In addition to Mission Control, which integrates Splunk’s SIEM, UEBA and SOAR within a single pane of glass, the 6.4 release of the Phantom SOAR  adds a mobile app and changes pricing to be by analyst rather than by event.

LAS VEGAS – At Splunk’s .conf19 user event here, the company launched Splunk Mission Control to unify the solutions within their Security Operations Suite. Splunk Mission Control integrates the Splunk Enterprise Security SIEM, Splunk Phantom SOAR and Splunk UBA UEBA products into a single pane of glass experience which the company says will make SOC analysts’ lives easier and save them lots of time.

One of these products, Phantom, is a relative newcomer to Splunk, whose acquisition closed in April 2018.. Customers had been trying to get the other products to work together before that, however.

“There were some natural integrations between the SIEM, the analytics and the UBA, but it was still not as simple as it sounds because of the data passing from one platform to another, and the multiple browsers,” said Oliver Friedrichs, VP of Security Products at Splunk, who had been the founder and CEO of Phantom before its acquisition. The Phantom acquisition complicated do-it-yourself efforts further, and made an integration by Splunk a high priority.

“With the Mission Control integration, we focused on the user experience,” Friedrichs said. “The priority was getting rid of the four separate browsers and giving the SOC analysts a single place to do case management, without having to flip around.

“There is now a single presentation layer – the work surface – where the analyst can work from detection through to closure in one place,” Friedrichs added. “Something that could have taken 60 minutes before, you can now do in five minutes. It eliminates the swivel chair syndrome, and makes the analysts much more productive than before.”

Friedrich said that this is particularly the case in hybrid environments.

“Because Mission Control is in the cloud, it has the ability to connect to on-prem Splunk, and hit all those instances securely,” he stated. “That’s very useful in any federated situation. In addition, we have now baked Phantom into Mission Control so it will be available as a cloud-delivered service when it goes GA in late Q1.”

In addition to Mission Control, Splunk announced the 4.6 version of Splunk Phantom at the event.

“The coolest thing is the mobile app, which automates repetitive tasks and allows an analyst to easily respond to major threats,” Friedrichs said. During the keynote presentation on Wednesday that introduced the new capability, a video was shown contrasting a beleaguered analyst behind increasing walls of monitors with another tech, who simply resolved his issue on his phone in a fraction of the time. It was well received by the audience.

“We also added the ability to scale Phantom automation on AWS, elasticity support, and the ability to monitor Phantom with our IT Service Intelligence,” Friedrichs added.

Splunk Phantom 4.6 also open sourced the 300 plus Phantom apps.

“By open sourcing those apps, we enable users to customize them, share updates, and extend the ecosystem,” Friedrichs indicated. “We posted them on GitHub under the Apache 2.0 license, so they are essentially free. Customers and users really want this and this will encourage its adoption.

Pricing for Phantom has changed as well.

“It’s now based on analyst seats,” Friedrichs said. “Before, it was based on the number of events processed. The problem with that was we that were basically charging customers for automation. Now five analysts can do an unlimited number of events a day. We aren’t charging them more for processing more events. This is another thing that will help encourage the adoption of SOAR.”

Splunk Mission Control is in beta for early access customers, with general availability scheduled for late in the first quarter of 2020. Splunk Phantom 6.4 is available now.