Using Phantom to Understand the Value of Thorough Security Case Management Over Business Metrics...
Introduction to Phantom
How Phantom Can Increase Your Security Posture
Introducing: Phantom. What Is It, and What Does It Do?
Phantom, now officially a part of Splunk, is a platform that integrates your existing security technologies, allowing you to automate tasks, orchestrate workflows, and support a broad range of SOC functions, including event and case management, collaboration, and reporting.
It’s a tool intended primarily for deployment in security operations centers (SOCs) and network operations centers (NOCs), where it lets security and compliance teams identify threats and act on them quickly and appropriately. Traditionally, threats arriving at a SOC are handled by three tiers of analysts. Level 1 SOC personnel triage each alert: they decide whether it is something they can resolve immediately, queue it in a holding location, or hand it to the next tier. Level 2 SOC personnel analyze the threat and perform further testing. From there, a threat can be passed to Level 3, who review and approve the actions taken by Level 2 and either confirm it as a genuine threat and remediate it, or sandbox it until the appropriate response has been determined.
The Phantom Security Operations Platform supports six primary functions in the SOC to help your analysts work smarter, respond rapidly, and strengthen defenses:
- Automation
- Orchestration
- Collaboration
- Event management
- Case management
- Reporting and metrics
How Does Phantom Solve Security Challenges?
It’s important to note that, unlike Splunk, Phantom is not a data-search application. It does import and collect data and events, however, and exposes them to the automation and orchestration features of the platform.
You can consider Splunk and Phantom complementary. Splunk has the Enterprise Security (ES) module, which overlaps with some of the functionality Phantom provides, but Phantom is much more clearly focused on event analysis. Splunk can collect event data that Phantom then uses to decide whether incoming data should be classified as a threat or needs further analysis.
Phantom can link to external sources such as threat intelligence databases, known antivirus signature databases, and other ancillary security tools that collect data about digital threats, and it does so far more efficiently than comparable software. It achieves this through pre-built apps that let you query and leverage the available security tools and repositories, orchestrate workflows, and make security determinations automatically.
- Repetitive tasks are automated to force multiply your team’s efforts and better focus your attention on mission-critical decisions.
- Dwell times are reduced with automated detection and investigation, as are response times, thanks to playbooks that execute at machine speed.
- Your existing security infrastructure is integrated so that each part is actively participating in your defense strategy.
Unique Features of Phantom Worth Noting
Phantom normalizes all data in the same way that Splunk does, using a common information model known as the Common Event Format (CEF).
Additionally, there are two variations of Phantom today: a free community edition (CE), which is limited in the number of daily actions permitted, and a fully licensed enterprise version, which includes customer support. Both Phantom-written and community-written apps will work with either version, but the latter must be submitted to Phantom and pass their validation process to be considered fully supported.
Finally, Phantom stands out because of how workflow orchestrations are implemented through visual playbooks. If you’re familiar with a playbook in Ansible, for example, the concept is similar: a playbook consists of all the asset data and metadata and defines the process by which decisions and actions are applied from the time the data is ingested and an incident is opened until the incident is closed. Starting with Version 3, Phantom provides a Visual Studio-like mechanism for creating icons that define either partial or complete workflows, orchestrating the decisions and actions needed to address a general or particular threat. Previously, this all had to be done manually in Python; manual customization of visual playbooks is still possible. Integrated case management and support for managed security service providers (MSSPs) through the multi-tenancy feature make Phantom the leading security operations platform in the market today.
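To make the CEF normalization concrete, and to show how normalized severity can drive the tiered SOC routing described earlier (Level 1 triage, Level 2 analysis), here is an added example: a small CEF parser plus a severity-based triage step. It is not Phantom's parser or playbook API, and the sample events, the severity thresholds, and the numeric values assigned to textual severities (Low, Medium, High, Very-High) are assumptions made for illustration.

```python
"""Parse Common Event Format (CEF) lines into normalized events and route them
by severity. Constructed example, not Phantom's own parser or playbook API."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Seven pipe-delimited header fields precede the free-form extension.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Extension is key=value pairs; values may contain spaces, so a value ends only
# where the next "key=" begins or the string ends. "\=" and "\\" are escapes.
EXT_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_]+=|\s*$)")

# CEF allows a textual severity in place of 0-10; numeric stand-ins are an assumption.
SEVERITY_WORDS = {"low": 2, "medium": 5, "high": 8, "very-high": 10}


@dataclass
class CefEvent:
    header: Dict[str, str]
    extension: Dict[str, str]
    severity: int  # normalized to 0..10


def split_header(line: str) -> Tuple[List[str], str]:
    """Split the 7 header fields on unescaped '|', honouring '\\|' and '\\\\'."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: keep the next one literally
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF line needs 7 pipe-delimited header fields")
    return fields, line[i:]          # remainder after the 7th pipe is the extension


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn the extension into a dict, unescaping '\\=', '\\\\', '\\n' and '\\r'."""
    out: Dict[str, str] = {}
    for m in EXT_RE.finditer(ext):
        raw = m.group("val")
        val = re.sub(r"\\(.)",
                     lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
        out[m.group("key")] = val
    return out


def normalize_severity(raw: str) -> int:
    """Accept 0-10 or the textual forms the CEF spec permits; reject anything else."""
    s = raw.strip()
    if s.isdigit():
        n = int(s)
        if 0 <= n <= 10:
            return n
        raise ValueError(f"severity out of range: {s}")
    if s.lower() in SEVERITY_WORDS:
        return SEVERITY_WORDS[s.lower()]
    raise ValueError(f"unknown severity: {raw}")


def parse_cef(line: str) -> CefEvent:
    fields, ext = split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    header = dict(zip(HEADER_FIELDS, fields))
    header["cef_version"] = fields[0][4:]
    return CefEvent(header=header, extension=parse_extension(ext),
                    severity=normalize_severity(fields[6]))


def triage(event: CefEvent) -> str:
    """Tiered routing in the spirit of the article's SOC model (thresholds assumed)."""
    if event.severity >= 7:
        return "level2"       # hand to a Level 2 analyst for investigation
    if event.severity >= 4:
        return "queue"        # Level 1 holds it for later review
    return "auto_close"       # low severity: close automatically, keep the record


# Constructed sample events (not real telemetry). Note the escaped '|' and '='.
SAMPLE_LINES = [
    "CEF:0|Acme|Firewall|1.0|100|Blocked outbound connection|7|src=10.0.0.5 dst=203.0.113.9 dpt=4444 msg=Policy deny\\= rule 12",
    "CEF:0|Acme|EDR|2.3|malware-detect|Suspicious binary \\| quarantined|High|suser=jdoe fname=invoice.exe act=quarantine",
    "CEF:0|Acme|Proxy|4.1|200|Allowed web request|Low|src=10.0.0.8 request=http://example.com/index.html",
]


def triage_samples() -> Dict[str, str]:
    """Map each sample's signature_id to its routing decision."""
    return {e.header["signature_id"]: triage(e) for e in map(parse_cef, SAMPLE_LINES)}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_cef(line)
        print(ev.header["name"], ev.severity, triage(ev), ev.extension)
```

The parser deliberately rejects malformed headers and unknown severities rather than guessing, so a misconfigured log source surfaces as a parse error instead of silently being auto-closed; that is the failure mode a normalization layer most needs to guard against.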
Interested in Phantom? Let’s Talk.
If you’re looking to integrate your security team, processes and tools together using a proven security operations platform, Phantom may be an option worth evaluating. We can help you understand how it could work in your SOC. Reach out to us today, or call us at (301)-838-9470.