we may want to run another Playbook that takes action. We’ve not yet explored the concept of “chaining” Playbooks together on the blog, but it is an interesting use case.
Further, notice the Duo two-factor authentication step. The Remediation Playbook takes actions like quarantining a host and blocking a hash, URL or IP. Before it runs, though, a human confirms the action. We’ve described this as an “in the loop” scenario in the past, where an analyst approves the action before it happens.
Duo provides a wide range of options for authentication including support for mobile devices. With fingerprint scanners and facial recognition, I’m expecting to see some interesting implementations in the community!
If you didn’t already know, Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities to execute actions, ensuring a repeatable and auditable process around your security operations. Sample community Playbooks can be customized at will, are synchronized via Git, and are published on our public Community GitHub repository. You can read more about Phantom and Playbooks here.
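The chained flow described above, as an added example that is not Phantom’s playbook API or code from the Phantom community repository: a plain-Python model in which the investigation verdict feeds a remediation playbook that only runs after an approval callback (standing in for the Duo prompt) returns True, with every decision written to an audit trail. The names `Verdict`, `Audit`, `remediation_playbook` and `run_chain` are assumptions for illustration.

```python
"""Chained playbook with a human-in-the-loop gate (added example, not Phantom code).

All names are illustrative assumptions. `approve` is a caller-supplied callable
standing in for a second-factor prompt (e.g. a Duo push) that the analyst
accepts or rejects; any error from it is treated as a denial (fail closed).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Verdict:
    """Outcome of investigation steps 1-6."""
    malicious: bool
    host: str
    # indicator kind -> value, e.g. {"hash": "...", "url": "...", "ip": "..."}
    indicators: Dict[str, str] = field(default_factory=dict)


@dataclass
class Audit:
    """Append-only record so the whole chain is reviewable afterwards."""
    events: List[str] = field(default_factory=list)

    def log(self, msg: str) -> None:
        self.events.append(msg)


def remediation_playbook(verdict: Verdict, audit: Audit) -> List[str]:
    """Step 7 actions: quarantine the host, then block each known indicator."""
    actions = [f"quarantine_host:{verdict.host}"]
    for kind in ("hash", "url", "ip"):
        if kind in verdict.indicators:
            actions.append(f"block_{kind}:{verdict.indicators[kind]}")
    for action in actions:
        audit.log(f"executed {action}")
    return actions


def run_chain(verdict: Verdict, approve: Callable[[str], bool], audit: Audit) -> List[str]:
    """Chain to remediation only if the investigation flagged the host AND a human approves."""
    if not verdict.malicious:
        audit.log(f"{verdict.host}: benign, remediation not chained")
        return []
    summary = f"remediate {verdict.host} ({', '.join(verdict.indicators.values())})"
    audit.log(f"approval requested: {summary}")
    try:
        granted = bool(approve(summary))
    except Exception as exc:  # MFA service unreachable, timeout, etc.
        audit.log(f"approval error ({exc}); fail closed, no action taken")
        return []
    if not granted:
        audit.log("approval denied; no action taken")
        return []
    audit.log("approval granted")
    return remediation_playbook(verdict, audit)
```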
Interested in seeing how Phantom Playbooks can help your organization? Get the free Phantom Community Edition.
----------------------------------------------------
Thanks!
CP Morey
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.