Skip to content

Phantom as a Case Management System

Using Phantom to Understand the Value of Thorough Security Case Management Over Business Metrics

Heard of Phantom? Here’s a Quick Primer.

Phantom is a platform that integrates your existing security technologies, and it’s now officially a part of Splunk. It allows you to automate tasks, orchestrate workflows, and support many SOC functions, like event and case management, collaboration, and reporting.

The Phantom Security Operations Platform supports six primary functions in the SOC to help your analysts work smarter, respond rapidly, and strengthen defenses:

  • Automation
  • Orchestration
  • Collaboration
  • Event management
  • Case management
  • Reporting and metrics

Want the full overview? Check out our recent blog, “Introduction to Phantom.”

Phantom as a Case Management System

Phantom comes with a fairly diverse range of capabilities, including case management, which allows you to track all different artifacts associated with a particular incident. Suppose, for instance, an alarm goes off indicating a new threat that needs to be examined. You can either manually open a use case, or, if you’ve already written up your automated playbook, Phantom will allow a second-level SOC analyst to communicate that the incident needs to be addressed, push a button, and gain a yes-or-no response from a third-level SOC analyst. From there, you’re able to issue approval and open up a case within Phantom. The case contains any and all information that has been gathered about the incident in question, and also allows you to add additional artifacts and data knowledge about the incident as it progresses.

It’s worth noting: although many customers have a good case management system, one of the top requests continues to be for linking Phantom to ticketing systems to manage the case within them as opposed to managing it within Phantom. This is most likely because ticketing systems are used by the business side of the house for metrics purposes to identify and address how well a ticket, or progress on an incident, is being addressed.

Decision makers wind up creating custom templates to address things like security incidents and track them with tickets, and the question becomes “How many tickets can I close?” Often times, managing the case is not about addressing the incident and understanding why it happened. If a ticketing system is based on a send box mechanism, it doesn’t lend much in terms of a post-incident or root cause analysis mechanism, and simply becomes a repository with info found from separate sources, whether manually put in, or semi-automated by trying to move as much of the data as possible through Phantom into the ticketing system.

Reexamining the Business Value of Proper Case Management Versus Metrics

Now, here’s the issue with focusing more on the metrics of a security incident rather than understanding the incident itself: there isn’t enough emphasis on using proper case management to actually address security incident responses.

Consequently, customers often end up playing whack-a-mole to try to close a case, when whack-a-mole won’t get you what you really need. Ultimately, it’s of far greater value to examine the details of the security incident and gather as much information about it as possible. It’s important to recognize that this approach doesn’t mean that security analysts don’t have any sense of urgency—it means that the security organization as a whole recognizes the need to be a lot more careful about how they go about addressing security incidents without having some sort of business metric-driven reason for their process.

The mantra for incident response has to be: “If we see this incident, and haven’t before, we want to identify, understand, modify and log it so that if it happens again, we can address it right away and share the information with other people so they’re not hit by the same problem.” Security becomes something more than a metric driven by a company’s own interest; something that’s more socially codependent, and ironically, will deliver greater business value in the long term, rather than simply trying to rush security processes for the sake of relatively arbitrary numbers.

“The mantra for incident response has to be: ‘If we see this incident, and haven’t before, we want to identify, understand, modify and log it so that if it happens again, we can address it right away and share the information with other people so they’re not hit by the same problem.’”:

Also, you can still do metrics in Phantom! It’s available. You just need to be accessible in a familiar way with top-level, business-driven folks who have become used to the notion that metrics are what drives the company’s assessment of how well it’s doing, rather than where security incidents are concerned. The fact that you can gather additional information regarding the incident, and put it all into one use case within Phantom, which allows you to use automated workflow and orchestration to correlate that information, is what makes it so powerful—and worth using as a case management system.

Want to know more about Phantom? We Can Help!

If you’re searching for ways to bring together your security team, tools and processes using a proven security operations platform, Phantom is definitely worth taking a closer look at—especially if comprehensive security case management is on your mind. We’re happy to show you how it can work within your SOC. Get in touch with us today, or call us at (301)-838-9470.