At Swimlane, Security Analysts Are Creative Thinkers
Improvise, adapt and overcome.
That’s what the United States Marine Corps taught Michael Lyborg, and it’s a mantra that still drives him today. At automated security operations platform Swimlane, where he serves as senior vice president of global security and enterprise IT, Lyborg gets the job done using all the tools at his disposal.
“If you’re part of a security organization, whether it’s human or physical or information or cyber, it doesn’t really matter,” he said. “You’re going to be given a budget. You’re going to be given tools to succeed, hopefully. But you can’t just say, ‘Well, I don’t have this tool, so that’s it.’”
In the field of modern cybersecurity, where Swimlane has emerged as a leader in cloud-based low-code security automation, creativity is key. Phishing emails and malware remain common and can still devastate an organization if not intercepted or contained, but cybercriminals find new methods of attack all the time, meaning security teams must stay vigilant and ready to tackle potential threats from every angle.
Augmenting the traditional security orchestration, automation and response (SOAR) and extended detection and response (XDR) solutions that security analysts use to face these challenges, Swimlane is distinguished by its focus on automation beyond the security operations center (SOC), where information security has historically been concentrated. Instead, Swimlane’s low-code platform — so called because it uses visual interfaces with drag-and-drop capabilities and basic logic rather than relying on complex programming languages — serves as the system of record across an entire security organization, allowing anyone within that organization to play a key role in responding to threats.
“I take more of a sledgehammer approach, but we need scalpels as well,” said Lyborg.
That’s where security automation architects Nick Tausek and Josh Rickard come in. Part of Swimlane’s cross-functional research team, both also work in the “DeepDive” division that follows emerging trends in the security space, working to address new potential challenges and threats as they arise.
“There’s never going to be a time when every security tool you have has every feature you need, and it’s perfect,” Tausek said. “You’re always going to be working around gaps. You’re always going to be trying to find ways to improve your organization’s security posture.”
That word, “improve,” is another guiding tenet at Swimlane. By automating workflows and use cases that have historically been time-consuming and labor-intensive, the company aims to free up security analysts’ time and reduce the security alert fatigue that’s long plagued its industry — and that has been especially vexing amid a growing skilled labor shortage.
Below, Lyborg, Tausek, and Rickard discuss their experiences in security and the need for companies to combat security team fatigue by turning to low-code automation.
As I understand it, low-code security automation harnesses the knowledge of an entire security organization to centralize operational data as a system of record. Why is this your preferred approach at Swimlane?
Josh Rickard: Our competitors use no-code and low-code terminology, but we’re truly low-code in that we have dedicated integrations with 300+ security products. We provide building blocks through which a client can build up automation based on their business processes. We try not to force anyone into a box they’re not comfortable with, but our solution builds playbooks and workflows around automating traditional, security-related processes, whether that’s defending against phishing or taking the business logic behind a workflow — perhaps you need to contact someone, speak to another department or get approval — and adding in steps around that instead of just providing automation you never look at. It’s a design with which you could do that, but we’re more about making analysts’ jobs more proficient and providing feedback without them just being blind robots. We give them feedback, and they can feed that information back into their processes. In general, any condition or action that you want to perform, or any decision point that you want to make, you can automate with Swimlane.
Michael Lyborg: If you have no-code, you’ll be constrained to doing it in a systematic way or process that has often been predefined. You may be able to tweak and tune certain aspects of it, but the sweet spot in the market, especially in orchestration and automation, is low-code, so you also have the ability to provide a customizable UI. Swimlane has an extensible, contextual application builder that allows you to move, drag and drop fields and values you want to see. What’s important to the analyst is the user experience.
Nick Tausek: The key portion of low-code is having those building blocks plus the flexibility to do whatever you need to do in your custom environment. Everybody’s environment is different. There’s no one-size-fits-all solution to security. There’s no one-size-fits-all solution to automation. And there’s certainly no one-size-fits-all solution to security automation. You’re always going to need to build out different processes and take the stakeholders’ needs into account. Low-code combines flexibility with that pre-built content.
In the face of modern cybercrimes such as phishing schemes, which continually find new methods of attack, even the best security teams risk being overwhelmed and are frequently overtasked, which in turn prevents them from bringing the full measure of their knowledge to more strategic initiatives. How does Swimlane address the fatigue this brings about?
