Is the enterprise ready to automate security operations? Splunk makes the case

Profile picture for user ddpreez By Derek du Preez May 16, 2016
Summary:
We sat down with chief security evangelist at Splunk, Monzy Merza, who argued that enterprises are ready to give some control over to the machines.

Automation is high on the agenda

for many people running enterprise technology operations, given that it can often mean both a frictionless experience for customers and also result in efficiencies for the company.

And I’m not necessarily talking about replacing jobs with machines (although that is happening too), but automation can simply mean a stripping out of manual processes to provide a better end-to-end service that allows people to put their time to better use.

However, are companies really ready to let machines take control of their security operations? We have seen many an example in recent months where failed security practices have left companies with a damaged brand and losses in revenue. This stuff is critically important to the C-suite now, as companies recognise that customers expect security to be intrinsically built into everything that they do.

So, is a CIO or CEO going to be comfortable with letting a security system do a lot of the work for them when so much is at stake? Splunk’s chief security evangelist, Monzy Merza, believes that this is exactly where the industry (and Splunk) is headed - and that there is demand from the customer base to make it happen.

According to Merza, this is being driven by a rapidly changing landscape, which has left the people in charge of security operations floundering for support and pushing for increased automation. Merza said:

It used to be that customers would buy all these things, whether it’s a firewall, an endpoint solution, or whatever. And they’re fed up. The security infrastructure and ecosystem has become so complex, that now instead of the security teams focusing on the actual security operations part, they’re spending a lot of their time just maintaining this stuff - maintaining all the toys that they’ve bought. And a lot of these things don't work, or they don’t work well together.

Another thing that’s happening, is that if ten years ago I went and suggested to a large financial institution that they should go and explore automation, they would have thrown me out the room and called me ridiculous. Now they are saying that automation is almost a requirement.

Automation in terms of identifying threats, investigating threats and in terms of taking action. Not just action from the perspective of blocking or making a change in the firewall, or deleting someone’s credentials, but automatically creating a ticket. Or acquiring more information from a third party system.

Drivers

Merza said that the appetite for security automation is largely being driven by the fact that the threat landscape is evolving so quickly that companies don’t have enough time to pay attention to all the different types of threats or attacks. He said that businesses have now resigned to the fact that it’s not ‘if’ they get attacked, but ‘when’, and that some companies are getting hundreds or thousands of alerts at a time. Merza said:

They don’t have enough time to respond to all of this, so they’re looking at how they can bubble up the stuff that’s high confidence and then automate certain pieces to bridge that gap.

And whilst this also helps companies in terms of human resources, they aren’t yet willing to completely remove the person from the equation. Merza added:

[They] still want human mediation, but they want it to be as automated as possible so that the human is not manually switching tools and techniques. And I think that’s the other contributing factor, it’s not just about automation and threat landscape, it’s also that the human resource landscape is so stressed right now.

Splunk’s aim is to remove manual processes that collectively add up to time-consuming work for security operations teams, freeing up resources for them to focus on being proactive rather than reactive. Merza said:

It’s a question of taking things within a security operation that are time consuming. One of the things that customers often talk to me about is that when they have an incident or an alert, they want to know who the user is, they want to know what the asset is associated with that alert. That little association in itself for many organisations is time consuming.

We can resolve it for them and do it in a variety of different ways, by integrating into asset management systems, by integrating into authentication systems, or automatically developing lists of users IDs and mapping to their systems, based on other log data that we have. That’s something that may have taken 20 mins, but we’ve eliminated it.

Also, for certain types of use cases you’re going to make a configuration change somewhere - you’ll disable someone’s account, or change permissions on someone’s account. Historically that’s a very manual step. But what if that piece was integrated and you as a human being can check a box and say go do that? That saves a whole bunch of time.

The fear factor

Merza agreed that he’s seeing evidence of security now being a board-level discussion, with security

splunk logo
operations teams now often having to update their executive leadership team on at least a quarterly basis.

However, he admitted that getting companies to commit to automation can require some “confidence building” and that it is baby steps to getting there. But Merza noted that some of the fear can be eliminated if people are still convinced that they retain control. He said:

When it comes to automation, there are two key features that result in the fear and lead companies to saying that they don’t want to do it I think the first one is transparency, they want to be able to know why the system took a certain action. It can’t be because the system felt like it and it’s secretive. So there has to be some level of transparency.

And the second component about that is that the system has to have the ability to back out, so that a human can say no that’s wrong and I want to undo that very quickly.

When we talk to customers and we say that we have those two capabilities, that really lowers their fear factor and allows them to build confidence.

So we aren’t removing the human from the equation, we’re just getting rid of the boot strap and we are just kind of shrinking the timeline. It shrinks of that window down.

Merza said that he believes that security automation will reach a point where systems are actually advising companies when an alert comes in, on what are the most appropriate steps to take. These suggestions will be contextual and based on a system’s understanding of the risk involved.

This made me wonder whether he believes that this could lead companies like Splunk down a dangerous route towards questions around liability. If a Splunk system is recommending a company takes a certain action, and then that action proves to be the wrong one, is it Splunk that’s to blame? However, Merza isn’t worried about this, as he believes that recommendation engines and automation can be done in a way that still leaves the end user with the ultimate decision. He said:

I think it’s a general automation problem. In terms of saying, who is really in control of the decision making? That’s what it ultimately boils down to. I believe a system can be built such that the human is in the loop.

And if the system is transparent and there are ways to back out and ways to add on, I think that’s fairly easy to do. I think there are reasonable ways of automation that balance the risk and improve the efficiency of the business at the same time.