A Deep Dive into ARMOR Level 3: Automated Response


At Swimlane, “armor” takes on a distinct meaning. It represents Automation Readiness and Maturity of Orchestrated Resources (ARMOR). In today’s age of cybersecurity warfare, ARMOR security is the only way to go up against the ever-evolving cybersecurity threat landscape. Although the industry has many threat detection and incident response (TDIR) centric maturity models, it lacked a model for security automation.

Our continuous pursuit of improvement and commitment to being a proactive part of the solution inspired the creation of the Swimlane ARMOR Framework. Built on customer insights and institutional knowledge, the ARMOR Framework contains two fundamental elements: a readiness assessment and a maturity matrix. Both elements leverage a five-level scale to examine security automation maturity.

  • Level 1 – Foundational Visibility 
  • Level 2 – Enriched Visibility 
  • Level 3 – Automated Response 
  • Level 4 – Automated Prevention
  • Level 5 – Advanced Automated Operations 

In previous posts, we dissected the first two ARMOR maturity levels – Level 1: Foundational Visibility and Level 2: Enriched Visibility. At the foundational visibility stage, organizations may struggle to establish security strategies, fill headcount, and gain leadership support. As they mature, organizations in the enriched visibility stage struggle with efficiently addressing security threats, a shortage of team expertise for advanced security tools, and siloed SecOps visibility.

Now that you have a broad understanding of the first two ARMOR levels, let’s shift our focus to examine ARMOR Level 3: Automated Response. Keep reading for an in-depth overview of what it means for an organization to operate at the automated response stage within the ARMOR Framework.

ARMOR Level 3 Unveiled: Automated Response 

In the “Automated Response” phase, organizations demonstrate a high level of maturity in their security practices. Most security processes are well-defined and leverage automation where it’s possible. SecOps teams operating at this level possess mid-level coding skills and exhibit a good ability to consolidate security logs, events, and alerts. 

Organizations in this phase are strongly prepared for automation success, as they demonstrate a deep comprehension of their security architecture, clearly defined security objectives, and profound alignment with executive-level management’s expectations. Despite establishing strong groundwork in people, process, and technology, organizations at this stage may still be challenged with: 

  • Achieving an automation-first approach company-wide
  • Lack of advanced level coding skills across the entire SecOps team
  • Achieving a robust ability to fully consolidate logs, events, and alerts

The ARMOR assessment is a 20-question online quiz, strategically crafted to assist organizations in gauging their security automation maturity within the ARMOR Framework. Following the assessment, participants benefit from a 30-minute, no-strings-attached consultation session, where their automation maturity is dissected into three essential categories: people, processes, and technology.

People in Automated Response:

Organizations at the automated response level demonstrate advanced proficiency in existing security tools. They also have a comprehensive understanding of the SecOps automation platform, architecture, and capabilities relevant to common use cases. The SecOps team at this level possesses scripting skills that can be paired with low-code automation technology to generate successful outcomes. Organizations at this level place an emphasis on ensuring their team’s skills are assessed and developed based on their business needs.

Process in Automated Response:

Achieving a robust workflow process while simultaneously aligning it with company-wide goals is never easy. We applaud organizations at the automated response phase because they have meticulously documented current security processes, ensuring thoroughness and alignment with organizational objectives. Similar organizations that have found themselves at this level have successfully achieved next-level automation advancements that continue to align with company goals. It’s imperative to allocate time and resources to the development of new processes. Doing this helps to expedite progress towards the next phase of automation readiness (automated prevention), improve operational efficiency, and establish clear and strong verification and measurement procedures.

Technology in Automated Response:

Now, let’s delve into technology at the automated response level. In this phase, partially automated use cases and alert responses are deployed. Alongside this is the centralization of security logs, events, and alerts, offering holistic visibility across the entire organization. Context enrichment through event correlation is clear at this level, automating time-consuming processes and freeing up valuable resource time for SOC SecOps teams. For quick victories, the next step involves constructing automation logic to seamlessly connect the enriched alert triggers with the appropriate remediation actions.

If you haven’t done so already, we invite you to join us on our automation readiness journey as we explore the various maturity levels that make up the Swimlane ARMOR Framework. By participating in the ARMOR Assessment, you can acquire valuable insights into the current state of your organization’s cybersecurity readiness. And as we mentioned earlier, participating organizations have the opportunity to benefit from a complimentary follow-up consultation with one of our engineers, allowing for a deeper dive into the assessment results.
