



The art of machine speed execution

May 22, 2018 | 5 mins
IT Leadership | Machine Learning | Security

Understaffed security teams are struggling to secure their organizations' expanding technology footprints, and oftentimes the new tools they have been given to manage data bring with them a tidal wave of new data to sift through. For security analysts to effectively secure their networks going forward, security teams will need to understand the art of creating responsible automation programs to manage those increasingly large data pools.


If I had walked into most boardrooms and proposed security automation five years ago, I would’ve gotten laughed at. Or even worse, kicked out. But in the last five years, security infrastructure, needs and protocols have expanded so rapidly that the industry is confronting a new reality: security operations needs to execute at machine speed.

Security operations teams hold these truths to be self-evident: tools take too long to deploy; it takes too long to detect, respond to and remediate threats; security skills are highly specialized and difficult to develop; and it takes too long to provide tangible results to the business.

Responsible automation can enable machine speed execution. But administrative and technological complexities hinder most SOC teams from even dreaming about automation. Automation works. And your business needs you to adopt it. Here are a few things you’ll need in place to be successful on your journey to security operations at machine speed.

IT policy change: your vehicle to machine speed

As much as every company tries to purchase assets capable of scaling with its future needs, IT infrastructure frequently becomes a Frankenstein mass of legacy, proprietary and modern systems that interact with one another on a limited basis, if at all. As technology infrastructure continues to balloon with an increasing number of service and platform vendors, the Security Operations Center (SOC) struggles to prioritize and secure these systems, making the problem even less manageable. The pain of managing an inhuman number of threat vectors will simply be too great, and security teams need to consider new methods for managing these complex and wide footprints.

Changes to your IT policy, especially to change control processes, can enable semi-automated or human-mediated automation even in legacy environments. Acceleration is not about all-or-nothing automation. Something as simple as auto-creation of a ticket can save hours of time, or weeks' worth of time when aggregated over the course of a year. The more you reduce these mundane tasks, the more your teams can focus on the harder constraints, e.g. connecting and monitoring disparate network endpoints, allowing analysts to elevate their role from remediating individual alerts to understanding the larger trends behind individual system anomalies. Embracing automation also allows security teams to maximize their return on investment in new IT infrastructure and tools.

Open API requirement: ensure your new architecture can be automated

From an IT infrastructure standpoint, the foundation for cloud and new technologies is built on automation. However, this inherent dependence upon automated processes can unfortunately work as a double-edged sword for security teams. Security teams that have already deployed automation tools are able to build upon their enhanced understanding of IT network operations to rapidly identify, remediate and build new protocols around potential vulnerabilities. Conversely, teams without an established automation process will struggle to capitalize on all of the new information being sent across their desks, and ultimately see new tools as a hindrance rather than a help due to data overload.

When designing new architectures, automation must be part of the criteria. When purchasing products, ensure that your tech providers have open, well documented APIs. These capabilities will enable your IT and security teams to make business-driven decisions, rather than tech vendor-driven decisions.

The art of machine speed execution: how to ask for permission, not forgiveness

While every organization has differing priorities and needs of their SOC, the most common concerns executives have regarding automation tools and processes fall into three categories:

  1. First, one of the primary concerns regarding security automation tools is whether or not the process is auditable. Security analysts looking to responsibly implement automation need to create clear guidelines for who is establishing automation rules, and who is responsible for ensuring the tools are performing properly.
  2. Leadership teams want the capability to reverse decisions made by automation tools with the same ease and efficiency the SOC had before that tool was put in place. In order to address leadership concerns, the SOC needs to be able to show that automation isn’t taking away from its ability to precisely scrutinize security operations. Instead, analysts should underline how automation allows them to group and categorize events to apply that same level of scrutiny to multiple events at the same time.
  3. Lastly, security teams need to ensure that the rules governing automation tools are transparent. Ensuring the entire SOC has a thorough understanding of both the inputs and outputs of the system will help teams adjust their own processes and actually take advantage of the new capabilities.

ART = Auditable, Reversible, Transparent
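The three ART properties, together with the human-mediated "just open a ticket" path from the IT policy section, are easier to evaluate in a vendor or in-house tool when you have seen them in code. The following is an added example written for this article, not the author's or Splunk's code: a small automation runner in which every rule carries its owner, every decision is written to an audit log, any decision can be reversed by its audit id (and the reversal is itself logged), and the full rule set can be listed. The rule names, owners, action names and sample alerts are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed sample alerts standing in for what a SIEM or EDR would emit.
SAMPLE_ALERTS = [
    {"id": "a-1", "type": "bruteforce", "src_ip": "203.0.113.7", "count": 512},
    {"id": "a-2", "type": "malware", "host": "ws-042", "severity": "high"},
    {"id": "a-3", "type": "bruteforce", "src_ip": "198.51.100.9", "count": 3},
]


@dataclass
class Rule:
    name: str
    owner: str                        # who established the rule (auditable)
    matches: Callable[[dict], bool]   # predicate over one alert
    action: str                       # registered action name (hypothetical)
    automatic: bool                   # False = human-mediated: open a ticket only


class ArtRunner:
    """Runs rules while keeping every decision auditable, reversible and transparent."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.audit_log: List[dict] = []
        self.tickets: List[dict] = []
        self.blocked_ips: set = set()
        self._undo: Dict[str, Callable[[], None]] = {}   # audit entry id -> reversal

    # Transparent: anyone in the SOC can list the rules, their owners and effects.
    def describe_rules(self) -> List[dict]:
        return [{"name": r.name, "owner": r.owner, "action": r.action,
                 "automatic": r.automatic} for r in self.rules]

    # Auditable: one entry per decision, with the rule, its owner and the input.
    def _record(self, rule: Rule, alert: dict, action: str, detail: dict) -> dict:
        entry = {"id": f"e-{len(self.audit_log) + 1}",
                 "ts": datetime.now(timezone.utc).isoformat(),
                 "rule": rule.name, "owner": rule.owner, "alert": alert["id"],
                 "action": action, "detail": detail, "reversed": False}
        self.audit_log.append(entry)
        return entry

    def _open_ticket(self, rule: Rule, alert: dict) -> dict:
        ticket = {"id": f"t-{len(self.tickets) + 1}", "alert": alert["id"],
                  "rule": rule.name, "status": "open"}
        self.tickets.append(ticket)
        entry = self._record(rule, alert, "open_ticket", {"ticket": ticket["id"]})
        self._undo[entry["id"]] = lambda: ticket.update(status="closed")
        return entry

    def _block_ip(self, rule: Rule, alert: dict) -> dict:
        ip = alert["src_ip"]
        self.blocked_ips.add(ip)   # stand-in for a firewall or EDR API call
        entry = self._record(rule, alert, "block_ip", {"ip": ip})
        self._undo[entry["id"]] = lambda: self.blocked_ips.discard(ip)
        return entry

    def handle(self, alert: dict) -> List[dict]:
        """Apply every matching rule; human-mediated rules only open a ticket."""
        entries = []
        for rule in self.rules:
            if not rule.matches(alert):
                continue
            if not rule.automatic or rule.action == "open_ticket":
                entries.append(self._open_ticket(rule, alert))
            elif rule.action == "block_ip":
                entries.append(self._block_ip(rule, alert))
            else:
                raise ValueError(f"unknown action {rule.action!r} in rule {rule.name}")
        return entries

    # Reversible: undo one decision by its audit id; the reversal is itself logged.
    def reverse(self, entry_id: str, analyst: str) -> bool:
        undo = self._undo.pop(entry_id, None)
        if undo is None:
            return False          # unknown id, or already reversed
        undo()
        for e in self.audit_log:
            if e["id"] == entry_id:
                e["reversed"] = True
        self.audit_log.append({"id": f"e-{len(self.audit_log) + 1}",
                               "ts": datetime.now(timezone.utc).isoformat(),
                               "action": "reverse", "target": entry_id, "by": analyst})
        return True


def run_demo() -> ArtRunner:
    """Two hypothetical rules: one fully automatic, one human-mediated."""
    runner = ArtRunner()
    runner.rules = [
        Rule("bruteforce-autoblock", "soc-eng",
             lambda a: a["type"] == "bruteforce" and a["count"] >= 100, "block_ip", True),
        Rule("malware-triage", "ir-lead",
             lambda a: a["type"] == "malware" and a["severity"] == "high", "open_ticket", False),
    ]
    for alert in SAMPLE_ALERTS:
        runner.handle(alert)
    return runner


if __name__ == "__main__":
    r = run_demo()
    print(r.describe_rules())
    print("blocked:", r.blocked_ips, "tickets:", r.tickets)
    print("reverse e-1:", r.reverse("e-1", "analyst-1"), "blocked now:", r.blocked_ips)
```

The point of the design is that the reversal key is the audit id, so an analyst who reviews the log has everything needed to undo a decision, and the undo leaves the original entry in place (marked reversed) rather than deleting it. When assessing a real automation product, look for the same three capabilities: an owner on every rule, a per-decision log that includes the input, and an undo that is driven from that log.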

Security analysts are grappling with an unprecedented situation. Understaffed teams strain to support the weight of sprawling IT footprints, while hiring and retaining skilled people is becoming increasingly challenging for leaders. All the while, IT and security teams are being flooded with new tools for defense. Security tools will struggle to provide a strong return on investment unless there are automation processes to help manage the influx of new data. For the SOC to scale to the enterprise's future data needs, it will need to establish auditable, reversible and transparent automation practices to identify and remediate security vulnerabilities.

Five years ago, security automation was a concept teams didn’t even want to consider. In the next five, no security solution will be considered complete without it.


Monzy Merza serves as the head of security research at Splunk. With over 15 years of cybersecurity leadership in government and commercial organizations, Monzy is responsible for helping advise and implement strategic security programs for Splunk’s cybersecurity customers, working hand-in-hand with executives across the Fortune 500 to develop modern security architectures.

Monzy is also responsible for leading the Splunk Cyber Research team, which arms Splunk customers with actionable threat intelligence to combat advanced threats.

A noted international speaker, Monzy frequently presents at government and industry events on topics such as nation state threat defense and machine learning. His current security research is focused on integrated approaches to human-driven and automated responses to targeted cyber attacks.

The opinions expressed in this blog are those of Monzy Merza and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.