An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

The Cyber Defense Review

Maintaining Massive Networks Through Automation And Management Tools

By 2LT Alexander Molnar | March 28, 2016

Modern computer networks are difficult to maintain, monitor, and protect. Their boundaries are amorphous, they process massive amounts of data, and cyber-attacks occur daily, which require real-time responses.  When computer networks were first utilized in the 1970s by the Department of Defense, they were tools used to exchange data for research purposes.[1] These networks were largely static compared to todays. Now, networks are constantly changing, and are used for more than just communication, and include shopping, finances, and data storage. The lines for where a network begins and ends are often blurred as devices from employees, customers, and contractors are connected and disconnected on a daily basis. Not knowing a networks complete layout makes monitoring difficult. Additionally, instead of just computers connecting to a network, we now have tablets, smart phones, and household appliances. Each new type of device in the network communicates and operates differently, adding another degree of complexity regarding network monitoring.

A tool that may satisfy network monitoring today may be ineffective in the near future as emerging technologies make their way to the marketplace. Also, policies such as ‘Bring Your Own Device’ (BYOD) and teleworking increase security concerns.[2] Where before an information security staff would only have to focus on a small set of devices that never left the work premises, they now must understand and monitor a large variety of devices that may be compromised at any time. Networks are increasing in size exponentially as companies become more reliant on their technological infrastructure. The need for filtering and analytic tools is essential to automate much of this work load. Managing these massive and complex networks, and at the same time conserving time and attention is a difficult balancing act for information security professionals. In order meet this challenge, information security professionals should focus on the following: high degrees of automation, scalability, centralized management, and real-time analysis. Tools such as Splunk and the Meraki Cloud platform, and programs such as the Continuous Diagnostics and Mitigation (CDM) program will allow information security professionals to maintain situational awareness of massive networks into the future.

Splunk automates a large portion of network monitoring and allows security professionals to react to cyber incidents in real-time. The software is designed to be scalable for monitoring and analysis of big data. The amount of data that goes through a modern network is staggering. To put things in perspective, the world processes on average 2.5 quintillion bytes of data every day.[3] In the last two years alone 90% of all computer data was created demonstrating its exponential growth. This increase in data production across networks has made network monitoring nearly impossible without machine assistance. Wireshark, another network monitoring tool, can be useful for filtering through small network traffic, but it will begin to slow with a packet capture above 100MB.[4]  For networks handling big data, this capability is insufficient. Splunk is particularly useful because it allows network analysts to create alarms, which will go off when suspicious behavior is identified. These alarms are set to automatically notify network professionals of incidents and assist them diagnose the problem. This approach to network monitoring alleviates much of the burden characteristic of manually filtering through data. Splunk also operates 24/7 and handles data in real-time, so problems are identified quickly.[5] This is crucial since cyber-attacks occur daily against businesses and government agencies. For example, the Department of Defense reported that it was subjected to 10 million cyber-attacks in 2012, an average of over 1000 an hour.[6] Also, in 2014 over 317 million new pieces of malware were created.[7] Without such technologies like Splunk, analysists would fall days, if not weeks behind in analyzing their network traffic. Splunk assists in analyzing big data, while relieving the burden from network managers, but other tools are needed to maintain these massive networks.

Cloud computing solves problems associated with complex networks spanning across vast geographical locations. It is scalable to large networks, and utilizes an ‘out of band’ management architecture. This architecture ensures that only prescribed management data flows through the cloud. User data stays in your network without ‘touching’ the internet. Cloud networking also provides centralized management, visibility, and control without the cost of and complexity of traditional management software.[8] The Cisco Meraki Cloud Platform is one such tool which utilizes cloud networking and handles networks with tens of thousands of devices. Cloud networking is especially useful for massive networks because devices just need to connect to the internet in order to download their complete configurations. With the Cisco Meraki Cloud Platform, the connection through the Secure Socket Layer utilizes both symmetric and asymmetric key encryption. Not only is configuring devices easier with cloud networking, but firmware updates, and VPN configurations can also be automated. Managers can utilize online control applications to check the status of their network nodes and run diagnostics from anywhere. Being able to centralize management through the internet gives network managers the ability to automate numerous tasks, and focus their attention on the ‘big security’ picture. Massive networks often have sites located across huge distances, and cloud networking helps alleviate the need for unnecessary and time consuming travel. With cloud networking, large infrastructures can be maintained, but other tools are needed to help staff prioritize cyber threats.

