Increasing Capacity in the Security Operations Center

The current state of security operations is harried. Especially in light of recent events—wholesale work-from-home environments where new devices are introduced; attack surfaces are thus increased; new behavioral baselines must be established—security operations center (SOC) teams are overburdened. And it’s not as if SOC teams were sitting idly on the sidelines before. Staffing shortages, the proliferation of disparate technologies running in organizations’ environments, and the number of alerts that must be triaged every day all lead to a need for consolidation and simplification. As such, the security orchestration, automation, and response (SOAR) market has seen an increase in entrants.

Initially, SOAR was focused on automated aggregation of data and alerts for deployed technologies. Today, best-of-breed SOAR solutions are more robust and include capabilities for incident response and case management, leveraging features/functionality for context enrichment, threat scoring and/or prioritization, and automated implementation of workflows or playbooks. Though there are a dozen or so players competing in the SOAR space, each offers a certain skew that might be a better fit for certain SOC teams than others.

Eliminating expensive admin work

One such company is Swimlane, a six-year-old SOAR provider based in Denver, Colorado. Founded in 2014 by Cody Cornell, Swimlane was built to counter the inefficiencies Cornell saw firsthand when he was working in a SOC and later managing SOC teams. He explained during a recent conversation that, due to the number of disparate tools and conflicting processes required to manage each, he “couldn’t take people and use them well. My team was essentially doing expensive admin work.” Because that wasn’t the SOC’s function, he decided to develop technology that would operationalize everything his team was doing and “make SecOps more effective, complete with case management, integration, and ticketing.”

Cornell didn’t have plans to offer that technology outside of his then-company’s service organization, but as often happens in security, those initial designs became the foundation of Swimlane’s SOAR. Now a global company, Swimlane’s main value proposition, Cornell told us, is creating bandwidth for the SOC team and helping IT ops departments—not just SOC teams—operationalize and create efficiency. “Most other SOAR technologies focus on prioritization, but if you don’t have the capacity to act on prioritized risk, it’s still a risk.”

Creating bandwidth

The way Swimlane accomplishes this is by “shifting left,” or by looking at more data sooner, Cornell said. With over 1,300 integrations with third-party SIEMs, EDR, ticketing systems, threat intelligence tools, network monitoring tools, endpoint monitoring tools, and more, Swimlane integrates easily with any tech a company has deployed, and, as any good SOAR would do, aggregates and correlates data, then presents prioritized findings. With the company’s acquisition of Syncurity Corporation earlier in 2020, the platform now also allows customers to rapidly respond to incidents using pre-built workflows and implement end-to-end case management.

Deployed as either SaaS, a virtual machine, or on-premises, Swimlane allows for full scalability and high availability—something today’s businesses must have in any technology platform. All customers also have access to Swimlane’s 24×7 customer experience team, which can help new customers ramp up quickly and realize ROI faster. For established customers, the customer experience team provides ongoing support to help optimize and customize use, plus offers training and certifications. Customers can achieve the Swimlane Certified SOAR User, Swimlane Certified SOAR Administrator, or Swimlane Certified SOAR Developer certification.

Respond faster, more accurately

Though there are many commercially available SOAR platforms, Cornell says Swimlane differs in a few respects. First, he told us during our call, “No two organizations manage their SOC in the same way, so our solution has to be customizable and give customers the ability to respond faster, more accurately, to the outputs from their disparate tech stack.” With the company’s focus on workflows—connecting business process management to controls—Swimlane creates bandwidth for clients, going beyond the traditional prioritization of events and alerts. Second, he said, the company’s open API framework allows customers to quickly integrate any technology deployed in their environment and start seeing results in a short period. Last but not least, Swimlane’s strong focus on professional services is a big win for clients. While many platform providers include customer support, Swimlane goes above and beyond with 24×7 access and certification programs—helping clients improve their technical skills and gain valuable workplace experience.