How the Phantom acquisition changed Splunk's approach to automation
- 28 October, 2019 15:30
The future is looking increasingly automated for the machine data cruncher Splunk, as customers look to ease the burden on analysts grappling with ever-higher alert volumes. Since acquiring Phantom in February last year, Splunk has been busy folding the startup's automation and orchestration expertise into its IT and security monitoring product portfolio.
Since then two of the Phantom cofounders – Oliver Friedrichs and Sourabh Satish – have taken on senior security roles at Splunk.
"The cofounders Oliver and Sourabh have been game changers for the company," Splunk CTO Tim Tully told Computerworld. "Oliver leads all product engineering across security in my team, Sourabh has become the chief architect for what we do in security."
Founded in Palo Alto, Phantom lets security and IT operations staff write custom playbooks that respond to common incidents, such as remotely wiping a laptop after it is reported lost.
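To make the "lost laptop" playbook concrete, the following is an added, constructed example of how a SOAR-style playbook runner handles such an event: enrich the event from an asset inventory, fire the low-risk actions automatically, and hold the destructive wipe until an analyst approves it. This is illustrative code written for this article, not Phantom's playbook API or Splunk's code; the connector names (idp, mdm), the event fields, the hostname and owner, and the approval gate are all assumptions.

```python
# Constructed example of a SOAR-style playbook runner. NOT Phantom's API:
# connector names, event fields and the approval mechanism are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Event:
    kind: str                  # e.g. "laptop_lost"
    fields: Dict[str, str]     # attributes from the reporting system


@dataclass
class Action:
    connector: str             # integration ("app") that runs it (assumed names)
    command: str
    params: Dict[str, str]
    destructive: bool = False  # destructive actions wait for human approval


@dataclass
class Result:
    executed: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


Connectors = Dict[str, Dict[str, Callable[[Dict[str, str]], str]]]


def lost_laptop_playbook(event: Event, asset_owner: Callable[[str], str]) -> List[Action]:
    """Enrich first, then respond. The wipe is marked destructive so the
    runner queues it for approval instead of firing it automatically."""
    host = event.fields["hostname"]
    owner = asset_owner(host)                         # enrichment step
    return [
        Action("idp", "revoke_sessions", {"user": owner}),
        Action("mdm", "lock_device", {"hostname": host}),
        Action("mdm", "wipe_device", {"hostname": host}, destructive=True),
    ]


def run_playbook(event: Event, playbook, connectors: Connectors,
                 approved: Set[str], asset_owner) -> Result:
    """Execute a playbook's actions, gating destructive ones on approval."""
    result = Result()
    for action in playbook(event, asset_owner):
        key = f"{action.connector}.{action.command}"
        if action.destructive and key not in approved:
            result.pending_approval.append(key)       # left for an analyst
            continue
        handler = connectors[action.connector][action.command]
        result.notes.append(handler(action.params))
        result.executed.append(key)
    return result


# Constructed mock connectors standing in for an identity provider and an MDM.
MOCK_CONNECTORS: Connectors = {
    "idp": {"revoke_sessions": lambda p: f"sessions revoked for {p['user']}"},
    "mdm": {
        "lock_device": lambda p: f"{p['hostname']} locked",
        "wipe_device": lambda p: f"{p['hostname']} wiped",
    },
}
MOCK_INVENTORY = {"LT-4471": "alice"}   # constructed asset-to-owner mapping
SAMPLE_EVENT = Event("laptop_lost", {"hostname": "LT-4471", "reported_by": "helpdesk"})


def respond(approved: Set[str] = frozenset()) -> Result:
    """Run the lost-laptop playbook against the constructed event."""
    return run_playbook(SAMPLE_EVENT, lost_laptop_playbook, MOCK_CONNECTORS,
                        set(approved), MOCK_INVENTORY.__getitem__)


if __name__ == "__main__":
    first = respond()                                # automated part only
    print("executed:", first.executed, "pending:", first.pending_approval)
    second = respond(approved={"mdm.wipe_device"})   # after analyst approval
    print("executed:", second.executed, "pending:", second.pending_approval)
```

The point of the gate is the one practitioners raise about automation: triage and containment (session revocation, device lock) are cheap to reverse and safe to automate, whereas a remote wipe is not, so the runner records it as pending rather than executing it on the first pass.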
As ESG senior principal analyst Jon Oltsik wrote for our sister publication CSO at the time: "While Splunk will still open adaptive response to others (Demisto, Resolve Systems, Siemplify, ServiceNow, Swimlane, etc.), Phantom will become its de facto process automation/orchestration glue. Look for Splunk to start to crowdsource adaptive response playbooks like it has done so successfully for dashboards."
This has since come to fruition with an active Slack community, open sourced Phantom apps on GitHub and community playbooks.
How Phantom slots in at Splunk
Spending a few days with Splunk in Las Vegas this week it quickly becomes clear why the vendor forked out a reported $350 million on Phantom: the two companies share a belief that orchestration and automation are key to security and IT professionals being able to work in a cloud world where scale and velocity demands are higher than ever.
As Phantom cofounder and now VP of security products at Splunk Oliver Friedrichs told Computerworld this week while attending Splunk's .conf event in Las Vegas: "Splunk brought us here because they want to listen to us and take our direction."
This became most apparent during the week with the beta release of Splunk Mission Control – which falls within Satish's remit – and the integration of Phantom into the Splunk mobile app, allowing customers to write and trigger playbooks on the move. Mission Control now brings together Splunk's Enterprise Security, user behaviour analytics and Phantom into a single space.
Culture-wise Friedrichs also said the combination of the two companies has been a nice fit. "It's a fun company, great people, doesn't take itself too seriously and is generally just a great environment," he said of his new parent company.
In terms of what he has learned in the last year and a half, Friedrichs talks a lot about scale. "That ability to take our product to many more customers and continue to grow as more and more people want to automate, Splunk really gets that message and the marketing and sales team really take it on," he said.
Friedrichs also says his team has benefited from Splunk's continued investment in machine learning, especially bringing it to bear for analysts to predict threats and offer smart recommended actions.
Pivoting to IT
Starting with security: as the volume of attack vectors proliferates, organisations increasingly need an automated response system, preferably with some smart AI baked in, and this is certainly the direction of travel for the Splunk security portfolio.
Speaking to the press during the .conf event in Las Vegas this week, Splunk CEO Doug Merritt said: "The vision for Phantom from the acquisition forward was to continue to lean in on the security orchestration, automation, response piece so they could evangelise and lead the industry with the portfolio."
The other priority for Merritt post-acquisition was to broaden the Phantom capabilities into IT use cases. The interesting part for the Phantom team has been learning how to adapt its automation and orchestration software for the IT user base that is the other half of Splunk's business.
"You know, it was very seamless," Friedrichs said. "Security, I would say, is more complex in some ways than IT use cases. With security you may have a very complicated playbook that has multiple levels of information gathering... In IT it's a lot simpler." He added that 70 of the 300 Phantom 'apps' are now relevant for IT use cases.
Under the covers
Splunk CTO Tim Tully explained how Splunk has so far gone about baking Phantom capabilities into the Splunk stack.
"Underneath the hood for both mobile and Mission Control is a cloud service called the Splunk Cloud Gateway," he explained. "That's a cloud platform that acts as a proxy service to facilitate communication between clients that are out there in the real world, whether they're desktop or mobile, it doesn't really matter, to broker communication with all kinds of assets like Enterprise Security."
Phantom and Splunk are also increasingly looking to the cloud. Friedrichs added: "As customers move more to be cloud first, ultimately you'll have Splunk in the cloud with Enterprise Security in the cloud SIEM product with Mission Control on the cloud with an automation service for that end to end pipeline. Then connecting to other third party cloud services as well during that investigation and response activity.
"You could conceivably have no on prem footprint at all in the future. But we have to be available and ready for both, so we're not stopping on premise, that will continue to see a lot of investment. It'll give our customers the option: cloud or no cloud, hybrid."
Case study: Bank of England
One customer that has taken the Phantom way of thinking on board is the UK central bank. The Bank of England is a longtime Splunk customer and used its analytics capabilities to underpin what it calls the SOC 2.0.
Now the bank is shifting towards the next iteration of its security operations centre – version 3.0 – around a lot of orchestration and automation principles it has picked up from Phantom.
Speaking to Computerworld in Las Vegas this week, the Bank of England's Jonathan Pagett said: "We started working with Phantom in the past year and that has changed how we think about things.
"When you think about your most costly areas within the SOC, it is effectively where your humans are. If you can automate your triage process and make that more efficient, that's obviously a good thing. Same with the orchestration side of incident response, if you can orchestrate some of those actions and stop people having to manually do those actions, then that's great."
Considering the price in today's market, Phantom is looking more and more like a snip for Splunk as it continues to drive automation and orchestration into its entire product portfolio.
The talent that came over as a result is now driving significant change, and customers are starting to rethink their operations accordingly.