CEO Oliver Friedrichs discusses the evolution of Phantom – a security orchestration tool company that is riding high on technical innovation awards and respect from early adopters. Learn how you can accelerate your security operations and improve the return on your security tool investment through orchestrators like Phantom. Find out where this front-runner in the adaptive security market is headed in this interview with ActiveCyber.net.
I have been attending the Johns Hopkins University (JHU) Applied Physics Lab (APL) community days for Integrated Adaptive Cyber Defense (IACD) for the last couple of years. Each community day, speakers lay out the recent achievements of the IACD effort, with special focus on the ability to automate some aspect of security defenses. Often the usage of security orchestration tools is highlighted and Phantom is repeatedly cited as a tool of choice by the program participants. So to find out more about this tool, I reached out to the marketing director of Phantom who arranged an interview with Oliver Friedrichs – the Founder and CEO of Phantom. He has had great success with new start-ups in the security space and deep insight into the security orchestration market. So read the interview below to learn why a security orchestrator is an indispensable tool for making your cyber defenses proactive and adaptive.
Spotlight on Oliver Friedrichs, CEO Phantom
April 11, 2017
Chris Daly, ActiveCyber: Why did you start Phantom and when? What are some of the key benefits / return on investment that enterprises can obtain from deploying Phantom?
Oliver Friedrichs, CEO Phantom: The fundamental concept of Security Automation and Orchestration isn’t new. When I was at McAfee in the late 1990’s I helped develop one of the first examples of this technology – a platform called Event Orchestrator, and a concept McAfee named Adaptive Security. The concept was covered as far back as 1998 in this Network World article.
Unfortunately, the concept of automation and orchestration was ahead of its time and enterprises were not yet prepared to automate. In 1998 the typical large enterprise had relatively few security products, with anti-virus on the endpoint, and firewall on the network. Most technologies were closed, with no external interface or API to drive them. In addition, the notion of an analytics or SIEM platform had not yet arrived, a necessary step and prerequisite for security automation and orchestration.
As a result, the security industry forgot about this concept for almost 15 years. Fast forward to today, and many enterprises have an army of over 50 discrete security technologies, most security technologies are API driven, and all large enterprises have a mature analytics or SIEM capability. That, coupled with a large shortage in security professionals, leaves little option but to automate.
Phantom was founded in 2014 after key conversations with members of the National Security Agency’s Information Assurance Directorate. These conversations led to Phantom’s participation in research that was being sponsored by NSA and DHS at Johns Hopkins Applied Physics Lab, a project called Integrated Adaptive Cyber Defense (IACD).
Although Phantom is still an active participant in the IACD project, the company has greatly expanded the scope of customers served. Phantom is proud to protect some of the world’s most prestigious Fortune 500 companies and federal government agencies. Phantom reference accounts such as Blackstone Group ($361B+ Private Equity firm), Uber Technologies, Rackspace, Medibank, and In-Q-Tel characterize the size and caliber of our client list which also includes well known names in telecommunications, technology, healthcare, manufacturing, financial services, energy, and the federal government.
Customers describe a number of benefits from deploying Phantom including:
1. Automating repetitive tasks to force multiply their team’s efforts and better focus their attention on mission-critical decisions.
2. Reducing dwell times with automated detection and investigation, and reducing response times with playbooks that execute at machine speed.
3. Integrating their existing security infrastructure together so that each part is actively participating in the defense strategy.
Return on investment is another important measure, and Phantom customers report time savings of up to 99% when automating routine, labor intensive tasks.
ActiveCyber: What level of growth do you see over the next five years in adaptive security? How do you see the market evolving? What market segments are you seeing the largest uptick of adoption?
Friedrichs: The market accelerated significantly in early 2016 after Phantom was named the most innovative company at the RSA Conference. Increased customer interest was met with increased investment in startups and by established companies all vying for a share of this new market. Analysts are forecasting 50%+ annual growth through 2020 with an estimated market size exceeding $1 billion (source: BTIG).
Initial adoption has been highest among large enterprises as these entities are most severely impacted by limited resources, increased threat surface & incidents, and the overwhelming complexity of their technology infrastructures. In time the market will evolve to address smaller organizations served by companies like Phantom via product innovation (e.g. UX) and partnerships with managed service providers.
ActiveCyber: Where is your current focus on investment / product development for Phantom?
Friedrichs: Given the complexity of this problem we have invested heavily in the user experience. Beyond continued enhancements to the user interface and other current functionality, one area of direction is platform intelligence that will educate and guide a security analyst on what to do next; a concept we call Mission Guidance™ technology. This will evolve Phantom beyond how it is used today, where the analyst directs the platform on what to do via the Visual Playbook Editor. The current approach is fit for handling known threats with a known procedure and effectively solves security at scale challenges. In the future, providing guidance to an analyst will enable a new level of security handling where threats with no associated procedures can be handled effectively through intelligent guidance from the platform.
ActiveCyber: What types of data and interoperability standards do you follow to provide the “connective tissue” for active defenses? How are these standards evolving over the next year?
Friedrichs: In April of 2016, Phantom announced a strategic investment and development agreement with In-Q-Tel, the independent, non-profit strategic investor that identifies, adapts and delivers innovative technology solutions to support the mission of the U.S. Intelligence Community. In support of that agreement, Phantom is working to normalize the inputs and outputs to actions across a disparate group of vendors with similar classes of devices (e.g. firewalls, IDS/IPS, endpoint, etc.). Projects such as this one aid the user in staying focused on the overall process and driving action instead of the syntax of the interface.
As further support for interoperability, Phantom has standardized on Python for interface development as it is a common language in the industry. This approach also allows our abstraction layer to easily map to the interface needed for the active security products while keeping a standard interface schema for the playbook. Most interfaces and messaging are handled via REST or will be in the near future.
Phantom also participates in the OpenC2 industry standards body. The OpenC2 Forum is an industry driven group that is currently chaired by the Technical Director of the National Security Agency’s Capabilities Directorate. The forum is open to cyber security stakeholders such as product vendors, system integrators, and academics. It defines a language at a level of abstraction that will enable unambiguous command and control of cyber defense technologies. It has 33 member organizations from across the world and counting.
ActiveCyber: How does cyber orchestration provided by Phantom interact with SDN controllers and VM orchestration tools?
Friedrichs: We consider control of software defined networks to be equal in importance to that of physical network infrastructure. It is all about agility and interacting with the environment in order to investigate, enrich, hunt, contain, and recover from cyber attacks.
The Phantom App framework allows the platform to cleanly interact with any API that an SDN controller or VM orchestration tool makes available.
Here is just an example set of commands that could be issued on an SDN controller:
● test connectivity – Validate the asset configuration for connectivity.
● block ip – Block traffic to/from the matching IP.
● unblock ip – Unblocks traffic to/from the matching IP.
● block mac address – Block traffic to/from the matching MAC.
● unblock mac address – Unblocks traffic to/from the matching MAC.
● block subnet – Block traffic to/from the matching IP subnet.
● unblock subnet – Unblocks traffic to/from the matching IP subnet.
● block arp – Block ARP packets sourced from this MAC.
● unblock arp – Unblock ARP packets sourced from this MAC.
● block flow – Block network traffic matching flow parameters.
● unblock flow – Unblock network traffic matching flow parameters.
● get firewall status – Get the enable/disable state of the firewall.
● enable firewall – Enable the firewall.
● disable firewall – Disable the firewall.
● delete firewall rule – Delete a firewall rule.
● list firewall rules – List firewall rules stored in the controller.
● list switches – List SDN switches managed by the controller.
● list internal links – List single-hop links discovered via LLDP.
● list external links – List multi-hop links discovered via BDDP.
● list devices – List devices tracked by the SDN controller.
● get uptime – Get time since SDN controller startup.
● list static flows – List static flow rules.
● add static flow – Add a static flow rule.
● delete static flow – Remove a static flow rule.
● clear static flows – Remove all static flow rules.
Additional actions and capabilities can be easily supported based on APIs made available by the SDN or VM orchestration tool.
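The answer above describes an app layer that presents one normalized action (for example "block ip") to the playbook while talking to whatever interface a given controller exposes. The following is an added example of that pattern, written for this page rather than taken from Phantom's App framework: two hypothetical controller adapters (AcmeSdn and BetaSdn, both constructed stand-ins with in-memory state instead of REST calls) sit behind a single SdnApp that validates parameters before dispatching. The guard that refuses a /0 or unspecified-address rule is an assumption added here, the kind of check a defender wants in front of any containment action that can cut off an entire network.

```python
"""Added example: normalized block/unblock actions over two hypothetical SDN
controllers. Vendor payload shapes, class names and the safety guard are
constructed for illustration and are not Phantom's own code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ActionResult:
    """The normalized shape every adapter returns to the playbook."""
    action: str
    success: bool
    message: str
    data: dict = field(default_factory=dict)


class AcmeSdn:
    """Hypothetical vendor A: deny rules are keyed by a controller rule id."""
    def __init__(self):
        self.rules = {}

    def add_deny(self, cidr):
        rule_id = f"acme-{len(self.rules) + 1}"
        self.rules[rule_id] = cidr
        return rule_id

    def drop(self, rule_id):
        return self.rules.pop(rule_id, None) is not None


class BetaSdn:
    """Hypothetical vendor B: a flat set of blocked prefixes, no rule ids."""
    def __init__(self):
        self.blocked = set()

    def block_prefix(self, cidr):
        self.blocked.add(cidr)
        return True

    def unblock_prefix(self, cidr):
        self.blocked.discard(cidr)
        return True


class SdnApp:
    """Maps normalized action names onto whichever controller is configured."""
    ACTIONS = {"block ip", "unblock ip", "block subnet", "unblock subnet"}

    def __init__(self, controller):
        self.ctl = controller
        self.rule_ids = {}  # cidr -> vendor rule id, for vendors that need one

    @staticmethod
    def _to_network(param, allow_subnet):
        # ipaddress raises ValueError for anything that is not an address/prefix.
        net = ipaddress.ip_network(param, strict=False)
        if not allow_subnet and net.num_addresses != 1:
            raise ValueError("block ip expects a single host address")
        if net.prefixlen == 0 or net.network_address.is_unspecified:
            raise ValueError("refusing a blanket rule covering all traffic")
        return str(net)

    def run(self, action, params):
        if action not in self.ACTIONS:
            return ActionResult(action, False, f"unsupported action: {action}")
        try:
            raw = params.get("ip", params.get("subnet", ""))
            cidr = self._to_network(raw, allow_subnet=action.endswith("subnet"))
        except ValueError as exc:
            return ActionResult(action, False, f"parameter validation failed: {exc}")
        blocking = action.startswith("block")
        if isinstance(self.ctl, AcmeSdn):
            if blocking:
                self.rule_ids[cidr] = self.ctl.add_deny(cidr)
                ok = True
            else:
                ok = self.ctl.drop(self.rule_ids.pop(cidr, ""))
        else:
            ok = self.ctl.block_prefix(cidr) if blocking else self.ctl.unblock_prefix(cidr)
        verb = "blocked" if blocking else "unblocked"
        return ActionResult(action, ok, f"{cidr} {verb}", {"cidr": cidr})


if __name__ == "__main__":
    app = SdnApp(AcmeSdn())
    print(app.run("block ip", {"ip": "10.0.0.5"}))
    print(app.run("block subnet", {"subnet": "0.0.0.0/0"}))
```

Because the playbook only ever sees ActionResult, swapping AcmeSdn for BetaSdn changes nothing upstream, which is the point of normalizing inputs and outputs across vendors; the validation step is also where an orchestrator should reject a malformed or overly broad parameter before any device is touched.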
ActiveCyber: How important is an open ecosystem approach to the success of Phantom? Have you experienced significant third party participation in using and sharing playbooks on GitHub? Do you believe that M2M sharing of playbooks similar to STIX/TAXII for threat sharing is a viable approach?
Friedrichs: An open ecosystem approach is critical to the success of Phantom and Security Automation & Orchestration in general. Customers prefer to control their own destiny and not be tied to one particular vendor when it comes to security tools. Phantom’s open integration framework assures customers that there will be an ever-expanding roadmap of integrations via partner contributions (i.e. other security tool vendors) as well as a large community of users. Should an integration for a particular tool not be available, an open ecosystem empowers the customer to quickly create the integration themselves ensuring their tool selection will not be omitted from orchestration. This is often the case with internally developed tools not publicly available.
M2M sharing of playbooks is absolutely a viable approach for playbook sharing. A critical requirement to supporting this trend is the inclusion of repository management systems such as Git. It is often the case where an orchestration system will link to one or more Git repositories to sync playbooks with internal groups or an external community. The latter is true with Phantom’s community playbook repository today.
ActiveCyber: Can you describe how your playbooks are constructed and provide some examples about how they can be organized to handle complex security automation tasks?
Friedrichs: Phantom playbooks are constructed using Phantom’s Visual Playbook Editor (VPE). The VPE provides a business process model and notation (BPMN) interface that most analysts and managers already know. This BPMN-style interface allows the playbook author to include very sophisticated operations without ever interacting with source code. Operations in Phantom’s VPE include action execution, decision blocks (if/else if/else), data filtering, data formatting, manual task insertion, human approvals, and invoking automation APIs. The instantiation and logical flow of these operations are all expressed visually. While the playbook author is visually building the playbook, the VPE is building Python code in parallel. The Python code is ultimately interpreted and executed by the automation engine. If a playbook author wanted to write a playbook completely in Python, he or she is free to do so. Playbook authors are also permitted to operate in a hybrid mode where they construct the playbook visually and modify the resulting Python code appropriately. When operating in the hybrid mode, the playbook author retains the ability to modify the playbook at the visual level, a feature highly desirable by Phantom customers.
Through the use of decision blocks (if/else if/else), data filtering, and data formatting in the VPE, very complex security tasks can be automated. As actions are executed by the automation engine, the data results from those actions may be passed to follow-on actions, decision blocks, data filters, and data format blocks to create very powerful automated playbooks that include interpretation and decision logic. Such logic allows Phantom automation to extend beyond just task execution and data fetching, allowing automation to programmatically take action and bring security events to closure. The VPE functionality allows for the entire security event life cycle, including closure of the event, to be automated.
ActiveCyber: How are risk metrics incorporated into cyber orchestration decisions and prioritization of cyber orchestration activities by Phantom?
Friedrichs: For each security event ingested into the Phantom platform, a severity and sensitivity is applied. Severity is in the form of low, medium, and high values, and the sensitivity value is red, amber, green, or white as per the Traffic Light Protocol (TLP) that provides classification and sharing of sensitive information. Each security event ingested into Phantom is broken into artifacts that contain all of the data or evidence associated with the event. Each artifact also has a severity (i.e. low, medium, high) associated with it. The security event, as well as its artifacts, both contain kill chain information about the incident. This metadata together or in isolation may be used to determine the risk associated with the event and therefore the prioritization and course of action taken through the automation engine. In cases where customers apply highly customized risk thresholds that are calculated via internal methods, Phantom provisions for those scenarios by enabling the customer to modify the playbook at the Python source code level.
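The answer above lists the metadata an orchestrator has to work with per event: an event severity (low/medium/high), a TLP sensitivity (white/green/amber/red), per-artifact severities and kill-chain phases. The block below is an added example of combining that metadata into a priority score and a default course of action; it is not Phantom's scoring logic. The weights, the thresholds, the treatment of TLP as a stakes multiplier and the course-of-action names are all assumptions chosen for illustration, the sort of customized risk threshold the answer says a customer would put into the playbook's Python source.

```python
"""Added example (not Phantom code): event and artifact metadata -> priority
score -> course of action. Weights and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITY = {"low": 1, "medium": 2, "high": 3}
# Assumption: more tightly restricted data is treated as a higher-stakes event.
TLP = {"white": 0, "green": 1, "amber": 2, "red": 3}
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command and control", "actions on objectives"]


@dataclass
class Artifact:
    name: str
    severity: str
    kill_chain: Optional[str] = None


@dataclass
class Event:
    name: str
    severity: str
    sensitivity: str
    artifacts: List[Artifact] = field(default_factory=list)
    kill_chain: Optional[str] = None


def kill_chain_depth(event: Event) -> int:
    """1-based index of the deepest phase seen on the event or any artifact; 0 if none."""
    phases = [event.kill_chain] + [a.kill_chain for a in event.artifacts]
    known = [KILL_CHAIN.index(p.lower()) for p in phases if p and p.lower() in KILL_CHAIN]
    return max(known) + 1 if known else 0


def priority_score(event: Event) -> int:
    """Weighted sum: event severity x3, worst artifact severity x2, depth, TLP weight."""
    base = SEVERITY[event.severity.lower()]
    worst_artifact = max((SEVERITY[a.severity.lower()] for a in event.artifacts), default=0)
    return base * 3 + worst_artifact * 2 + kill_chain_depth(event) + TLP[event.sensitivity.lower()]


def course_of_action(event: Event) -> str:
    """Assumed thresholds: contain automatically, enrich then ask a human, or enrich only."""
    score = priority_score(event)
    if score >= 18:
        return "contain"
    if score >= 10:
        return "enrich-and-approve"
    return "enrich-only"


def prioritize(events: List[Event]) -> List[Event]:
    """Work-queue order: highest score first; ties keep ingestion order (sort is stable)."""
    return sorted(events, key=priority_score, reverse=True)


# Constructed sample events for a quick run.
SAMPLE_EVENTS = [
    Event("beaconing to known C2", "high", "red",
          [Artifact("src ip", "medium"), Artifact("file hash", "high", "installation")],
          kill_chain="delivery"),
    Event("single low-reputation url", "low", "green", [Artifact("url", "low")]),
    Event("port scan from partner range", "medium", "white",
          [Artifact("ip", "medium", "reconnaissance")]),
]

if __name__ == "__main__":
    for ev in prioritize(SAMPLE_EVENTS):
        print(priority_score(ev), course_of_action(ev), ev.name)
```

Keeping the score in one small function is what makes the threshold easy to swap for an internally calculated one: the decision blocks downstream only consume the returned course name.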
ActiveCyber: How do predictive analytics and threat sharing tools work in conjunction with Phantom? Do you find that these capabilities are essential elements to an effective deployment of Phantom? Are there any other tools or capabilities that are a “must have” when deploying an orchestrator like Phantom?
Friedrichs: Phantom is flexible enough to work with any security tool with an accessible API. There are endless use cases that Phantom can support, therefore there is not a list of minimum capabilities or “must have” tools. With orchestration, the “must have” is quickly becoming the orchestrator. It is the “must have” that integrates all the tools a customer has in their environment.
In practice, we are finding that there are tool sets in place that are common across most environments. They are as follows:
● Data source: The data source can supply structured as well as unstructured data to the Phantom platform. The data ingested is ultimately automated on using Phantom playbooks. Data sources can be SIEMs, Email systems, Threat indicators from TIPs or STIX/TAXII files, or any log or data type.
● Investigative Tools: It is common to utilize data enrichment and hunting tools in automation. Examples include reputation services, sandboxing environments for file/URL detonation, indicator hunting services, indicator enrichment through threat intel, domain searching tools, and several other investigative tools.
● Containment Tools: To take action on an event, some level of containment is usually employed. This can come in the form of manipulating access control of a node using endpoint technology, or restricting user-based access control using directory services, or manipulating network and application policy by tuning configurations on switches, routers, firewalls, proxies, among other network-based devices.
● Reporting Tools: At the end of a playbook run it is common practice to notify an entity of the results of the automation and share any meaningful data discovered during the process. Typically this is done through interfacing to a ticketing system or through email communication.
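The playbook description earlier in the interview (action execution, data filters, decision blocks, format blocks, written as Python under the hood) and the four tool categories just listed fit together into one flow: ingest an event with its artifacts, enrich each indicator with an investigative tool, filter and decide, contain, and report. The block below is an added example of that flow written directly in Python; it is not a Phantom playbook and does not use Phantom's playbook API. The reputation database, firewall and ticketing system are constructed in-memory stand-ins for real integrations, and the sample event uses documentation-range addresses and a placeholder hash.

```python
"""Added example (not Phantom code): a playbook that walks data source ->
investigative tool -> filter/decision -> containment -> reporting.
All integrations are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import List

# Constructed data source: one ingested event already split into artifacts.
# Artifact keys use CEF-style names; IPs are from documentation ranges.
SAMPLE_EVENT = {
    "name": "Suspicious outbound connections from WKS-042",
    "artifacts": [
        {"sourceAddress": "203.0.113.7", "destinationPort": 4444},
        {"sourceAddress": "198.51.100.20", "destinationPort": 443},
        {"fileHash": "placeholder-hash-not-a-real-indicator"},
    ],
}

# Investigative tool stand-in: reputation score 0-100 (constructed values).
REPUTATION_DB = {"203.0.113.7": 92, "198.51.100.20": 12, "192.0.2.44": 75}


def reputation_lookup(ip: str) -> int:
    """Action block: query the (simulated) reputation service; unknown -> 0."""
    return REPUTATION_DB.get(ip, 0)


@dataclass
class Firewall:
    """Containment tool stand-in."""
    blocked: List[str] = field(default_factory=list)

    def block_ip(self, ip: str) -> bool:
        if ip not in self.blocked:
            self.blocked.append(ip)
        return True


@dataclass
class Ticketing:
    """Reporting tool stand-in."""
    tickets: List[dict] = field(default_factory=list)

    def create(self, title: str, body: str) -> int:
        self.tickets.append({"title": title, "body": body})
        return len(self.tickets)


def run_playbook(event: dict, firewall: Firewall, ticketing: Ticketing,
                 block_threshold: int = 70) -> dict:
    """One playbook run: investigate -> filter -> decide -> contain -> report."""
    # Action block over every artifact that carries a source address.
    results = [
        {"ip": a["sourceAddress"], "score": reputation_lookup(a["sourceAddress"])}
        for a in event["artifacts"] if "sourceAddress" in a
    ]
    # Filter block: keep only indicators at or above the threshold.
    malicious = [r for r in results if r["score"] >= block_threshold]
    # Decision block (if / else if / else) driving the containment action.
    if malicious:
        for r in malicious:
            firewall.block_ip(r["ip"])
        status = "contained"
    elif results:
        status = "benign"
    else:
        status = "no network indicators"
    # Format block: structured results -> the text the ticket carries.
    lines = [f"{r['ip']}: reputation {r['score']}" for r in results]
    body = f"Status: {status}\n" + "\n".join(lines)
    ticket_id = ticketing.create(event["name"], body)
    return {"status": status, "blocked": [r["ip"] for r in malicious],
            "ticket_id": ticket_id, "summary": body}


if __name__ == "__main__":
    print(run_playbook(SAMPLE_EVENT, Firewall(), Ticketing())["summary"])
```

Every branch of the decision block ends at the reporting step, so an event that produced no network indicators still leaves a ticket behind; that is what lets the run be closed out rather than silently dropped.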
ActiveCyber: Understanding mission impacts prior to performing a response or mitigation action is critical to ensuring that an orchestrated response doesn’t end up in creating a bigger problem. What best practices do you recommend with regards to this issue to enterprises that want to accelerate and amplify cyber responses using security automation tools?
Friedrichs: The optimal way to navigate these types of scenarios is to enable a level of supervised automation. The orchestrator must allow the ability for a human to be inserted into the automation loop. This is done by inserting a human approval, with responses, into the playbook. On Phantom, this can be done within the Visual Playbook Editor. When a human approval is reached in the execution chain, automated execution is paused until the appropriate human response is provided. The system should be flexible enough to allow for variable responses that can be interpreted. Examples include text-based responses (yes/no) as well as number-based responses and scoring. Flexible responses can be interpreted to drive specific courses of action that may have varying degrees of containment and risk. In either case, the human ultimately has the opportunity to control the path taken by the automation engine in advance of execution taking place.
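The answer above describes a human-approval block that pauses execution, accepts either a yes/no answer or a numeric score, and uses the answer to pick a course of action with more or less containment. The block below is an added example of such a gate, not Phantom's approval block: the response source is an iterator standing in for whatever channel delivers the analyst's reply, the course names and the score-to-action mapping are assumptions, and one failure mode the answer does not spell out is handled here as an assumption too: after three invalid or missing replies the gate fails closed and takes no action.

```python
"""Added example (not Phantom code): a human-approval gate that pauses a
playbook, interprets yes/no or 1-5 replies, and fails closed on bad input.
Course names, the score mapping and the attempt limit are assumptions."""
from typing import Iterator, Optional, Tuple

MAX_ATTEMPTS = 3
# Assumed mapping from an approval outcome to the containment applied.
COURSES = {
    "deny": "no action; escalate to analyst",
    "monitor": "monitor only",
    "block": "block ip",
    "isolate": "isolate host and block ip",
    "hold": "hold; no valid approval received",
}


def interpret_response(text: str) -> Optional[Tuple[str, int]]:
    """Parse a free-text reply into ('bool', 0|1) or ('score', 1..5); None if invalid."""
    t = text.strip().lower()
    if t in ("yes", "y", "approve"):
        return ("bool", 1)
    if t in ("no", "n", "deny"):
        return ("bool", 0)
    if t.isdigit() and 1 <= int(t) <= 5:
        return ("score", int(t))
    return None


def choose_course(decision: Tuple[str, int]) -> str:
    """Map a parsed reply to a course of action with a matching degree of containment."""
    kind, value = decision
    if kind == "bool":
        return COURSES["block"] if value else COURSES["deny"]
    if value >= 4:
        return COURSES["isolate"]
    if value >= 2:
        return COURSES["block"]
    return COURSES["monitor"]


def approval_gate(prompt: str, responses: Iterator[str]) -> dict:
    """Pause here until a valid human reply arrives, then resume with a course.

    `responses` stands in for the reply channel; an exhausted iterator models a
    closed or timed-out channel and, like repeated invalid replies, fails closed.
    """
    attempts = []
    for _ in range(MAX_ATTEMPTS):
        reply = next(responses, None)
        if reply is None:
            break
        attempts.append(reply)
        decision = interpret_response(reply)
        if decision is not None:
            return {"prompt": prompt, "attempts": attempts,
                    "course": choose_course(decision),
                    "approved": decision != ("bool", 0)}
    return {"prompt": prompt, "attempts": attempts,
            "course": COURSES["hold"], "approved": False}


if __name__ == "__main__":
    # Constructed reply sequence: two invalid answers, then a score of 4.
    print(approval_gate("Contain host WKS-042?", iter(["maybe", "6", "4"])))
```

The important property is that no branch of the gate reaches a containment action without a reply the parser accepted; an unanswered or garbled approval leaves the event on hold for an analyst rather than defaulting to either action or silence.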
Thanks Oliver for describing the incredible progress your company and the Phantom tool in particular are making in the area of adaptive security defenses. I believe that orchestration is the best path out of the data and cyber incident swamp that most SOC teams face today. I look forward to following Phantom as it moves forward in the open ecosystem it is building to make orchestration easy to adopt and pervasive in the industry.
And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at ActiveCyber.
About Oliver Friedrichs
With a remarkable record in building three successful enterprise security companies over the past two decades, Friedrichs serves as the CEO of Phantom. Prior to Phantom, Friedrichs founded Immunet, acquired by Sourcefire in 2010 and a key component to Cisco’s $2.7b acquisition of Sourcefire in 2013; now thriving as Cisco’s Advanced Malware Protection (AMP) business. Friedrichs co-founded SecurityFocus (Bugtraq) and led DeepSight, the world’s first Internet early warning system, acquired by Symantec in 2002, and a recognized leader in security intelligence to this day. He also co-founded Secure Networks and led Ballista (CyberCop), one of the industry’s first vulnerability management solutions, acquired by McAfee in 1998. Friedrichs architected and developed a prototype of the first commercial penetration-testing product, SNIPER, acquired by Core Security Technologies in 2001 and further developed into CORE IMPACT. He attended the University of Manitoba and is the co-author of three security books and recipient of 8 patents.