The Continuous Diagnostics and Mitigation (CDM) program is a process developed by the Department of Homeland Security to help government agencies protect and manage their networks by prioritizing focus on the most significant cyber threats first.[9] The massive number of cyber-attacks launched every day has made it increasingly difficult to maintain the confidentiality, integrity, and availability of extensive networks. This program consists of six steps designed to be scalable and adaptable to new and evolving threats: Install/Update Sensors, Automated Search for Flaws, Collect Results from Departments and Agencies, Triage and Analyze Results, Fix Worst First, and Report Progress.[10] Sensors perform automated searches for known cyber flaws and create reports for network managers. These reports are prioritized based on what is most dangerous, which allows network managers to allocate resources effectively. Progress reports are relayed to key leaders providing situational awareness to the entire agency. The CDM program transforms resource-limited organizations, and effectively tackles the worst cyber threats facing their networks. Additionally, it creates a prioritization within minutes, allowing for near real-time responses.[11] The CDM has great potential to help streamline network maintenance, but it is still growing and has challenges. Though the tools used in CDMs continuous monitoring methods are not new, there are concerns regarding budget and staffing required to build the infrastructure to create these reports. Additionally, 56% of the government agencies who have used the CDM program and have reported success, with 44% saying budget and staffing requirements are causing issues.[12] The success of these tools and programs are dependent on how well they are implemented.



Splunk, Cloud Networking, and the CDM program all offer promising automation towards massive network maintenance by alleviating much of the manual burden from IT staff, and allowing organizations to focus their efforts on security threats. As networks grow in size and complexity, so too do their vulnerabilities. Additionally, cyber criminals are becoming increasingly sophisticated as they take advantage of powerful open-source online tools. Though these tools and programs are critically important to managing massive networks, it is sometimes difficult for an organization to change its infrastructure to support them. Also, these promising network capabilities are only as effective as organizations allow them to be. Splunk is a powerful tool for monitoring massive networks, but the staff needs to properly take advantage of its features, or it will become an unnecessary burden. Likewise, the Meraki Cloud Platform, which allows network managers to quickly and efficiently manage networks across the globe, puts a heavy responsibility on the individuals running the operation. Organizations that use these tools must never fall victim to complacency and allow automation to diminish network manager skills. These tools and programs will provide the capability to maintain massive networks, but they are not a replacement for the expertise required from professionals in the field.  Moving forward, it is critical that information security professionals be flexible to an ever-changing environment. With the aid of automation tools, coupled with a deep understanding of network fundamentals, massive networks can safely be used to form the backbone of a world being connected.



[1] Suzanne Deffree, “ARPANET establishes 1st computer-to-computer link, October 29, 1969,” EDN Network. (29 October, 2015), 1-2.


[2] Dean Evans, “What is BYOD and why is it important?”–1175088 (accessed 13 December, 2016).


[3] International Business Machines, “What is Big Data?” (accessed 13 December, 2015).


[4] Anders Broman, “Working with Large Capture Files”, 30 January, 2013. (accessed 14 December, 2015).


[5] Splunk Enterprise, “The Platform for Operational Intelligence,” (accessed on 13 December, 2015).


[6] Jonathan O’Callaghan, “Think you’re safe on the internet? Think Again,” (26 June 2014). (accessed 12 December, 2015).


[7] Virginia Harrison and Jose Pagliery, “Nearly 1 million new malware threats released every day,” CNN Tech, 14 April, 2015. (accessed 13 December, 2015).


[8] Cisco Systems, Inc. “Cloud Networking Architecture: An Integrated Networking Platform Build for Management,” 2015. (accessed 12 December, 2015).


[9] John Pescatore, “Continuous Diagnostics and Mitigation: Making it Work,” SANS Institute InfoSec Reading Room, August 2014.


[10] Department of Homeland Security, “Continuous Diagnostics and Mitigation (CDM),” 6 November, 2015. (accessed 12 December, 2015).


[11] Ibid., 1.


[12] Continuous Diagnostics and Mitigation: Making it Work, 2.

US Army Comments Policy
If you wish to comment, use the text box below. Army reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The Army and the Army alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the Army, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying Army endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

Army does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. Army may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. Army does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the Army or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.