Phen. He’s an orchestrator and more.

Phen is being designed as, and currently operates as, an orchestrator. Phen works alongside human system administrators, computer security administrators, and/or security analysts, and replicates their work.

The volume of data to analyze is increasing. Phen is there, processing data at computer speeds.

It’s syslog data, netflow data, packet bits for layer 7 analysis, etc.
It’s 100Gbit network taps, as well as multiple 1Gbit and 10Gbit data feeds…

CCG provides Phen to help strengthen administrator abilities. Phen operates in conjunction with these folks.

The admin is needed to ensure required resources and activities are in place and happening. All these security systems (whether dispersed or centralized) require support services and hardware. They also require analysts to investigate environment behaviors and changes, as well as the detailed operations and activities of systems, devices, and the network.

Security systems need data. If the data isn’t flowing properly (a disk fills up, for example), the sys admin will go adjust or apply some fix (delete data, etc.) but will not understand the implications of the event the way a security administrator would. The security administrator asks additional questions:

1. Why did it fill up?
2. Did something start creating more data?
3. How long are we retaining data?
4. Is that long enough for the analyst and the analytical systems?

The system admin is enforcing a basic operational state of systems and devices. They are required to keep immediate functionality working. They respond to, and are coordinated by, quick-check monitoring systems, and they are trying to keep those systems quiet.

The system admin is trying to maintain a state of the system. This means getting back to a functional / operational state as quickly as possible when things like these happen:

1. Users are added or removed, or their access level changes
2. A process starts running or is stopped
3. CPU, memory, or another resource runs high

The security administrator should be involved in all of these issues, often working more slowly than the system administrator would like, since the system administrator wants to get back to an operational or fully operational state. The security admin should be investigating. They will want to document the events for correlation, because the events may indicate a larger or hidden problem. They need to look into the reasons the changes happened. Humans will take hours to days to look through gigabytes of logs (application or system). They need to get telemetry data and look at terabytes of network activity. This work also now reaches up and out to the security analyst.

Now see Phen in action…