kras99 - stock.adobe.com

How Splunk is driving security automation

Splunk’s head of security in APAC talks up the company’s efforts to ease the workloads of security analysts amid lower adoption of security automation and analytics in the region

The benefits of automation and analytics in alleviating the mounting workloads of security teams and countering offensive attacks being driven by artificial intelligence (AI) tools are clear, yet organisations in Asia-Pacific (APAC) are trailing their peers in security automation.

According to Splunk’s 2023 State of security report, just over a third of companies are integrating automation and analytic tools into their cyber security capabilities compared with 45% in North America.

Robert Pizzari, Splunk’s APAC vice-president of security, said the finding was “very much the opposite trend” and caught him by surprise, calling for organisations in the region to invest in machine-driven technology to combat the myriad attacks that are being automated by threat actors.

“Adversaries are looking for low-hanging fruit like vulnerabilities in your environment that haven’t been patched,” Pizzari told Computer Weekly. “If you’re a company with hundreds of applications, thousands of servers and multiple network hops across public cloud and private cloud, you are an opportunity waiting.”

Amid the talent crunch, particularly security analysts with higher-level skills such as incident response and threat hunting, security automation and orchestration will play a crucial role in reducing alert fatigue in security operations teams and fending off sophisticated attacks more effectively.

Hong Kong’s Bank of East Asia, for example, recently deployed a centralised security information and event management system that enables the company to have complete visibility across their entire environment. Through automation, the bank has also improved staff productivity and increased the level of coverage across their security domains, said Pizzari.

While automation can alleviate 50-80% of level-one security tasks and up to about 50% for level-two tasks, he said driving security automation can be challenging, partly due to the hodgepodge of security tools.

Read more about cyber security in APAC

Pizzari said in the past few years, organisations have bought best-of-breed security tools but have not seen incremental benefits due to the integration costs and complexity of maintaining those tools.

“The strategy that we’ve taken is to make it easier for our customers to leverage the technology components under a single user interface through what we call Mission Control,” he said. “It’s effectively a command centre, and whether you’re a level-one, level-two or level-three analyst, you have your incident queue tightly aligned with your automation queue.

“So, if you’re having a high rate of incidents, let’s just say malicious websites or phishing expeditions aimed at your organisation, rather than having an analyst open a ticket, do the research, close the ticket and go through this manual process, you can automate that workflow with a very high degree of confidence that you won’t miss out on things.”

To make it easier for analysts to write automation playbooks, Splunk acquired Phantom, a security orchestration, automation and response specialist, in 2018, to provide low-code and no-code capabilities that analysts can use to automate security workflows.

As a proponent of AI, having embedded machine learning and AI toolkits in its core technology for several years, Splunk is now looking at integrating large language models and other similar capabilities.

“We are on a path to look at how we can integrate those capabilities, whether it’s natively or through third parties, because as a security operations platform, we’re also very open in allowing others to connect their telemetry, as well as their threat intelligence feeds, to Splunk,” said Pizzari.

“For us, the goal is about providing the right contextual information in the hands of analysts as they’re running their investigations to make them more efficient.”

Read more on IT risk management