Redefining mission critical systems in the world of analytics-driven security

Apr 27, 2018 | 4 mins
Analytics, Risk Management, Security

How should security operations determine what systems require the most attention?


IT and security infrastructure are at a crossroads. With the current technological advancements in cloud, IoT and the “as a Service” model, there is a continued blurring of where one product, service or platform ends and another begins. With the introduction of the cloud began the slow erosion of the classic network perimeter. Now IoT is taking it to a new level by connecting a diverse set of systems into the mix. Widespread adoption of these technologies ultimately raises the question: what is a mission critical system?

Devices are no longer isolated. It is nearly impossible to measure the effect that using or abusing each piece of a system will have on a business or user’s experience. For security teams, this increasingly blurred ecosystem made up of emerging vulnerabilities and opaque IT infrastructure brings to light serious concerns. If security operations’ core purpose is to ensure that business operations remain within acceptable risk posture, how should the security operations center (SOC) determine which aspects of a network require the most attention? And with so many distributed endpoints, what is the most feasible method for securing that network?

In order to scale with the current direction of enterprise IT, security teams simply cannot work at human speed. The SOC must operate at machine speed. Operating at the speed of data requires precise security ops that have three basic capabilities: one, an understanding of the business footprint; two, the ability to constantly measure that footprint; and three, the initiative to act with confidence.

Understand the business footprint

Historically, security teams have considered protecting every aspect of a network to be one of their top jobs. However, the cloud, apps, services and the blurring boundaries between insiders and outsiders have created complex tech footprints in which security teams are scrambling to find the right area of focus. These tech footprints enable businesses to move fast and scale, but when they clash with legacy understandings of security, the SOC ends up assuming all of the blame when any little thing goes wrong.

This escalating complexity requires a shift in the corporate mindset towards a risk-based approach. Organizations can exploit the business value from tech and IoT, but they must manage the risk from these opportunities. To keep up, security operations teams will need to make fundamental changes to transition from a reactive to a proactive approach. First, security teams need to embrace new tools that are integrated and leverage machine learning, which will allow the SOC to automate and remediate an increasingly large and diverse vulnerability landscape at machine speed. Second, security teams will need to partner with technology and business teams to develop and share risk values and inform business decisions before the implementation stage.

Take an analytical approach

For the last few years, security teams have been emphasizing threat intelligence and indicators of compromise (IOCs) for network security operations. Though IOCs are useful to security, security operations need something more.

Many system compromises do not involve traditional security concerns, but rather focus on abusing business resources. These threats can be monitored through regular IT processes and require a solution rooted in analytics. One recent and prominent example of this type of abuse is the unsanctioned use of enterprise systems to engage in cryptomining operations. Instead of infiltrating a network to extract trade secrets or shut down core functions, cryptomining attacks abuse the infrastructure and consume compute resources to mine cryptocurrency.

These types of use cases underline how IT or security problems don’t just fall under data protection, vulnerability remediation or other traditional security focus areas. They instead represent a direct threat to a business’s bottom line by inappropriately inflating its cloud compute costs, slowing down legitimate business processes or driving up energy consumption and cost.

Acting with confidence

Guarding against this kind of abuse requires diligent monitoring practices, a deep understanding of how systems operate and the ability to analyze system outputs for any irregularities. Despite this need for system observability to understand the end-to-end operation of a service, the rise of “invisible” IT infrastructure and outsourcing of the IT stack has drastically reduced the ability to inspect entire systems or services. These competing trends require security operations teams to confidently assert the need for automated and intelligent analysis tools to defend against the constantly expanding range of potential system abuse.
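As an added illustration (not from the original article or from Splunk), the Python sketch below shows the kind of baseline analysis the cryptomining passage and the monitoring point above call for: instead of matching IOCs, it compares each host's recent CPU utilization against that host's own history and flags only sustained elevation, the shape a mining workload leaves, while a short legitimate batch job passes. The host names and hourly telemetry are constructed.

```python
from statistics import mean, pstdev

# Constructed hourly CPU-utilization telemetry (%): seven days of baseline
# followed by the 24-hour window under review. Host names are made up.
BUSINESS_DAY = [10.0] * 8 + [70.0] * 10 + [10.0] * 6   # idle nights, busy office hours
IDLE_DAY = [8.0] * 24
TELEMETRY = {
    "web-01":   BUSINESS_DAY * 7 + BUSINESS_DAY,            # unchanged daily rhythm
    "db-02":    IDLE_DAY * 7 + [55.0] * 24,                 # flat, round-the-clock load appears
    "batch-04": IDLE_DAY * 7 + [8.0] * 21 + [96.0] * 3,     # short legitimate batch job
}


def flag_sustained_cpu_abuse(baseline, recent, z=3.0, min_fraction=0.9, floor=5.0):
    """True when `recent` sits persistently above this host's own history.

    A miner consumes compute continuously, so the test is sustained elevation,
    not a single spike: at least `min_fraction` of the recent samples must exceed
    baseline mean + z * stdev. `floor` is the smallest stdev assumed, so a
    flat-lined host is still judged against a sensible margin.
    """
    mu = mean(baseline)
    sigma = max(pstdev(baseline), floor)
    # Cap the threshold so a host whose history already swings to high load
    # is still caught if it becomes pinned near 100%.
    threshold = min(mu + z * sigma, 95.0)
    high = sum(1 for sample in recent if sample >= threshold)
    return high / len(recent) >= min_fraction


def review_fleet(telemetry, window=24):
    """Split each host's series into history and review window; return host -> flagged."""
    findings = {}
    for host, samples in telemetry.items():
        baseline, recent = samples[:-window], samples[-window:]
        findings[host] = flag_sustained_cpu_abuse(baseline, recent)
    return findings


if __name__ == "__main__":
    for host, flagged in review_fleet(TELEMETRY).items():
        state = "sustained abnormal compute load" if flagged else "within baseline"
        print(f"{host}: {state}")
```

On the constructed data only db-02 is flagged: its load never reaches 100%, yet it stays far above a historically idle baseline for the whole window, which is exactly what an IOC feed would miss.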

Analytics-driven security also means that the focus of security ops needs to shift from chasing threats to managing the threat within acceptable risk. The only way to accomplish this change is by creating a transparent and shared understanding of security risks with other business teams. By creating an open and frequent dialogue between security ops and business, organizations can more accurately determine what to measure and which actions are acceptable.


Monzy Merza serves as the head of security research at Splunk. With over 15 years of cybersecurity leadership in government and commercial organizations, Monzy is responsible for helping advise and implement strategic security programs for Splunk’s cybersecurity customers, working hand-in-hand with executives across the Fortune 500 to develop modern security architectures.

Monzy is also responsible for leading the Splunk Cyber Research team, which arms Splunk customers with actionable threat intelligence to combat advanced threats.

A noted international speaker, Monzy frequently presents at government and industry events on topics such as nation state threat defense and machine learning. His current security research is focused on integrated approaches to human-driven and automated responses to targeted cyber attacks.

The opinions expressed in this blog are those of Monzy Merza and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.