Case Study
Background
The cybersecurity labor shortage is felt across the globe by every industry. The challenge is compounded by the sheer number of different tools in use, which burdens teams across the enterprise, not least security teams. By automating repetitive processes such as phishing and SIEM alert triage, Softcat lets its analysts spend their time on more critical work and, in return, retains that talent. Swimlane’s low-code security automation helped Softcat gain operational efficiencies and retain talent, which were key drivers for building out its cyber services offerings.
Key Challenges
No Company is Immune to the Cybersecurity Skills Shortage
Matt Helling, Softcat’s head of Cyber Services business, shares, “As clients continue to mature their cybersecurity practice internally, they are having to adopt more platforms. To manage these platforms they need more staff. To grow their staff, they need to find and recruit qualified people and then continuously nurture and develop them. It’s very difficult. We built our services to try and eradicate some of those issues, to essentially take the platform problem and people problem away from our customers and take it on ourselves.”
Softcat realized early on that the same cybersecurity labor shortage felt by its customers would affect it, too. Although its location in Marlow, just outside London, gives it good access to talent, that market is also hyper-competitive and expensive to hire in. To build out Softcat’s service offering, it needed to hire, train, develop, and retain a core group of security analysts to support its customers.
To keep this group of top, hard-to-recruit analysts engaged, Softcat needed to limit the amount of tedious alert management it asked them to do. Mundane or overly repetitive work is not a good use of a senior analyst’s time. The dilemma cannot be solved simply by passing manual alert triage to junior analysts, who are not yet skilled enough to handle high volumes of alerts. That is how threats get buried in noise and mistakes are made. Although 99.9% of alerts are very low risk, missing even a tiny fraction of the high-risk ones puts both Softcat and its customers in a vulnerable position.
Softcat knew that automation was the only way to truly solve this problem. It needed a robust automation platform that would take the manual labor of routing every alert off the staff and free their time for critical events and analytical work.
Managed service providers (MSPs) oversee multiple clients’ infrastructures, which leads to thousands, if not tens of thousands, of incoming alerts that all need some level of action. Without automation, a human has to investigate each alert and move from platform to platform to close a ticket. At that volume, it is inevitable that something critical will be missed.
Analysts also burn out on monotonous work, such as constantly triaging low-fidelity alerts. They did not become forensic or security analysts to sit and close tickets all day. They would rather do strategic work, and because their skills are in high demand it is not hard for them to find opportunities elsewhere to grow, develop, and build out those skills.
SOLUTION
Why Swimlane
Benefits:
- Retain talented security professionals
- Reduce risk through more consistent response
- Greater visibility across disparate systems
- Immediate savings of 4 staff
- Improved customer experience
- Enable rapid services scaling
“As we saw more customers wanting to come onboard, we knew that we had to bring automation in,” stated Helling. “We actually ended up expediting our automation capabilities 12 months early in our planning because of the volume of customers we were onboarding.”
Justifying the value of automation to internal stakeholders at Softcat was straightforward and quick. In their analysis, they looked at the number of customers coming onboard and the projected volume of alerts and tickets that were likely to get generated. They knew that without automation they would need to hire several more people in order to cover that volume of data. Understanding the cost of acquiring and training new talent, it quickly became obvious that investing in automation was the easiest, fastest, and most cost-effective way to grow the business.
In its search for an automation solution, Softcat first defined which use cases to focus on in order to save the team the most time without compromising the level of service Softcat provides its customers. Once the priority use cases were defined, it sent an RFP to five vendors to learn how each would meet its requirements. Softcat narrowed the vendors’ responses down to three finalists, from which Swimlane was ultimately chosen.
Many Security Orchestration, Automation and Response (SOAR) vendors tout their out-of-the-box content and playbooks. While Swimlane’s low-code automation platform offers these capabilities too, Swimlane stood out to Helling because of its strong automation engine. Its workflow- and technology-agnostic approach means customers can customize use cases to fit their particular environments. “With Swimlane, we didn’t have to try and fit our outcome into a preconceived box that had already been developed. Swimlane allowed us to build something that worked for us and how we operate,” said Helling.
Another related capability that stood out about Swimlane’s platform when compared to other SOAR vendors was the ability for Swimlane to automate processes beyond the security operations center (SOC). Softcat found that other platforms were focused solely on security use cases. “What we like about Swimlane is the fact that it also allows our internal IT department to automate certain processes like JMLs (joiners, movers, leavers). Additionally, we have other services within the business that are interested in how they can utilize the platform.”
RESULTS
Quick Wins with Automation
When employees enter a password incorrectly too many times, their account is locked out. As innocent as this is, it was the first use case Softcat chose to solve because it generated thousands of tickets each month. Each ticket took an analyst between three and eight minutes to resolve, while the employee remained locked out and unproductive.
At an average of five and a half minutes per ticket, this low-risk use case alone would have demanded either more headcount or automation. After the quick win of automating it, Softcat built out additional use cases covering a variety of areas, such as custom reporting.
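The account-lockout use case above is the classic first automation target, but unlocking accounts blindly is how an automation platform can hide a password-spraying attack behind a flood of "innocent" tickets. The following is an added example, not Swimlane's or Softcat's code, of the triage rule a practitioner would want in front of an auto-unlock step: lockout events are modelled on Windows Security event 4740 (user, caller computer, time), the known-host map is assumed to come from an asset inventory, and the thresholds are hypothetical values to tune per environment. The rule auto-unlocks only an ordinary self-inflicted lockout and escalates anything that looks like guessing.

```python
"""Added example (not Swimlane's or Softcat's code): a triage rule for the
account-lockout use case. Hypothetical model of Windows event 4740 fields and
hypothetical thresholds; tune both to the real environment."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutEvent:
    user: str
    caller_computer: str  # host that submitted the bad passwords (4740 "Caller Computer Name")
    time: datetime


# Hypothetical thresholds.
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_DISTINCT_USERS = 3  # this many accounts locked from one host in the window -> escalate
REPEAT_LOCKOUTS = 3       # this many lockouts of one account in the window -> escalate


def triage_lockout(event, history, known_hosts):
    """Return 'auto_unlock' or 'escalate' for one new lockout event.

    history: earlier LockoutEvents (any order).
    known_hosts: mapping user -> set of hosts the user normally logs in from
    (assumed to come from an asset inventory)."""
    window_start = event.time - SPRAY_WINDOW
    recent = [e for e in history if window_start <= e.time <= event.time]

    # 1. One host locking out several accounts in a short window looks like a spray.
    users_from_host = {e.user for e in recent if e.caller_computer == event.caller_computer}
    users_from_host.add(event.user)
    if len(users_from_host) >= SPRAY_DISTINCT_USERS:
        return "escalate"

    # 2. The same account locked repeatedly: not a typo, something keeps retrying.
    repeats = sum(1 for e in recent if e.user == event.user) + 1
    if repeats >= REPEAT_LOCKOUTS:
        return "escalate"

    # 3. Lockout from a host the user never uses: possible credential guessing.
    if event.caller_computer not in known_hosts.get(event.user, set()):
        return "escalate"

    return "auto_unlock"


def triage_all(events, known_hosts):
    """Process events in time order; return [(user, decision), ...]."""
    decisions = []
    history = []
    for ev in sorted(events, key=lambda e: e.time):
        decisions.append((ev.user, triage_lockout(ev, history, known_hosts)))
        history.append(ev)
    return decisions


# Constructed sample data (not real events).
T = datetime(2024, 1, 1, 9, 0)
KNOWN_HOSTS = {
    "alice": {"WS-ALICE"},
    "bob": {"WS-BOB"},
    "carol": {"WS-CAROL"},
    "dave": {"WS-DAVE", "JUMP-01"},
}
SAMPLE_EVENTS = [
    LockoutEvent("alice", "WS-ALICE", T),                        # typo on her own workstation
    LockoutEvent("bob", "JUMP-01", T + timedelta(minutes=1)),    # bob never uses JUMP-01
    LockoutEvent("carol", "JUMP-01", T + timedelta(minutes=2)),  # nor does carol
    LockoutEvent("dave", "JUMP-01", T + timedelta(minutes=3)),   # dave does, but JUMP-01 is now spraying
    LockoutEvent("alice", "WS-ALICE", T + timedelta(minutes=4)), # second typo, still benign
    LockoutEvent("alice", "WS-ALICE", T + timedelta(minutes=5)), # third in the window: something is retrying
]

if __name__ == "__main__":
    for user, decision in triage_all(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"{user:6} -> {decision}")
```

Run stand-alone, the sample yields one auto-unlock for the first two of alice's lockouts and escalations for everything else, including dave, whose lockout is individually plausible but arrives from a host that has just locked out two other accounts. In a SOAR playbook the "escalate" branch would open an analyst task instead of calling the directory's unlock action.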
30% Growth in Customer Acquisition: Demonstrating return on investment (ROI) on technology spend is critical, and Swimlane makes ROI easy to track through intuitive dashboards and reporting. One of the biggest impacts noted by Softcat is on the cost of adding each new customer. So far, Softcat has automated 14 use cases on Swimlane’s platform, enabling it to onboard 30% more customers with no increase in headcount, and the team still has bandwidth to grow capacity beyond this.
System of Record for Security: A major benefit of Swimlane’s integrations with the other solutions in Softcat’s environment is that analysts can use Swimlane as their primary interface to those solutions. When Softcat deployed a new SIEM after implementing Swimlane, it realized early on that integrating the SIEM through Swimlane would be much easier than trying to train people on yet another platform.
Retain and Grow Security Talent: Swimlane has also allowed Softcat to invest in and promote their staff. The level-one analysts they brought in originally to handle the high volume of alerts have now had their time freed up. This has allowed Softcat to further train and develop these analysts and promote them into more senior positions. As Helling pointed out, “This investment in our people allows us to retain those people.”