The cybersecurity industry is riddled with challenges like how to prevent breaches, mitigate alert fatigue, connect siloed tools, and measure the impact of security programs. Security automation is the only technology capable of addressing all of these challenges with a single technical solution. However, getting started with automating SecOps workflows may feel like a daunting task.
Swimlane has been helping organizations across the world build security automation functions for nearly a decade now. We’ve harnessed our collective lessons learned and built the Swimlane Automation Readiness and Maturity of Orchestrated Resources (ARMOR) framework. The framework includes a readiness assessment and a maturity matrix, which help security professionals identify a baseline of where their security organization stands in terms of maturity, measure their organization’s SecOps capabilities on a five-level scale, and provide a reference point to establish as the next target for maturing their teams.
- Level 1 – Foundational Visibility
- Level 2 – Enriched Visibility
- Level 3 – Automated Response
- Level 4 – Automated Prevention
- Level 5 – Advanced Automated Operations
Continue reading this blog post for a deep dive explanation of what it means to be in the foundational visibility level of the ARMOR framework.
Level 1 Explained: Foundational Visibility
In the “foundational visibility” phase, organizations are going through dynamic transformation. There is foundational work that needs to be done before teams can be successful with a security automation platform. Organizations in the foundational visibility stage tend to struggle with challenges like:
- Absent or frequently changing security strategies
- Difficulty filling open headcount
- Limited leadership support for effective SecOps programs
The ARMOR assessment is a 20-question online quiz designed to help organizations determine their security automation maturity level in accordance with the ARMOR framework. It concludes with a 30-minute consultative session that breaks down participants’ automation maturity into three categories: people, process and technology.
People in Foundational Visibility:
The cybersecurity talent gap exists at all ARMOR maturity levels, but it is most acutely felt at the foundational visibility level. At this level, security teams may not have a security operations center (SOC) function and likely lack the coding proficiency necessary to effectively utilize advanced Python-based tools such as traditional security orchestration, automation and response (SOAR). For quick wins, organizations in the foundational visibility phase should consider working with a managed detection and response (MDR) provider or managed security service provider (MSSP) in order to supplement their internal skills gap. For long-term solutions, organizations should continue to invest in learning and development programs for their teams to refine their technical proficiency.
Process in Foundational Visibility:
Organizations in the foundational visibility level may have begun documenting their current security processes, but are unlikely to have completed the documentation. At this phase, it’s important to establish and plan security automation priorities and key milestones. For example, think about the workflows that have the highest volume of low-fidelity alerts and manual steps. Organizations that take an iterative approach and apply an outcome-oriented mindset are able to achieve quick wins and faster time to value for security automation.
Technology in Foundational Visibility:
The first step to building the foundation for security automation is to consolidate security alerts, events, and logs in a central repository. At this phase, security telemetry consolidation may be inconsistent. Once organizations have the right people and process components in place, automation can be leveraged to help make the leap from foundational to enriched visibility. In the meantime, security teams should continue to consolidate visibility for greater security operations center (SOC) efficiencies.
Take the 5-Minute ARMOR Assessment
If you haven’t done so already, it’s time to participate in the ARMOR Assessment to gain valuable insight into the state of your cybersecurity ARMOR. You will also receive the option for a complimentary follow-up consultation with one of our engineers to delve deeper into these levels.
The Swimlane ARMOR Framework
SecOps teams who want to map their goals, tactics, and security automation use cases to industry standard frameworks like NIST, CMMC, CMMI or C2M2