Swimlane Security Operations Automation

Swimlane makes a security operations tool it bills as a “cloud-scale, low-code security automation tool”. It’s a combination dashboard, workflow automation, and collaboration tool aimed at security teams doing the daily work of responding to security threats.

I recommend watching the video that walks through the phishing email analysis workflow to get a good feel for how the tool works from a security analyst’s perspective.

I was initially skeptical of the Swimlane tool because I’ve sat through too many pitches for yet another Single Pane of Glass (or Single Glass of Pain, as I like to say) that tries to be all things to all people. But as a way to make the routine work of security analysis and response easier to do, it’s pretty compelling, especially when compared to having to navigate the dozens of specialised security tools that often exist inside a large organisation.

Swimlane can connect a lot of tools together, automating much of the boring work in the background: grabbing the reported email, enriching it with data from threat intel sources like VirusTotal, and presenting the analyst with the context already assembled instead of a blank ticket.

It also lets you take action from within the Swimlane tool itself, to block the email sender at the gateway or delete the email, for example. An analyst doesn’t need to leave Swimlane and log into dozens of other tools to do routine work.

It also has a graphical node-graph interface for building new integration and automation workflows, which reminds me a lot of Control-M (for the mainframe fans out there) or Pega or perhaps ServiceNow, but with a security operations focus.

There’s one major thing I want to add to Swimlane, though: automated testing.

Automated Testing

The part that always frustrates me with low/no-code tools is the lack of automated test suites.

It’s one of my largest frustrations with Excel, for example. It’s quite hard to write something that will run regression tests of your functions to check they provide the right answer for different inputs, and particularly things like input validation and bounds checking. Does your VLOOKUP() break everything if the input field is N/A? What if someone puts text in a numeric field?

More subtle calculation errors propagate the same way: a simple typo can hide inside a cell, or inside a drag-and-drop box in a GUI, for a long time before anyone notices. This happens all the time. These errors can be very hard to find and fix, and regression testing just isn't something people are used to doing with GUI-based tools.

Most of the people who drive the GUI tools aren't professional programmers; this is a selling point of the no-code tools, after all! If there's any testing at all, it's usually some kind of manual procedure that people do by hand, which means it's boring, and slow, and generally isn't done well. It's not something humans are good at. Regression testing is exactly the kind of thing that should be automated.

There are ways to deal with it, such as GUI-based testing tools like Selenium, but they’re cumbersome compared to the vast array of tools we have for testing actual code. And, let’s be clear, there’s code in there somewhere because that’s what the computer is actually operating on. It’s just hidden from the end-user.

I don’t necessarily want to replace the Swimlane approach with a full security-as-code approach, because there are some tasks that are easier for humans to manage through a GUI. But automated, repetitive tasks work great as procedures and checklists and decision trees… which is really all code is.

If Swimlane can add a way to build a test suite for my configuration so I can check all my procedures still work after I change something, before I try to use it in the middle of a security incident, that would be excellent.
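To make the wish concrete, here is the shape of the test suite I mean, as an added example rather than anything Swimlane ships. The workflow under test is a stand-in: a phishing-triage decision that turns hypothetical enrichment fields (an invented "vt_malicious" engine count, a 0-100 "sender_reputation", a recipient count) into one of a fixed set of actions. The thresholds and field names are constructed for this post, and so are the test cases, which deliberately include the same edge cases the Excel paragraph above complains about: "N/A" in a field, text in a numeric field, a value out of range, a field missing entirely. The point is that the table of cases is rerun every time the workflow changes, before an incident rather than during one.

```python
"""Regression harness for a low-code style triage workflow (added example).

Constructed for this post; the workflow, field names and thresholds are
hypothetical stand-ins, not Swimlane's code or API.
"""
from typing import Any, Mapping, Optional

# The only verdicts the downstream playbook knows how to execute.
ALLOWED_ACTIONS = ("block_sender", "delete_email", "escalate", "close")


def _as_int(value: Any, lo: int, hi: int) -> Optional[int]:
    """Validate a numeric enrichment field.

    Returns None for "N/A", None, text, booleans and out-of-range values,
    so the caller can treat "we don't know" differently from zero.
    """
    if value is None or value == "N/A":
        return None
    if isinstance(value, bool):  # bool subclasses int; reject it explicitly
        return None
    if isinstance(value, str):
        try:
            value = int(value.strip())
        except ValueError:
            return None
    if not isinstance(value, int) or not lo <= value <= hi:
        return None
    return value


def triage(email: Mapping[str, Any]) -> dict:
    """Decide what to do with a reported phishing email.

    Hypothetical enrichment record: vt_malicious (engines flagging the
    content, 0..90), sender_reputation (0 bad .. 100 good), recipients.
    """
    vt = _as_int(email.get("vt_malicious"), 0, 90)
    rep = _as_int(email.get("sender_reputation"), 0, 100)
    recipients = _as_int(email.get("recipients"), 0, 10**6) or 0

    if vt is None or rep is None:
        # Incomplete enrichment is not "benign"; it is "a human must look".
        return {"action": "escalate", "reasons": ["enrichment incomplete"]}

    reasons = []
    if vt >= 5:  # constructed threshold
        reasons.append(f"{vt} engines flagged content")
    if rep <= 20:  # constructed threshold
        reasons.append(f"sender reputation {rep}")
    if not reasons:
        return {"action": "close", "reasons": ["no indicators"]}
    # More than one mailbox hit means a campaign: stop it at the gateway.
    action = "block_sender" if recipients > 1 else "delete_email"
    return {"action": action, "reasons": reasons}


# (name, constructed input, expected action). Extend this table whenever a
# bug is found; the bug's input becomes a permanent regression case.
REGRESSION_CASES = [
    ("clean", {"vt_malicious": 0, "sender_reputation": 80, "recipients": 1}, "close"),
    ("malicious, one recipient", {"vt_malicious": 12, "sender_reputation": 80, "recipients": 1}, "delete_email"),
    ("malicious, campaign", {"vt_malicious": 12, "sender_reputation": 80, "recipients": 40}, "block_sender"),
    ("bad reputation only", {"vt_malicious": 0, "sender_reputation": 5, "recipients": 1}, "delete_email"),
    ("N/A reputation", {"vt_malicious": 0, "sender_reputation": "N/A", "recipients": 1}, "escalate"),
    ("text in numeric field", {"vt_malicious": "lots", "sender_reputation": 80, "recipients": 1}, "escalate"),
    ("numbers arrived as strings", {"vt_malicious": "7", "sender_reputation": "80", "recipients": "3"}, "block_sender"),
    ("out of range", {"vt_malicious": 500, "sender_reputation": 80, "recipients": 1}, "escalate"),
    ("missing field", {"sender_reputation": 80}, "escalate"),
    ("boolean smuggled in", {"vt_malicious": True, "sender_reputation": 80, "recipients": 1}, "escalate"),
]


def run_regression(cases=REGRESSION_CASES) -> list:
    """Run every case; return a list of failure descriptions (empty = pass)."""
    failures = []
    for name, email, expected in cases:
        got = triage(email)["action"]
        if got not in ALLOWED_ACTIONS:
            failures.append(f"{name}: unknown action {got!r}")
        elif got != expected:
            failures.append(f"{name}: expected {expected}, got {got}")
    return failures


if __name__ == "__main__":
    problems = run_regression()
    print("all cases pass" if not problems else "\n".join(problems))
```

The harness deliberately asserts two different things: that each case yields the expected verdict, and that every verdict is one the downstream playbook can actually execute. The second check is what catches the drag-and-drop typo (a renamed action, a mis-wired node) that a hand test in the GUI would walk straight past. For a real product the `triage()` call would be replaced by whatever exports or invokes the workflow, but the case table and the pass/fail contract would stay exactly the same.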

One Comment

  1. Pingback: Swimlane Security Operations Automation - Tech Field Day