ARMOR Level 2: Enriched Visibility

Enriched Visibility: Understand Level 2 of the ARMOR Assessment


In the world of cybersecurity, every manual task is a burden. Boosting security operations (SecOps) proficiency, strengthening security posture, and navigating complex cybersecurity technologies may appear impossible. At Swimlane, we recognize that organizations can’t improve what they can’t measure, so we sought to contribute to the solution by providing the guidance, structure, and best practices required to elevate any organization’s security automation journey. This led to the creation of Swimlane’s Automation Readiness and Maturity of Orchestrated Resources (ARMOR) framework.

A decade’s worth of insights, institutional knowledge, and exemplary practices of our most successful customers is what anchors the ARMOR framework. It consists of two main elements: a readiness assessment and a maturity matrix. The assessment asks a series of 20 questions to evaluate an organization’s SecOps maturity relative to the ARMOR matrix’s 5-level scale. Maturity levels are aligned to use cases such as insider threat, data loss prevention (DLP), fraud, application security, extended detection and response (XDR), and many others.

In an earlier post, we dove into the first phase of the automation maturity levels – ARMOR Level 1: Foundational Visibility. In this stage, organizations typically struggle to establish security strategies, fill headcount, and gain leadership support. We now turn our attention to exploring ARMOR Level 2: Enriched Visibility. Continue reading for an in-depth exploration of what it means for an organization to be at the enriched visibility level of the ARMOR Framework.

Understand ARMOR Level 2: Enriched Visibility 

In the “enriched visibility” phase, organizations have a good understanding of security architecture and its capabilities. At this level, an organization may have defined simple processes that enable it to take on automation in a larger capacity. While this phase has an established people, process, and technology foundation, security teams may still struggle with the following:

  • Ability to address security threats efficiently due to the absence of essential tools
  • Breadth and depth of skills required to manage security tools
  • Lack of SecOps visibility across the entire organization

When you take the ARMOR assessment online, it will determine the automation maturity level in accordance with the ARMOR framework. It concludes with a 30-minute consultative session that breaks down participants’ automation maturity into three categories: people, process and technology.

People in Enriched Visibility:

Organizations at the enriched visibility level have a solid grasp of SecOps tools and common automation use cases. However, teams may lack the proficiency to manage the security tools in their ecosystem, as well as automation skills, which at a more advanced level include scripting. To excel, SecOps teams should define a clear strategy for a robust skills development plan anchored on the goal of driving efficiency within their operations while staying effective in their work. This is where automation plays a pivotal role.

Process in Enriched Visibility:

Security workflow definition is always a work in progress. Organizations at this phase may have policies and procedures (incident handling, response & remediation, and governance & risk management) detailed, outlined, or even complete, but ensuring these align with business targets and objectives is difficult. For swift success, organizations should define a clear vision and strategy for next steps, establish well-defined roles and responsibilities for any individuals within the organization who will contribute to automation initiatives, and identify where automation can enhance team performance. Being pragmatic and realistic is also necessary for achieving automation success.

Technology in Enriched Visibility: 

Finally, let’s shift our focus to technology at the enriched visibility stage. Companies typically have centralized security logs, events, and alerts in order to reduce the need for switching between multiple dashboards. However, many organizations still lack comprehensive visibility into their security and risk posture beyond just the security operations center (SOC). To quickly progress, organizations should prioritize three key actions: adopt a security architecture framework to enhance team learning, develop telemetry for tracking SOC performance, and establish centralized SOC visibility across the entire organization.

Join us on this expedition of automation readiness as we continue to dissect the maturity levels that make up the Swimlane ARMOR Framework. If you haven’t already, take the opportunity to explore your cybersecurity preparedness through our ARMOR Assessment. Subsequently, one of our Swimlane engineers will reach out to arrange an optional and complimentary consultation to dive further into the assessment results.
