Phen. He’s an orchestrator and more.

Phen is designed as, and operates as, an orchestrator. Phen works in conjunction with human administrators, computer security administrators, and security analysts, and replicates their work.

The volume of data requiring analysis is increasing. Phen processes data at computer speeds.

That data is syslog data, NetFlow data, packet bits for layer 7 analysis, and more.
It comes from 100Gbit network taps as well as multiple 1Gbit and 10Gbit data feeds.

CCG’s Phen strengthens administrator abilities. Phen operates in conjunction with system administrator staff.

The administrator staff is needed to ensure that required resources are in place and that required activities are taking place. All security systems, whether distributed or centralized, require support services and hardware. These systems also require analysts to investigate the behaviors and changes in the environment, as well as the detailed operations and activities of systems, devices, and the network as a whole.

Security systems need data. If the data isn’t flowing properly, the system administrator will adjust or apply a fix (delete data, etc.), but will not understand the implications of the event in the same way a security system does.

This raises additional questions:

  • Why did it fill up?
  • Did something start creating more data?
  • How long are we retaining data?
  • Is the retained data stored long enough for analysis?

The system/security administrator is enforcing a basic operational state of systems and devices. Administrators are required to keep immediate functionality working. They respond to, and are coordinated by, quick-check monitoring systems. They are trying to keep things quiet.

The system administrator is trying to maintain the state of the system. This means returning to a functional/operational state as quickly as possible after events such as:

  • Adding or removing users, or changing their access level
  • A process running or being stopped
  • CPU, memory, or other resources running high

The system/security administrator needs to be involved in any and all issues as they present themselves, but the administrator often works slower than is required to get back to a low-grade or fully operational state. The administrator must also perform a full, time-consuming, and often imperfect investigation into the system and document the events for correlation, in an effort to discover and prevent a hidden or larger problem. They need to discover the root of the problem. Humans take hours or even days to look through gigabytes of logs (application or system). The administrator must acquire telemetry data and look at terabytes of network activity, often requiring the input of the designated security analyst.

Now see Phen in action…