Is Too Much Automation an Issue for Security Operations?

John P. Gormally, SR
6 min read, Aug 16, 2022


Scale, optimization, rapid response, lateral attack propagation, kill chain, and automation all define the current SecOps model for dealing with potential threats. Even before the continuous outbreak of ransomware, malware, and business email compromise, the role of the SecOps team was in flux, with teams trying to understand their future in dealing with cyberattacks.

The availability of global talent to meet the demand for highly trained and experienced security operations engineers is still a problem for every organization and country. The shortage persists even when organizations leverage overseas managed service providers to run a "follow the sun" model.

Cybersecurity teams, risk management personnel, and executive leaders must define what SecOps is to their organization and how it meets this business challenge.

The threat landscape is evolving faster than the capabilities of most alerting tools.

With the sheer volume of attacks hitting an organization, the time it takes human SecOps engineers to process, analyze, research, test, remediate, and validate attack vectors and their resolution still extends into days. With more attacks, incident response times continue to climb.

By the time the root cause of most attacks has been determined, several new attack variants have already impacted the organization with additional types of threats.

Are artificial intelligence (AI) and machine learning (ML) the way forward?

Suppose CISOs and CIOs simply go by the number of malicious activities, cyber threats, and ransomware attacks being processed by the security information and event management (SIEM) tool. In that case, yes: AI and ML are critical to the future of security operations automation. With the SIEM using AI to process the data flows quickly and applying ML to the results, SecOps could create substantial automation capabilities.

Security orchestration, automation, and response (SOAR) has been the toolbox for SecOps and NetSecOps for years. Leveraging a PowerShell or Python script to alter an adaptive security control is essential for SecOps to deal with attacks scaling up across several points in their network. As with any new capability, navigating false positives and false negatives is still a problem today.

As an example: after washing security telemetry data through AI and ML, did the automated response script block the entire web front end or remove the client database from Oracle Cloud? Yes, that does happen with automation. There is always a risk. The burden on security analysts falls into main categories:

Is SecOps automation becoming the next great denial-of-service attack?

Yes, automation is the great equalizer for security orchestration, incident response, processing threat intelligence, and relieving SecOps alert fatigue. But even with the most advanced AI and ML, is too much automation bad for a SecOps strategy?

Hackers know through reconnaissance and social engineering which organizations spend on AI and ML. They search through cybersecurity engineers' profiles on LinkedIn and other job sites, analyzing people's backgrounds and experience in security operations, robotic process automation, and Python.

Automation under attack

Hackers also use machine-based execution tools to probe their targets, and they use automation of their own to respond effectively when their infrastructure comes under attack. Hackers learn just as much as companies do about how and when automation makes sense.

Automation logic does improve over time. The more data AI processes and feeds into ML, the more likely the security automation platform is to recognize when a hacker has compromised the workflow.

There is a place for automation in every SecOps team, regardless of the growing threat against automation:

  • Repetitive tasks
  • Mundane tasks
  • Execution of security actions
  • Low-level tasks, including essential patching of non-critical systems
  • Continuous vulnerability scanning and analysis

Feeding more data into AI to reduce attacks on automation

Organizations investing heavily into extended detection and response (XDR) capture telemetry from several elements in the network, including:

  • Endpoint tools
  • Cloud access security broker (CASB)
  • Firewalls
  • VPN
  • Zero-trust applications
  • SASE cloud
  • Enterprise-wide identity management systems
  • Enterprise information systems
  • Cloud Infrastructure

XDR solutions feed telemetry data into an AI system that processes and correlates it, looking for common trends and similar values, cross-referencing similar attack signatures, and looking for the same attack in other parts of the environment. The AI output feeds into ML to determine fixed characteristics, including attacks with the closest neighbors and attacks originating from the same location. Based on this data flow, the XDR system can integrate through automation directly with several vendor products to quarantine, isolate, or classify the attack to prevent lateral propagation.
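The correlation step described above, as an added example that is not code from the original post or from any XDR vendor: a small Python correlator that ingests constructed telemetry records from a firewall, an endpoint agent, and an identity system, groups them by source IP, and raises a finding only when the same indicator is reported by several distinct sources inside one time window. The event fields, the "benign:" signature prefix, and the window size are assumptions for this illustration; a real XDR pipeline would normalize far more fields.

```python
"""Cross-source correlation of XDR-style telemetry (illustration, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. One flat record per tool; the
# firewall reports the sensor that saw the traffic as "host", the other tools
# report the machine the activity happened on.
SAMPLE_EVENTS = [
    {"ts": "2022-08-16T09:00:05", "source": "firewall", "src_ip": "10.20.1.15",
     "host": "fw-edge-1", "user": None, "signature": "scan:smb"},
    {"ts": "2022-08-16T09:00:40", "source": "endpoint", "src_ip": "10.20.1.15",
     "host": "ws-0412", "user": "j.doe", "signature": "credential-dump"},
    {"ts": "2022-08-16T09:01:10", "source": "identity", "src_ip": "10.20.1.15",
     "host": "dc-01", "user": "j.doe", "signature": "auth:pass-the-hash"},
    {"ts": "2022-08-16T09:02:00", "source": "endpoint", "src_ip": "10.20.1.15",
     "host": "srv-fin-02", "user": "j.doe", "signature": "lateral:psexec"},
    {"ts": "2022-08-16T09:30:00", "source": "firewall", "src_ip": "10.20.7.9",
     "host": "fw-edge-1", "user": None, "signature": "scan:smb"},
    # Same indicator hours later, but a benign signature: must not pad a finding.
    {"ts": "2022-08-16T13:00:00", "source": "endpoint", "src_ip": "10.20.1.15",
     "host": "ws-0412", "user": "j.doe", "signature": "benign:update"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def correlate(events, window=timedelta(minutes=15), min_sources=3):
    """Return {src_ip: finding} for every source IP that at least `min_sources`
    distinct telemetry sources reported inside a single `window`.

    Signatures prefixed "benign:" are dropped before grouping so that a noisy
    good event cannot raise the distinct-source count. The first qualifying
    window per indicator is kept, so `first_seen` is the earliest hit."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["signature"].startswith("benign:"):
            continue
        by_ip[ev["src_ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for i, anchor in enumerate(evs):
            start = _parse(anchor["ts"])
            cluster = [e for e in evs[i:] if _parse(e["ts"]) - start <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                findings[ip] = {
                    "sources": sorted(sources),
                    "users": sorted({e["user"] for e in cluster if e["user"]}),
                    "timeline": [(e["ts"], e["source"], e["host"], e["signature"])
                                 for e in cluster],
                    "first_seen": cluster[0]["ts"],
                    "last_seen": cluster[-1]["ts"],
                }
                break
    return findings


def propagation_path(finding):
    """Hosts the indicator touched, in order, excluding firewall sensors.
    This is the 'closest neighbor' list a containment playbook would act on."""
    path = []
    for _ts, source, host, _sig in finding["timeline"]:
        if source != "firewall" and host not in path:
            path.append(host)
    return path


if __name__ == "__main__":
    for ip, f in correlate(SAMPLE_EVENTS).items():
        print(ip, f["sources"], "->", " -> ".join(propagation_path(f)))
```

With the constructed records, 10.20.1.15 is reported by the firewall, the endpoint agent, and the identity system within two minutes and surfaces as one finding whose path runs from the workstation to the domain controller to a finance server; 10.20.7.9 is seen by only one tool and stays below the threshold. Raising `min_sources` to 4 makes the finding disappear, which is exactly the tuning knob that trades missed attacks for false positives.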

So why, then, with this advanced AI and ML feeding automation, do we still have ransomware outbreaks impacting global organizations?

The need for a human being in SecOps goes well beyond AI and ML.

Many security breaches start with some form of attack automation. Hackers could start their kill chain with an email phishing attack, possibly a clone phishing attack, or another email attack method. The XDR platform, receiving telemetry, recognizes the alert from the email security platform, processes the data fed into the AI and ML, and determines the likelihood that this was a phishing attack. Should the security team trust the automated response to the email security portal and execute the predefined blocking?

Humans in the SecOps team will know better how to answer that question. In this case, a blocking script is launched against the email client, preventing the user from receiving any emails. The hacker has successfully executed a denial of service through an email phishing attack vector.
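The failure mode above, and the earlier case of an automated script taking down an entire web front end, both come from letting a confident verdict drive a disruptive action with no guardrail between them. The following is an added example, not code from the original post or from any SOAR product: a Python response gate that sits between the AI/ML verdict and the playbook. It only auto-executes reversible, narrowly scoped actions, routes disruptive ones (mailbox blocks, account disables, host isolation) to a human, caps the blast radius per action, and trips a circuit breaker when the volume of disruptive actions in a window suggests the automation itself is being weaponized. The action names, thresholds, and the scenario data are assumptions for this illustration.

```python
"""Guardrails between an AI/ML verdict and a SOAR response (illustration only)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Impact tiers are an assumption for this example. Reversible, narrowly scoped
# actions may run unattended; actions that take away a person's or a service's
# ability to work need a human decision, because executing them on a false
# positive is a self-inflicted denial of service.
AUTO_ACTIONS = {"quarantine_message", "block_sender", "add_url_to_blocklist"}
APPROVAL_ACTIONS = {"block_mailbox_inbound", "disable_account", "isolate_host"}


@dataclass
class Verdict:
    alert_id: str
    confidence: float        # 0.0 to 1.0, as scored by the AI/ML layer
    action: str              # response the playbook proposes
    targets: List[str]       # users or hosts the action would affect


@dataclass
class Guardrails:
    min_confidence: float = 0.9
    max_targets: int = 5                          # blast-radius cap per action
    breaker_limit: int = 10                       # disruptive actions per window
    breaker_window: timedelta = timedelta(minutes=10)
    history: List[Tuple[datetime, str]] = field(default_factory=list)

    def _recent(self, now: datetime):
        return [t for t, _ in self.history if now - t <= self.breaker_window]

    def decide(self, v: Verdict, now: datetime) -> Tuple[str, str]:
        """Return (decision, reason); decision is 'execute', 'approve' or 'halt'."""
        if v.action not in AUTO_ACTIONS | APPROVAL_ACTIONS:
            return "halt", f"unknown action {v.action!r}"
        if v.confidence < self.min_confidence:
            return "approve", f"confidence {v.confidence:.2f} below {self.min_confidence}"
        if len(v.targets) > self.max_targets:
            return "approve", f"{len(v.targets)} targets exceeds cap of {self.max_targets}"
        if v.action in APPROVAL_ACTIONS:
            # Count every disruptive request, approved or not: a flood of them
            # is the signal that an attacker is driving the playbook.
            self.history.append((now, v.action))
            if len(self._recent(now)) > self.breaker_limit:
                return "halt", "circuit breaker tripped: too many disruptive actions"
            return "approve", f"{v.action} is disruptive; human approval required"
        return "execute", f"{v.action} is reversible and within scope"


def run_phishing_scenario() -> dict:
    """Constructed scenario: the email gateway flags a phish sent to j.doe."""
    g = Guardrails()
    t0 = datetime(2022, 8, 16, 9, 0, 0)
    out = {}
    # Reversible containment runs on its own.
    out["quarantine"] = g.decide(Verdict("a-1", 0.97, "quarantine_message", ["j.doe"]), t0)[0]
    out["block_sender"] = g.decide(Verdict("a-1", 0.97, "block_sender", ["j.doe"]), t0)[0]
    # The case in the text: cutting off the victim's inbox is itself a DoS.
    out["block_mailbox"] = g.decide(
        Verdict("a-1", 0.97, "block_mailbox_inbound", ["j.doe"]), t0)[0]
    # A shaky verdict never runs unattended, even for a cheap action.
    out["low_conf"] = g.decide(Verdict("a-2", 0.60, "quarantine_message", ["k.lee"]), t0)[0]
    # Isolating six hosts at once exceeds the blast-radius cap.
    out["wide_isolate"] = g.decide(
        Verdict("a-3", 0.99, "isolate_host", [f"h{i}" for i in range(6)]), t0)[0]
    # Attacker phishes a whole department; the playbook proposes 11 more
    # mailbox blocks in five minutes and the breaker stops the run.
    last = None
    for i in range(11):
        last = g.decide(Verdict(f"a-{i + 4}", 0.95, "block_mailbox_inbound", [f"u{i}"]),
                        t0 + timedelta(seconds=30 * i))[0]
    out["flood"] = last
    return out


if __name__ == "__main__":
    for step, decision in run_phishing_scenario().items():
        print(f"{step:14s} -> {decision}")
```

The point of the gate is not to slow every response down: message quarantine and sender blocking still fire within seconds of the verdict. What it refuses to do on its own is the one thing the attacker wanted, which is to turn the security stack against its own users, and it escalates to a person the moment the rate of disruptive requests looks more like a campaign than an incident.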

Too much automation? Probably.

SecOps co-existence with AI, ML, and automation

Security operations teams, MSSP teams, and outsourced global engineering resources will not be enough to handle the number of attacks coming into an organization. Expert systems, including AI and ML, are needed to collect, analyze, and initiate some level of SOAR for the organization to withstand an attack.

Where is the balance between these elements in the SecOps decision-making workflow?

CIOs and CISOs should invest in their talent by realigning traditional network engineers, systems administrators, and security architects into a SecOps/NetSecOps scrum. Instead of looking at the various teams as stages in a waterfall, each group should become a traveler within the DevOps model.

AI and ML capabilities could serve the organization in several ways. AI could help transform customer service by analyzing sales data across multiple markets, and machine learning could help determine whether that analysis is relevant and valuable for optimizing sales operations and customer service. Cybersecurity, security operations, and DevOps all contribute to the growth of AI in an organization.

Knowing how AI can be used and what value the ML recognizes will help SecOps determine the proper and safe automation layer. As more organizations adopt agile CI/CD development, SecOps automation should be sprinted within these workflows. Feeding these sprints means managing practical outputs from AI and ML to create intelligent security automation.

Value of penetration testing against the AI and ML engines

How often are pen testers engaged to test the integrity of the AI/ML layer? Could cybercriminals compromise AI? Absolutely. Pen testing should be done by human testers who know how to attack an AI and ML layer before automation is placed behind it. Pen testers should attempt to break into the automation platform itself.


Humans will never go away from the SecOps, DevOps, NetSecOps, and pen tester teams. AI and ML have a place in the SecOps of today and tomorrow. Automation is critical to an organization when dealing with security breaches and attacks. These tools work not because of AI; they work because people know how to harness the value, and through deep human learning, we learn to adjust as needed.

All the best,

John P. Gormally, SR

John P. Gormally is a fictional and non-fictional cybersecurity blogger and writer based in Lake Forest California.