Automating Security Operations Using Phantom

Isabella Minca, an intern for 4 months in the Security Team at Adobe, presents an overview of automating security operations using Phantom. The presentation covers goals, security alerts, Phantom playbooks, handling security data, and the capabilities of Phantom in orchestrating security responses. Learn how automation can enhance analyst efficiency and enrich knowledge on potential security threats.

  • Security Operations
  • Phantom
  • Automation
  • Security Alerts
  • Incident Response

Uploaded on Sep 30, 2024 | 0 Views


Presentation Transcript


  1. Automating Security Operations using Phantom

  2. About Me Isabella Minca Intern for 4 months in the Security Team @ Adobe 4th year student @ Univ. Politehnica of Bucharest

  3. Agenda Our goals Security Alerts Phantom overview Phantom Playbooks What's next

  4. Our goals Automate repetitive manual work of analysts Enrich existing knowledge on Security Alerts In the future: Discovering new potentially malicious behavior

  5. Security Alerts Logs SIEM Alerts Triage

  6. How much data? 30 TB logs/day 150 alerts/day > 100 different types of alerts

  7. Log example What the log looks like in the SIEM

  8. Alert example What the alert looks like in the SIEM

  9. Manual triage Manually handling the alerts includes a lot of repetitive work Example: Azure Weak Network Security Group

  10. Example Workflow for handling the alert NSG still exists? NSG still weak? Create Jira ticket

  11. Example (cont.) All of these steps can be automated. So here comes Phantom

  12. What is Phantom? Security Orchestration Response capabilities Automation

  13. What is Phantom?(cont.) Aims to help scale security operations efforts Recently acquired by Splunk

  14. Main Components Apps Events Playbooks Assets

  15. Apps Third party technologies Used similarly to an API

  16. Playbooks Codification of the security operations plan Written in Python

  17. Assets Specific instances of physical or virtual devices Examples: servers, endpoints, firewalls

  18. Events Phantom server Asset Events Polling

  19. Why Phantom? Plain Python script vs. Phantom playbook

  20. Why Phantom?(cont.) Artifact Artifact Artifact Playbook Event Event

  21. Why Phantom?(cont.) Asset 1 ACTION 1 ACTION 2 APP PLAYBOOK ACTION 3 ACTION 4 Asset 2

  22. Examples of useful integrations Virus Total Splunk Jira Slack SMTP

  23. Demo Let's create a Playbook!

  24. Achievements Alerts for Weak Network Security Group in Azure

  25. Achievements(cont.) Alerts for Publicly Exposed Azure Containers Container still exists? Container still exposed? Create Jira ticket
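Slides 10 and 25 describe the same triage shape: check that the resource still exists, check that it is still weak, and only then open a Jira ticket. The following is an added example, not code from the presentation and not Phantom's playbook API (the `phantom.rules` calls a real playbook would use are deliberately left out). It models that flow over constructed in-memory data: an NSG check that evaluates rules in priority order the way Azure does, so an Allow shadowed by a lower-numbered Deny is not reported, and a constructed container record with a `public_access` field. The `SENSITIVE_PORTS` list, the `FakeJira` stand-in and all inventory entries are assumptions made for the example.

```python
"""Triage flow: resource still exists? -> still weak? -> Jira ticket.

Added example; not the presentation's code and not Phantom's API.
All inventory data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = (22, 3389, 1433, 3306, 5432)
# Source prefixes / service tags that cover every internet address.
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}


@dataclass
class NsgRule:
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    source: str      # source address prefix or service tag
    dest_ports: str  # "22", "1000-2000" or "*"
    priority: int    # lower number is evaluated first


def port_range(spec: str):
    if spec == "*":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def open_to_internet(rules: List[NsgRule]) -> List[int]:
    """Sensitive ports an arbitrary internet address can reach.

    Rules are applied in priority order and the first match decides, so an
    Allow shadowed by a lower-numbered Deny is not weak. Only rules whose
    source covers the whole internet can match an arbitrary external
    address, so rules scoped to specific prefixes are skipped.
    """
    exposed = []
    for port in SENSITIVE_PORTS:
        for r in sorted(rules, key=lambda r: r.priority):
            if r.direction != "Inbound" or r.source not in ANY_SOURCE:
                continue
            lo, hi = port_range(r.dest_ports)
            if lo <= port <= hi:
                if r.access == "Allow":
                    exposed.append(port)
                break  # first matching rule wins
    return exposed


def container_public(container: dict) -> List[str]:
    """Exposed-container check over a constructed record: anything other
    than public_access 'None' means anonymous read access."""
    level = container["public_access"]
    return [] if level == "None" else ["public-access:" + level]


class FakeJira:
    """Stand-in for the Jira integration (constructed, not the Jira API)."""
    def __init__(self):
        self.tickets: List[dict] = []

    def create(self, summary: str, description: str) -> str:
        key = f"SEC-{len(self.tickets) + 1}"
        self.tickets.append({"key": key, "summary": summary, "description": description})
        return key


@dataclass
class TriageResult:
    outcome: str                 # "closed_missing", "closed_fixed" or "ticket_created"
    findings: list = field(default_factory=list)
    ticket: Optional[str] = None


def triage(resource_id, lookup, still_weak, jira, kind):
    """Generic flow: resource gone -> close; no longer weak -> close; else ticket."""
    resource = lookup(resource_id)
    if resource is None:
        return TriageResult("closed_missing")
    findings = still_weak(resource)
    if not findings:
        return TriageResult("closed_fixed")
    key = jira.create(summary=f"{kind} {resource_id} is weak",
                      description="Findings: " + ", ".join(map(str, findings)))
    return TriageResult("ticket_created", findings, key)


# Constructed inventory standing in for the Azure lookups an app would perform.
NSGS = {
    "nsg-web-prod": [
        NsgRule("Inbound", "Allow", "*", "22", 100),
        NsgRule("Inbound", "Allow", "Internet", "443", 110),
        NsgRule("Inbound", "Deny", "*", "*", 65500),
    ],
    "nsg-db-prod": [
        NsgRule("Inbound", "Deny", "*", "3306", 100),  # shadows the Allow below
        NsgRule("Inbound", "Allow", "*", "3306", 200),
        NsgRule("Inbound", "Deny", "*", "*", 65500),
    ],
}
CONTAINERS = {"logs-archive": {"public_access": "Blob"},
              "backups": {"public_access": "None"}}


def triage_weak_nsg(nsg_id, jira):
    return triage(nsg_id, NSGS.get, open_to_internet, jira, "NSG")


def triage_exposed_container(name, jira):
    return triage(name, CONTAINERS.get, container_public, jira, "Container")


if __name__ == "__main__":
    jira = FakeJira()
    for nsg in ("nsg-web-prod", "nsg-db-prod", "nsg-deleted"):
        print(nsg, triage_weak_nsg(nsg, jira))
    for name in ("logs-archive", "backups"):
        print(name, triage_exposed_container(name, jira))
```

Closing the alert when the resource is gone or already fixed, before any ticket is created, is what removes the repetitive part of the manual triage; the priority-ordered rule evaluation matters because a naive "any Allow from *" scan would raise a ticket for `nsg-db-prod` even though its Deny rule wins.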

  26. Achievements(cont.) Follow-up work on Jira tickets for AWS Weak Security Groups SG restricted/deleted? Cross out All SGs crossed out? Close ticket
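The follow-up flow on this slide is a state check that can be re-run on a schedule until the ticket closes: each security group named in the ticket is crossed out once it is restricted or deleted, and the ticket is closed when every entry is crossed out. The following is an added example, not code from the presentation or from Phantom. It works over a constructed ticket record and a constructed, simplified security-group inventory (a list of inbound permissions per group, `None` for a deleted group); the `SENSITIVE_PORTS` list and the `{"from_port", "to_port", "cidrs"}` shape are assumptions made for the example.

```python
"""Follow-up on Jira tickets for AWS weak security groups.

Added example; not the presentation's code and not Phantom's API.
Ticket and inventory records below are constructed for illustration.
"""
from typing import Dict, List, Optional

# Assumption: ports that must not be open to the whole internet.
SENSITIVE_PORTS = (22, 3389, 3306, 5432)
WORLD = {"0.0.0.0/0", "::/0"}


def sg_still_weak(permissions: List[dict]) -> bool:
    """True if any inbound permission opens a sensitive port to the world.

    `permissions` uses a simplified, constructed shape:
    {"from_port": int, "to_port": int, "cidrs": [str, ...]}
    where from_port == -1 means all ports.
    """
    for p in permissions:
        if not WORLD & set(p["cidrs"]):
            continue  # only world-open CIDRs count as weak
        lo, hi = p["from_port"], p["to_port"]
        if lo == -1 or any(lo <= port <= hi for port in SENSITIVE_PORTS):
            return True
    return False


def follow_up(ticket: dict, inventory: Dict[str, Optional[List[dict]]]) -> dict:
    """One follow-up pass over a ticket. Returns a new ticket dict.

    ticket = {"key": str, "status": "Open" | "Closed",
              "items": {sg_id: crossed_out}}
    inventory maps sg_id -> inbound permissions; a missing key or None
    means the group was deleted. A crossed-out entry stays crossed out;
    a later regression would surface as a new alert, not reopen this one.
    """
    items = dict(ticket["items"])
    for sg_id, done in items.items():
        if done:
            continue
        perms = inventory.get(sg_id)
        if perms is None or not sg_still_weak(perms):
            items[sg_id] = True  # restricted or deleted: cross it out
    status = "Closed" if all(items.values()) else ticket["status"]
    return {**ticket, "items": items, "status": status}


# Constructed ticket naming three security groups.
TICKET = {"key": "SEC-42", "status": "Open",
          "items": {"sg-0a1": False, "sg-0b2": False, "sg-0c3": False}}

# Constructed inventory snapshots for two consecutive follow-up runs.
DAY1 = {
    "sg-0a1": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}],   # still open
    "sg-0b2": [{"from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]}],  # restricted
    # sg-0c3 absent: deleted
}
DAY2 = {
    "sg-0a1": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}],  # 22 closed
    "sg-0b2": [{"from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]}],
}


def run_two_days():
    """Apply the follow-up on both snapshots and return both ticket states."""
    after_day1 = follow_up(TICKET, DAY1)
    after_day2 = follow_up(after_day1, DAY2)
    return after_day1, after_day2


if __name__ == "__main__":
    for state in run_two_days():
        print(state["key"], state["status"], state["items"])
```

Returning a new ticket record instead of mutating the input keeps each run idempotent, so the same playbook can be polled repeatedly without double-processing a ticket.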

  27. Next steps Automate repetitive manual work What is on for the future? Enrich alert data Use ML to detect security issues

  28. Q & A
