Splunk Phantom Introduction & Overview

Before we try to understand the Splunk Phantom we need to understand,

What is SOAR?
How SIEM and SOAR fit together/are related, do we need both?

Ok, before you jump to any search engines, let me try to answer the above two questions in brief for you,

As you might know, the steps in ensuring the enterprise security includes the following:

Prevention > Detection > Response

Splunk has become a pretty successful and well-known SIEM product over the years. But with SIEM products your reach is to the Detection phase and you get very limited automated Response capabilities. As we know, false positives are inevitable and pretty common, a Security Analyst spends most of its time triaging them.
This is where you start looking for a SOAR platform which can leverage your security operations and reduce the incident response time (by automating most of the process).

SOAR stands for:
S Security
O Orchestration,
A Automation and
R Response.
is a term coined by Gartner (Research firm) to describe software solutions (stack or alone) that allow an organization to collect data about security threats from multiple sources and respond to them with minimum human involvement (automated way). This improves the efficiency of all your security operations

According to Gartner, the three most important features for the solutions in the SOAR category are:

Threat & vulnerability management:
The continuous process of identifying, assessing, classifying and mitigating security holes/risks.

You can also know about :  What is Metrics Data? ( Part - 1 )

Security incident response:
This is basically how an organization plans, manages, and counters any security incidents.

Security operations automation:
This is the automation and orchestration of workflows.

While both Security Information and Event Management (SIEM) and SOAR solutions aggregate relevant data from multiple sources, SOAR solutions integrate with a wider range of internal and external applications/tools. Most of the companies nowadays are adopting SOAR services to augment their in-house SIEM software.

It is expected that as SIEM vendors begin to add SOAR capabilities/features to their solutions, the market for these two product lines will narrow down. Examples of vendors that are promoting their products as a SOAR platform are CybersponseLogRythm and Rapid7 .

I think that’s enough of us running around SIEM and SOAR, so coming to the point…..

What is Splunk Phantom?

Splunk Phantom is a SOAR platform that helps you in harnessing the full power of your existing security investments. It helps you orchestrate the existing tools in your infrastructure & automate the stuff that you have been doing manually from the time immemorial.
You can Ingest the high-fidelity events from Security Intelligence and Event Management (SIEM) tools into the Phantom Platform to trigger automated and analyst-driven workflows.
Examples : Splunk Enterprise Security, IBM QRadar and Arcsight ESM.
Splunk Phantom is not designed to replace any security products, but to work along with them.

You can also know about :  Report Acceleration In Splunk

Phantom Apps and Orchestration
Phantom has a very flexible app model that supports numerous other tools and APIs, giving you the capability to connect and coordinate complex workflows across your teams and tools. Phantom Apps extend the platform by integrating third-party security products and tools. Most security technologies have RESTful APIs, CLIs, or other management interfaces that allow Phantom Apps to connect and execute actions. Apps expose the set of actions that they support back to the Phantom.

Splunk Phantom History:
Phantom Cyber Corporation was established in 2014 based in Palo Alto, California. Splunk and Phantom first partnered in 2016 as part of an initiative to more tightly integrate their products. Later on, Splunk Inc. acquired the 4 year old startup Phantom Cyber Corporation, a leader in Security Orchestration, Automation and Response (SOAR) on April 9,2018 for approx. $350 Million.

Competitors of Splunk Phantom:
The top three in this list are Cybersponse, Demisto, UPlevel.

—– Some Key Concepts related to Splunk Phantom —-

Data Sources:
Use any source of security data to trigger Phantom into action, like incidents, threat indicators, vulnerabilities & more. Depending on your preference either push your data to Phantom, or pull it from a number of externally supported tools.

Playbooks are the block of programs that describe your Security Operations plan.Basically, they’re high-level Python scripts that Phantom interprets in order to execute your mission.

You can also know about :  User Roles & Capabilities In Splunk

Actions are the high-level primitives that Phantom uses within playbooks.
Detonate a file in a supported sandbox
Geo-locate IP
Hunt File
Look for a particular file on endpoints
Block a URL on perimeter devices
Disconnect a device from the network via NAC

Threat Intelligence Services:
Automate or manually query threat intelligence services for contextual information to help you with decision making.
Examples: VirusTotal, Recorded Future

Endpoint Detection and Response:
Enhance your security policy decisions by integrating Phantom with your Endpoint Detection and Response (EDR) tool.
Examples: Carbon Black, Crowdstrike, McAfee and Symantec.

Thanks, for being here….

Happy Splunking!!!

One comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.