Tausek: I was a SOC analyst for eight years before I came to Swimlane. I worked for a couple of governmental organizations, then for a managed security service provider (MSSP). And the amount of tools, expertise, and knowledge that analysts are not just expected but required to have to be able to do their jobs — without utilizing some kind of automation platform or centralized aggregation platform that allows you to actually perform incident response as well — is immense. Without a product like Swimlane, you still have to facilitate all the ingestion, research and enrichment you have to do on your alerts in addition to then pivoting and keeping track of metrics, actually performing that Incident Response (IR) action and also engaging external stakeholders if you have a department that you need to get ahold of or IT needs to do some kind of remediation on a system. In addition to the business processes, there’s also a huge amount of technology knowledge that people have to have, and it’s ever-evolving.
Working for an MSSP, sometimes we’d get a new customer, and it’s like, “Alright, everyone: learn QRadar, or another enterprise security information and event management (SIEM) product. We’ve got a week until this customer onboards and asks for their QRadar instance. We don’t have one? Do your best.” That’s the norm. You’re constantly behind and trying to catch up. Once you can take all these business, human and incident response processes, and turn them into a simple interface where an analyst can log in, see what cases are assigned to them, look at those cases, make human determinations based on available evidence, have metrics tracked automatically, take notes, engage external stakeholders — and to do all that from one page instead of 15 pages, it’s not just about saving time. The amount of things that the analyst has to know how to do on day one when they get into the job is cut into a very small fraction of what it would have been.
Rickard: I previously worked in higher education, and there were five security analysts for 18,000 staff and 40,000+ students. You couldn’t even keep up with what you had to get done, let alone improve your defenses against your critical data. You were completely overwhelmed by the amount of alerts. Even just the amount of data coming through your network was quite large. If, back then, we’d had an automation tool, we would have been able to have five staff. Without that, people were burned out and working 12-hour days. Automation helps burnout; it augments people without replacing them. It gives analysts more to do besides point and click. If you’re just sitting at a computer doing the same thing over and over, like an assembly-line worker, it gets really taxing. We’re tinkerers by nature, and we’re hackers. We like to understand how things work. When you have a mundane job, it burns you out quickly. Those point-and-click processes can be automated, and at least through that process you’re engaging people who are creative thinkers.
Lyborg: I’ve been with Swimlane for almost five years. Previously, I worked for the U.S. government, then built a SOC for a private company. That was very structured. We were almost all-code; everything was PowerShell or Bash. One person in that organization, if something broke, could actually fix it. Cody Cornell, the founder of Swimlane, built our platform to be more flexible, more intuitive and easier to work with. I’m onboarding a SOC analyst currently, who’ll be assisting with incident response and triage and investigations and research. Rather than having to teach this individual all these tools in-depth, upfront, I’ll only have to teach them Swimlane, which I can do quickly. They don’t have to be a full-blown expert by week two, but we get them used to the user interface, then focus on getting them engaged with additional tools. To get someone quickly onboarded and ramped is extremely valuable. This gives analysts the time to focus on what’s next, to lean forward. We reduce our attack surfaces by staying proactive rather than reactive.
From the picture you’re painting, security often runs the risk of anonymizing analysts and treating them as manual laborers rather than creative thinkers. How does the culture at Swimlane differ for not just analysts, but all of its employees?
Lyborg: We have always talked about the skills gap. You can go out and find that perfect candidate, but who is the perfect candidate? Is it someone who’s been sitting in a SOC for 10 years? Or is it someone just coming out of school, who really wants to learn how to do these things better? There isn’t a perfect candidate, in my mind. We generally hire on aptitude, drive and will.
Other companies might make people feel cornered, or they might have boundaries they need to stay within. Here, it’s about being creative, taking everything you know and those lessons learned, then seeing how we can implement them.
Rickard: Swimlane’s flexibility is unique. It’s an organization where they encourage experimentation, creativity and thinking outside of the box, because we’re trying to solve complex problems. We need people that have unique ideas. One of the biggest draws of Swimlane is the encouragement around creativity, giving back and trying to solve problems for our users and security in general.