Automated security operations for managed security service providers (MSSP)
Running continuous monitoring and response for hundreds of customers around the world is challenging. A large managed security services provider (MSSP) with several 24/7 security operations centers (SOCs) located in North America, Europe, and Asia faced the common challenge of scaling to a growing number of customers with limited analyst headcount. With more customers came more security solutions and an ever-increasing number of alerts. They wanted to increase the productivity of the security team through orchestration and automation so staff could stay on top of alerts and keep their customers safe.
This became a reality through the implementation of the Swimlane platform. Swimlane’s leading security orchestration, automation and response (SOAR) solution helps this MSSP to scale and grow their business without adding headcount every time a new customer is onboarded.
This MSSP wanted a best-of-breed, standalone orchestration and response platform. Before choosing Swimlane, they used an in-house incident response tool, but it did not have the automation capabilities and flexibility they needed. Key requirements for their SOAR solution were:
- Highly scalable to support a large and growing number of customers
- Flexible to address myriad current and future use cases
- Must integrate with their existing systems, especially their analytics engine, via API
The goal for this MSSP was to have a single orchestration platform across their hundreds of customers to allow for the centralization of all incoming alerts. As their analysts worked across customers, they also needed the ability to automatically assign alerts based on the type or severity of alert versus assigning alerts based on the customer. Without a single, global instance, an analyst would have to log into each different environment, which does not scale. With Swimlane, this MSSP is now able to aggregate all alerts, automatically run workflows, then automatically assign and turn over cases to analysts only if needed.
This use of Swimlane provides several benefits:
- Most alerts do not need human intervention to be resolved, saving staff hours for higher value activities.
- Analysts do not have to be assigned set customers, allowing for better staff utilization.
- Analysts can specialize on specific types of alerts or investigations leading to higher efficiency and staff satisfaction.
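The routing model described above (a single global queue, an automated workflow that closes what needs no human, and assignment by alert type or severity rather than by customer, constrained by each analyst's RBAC scope) can be sketched in a few lines. This is an added illustration, not Swimlane code; the alerts, analyst names and access scopes are constructed for the example.

```python
# Constructed sample alerts from several MSSP customers (made-up data for this example).
ALERTS = [
    {"id": 1, "customer": "acme",    "type": "edr_malware",     "severity": "high",     "known_bad": True},
    {"id": 2, "customer": "globex",  "type": "edr_malware",     "severity": "low",      "known_bad": False},
    {"id": 3, "customer": "initech", "type": "cloud_misconfig", "severity": "medium",   "known_bad": None},
    {"id": 4, "customer": "acme",    "type": "cloud_misconfig", "severity": "critical", "known_bad": None},
    {"id": 5, "customer": "globex",  "type": "edr_malware",     "severity": "high",     "known_bad": True},
]

# Analyst groups are built around alert type (specialisation), not around customers.
GROUPS = {"edr_malware": ["ana", "bo"], "cloud_misconfig": ["cy", "dee"]}

# RBAC scope: which customers each analyst may see (hypothetical, assumed for the example).
ACCESS = {"ana": {"acme", "globex"}, "bo": {"globex"}, "cy": {"initech"}, "dee": {"acme", "initech"}}


def run_workflow(alert):
    """Automated step that runs before any human sees the alert: returns 'close' or 'escalate'."""
    if alert["type"] == "edr_malware" and alert["severity"] == "low" and not alert["known_bad"]:
        return "close"  # low severity and no malicious indicator: no analyst time needed
    return "escalate"


def pick_analyst(alert, rotations):
    """Round-robin inside the group for this alert type, skipping analysts whose RBAC
    scope excludes the customer. Critical alerts go to the first in-scope member."""
    candidates = [a for a in GROUPS[alert["type"]] if alert["customer"] in ACCESS.get(a, set())]
    if not candidates:
        return None  # nobody in scope: leave queued for a SOC lead to handle
    if alert["severity"] == "critical":
        return candidates[0]
    rot = rotations.get(alert["type"], 0)
    rotations[alert["type"]] = rot + 1
    return candidates[rot % len(candidates)]


def triage(alerts):
    """Map alert id -> ('closed', None) | ('assigned', analyst) | ('queued', None)."""
    rotations, out = {}, {}
    for alert in alerts:
        if run_workflow(alert) == "close":
            out[alert["id"]] = ("closed", None)
            continue
        who = pick_analyst(alert, rotations)
        out[alert["id"]] = ("queued", None) if who is None else ("assigned", who)
    return out
```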
As the MSSP was quickly growing, the importance of flexibility in their SOAR platform cannot be overstated. The SOAR solution needed to have features that, while not needed at present, may be needed in the future. Swimlane’s ability to dynamically assign analysts and groups of analysts makes managing growing SOCs much easier, and provides continuity if a SOC were to go down. For example, they highlighted the capability that automates putting analysts into groups and then assigns groups to customers.
Use cases were varied and the MSSP tested a few key use cases mainly around endpoint detection and response (EDR) and cloud workflow protection. But that was just to prove capabilities, as “the whole point of an orchestration platform is that it’s flexible and it can do any use case, ideally,” stated the Director of Security Products for the MSSP. Swimlane is known amongst MSSPs and large enterprise customers for the ability to go beyond typical SOAR use cases, covering everything from automated attack testing, to insider threats, to analyst onboarding/offboarding and many more. Use cases are virtually unlimited with Swimlane’s broad capabilities around orchestration and automation.
Strong API integration capabilities were the third key requirement. “With most SOAR platforms you can use the APIs, but you have to pull the alert straight into the orchestration tool,” explained the Director of Security Products. The Swimlane API gives this MSSP greater flexibility, supporting key workflow demands such as sending alerts from their Carbon Black EDR solution into their analytics tools and then forwarding them into Swimlane. Swimlane’s API also makes it easy “to pull data out of your security orchestration platform into our customer portal to show them a snapshot of what’s going on.” Swimlane supports hundreds of third-party tools and thousands of integrations. This capability is critical for MSSPs because they do not have the bandwidth to create and maintain API integrations themselves.
What About the Alternatives?
This MSSP evaluated six vendors: half were security-focused solutions and the other half were IT orchestration and automation solutions. While the IT orchestration and automation solutions had limited success in addressing the MSSP’s needs, two leading SOAR vendors, including Swimlane, made it to in-house testing. Swimlane came out on top.
Top reasons why Swimlane stood out as the best choice, according to the Director of Security Products, included:
- “The APIs were everywhere.” The Swimlane platform is completely API-enabled and thoroughly documented. This customer had been burned before by vendors saying they had APIs when the APIs did not work as expected. Seeing Swimlane’s APIs perform as expected was a key decision criterion and makes it easy for them to pull data into and out of the platform.
- The Swimlane platform demonstrated the scalability and flexibility they needed. Much of that was attributed to the fact that Swimlane’s CEO and other staff worked in SOCs and know how SOCs operate and function. While the other SOAR vendor had a security team, they were not security operations experts and “that kind of showed.”
- Swimlane’s granular role-based access controls (RBAC) were very important to this customer. Robust RBAC allows them to grant their global pool of analysts access to just the capabilities or customers necessary, reducing security risk.
- Polished, flexible dashboards make it easy to generate understandable at-a-glance metrics and reports.
- High Availability / Disaster Recovery architecture alleviates concerns around downtime.
- Swimlane is an independent SOAR platform, alleviating concerns about a focus on or bias towards a single vendor’s ecosystem.
Return on Investment
For an MSSP, it is critical to get a positive return on investment (ROI) when adding new tools. For this customer, adding Swimlane as their SOAR solution provided the necessary ROI through improved efficiency and effectiveness. “Forrester, the analyst firm, said it right,” the Director of Security Products stated. “The objective (with SOAR) is not to make more bad decisions faster. The objective is to make good decisions. You automate the simple stuff so that your analysts can focus on the more complex stuff.”