How Torq Hyperautomation Simplifies Phishing Analysis for SOC Teams

2023 went down in history as the worst year for phishing attacks on record, with nearly 35 million attempted business email compromise (BEC) attacks detected and investigated, according to the Microsoft Threat Intelligence Cyber Signals report. Unfortunately, phishing analysis is one of the most time-consuming tasks for the SOC. Responding to a phishing incident requires careful examination. SOC analysts quickly become overwhelmed by the volume of potential threats that need manual inspection, thanks in part to the use of Generative AI in these social engineering-based attacks. Phishing attacks have become so difficult for the untrained eye to detect that reports show that over 60% of end-user-reported phishing emails are false positives. SOC teams spend hours manually checking each email, attachment, and link against different databases and tools, which is time-consuming and error-prone. 

Streamlining Phishing Analysis in the SOC

Torq Hyperautomation helps automate repetitive phishing attack mitigation tasks, providing consistent and accurate case management without the fatigue. With Torq, SOC teams can quickly identify and evaluate risks through automated phishing analysis, cutting down analysis time from hours to minutes and freeing up analysts’ time for more critical tasks. By automating these otherwise monotonous tasks, security teams reduce false positives, experience less burnout, and can finally manage the growing volume of threats.

Monitor an Outlook Mailbox for Phishing via Graph Subscription  

Torq Hyperautomation empowers SOC analysts to automate phishing analysis and improve SOC team efficiency using several pre-built phishing templates in our template library. If you’re an Outlook user, this one is for you! 

First, select the “Monitor an Outlook Mailbox for Phishing via Graph Subscription” template from the library. From there, once an email hits the monitored inbox, Torq will receive a copy to analyze. When the analysis starts, the email will be labeled as “Scan-Started” within Outlook while the necessary elements are extracted and observables are enriched. Once the analysis is done, the labels within Outlook will change to show the verdict. In this example, we can see that the email contains malware and phishing URLs.

All results will then be added to a new case as custom fields, observables or attachments. All additions to the case are shown on the timeline for compliance tracking purposes. The overview of the case shows details about the email along with the verdict for the attachment and URL. Custom fields include important data such as DMARC and SPF analysis to help understand if the email is coming from a trusted sender. As a result of the phishing URL enrichment, a screenshot of the site is attached, and we know without visiting the website that it is impersonating a known service. 

All sub-observables are attached and show a malicious verdict. As the final step in this case enrichment, AI reviews sanitized data pulled from the verdict and generates a human-readable summary of the entire case analysis.
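The extraction, enrichment and labelling steps described above, as an added example that is not Torq's template code: it parses a message, pulls out URLs and attachment hashes, reads the SPF/DMARC results recorded by the receiving mail server, and turns the enrichment into verdict labels. The label names, the two enrichment lists and the sample message are constructed stand-ins; a real deployment would replace the lists with threat-intelligence lookups.

```python
"""Phishing-email observable extraction and labelling (added example).

Mirrors the walkthrough: extract URLs and attachments, read the SPF/DMARC
results the receiving MX recorded, enrich the observables, and produce the
labels applied once the scan finishes. Enrichment lists are constructed.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed enrichment sources (hypothetical values, not real indicators).
SAMPLE_ATTACHMENT = b"constructed sample attachment bytes standing in for a malicious file"
KNOWN_MALWARE_SHA256 = {hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()}
KNOWN_PHISHING_DOMAINS = {"login-verify.example.net"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# Matches method=result pairs in Authentication-Results, e.g. "spf=fail", "dmarc=pass".
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_authentication_results(msg):
    """Return {'spf': 'fail', 'dmarc': 'pass', ...} from Authentication-Results headers.

    These results were written by the receiving MX, so they answer the question
    the walkthrough asks: does the mail really come from the claimed sender?
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(header)):
            results[method.lower()] = result.lower()
    return results


def extract_observables(raw):
    """Extract sender, URLs, attachment hashes and authentication results from raw mail bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": part.get_filename(),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {
        "from": str(msg["From"]),
        "urls": sorted(urls),
        "attachments": attachments,
        "auth": parse_authentication_results(msg),
    }


def verdict_labels(observables):
    """Enrich the observables and return the labels to apply when the scan finishes.

    Label names are constructed. A sender whose SPF or DMARC result is anything
    other than "pass" (including a missing result) is treated as unverified.
    """
    labels = set()
    if any(a["sha256"] in KNOWN_MALWARE_SHA256 for a in observables["attachments"]):
        labels.add("Malware")
    if any(urlparse(u).hostname in KNOWN_PHISHING_DOMAINS for u in observables["urls"]):
        labels.add("Phishing-URL")
    auth = observables["auth"]
    if auth.get("spf") != "pass" or auth.get("dmarc") != "pass":
        labels.add("Sender-Unverified")
    return sorted(labels) or ["Clean"]


def build_sample_email():
    """Constructed sample: a fake invoice that fails SPF/DMARC and carries a bad URL and attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example-invoices.test"
    msg["To"] = "phishing-inbox@example.com"
    msg["Subject"] = "Invoice overdue"
    msg["Authentication-Results"] = (
        "mx.example.com; spf=fail smtp.mailfrom=example-invoices.test; "
        "dkim=none; dmarc=fail header.from=example-invoices.test"
    )
    msg.set_content(
        "Your account will be suspended. Verify it here:\n"
        "https://login-verify.example.net/account\n"
        "Help centre: https://docs.example.org/help\n"
    )
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_email()
    print("Outlook label: Scan-Started")  # applied while extraction and enrichment run
    obs = extract_observables(raw)
    for key, value in obs.items():
        print(f"{key}: {value}")
    print("Outlook labels:", ", ".join(verdict_labels(obs)))  # Malware, Phishing-URL, Sender-Unverified
```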

Automate your Phishing Analysis with Torq

Phishing analysis automation with Torq Hyperautomation significantly reduces the workload for SOC teams. Torq integrates with several key partners to offer use cases that can help organizations prevent, protect against, and understand phishing attacks and avoid costly data breaches. Want to learn more about how you can automate phishing analysis with Torq Hyperautomation? Get a demo.

An Introduction to SOC Automation

The security operations center, or SOC, is the backbone of modern security operations. By centralizing security monitoring, detection, and response, SOCs help organizations manage security risks more efficiently and effectively.

But simply setting up a SOC doesn’t guarantee optimal security workflows. To get the very most from your SOC, you must automate its operations as much as possible. SOC automation allows teams to manage security threats with even greater speed, efficiency, and accuracy than they can in a SOC that relies on manual operations.

Keep reading for a dive into how SOC automation works, how to define SOC playbooks and workflows, and which benefits automation in the SOC provides to both security teams and the business as a whole.

What Is a SOC?

A SOC (pronounced “sock”) is the part of a business that is responsible for managing security threats. A SOC is made up of the people and tools that handle:

  • Threat intelligence, meaning the collection of data about potential security threats and risks.
  • Security monitoring, which allows security teams to detect active risks and breaches.
  • Security analysis, or the process of investigating threats and breaches in order to identify their root cause and plan a response operation.
  • Security response, meaning the processes by which the security team reacts to identified threats.
  • Recovery, which involves restoring systems to a secure state following a security incident.
  • Post-incident reporting and analysis, which teams use to evaluate why an attack occurred and plan strategies for preventing a similar incident from happening again in the future.


Although the term “security operations center” may seem to imply that the SOC is an actual facility or physical location, that’s not always the case. Ultimately, a SOC is an organizational function. You don’t need all of your security analysts to sit in the same room in order to have a SOC. As long as there is a team within your business that handles the security tasks described above, you have a SOC in place.

What Is SOC Automation?

SOC automation is the process of automating some or all aspects of SOC operations. When you automate your SOC, you replace manual security workflows with automated ones.

For example, SOC automation might entail automatically collecting and parsing threat intelligence reports in order to identify which threat intelligence data is most relevant to your business based on the types of resources it relates to and the types of risks it addresses. You could perform this process manually, but SOC automation allows you to do it faster and with fewer staff resources.

As another example, SOC automation could take the form of automated security analysis. Instead of relying on engineers to investigate and analyze a threat manually, you could automate that SOC function using tools that assess the threat’s potential impact and trace it back to its root cause.

The Benefits of SOC Automation

The main reasons to consider SOC automation include:

  • Speed: Automation helps security teams detect and respond to incidents faster.
  • Efficiency: Automation allows the SOC to do more with fewer staff resources.
  • Scale: Relatedly, automation helps the SOC to contend with threats of increasing volume and complexity without having to scale up the size of the security team.
  • Better use of human capital: By automating routine aspects of security response, SOC automation allows engineers to apply their skills where they matter most: solving complex problems that require original thought and analysis, as opposed to performing mundane, repetitive tasks.

These advantages of automation in the SOC reflect the benefits of automation in general. However, given that the ability to respond quickly and efficiently is particularly critical in the context of security, automating the SOC arguably delivers even more value than automating other parts of the business. It’s nice to automate, say, the deployment of an application to a server, which would save a bit of time and effort. But it’s not absolutely critical. By contrast, detecting and remediating threats in as little time as possible with the help of security automation is absolutely essential for preventing risks from turning into active breaches. 

Aren’t SOCs Always Automated?

It’s worth noting that, to a certain extent, virtually every SOC has some level of automation.

For example, security monitoring, which is one of the core functions of a SOC, is typically performed using tools that automatically collect and analyze data to reveal anomalies that could be the sign of a threat. SOCs may also automate some of the auxiliary processes required to drive security workflows, such as providing communication channels between stakeholders.

However, the typical SOC relies mostly on manual operations for handling more complex tasks. It doesn’t automate work like security analysis or response. Those processes are harder to automate because every threat or risk requires a different analysis and response process, so many teams perform them manually.

The goal of SOC automation, then, is to automate those aspects of a SOC that teams have conventionally managed using a manual approach. So, if your SOC is automated, you go above and beyond basic security automations; you automate the more complex and less predictable components of your security operations.

The Role of Playbooks in SOC Workflows

A fundamental building block of SOC automation is the security playbook. A playbook defines a security workflow by outlining the steps teams will take to handle different types of security incidents. By developing SOC playbooks ahead of time, teams avoid having to make a response plan every time an incident occurs.

That said, simply having playbooks on hand doesn’t mean that you’ve automated your SOC. In order to enable complete SOC automation, your playbooks must integrate with other security tools and workflows so that your teams can deploy the playbooks easily and efficiently.

For example, in a fully automated SOC, monitoring tools might detect a certain type of risk, then identify the playbook that the team should use to respond to it. Then, the SOC can automatically keep track of the team’s progress as it works through the steps defined in the playbook. The SOC may also generate automatic post-incident reports based on the procedures laid out in the playbook.

What If There Is No Playbook for My Cyber Incident?

Of course, it’s impossible to create SOC playbooks ahead of time that address every type of incident. There will always be situations that your team didn’t anticipate, and for which it therefore didn’t prepare a playbook.

Even in those situations, however, the playbooks you do have can be useful for minimizing the manual effort required to respond to a security incident. During the response planning stage, your team can build on or borrow from existing SOC playbooks to craft a response strategy for a novel threat.

As a basic example, imagine you have a cyber incident playbook that defines a response plan for handling malware after you discover it on a server, but the security incident you’re dealing with involves malware inside a Kubernetes environment, not a standalone server.

These are different scenarios because they involve fundamentally different types of infrastructure or hosting environments. However, there is still likely to be a lot of overlap in the response process to each threat. In both instances, your team would need to identify the type of malware, then determine the most efficient way to remove it.

So, although the removal process would probably be different if you’re dealing with containers (where you could most likely replace the infected containers with new containers based on clean images) as opposed to a server (where you may need to scrub the malware from the server because you can’t just drop a new server into place), the initial stages of the response process would be more or less the same. The playbook for server malware response could therefore serve as the basis for responding to an incident involving malware on containers, saving your SOC from having to plan a response totally from scratch.

Of course, in order to automate the response process, your SOC would still need to be able to recognize the similarities between a malware incident in both types of environments, then alert your team to the relevant playbook. This can be done, but it requires nuanced, sophisticated SOC automation. Automation that is based on simple rules (like linking monitoring alerts to specific playbooks) wouldn’t be enough in this case to help the SOC automate the response process as much as possible based on the available resources.

What is the difference between cyber security and SOC?

A SOC is part of a company’s overall cybersecurity strategy – it’s the heart of security operations and where key functions like security monitoring, detection, and response occur. 

But a SOC is not the sole component of cybersecurity. It is one pillar of a complete cybersecurity strategy.

What is a SOC tool?

A SOC tool is any cybersecurity tool that is used in the security operations center.

What are the key tools in a SOC?

A SOC can comprise a number of different security solutions. Most modern SOCs include a combination of security automation and hyperautomation, endpoint protection/endpoint detection and response (EDR) platforms, intrusion prevention systems (IPS) and intrusion detection systems (IDS), network security solutions, cloud SIEM/log management platforms, extended detection and response (XDR) platforms, mobile device management (MDM), asset discovery, vulnerability assessment and more.

What is the difference between SIEM and a SOC?

Security information and event management (SIEM) is a technology that supports threat detection, compliance, and security incident management. It collects and analyzes security events. While both SIEM and a SOC monitor for security events, SIEM is just one component of a SOC strategy and is often used as one tool within a SOC to detect and manage threats.

Conclusion

Building a SOC is one step toward modernizing security operations, but it’s not enough on its own. Organizations should seek to automate the SOC as much as possible – even in cases where there is no preexisting playbook to guide response operations. SOC automation helps security teams work faster while also maximizing their chances of shutting down threats before they cause harm to the business.

How Next DLP Automates Data Breach Investigations with Torq Hyperautomation

The following is adapted from a conversation between Torq and Robbie Jakob-Whitworth, Cybersecurity Solutions Architect at Next DLP. Next DLP is a leading provider of insider risk and data protection solutions. Read on to learn how Robbie has used Torq Hyperautomation to automate alerts and reduce alert fatigue within his organization.  

Introduction to Robbie and Next DLP

I’m Robbie Jakob-Whitworth, Solutions Architect with Next DLP. Next DLP is focused on reinventing data protection, DLP, and insider risk. So, I spend a lot of time working with customers and enterprises focusing on how we can protect the data in their organization, how we can prevent a data leak or data breach, and also how we can manage the insider risk. 

So a key thing that I work on with a lot of customers is alerts, detections and incidents from a data protection perspective as well as an insider risk perspective. And alert fatigue is something that is a very real problem for security analysts. They spend a lot of time looking through alerts. 

Next DLP provides a fantastic platform to get an overview and take control of risky behavior taken by users. For example, the sharing of sensitive data, or accessing data that is controlled by regulation or compliance. But going through all of these alerts and all of these incidents can be quite a time thing sometimes for an analyst. So in that theme of alert fatigue, I was able to use Torq to build a workflow to notify me separately via Slack about the most serious data breaches.

Combatting Alert Fatigue with Hyperautomation

So in the example that I’m going to show you here, we can actually reduce alert fatigue by using Torq to just alert us about the highest-severity alerts. So using Next DLP, I built out a webhook integration directly into Torq and streamed detection information to Torq where the data is Personally Identifiable Information (PII).

I’m only going to focus on the highest-risk users, and I only want events that have a score of at least 80. So, particularly high-severity alerts. Now, when a policy violation or incident occurs that meets these thresholds, a workflow in Torq is triggered and I get notified in real time through Slack or on my phone.

Then, I can launch an investigation in real time. So I can go and spend my time on other things that are more important to me than looking through logs. I’m saving a lot of time by getting these alerts through Torq.

A Real-World Example

Consider this – from a data protection perspective, I might have data in my organization, maybe personal information, social security numbers, or customer information that needs to be protected. And in this case, if I’m a user and I’m sharing this data through a site like WeTransfer, either maliciously or accidentally, Next DLP can provide real-time data protection by enforcing IT and corporate policy, preventing the taking of sensitive data. 

So in this case, we caught the fact that this file contains this sensitive information – email addresses and social security numbers – and that it was leaked out through WeTransfer. Next DLP protected and blocked that activity.

Now as a SOC or security analyst, I don’t need to sit in the Next DLP platform and look through every single alert. With this automation, Torq notifies me with all of the information around the incident: which user violated the policy, what the policy was, that it contains social security numbers, how the data was being exfiltrated, in this case to WeTransfer. I get a link to view the file and the forensic evidence, along with a screenshot of the user’s desktop at that moment in time. So I’m able to launch an investigation to dive down deeper into the context of this user’s activity. 

The Power of Torq Hyperautomation

Traditionally, for an analyst or in a SOC, you spend all your time kind of combing through logs and alerts. You have a lot of false positives to deal with. And all the information is presented to you within a powerful UI of most products. But, you have to spend a lot of time going through each alert.

It was super simple to build this automation because I’m combining the powerful open API provided by Next DLP with the really helpful no-code workflow UI provided by Torq. Plugging those two together is the best of both worlds. It’s really a fantastic way to orchestrate and connect different systems together and to save me time by automating those manual tasks.

Want to learn more about Torq Hyperautomation? Get a demo.

Stop SOAR From Killing Your SOC Budget With Hyperautomation

Cyberthreats are escalating and SOC budgets are tightening. It’s a recipe for disaster, that is, unless you take advantage of new technologies that keep both in check. The fact is, businesses are now spending nearly a third of their cybersecurity budget on running an in-house SOC, averaging out to $2.86 million per year, according to Ponemon.

Historically, security teams anchored their SOCs with SOAR. In the distant, fading past, this was intended to improve efficiency and drive standardization across incident response activities. SOARs promised to enable organizations to integrate security solutions within the SOC technology stack, filter and prioritize incident data, and automate processes to improve remediation speed. However, reality quickly set in, and SOC teams experienced disconnected and reactive defenses, narrow visibility and event processing capabilities, and limited inflexible integrations that were putting the organization in danger.

Beyond the technical limitations, organizations found that the myriad of hidden costs associated with running SOAR negatively impacted the investment already made in three key areas of the SOC: People, Time, and Technology.

People

When the SOC receives an alert, three levels of analysts typically work together to cover the entire threat lifecycle. Entry-level analysts handle the initial triaging and filtering of alerts, escalating legitimate threats to Tier-2/3 analysts for more advanced investigation and eventual remediation. However, the need for continuous monitoring, troubleshooting, and maintenance of SOAR solutions creates a bottleneck, slowing down the incident response process at every level. According to ESG, 92% of security professionals agree that leveraging a SOAR effectively demands intensive programming/scripting skills, meaning organizations often find themselves allocating one, if not more, FTEs strictly to SOAR management.

Depending on the size and maturity of the organization, staffing an efficient 24/7 SOC may require between 5 and 10 analysts, with the average entry-level analyst salary hovering around $90,000 annually. The challenge is, the cybersecurity space is already dealing with a global shortage of 4 million security staff, and Tier-1 analyst roles are so tedious and demanding that employees don’t stay in these positions long due to high stress and eventual burnout. This shortage has made finding highly skilled and experienced analysts much more difficult, increasing the competitive salaries organizations must offer throughout the recruitment process.

Time

Lost time carries a cost, whether it is the cost of increasing staff or labor hours to deal with overwhelming amounts of disconnected SOAR alerts, the impact of organizational downtime when a legitimate threat is missed, or even the regulatory compliance fines and reputational damage incurred in post-breach recovery. According to IBM’s Cost of a Data Breach Report (2023), the global average cost of a data breach has risen by 15% over the past 3 years, reaching an astronomical $4.45 million.

Improving SOC speed to combat the potential impact of downtime is a key investment area for most organizations, and an area in which SOAR has drastically failed. SOAR’s poorly scalable architecture and integration rigidity make the initial implementation and configuration slow, tedious and time-consuming. Once implemented, CISOs and Directors of Cybersecurity commonly report on the mean time to respond (MTTR) to an incident when measuring the efficiency of the SOC. Ironically, the amount of time spent manually triaging, correlating and escalating massive amounts of alerts within a SOAR is often the major contributing factor leading to analyst burnout, and almost 40% of cybersecurity professionals say that their average MTTR is still “months or even years”.

Technology 

To help reduce MTTR, especially in this intensely-competitive era of hiring experienced SOC analysts, organizations invest more heavily in technology to arm their security operations center. In 2024, approximately 70% of IT leaders expect to increase their cybersecurity budget, with almost half of that budget being allocated towards the cloud security and incident response solutions that are pertinent to day-to-day SOC responsibilities. Despite significant investments in cybersecurity tooling to increase SOC productivity, many organizations experience the opposite effect. 

Security teams are overloaded, trying to protect legacy systems, hybrid infrastructures, and emerging technologies with siloed security solutions that do not have pre-built SOAR integrations allowing them to work in harmony with each other or with third-party threat intelligence feeds. The overabundance of security tools meant to safeguard an organization ends up contributing to an operational deficiency known as stack sprawl, where a lack of integration, limited connectivity, and an overwhelming amount of disconnected event data actually decreases SOC productivity. Even building basic SOC automation playbooks and setting up integrations with existing security solutions can often require custom development or lengthy professional services offered by the SOAR vendor, delaying productivity and decreasing ROI.

Maximize ROI with SOC Hyperautomation

Before signing on the dotted line, organizations need to be aware of the budget-busters of SOAR and other legacy SOC solutions that erode their value, lengthen their ROI, and make them downright expensive. Today, building an efficient SOC and maximizing not only the investment made in SOC solutions, but also the resource investment in people and time, requires Hyperautomation.

SOC teams leveraging Torq Hyperautomation easily integrate any security solution, and build effective automations using AI prompts or no-code, low-code, and full-code support. Purpose-built AI capabilities that leverage LLMs to understand natural language uplevel Tier-1 analysts to perform Tier-3 tasks at machine speed, without the typical learning curve or need for professional services. By applying automation not only to security solutions, but to repetitive investigation, organization, and escalation tasks as well, Hyperautomation not only reduces the workload of SOC analysts, but enables them to act faster on critical incidents with intelligent, dynamic prioritization. Finally, a secure and extensible, cloud-native, zero-trust architecture eliminates scaling or performance ceilings, while maintaining compliance regardless of which best-of-breed solutions or enterprise architecture the organization is working with.

When building out a SOC, the best way to maximize an organization’s ROI is to protect the three key areas of investment: People, Time, and Technology. Torq Hyperautomation not only protects that investment, but enhances the SOC by automating processes at scale, with ease and efficiency – effectively solving the challenges outlined above, and removing the hidden costs associated with SOAR solutions.

Learn more about how Torq Hyperautomation protects your SOC investment, and download our spotlight report “SOAR is Dead: A Manifesto”. And to see Torq in action, schedule a demo.

How to Save Your SOC Analysts From Alert Fatigue

SecOps teams face an unyielding barrage of security signals raised by various systems and tools. It’s estimated that 56% of large companies receive 1,000 or more alerts per day.

SOC analysts are expected to wade through these alerts and determine which ones are important, which are low priority, and which are imperative. 

According to IDC, 83% of cybersecurity employees say they’re struggling to cope with the overwhelming alert volume. Meanwhile, 30% of alerts are ignored or go uninvestigated due to security teams of all sizes struggling with alert fatigue, leaving the door open to potential threats that can adversely affect the organization.

Legacy SOAR: The #1 Cause of Alert Fatigue

The leading cause of alert fatigue is legacy SOAR’s flawed approach to alert prioritization. It treats every event as an incident and depends on inflexible SIEM-based event pipelines for the critical tasks of noise reduction and data enrichment. Further, SOAR requires significant costs for processing additional signals and automating subsequent follow-up. And because SOAR relies primarily on on-premises architecture, its scalability is crippled, further increasing costs and hindering integration of modern security tools.

Legacy SOAR’s downsides include:

  • Difficulty finding useful information and managing vulnerabilities
  • Slower time to identify and respond to actual threats
  • Higher rates of SOC analyst burnout, which drives attrition

How a Hyperautomated SOC Eliminates Alert Fatigue

Torq Hyperautomation can process event volume orders of magnitude larger and faster than legacy SOAR, and has more flexible capabilities to filter, enrich, correlate, and aggregate events for automation processing. A Torq Hyperautomation-driven SOC is built on an event-driven architecture and offers easy workflow automation to sift through the noise, close out false positives more quickly, and prioritize responses more efficiently.

Torq also offers horizontal scalability to support a vast number of processes and automatically parses all data, while SOAR requires manually selecting and mapping fields.

In addition, Torq offers more flexibility with trigger conditions, including templates. This means multiple triggers look at the same event and can launch a variety of different workflows dynamically. 

A Torq Hyperautomation-based SOC helps eliminate alert fatigue and frees SOC analysts from the endless, resource-draining game of event whack-a-mole SOAR is known for. With Torq, alerts are prioritized, enriched, and contextualized, and 95% of Tier-1 tasks are hyperautomated, so SOC analysts can focus their attention on only significant alerts and incidents without being bogged down by noise.

See how a hyperautomated SOC can eliminate alert fatigue. Get a demo.

Enhancing Cyber Defenses: The Benefits of Hyperautomation in Cybersecurity

Cyber threats are constantly evolving and becoming increasingly sophisticated, and organizations are continuously searching for ways to fortify their cybersecurity defenses. One approach that has gained significant traction is hyperautomation.

Hyperautomation, which automates once-manual security workflows and processes, enhances cybersecurity posture, streamlines security operations, and effectively mitigates risks.

So, what are the benefits of hyperautomation in cybersecurity, and how does it improve security operations while reducing cyber risks?

The Benefits of Hyperautomation in Cybersecurity

Increased Efficiency

Hyperautomation increases efficiency in cybersecurity by enabling organizations to automate repetitive tasks such as threat detection, incident response, and vulnerability management. This allows cybersecurity teams to focus their time and efforts on more strategic initiatives.

Faster Response

Hyperautomation empowers SecOps teams to respond to threats in real-time. AI-powered hyperautomation that uses large language models can analyze vast amounts of data at incredible speeds, allowing for faster identification and remediation of security incidents before they have a chance to escalate into larger breaches.

Proactive Threat Detection

Hyperautomation uses AI in security to detect and analyze patterns indicative of potential cyber threats. By continuously monitoring network traffic, user behavior, and system logs, organizations can proactively identify and stop attacks before they have the chance to cause significant damage.

Seamless Integration

Hyperautomation integrates seamlessly with the vast majority of existing cybersecurity tools and technologies, which enhances their capabilities and provides a more unified approach to security management. This extensibility and interoperability ensures organizations can leverage their existing investments while maximizing the effectiveness of their cybersecurity defenses.

Scalability

As organizations grow and evolve, so do their cybersecurity needs. Hyperautomation delivers scalability by adapting to changing requirements and increasing workloads. Whether it’s securing new endpoints, expanding into cloud and hybrid environments, or integrating with emerging technologies, hyperautomation offers the flexibility to scale security operations accordingly.

How Does Hyperautomation Improve Security Operations?

AI-driven hyperautomation greatly improves security operations by streamlining workflows, accelerating response times, and enhancing decision-making processes. With hyperautomation you can achieve a 10X or more operational and productivity boost within weeks of deployment. Autonomously detecting, triaging, investigating, and remediating security threats introduces new efficiencies in cybersecurity without the need for human intervention. This dramatically filters out the noise of thousands of daily security alerts and only presents the most critical as needing attention, which greatly accelerates the mean time to resolve genuine security incidents. By leveraging AI and automation, organizations can:

  • Automate routine tasks: Hyperautomation automates repetitive tasks, such as log analysis, malware detection, and patch management, freeing up security teams to focus on more complex and strategic initiatives.
  • Enhance threat intelligence: AI algorithms analyze vast amounts of data to identify patterns and anomalies that indicate a potential cyber threat. This enables organizations to stay ahead of emerging threats and proactively defend against potential attacks.
  • Improve incident response: Hyperautomation enables faster incident detection, analysis, and remediation. By automating incident response workflows, organizations minimize threat exposure and can more quickly mitigate the impact of security incidents.
  • Optimize resource allocation: AI-driven insights provide security teams with actionable intelligence, enabling them to prioritize tasks based on risk severity and potential impact. This eliminates the need to respond to low-priority alerts and tasks, and ensures resources are allocated efficiently to address the most critical security issues.

Can Hyperautomation Reduce Cybersecurity Risks?

Because hyperautomation gives security teams the ability to automate threat detection and response, reducing cyber risk is one of the main reasons organizations deploy it. AI adds the ability to analyze massive amounts of data in real time to identify indicators of potential security threats, which reduces risk further.

Ultimately, hyperautomation allows security teams to detect security threats faster and respond more quickly and more effectively, minimizing their impact and reducing cyber risks by:

  • Minimizing human error: By automating routine tasks and standardizing security processes, hyperautomation reduces the likelihood of human error, which is a common cause of security breaches.
  • Enabling proactive threat hunting: AI-powered analytics enable organizations to proactively hunt for threats across their infrastructure, identifying and neutralizing potential risks before they can be exploited.
  • Improving compliance posture: Hyperautomation ensures consistent enforcement of security policies and regulatory requirements, reducing the risk of non-compliance and potential penalties.

Hyperautomation offers myriad benefits, including increased efficiency in cybersecurity, faster response, proactive threat detection, seamless integration, and scalability. By leveraging AI and automation, organizations can enhance their security operations, reduce cyber risks, and strengthen their defenses against today’s evolving security threats.

To see the benefits of hyperautomation in action, schedule a Torq demo.

Torq Talks to Tyler Young, CISO at BigID

The following is adapted from a conversation between Torq and Tyler Young, CISO at BigID. BigID produces software for data security, compliance, privacy, and governance. Read on to learn about how Torq Hyperautomation has helped BigID unlock new levels of efficiency and productivity by relieving their team of rudimentary tasks.

Introduction to Tyler and BigID

I’m Tyler Young, Chief Information Security Officer at BigID. I’ve been at BigID for two years, and I was brought in to take the company’s product security program to the next level. Prior to BigID, I was at Relativity for almost four and a half years, where I was responsible for building out and scaling the security program. Prior to Relativity, I was at Zurich Insurance. Before that, I worked with some consulting firms and the US Government. I’ve had experience with multiple sectors and am now focused on hypergrowth tech.

BigID’s Automation Journey

BigID’s automation journey consists of two different parts. First, we needed to bring in the right technologies that fed the right telemetry to our security engineering teams. Second, we wanted to save time by not building out an elaborate SOC. We talk all the time as an industry about burnout and talent shortage. Security teams want to build, they want to solve critical problems, they don’t want to be looking at alerts all day or wasting time on repetitive tasks that can be automated. That’s why we invested in Torq. We leverage Torq for the phishing aspects of what BigID is doing, as well as our level one and level two tasks. We built our automation strategy from scratch leveraging Torq.

Life Before Torq Hyperautomation

We had Torq Hyperautomation within my first five months of being at BigID, but in my last role, we used a SOAR platform. It took an entire team to operate and to manage it. I’m talking like six or seven people writing automation framework playbooks and writing threat detections in the platform. Instead of spending over a million dollars on the program, we could have been using those resources to build homegrown security solutions or leveraging open source so that we could offset some other security costs. I think a lot of places are leveraging these really robust SOAR capabilities, but they require a significant head count, a lot of funding and top-notch talent to write code, almost at the same level as some developers are writing.

Comparing Torq Hyperautomation to Traditional SOAR Offerings

Torq Hyperautomation’s click-and-drag capability and ability to integrate with companies like SentinelOne or CrowdStrike, combined with not having to write API connections and build connectors for all these different aspects, make the program different from legacy SOAR. Being able to just click and drag makes our job so much easier. I can do the same thing with one or two security engineers that we could do with ten when they’re having to write these things manually.

Benefits BigID Has Experienced with Torq Hyperautomation

Maybe this is the unconventional aspect of this, but I think the biggest benefit we’ve seen is that our security engineers don’t have to focus on remedial workflows that they can build themselves in a playbook, which allows them to focus on more meaningful work. I’m a big believer in building security solutions, and in leveraging things off the shelf when possible. Torq allows our team to take the rudimentary tasks and automate them so that they can spend more of their time building.

Advice to CISOs Considering Torq Hyperautomation

I think it’s important to do a cost benefit analysis of how much time and money you spend today on your current SOAR offering. It’s also important to gauge your employees’ happiness and satisfaction with their responsibilities. There’s already a talent shortage. Ask yourself, is my team bought into what they’re doing? If not, leverage something like Torq Hyperautomation to automate those repetitive tasks so your team is focusing on more meaningful work. 

On the Future of AI and Security 

I think there’s a place and time where all the alerts, all the telemetry is going to some type of autonomous agent that’s leveraging AI in some capacity. In the future we’ll be able to understand the attacks that are happening in real time, something that’s lacking today with AI. If you have threat detections that are happening and updating in real time, then you have the ability to block and respond to those in real time. In a perfect world, I see AI enabling security teams to be focused on building solutions that are more custom tailored to your needs. 

Want to learn more about Torq Hyperautomation? Get a demo.

Detect and Respond to Threats Faster with Torq and Anvilogic

Is SIEM lock-in preventing the transformational impact of Torq Hyperautomation? Due to cost and scale challenges, endpoint activity, cloud telemetry, and network flows are often missing from detection and security automation. For security teams that keep these and other large datasets outside their SIEM, Anvilogic has teamed up with Torq to take SOC automation to the next level.

Integrating Torq and Anvilogic gives security operations teams a new way to detect threats across data platforms like Splunk, Snowflake, and Azure Sentinel, and then quickly handle those detections with interactive remediation workflows. Sound complicated? Let’s walk through an example of how Torq and Anvilogic make it easy.

Detection Scenarios Across Your SIEM and Data Lake

Traditionally, critical data sets such as Active Directory and endpoint activity logs are a SIEM blind spot. Anvilogic’s support for cost-effective data lake alternatives means these high-volume security feeds can be used for detection rules and correlated scenarios. 

For example, the FIN6 cybercrime group targets the retail and hospitality sectors to steal payment card data using Active Directory (AD) attack techniques. While these may often seem benign, one of Anvilogic’s thousands of curated detection scenarios correlates FIN6-associated AD activity and what the threat group later does on victim endpoint hosts. The combination of these data points, which are often not available in a traditional SIEM, serves as a high-confidence indication that an attack is in progress.

Slashing the Mean Time to Respond

With the new integration between Anvilogic and Torq, the alert for possible FIN6 activity can quickly turn into mitigation, reducing the risk of payment card data theft. The Torq Hyperautomation platform receives a detailed alert from Anvilogic, with information about the users involved and potential indicators of compromise (IOCs). In parallel, the affected user receives a Slack message to determine if they’re aware of the suspicious activity, while the IOCs are extracted for investigation. All of this happens without analyst involvement.

If the user is not aware of the activity, their response, together with the extracted IOCs, is funneled into the case management system, where the SOC can see why Anvilogic triggered the alert alongside the context that has been automatically gathered. The team can then isolate the system and take any additional steps needed to eliminate the threat from the environment.
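The alert-to-case flow described above, as an added Python example that is not Torq's or Anvilogic's code: the alert payload, the user's reply, the IOC patterns and the case structure are all constructed for illustration, and the Slack check-in is a stand-in function rather than a real API call.

```python
import re
from dataclasses import dataclass, field

# Constructed alert in the shape the text describes (rule name, users involved,
# free-text detail carrying potential IOCs). Not a real Anvilogic payload; the
# hash is the well-known SHA-256 of an empty file, used only as sample data.
SAMPLE_ALERT = {
    "rule": "FIN6: AD reconnaissance followed by endpoint staging",
    "users": ["jdoe"],
    "host": "WS-0421",
    "detail": (
        "net group query from WS-0421, then outbound connection to "
        "203.0.113.45 and DNS lookup of staging.example.net; dropped file "
        "sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    ),
}

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    # final label must be alphabetic so dotted IPv4s are not double-counted
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Pull IPv4s, SHA-256 hashes and domains out of alert text, deduplicated in order."""
    found: dict[str, list[str]] = {}
    for kind, pattern in IOC_PATTERNS.items():
        found[kind] = list(dict.fromkeys(pattern.findall(text)))
    return found


@dataclass
class Case:
    title: str
    users: list[str]
    host: str
    iocs: dict[str, list[str]]
    user_reply: str
    status: str  # "open" for the SOC, or "closed-benign"
    next_steps: list[str] = field(default_factory=list)


def ask_user(user: str, rule: str) -> str:
    """Stand-in for the Slack check-in; a real workflow would send a message and
    wait for the reply. The constructed reply here is a timeout (empty string)."""
    return ""


def triage(alert: dict, user_reply: str) -> Case:
    """Build the case the SOC sees. Only an explicit 'yes' from the user counts as
    awareness; silence or anything else is handled as a live incident (fail-safe)."""
    iocs = extract_iocs(alert["detail"])
    aware = user_reply.strip().lower() in {"yes", "y"}
    if aware:
        return Case(alert["rule"], alert["users"], alert["host"], iocs,
                    user_reply, "closed-benign")
    return Case(
        alert["rule"], alert["users"], alert["host"], iocs,
        user_reply or "(no reply)", "open",
        next_steps=[f"isolate {alert['host']} from the network",
                    "block extracted IOCs at egress and mail gateways",
                    "review the triggering AD and endpoint events in the data lake"],
    )


if __name__ == "__main__":
    case = triage(SAMPLE_ALERT, ask_user(SAMPLE_ALERT["users"][0], SAMPLE_ALERT["rule"]))
    print(case.status, case.iocs, case.next_steps, sep="\n")
```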

Fewer Silos, Better Fidelity: Keys to Effective Automation

We’ve shown how a security operations team can keep an initial network compromise from becoming a full-blown breach. To do this, the team needed to correlate high-volume datasets often unavailable to detection engineers. Anvilogic breaks SIEM lock-in so the SOC can put these large-scale security sources to work. In addition to supporting multiple data platforms, Anvilogic provides thousands of multi-stage detection scenarios off the shelf. This cuts the alert noise that can keep security teams from adopting hyperautomation across more of their processes. 

For Torq customers, fewer data silos and better alert fidelity translate to more value from their existing investments. Doing more with less is a common demand in the current climate. We’ve only shown one example of the many opportunities to tackle threats like ransomware, cryptomining, and data theft across clouds, networks, and endpoints. Reach out to learn more about the exciting combination of multi-data platform SIEM and hyperautomation.

Implementing Hyperautomation: A Blueprint for Security Managers and SecOps Teams

One of the key questions we get is “how do I get started with hyperautomation?” It can seem slightly overwhelming if you haven’t automated in the past, or you’re used to attempting to automate using legacy SOAR solutions. 

If you’re wondering where to get started with hyperautomation, look no further. We caught up with Security Automation Leader Filip Stojkovski, who put together a handy blueprint on how and where to start your journey to hyperautomation. It’s a step-by-step roadmap for Security Managers and SecOps teams looking to build an effective and mature hyperautomation program. 

1. Decide what to automate: The first step is to dive into stakeholder needs, picking the right integrations, determining the areas that will benefit the most, and selecting the appropriate platform.

2. Determine the feasibility of automation: This is where organizations set expectations that align with a company’s rules and set a realistic timeline for when you’ll see a return on investment. 

3. Use hyperautomation: Automation has evolved from legacy SOAR platforms to hyperautomation. “It’s better. It’s faster,” Stojkovski says. Hyperautomation was designed with AI and machine learning in mind and is more flexible than its legacy SOAR predecessors. 

4. Implement automations: Determine who is implementing the automations. Is it the SecOps team? Is it specialized engineers? The right resource allocation can make a world of difference when implementing hyperautomation. 

5. Infrastructure and processes: Align with your organization’s goals and understand your infrastructure and processes. Set up test and production environments and document all processes to streamline hyperautomation. 

6. Develop use cases: Prioritize the processes that are most frequently used throughout the organization and focus on them. This will free up time and help an organization make the leap from reactive to proactive. 

7. Measure the impact: Determine what you should measure and then what metrics signify success. Is it reducing time to detect or respond to threats? FTE saved or added? Proactive threat mitigation? ROI? Understanding what signifies success up front will help ensure you’re measuring the right things.

We’d love to thank Filip for taking the time to chat with us and for sharing his blueprint for effective security automation. Be sure to watch the full video to learn more. 

Want to see the Torq Hyperautomation platform in action? Request a demo.

Beyond the Hype: How Torq’s AI-Driven Innovations Are Transforming Security Automation

Making a real difference for our users with Generative AI

It has been over a year and a half since the latest generative AI revolution descended upon the world. All IT markets have seen a wave of new AI products, as well as AI-driven capabilities in existing products, introduced at a breakneck pace. While most of them clearly perform things that, until recently, could have been described as “pure magic” even by the most cynical audiences, many questions can be raised regarding whether these capabilities are truly directed at transforming customer experiences and outcomes vs. just being “mega cool.”

What’s wrong with “tech first”

Let’s take one step back. Allow me to introduce myself: I am a proud serial entrepreneur, having successfully established and grown two companies (one of which was acquired by a major player in the enterprise cybersecurity market). 

When learning “entrepreneurship 101” – not a formal discipline, of course, but rather a collective experience of a community of entrepreneurs – I was told that establishing a cool (or even a unique) technical capability and then searching for a problem to apply it to is not a great idea. In the entrepreneurial world this is referred to as the “tech first” approach to establishing a product or a company, and it has been proven inferior to a “problem first” approach, where one identifies a problem and then considers various alternatives on how to solve it. 

The collective experience of the past 2-3 decades has clearly shown that “problem first” products and companies have greater chances of generating long-lasting outcomes for their customers, and, therefore, have greater chances of establishing significant growing businesses. Tech first, on the other hand, might find a lot of support among the “romantics” of the technology, who enjoy technical capabilities because of what they can deliver, but might find it difficult to drive significant impactful outcomes.

Should we wait for a problem to present itself?

Does the above mean that every time a new technological barrier is being broken (just like it happened with the recent advancements in generative AI) we need to wait for the problems to present themselves and only then try to apply the new technology? 

Of course not. The problems exist everywhere in the world and in different markets today. It is only a matter of picking the right (worthy of solving) problem and researching whether it can be solved to a better extent with the new technology (in comparison to existing solutions).

When deciding on a problem to pick, therefore, it is important to understand the components of it, and not just the general “headline,” such as:

  • Who are the target audiences, i.e., the people or organizations having the problem? What are the unique characteristics of those who have it vs. those who don’t?
  • How severe is the problem? How critical will solving the problem be for the target audience?
  • What do these audiences do today? Do they have alternative solutions? How will our solution be better?

Finally, specifically when applying generative AI to certain problems, one of the most important questions to ask is: what would be the role of AI in the solution? Answering this question correctly is critical not only for creating the capability, but also for its future defensibility vs. the competition.

The role of AI in the solution

So what role does an AI play in the overall solution? Is there a real value in the integration of generative AI into the product environment, or is it just a “thin layer of glue” connecting mostly “off the shelf” Large Language Model (LLM) to the existing product “just for the cool effect?”

In my humble opinion, there is a huge difference between just bringing “some” AI capabilities into the UI of an existing product by integrating with one of the available off-the-shelf generative AI services and truly extending the unique technology in one’s product with AI.

Does the AI-driven capability rely on some rich, unique, or powerful technology that exists in the product, or does it simply come “on its own” without deep ties to the underlying tech? Does the capability perform additional functions on top of or integrated with “sending information to an AI and receiving the response” or is it mainly about interfacing with AI? 

The answers to the above questions distinguish between an impactful and defensible technology and a cool thin layer of “AI”.

Case in Point: AI-driven automation workflow generation

During the past year Torq has released 5 different AI-powered capabilities inside the product: 

  • Automatic generation of advanced data transformation and cloud platform management actions (in Torq workflows)
  • Automatic generation of documentation for complex automated processes to improve team collaboration
  • Generation of workflow structure and data flow based on natural language description of the use-case
  • Natural-language agent for security Case Management (a.k.a. Torq Socrates)
  • Automatic summaries for complex security cases to improve SOC analysts’ collaboration

As always, each of these has undergone a deep ideation process, involving not only our product leaders but also our close partners, in order to ensure we deliver important outcomes to our users.

The basic capability allows the person wishing to build an automated workflow to express their needs with a natural language prompt. For example: “For every threat coming from my EDR, enrich its data with my Threat Intelligence systems and if the risk score is greater than X, take actions A,B,C to contain the threat”. After receiving the goals in such form, the system automatically generates a Torq workflow based on the provided specifications that is close to being deployed to production after a quick review cycle.

While the above is a correct answer to the question “what is it doing?” it cannot drive the development of the capability without the consideration of challenges and problems experienced by a certain audience. In our case, we decided to double-down on accessibility of security automation for audiences of different technical abilities. Furthermore, we studied the ramp-up process of thousands of users developing security automation with Torq today, identifying existing gaps and focusing on rectifying the situation. Specifically, we realized that, as Torq becomes more sophisticated and feature-rich as a platform for developing automations, the task of finding the right and the most efficient way to implement a certain process becomes more challenging.

The above has led us to a more focused definition of what we were looking for: a way to allow more people who are ramping up their security automation skills to translate their ideas faster into fully working and efficient automation workflows. Taking this challenge and breaking it down into components clarified the main challenges that we needed to address.

Armed with the breakdown of required capabilities, we studied components that we already had in our product that should be leveraged to deliver the solution and identified gaps where AI could bring some critical game-changing value.

Thankfully, we had previously made a significant technological investment in the following:

  • Thousands of predefined “smart” actions that can be reused in different security processes
  • Carefully curated metadata explaining each such action in natural language, alongside possible usage variations and output examples
  • Reusable process templates that combine above mentioned actions into consistent processes driving to specific security outcomes
  • Unique extensibility architecture allowing flexible data retrieval and manipulation mechanisms, among other things

Building on top of the above technologies, and leveraging generative AI for smart semantic analysis of natural language tasks as well as for creating logical connections between consecutive steps of automated processes, has allowed us to deliver a uniquely powerful and flexible capability that stands out in terms of the value it provides. While the large language models we used for the task are trained on a generic set of data and can serve other solutions and not only Torq, the unique connective tissue is the set of data points and technologies mentioned above. These are what ensure that the capabilities we deliver support the outstanding differentiation that the Torq platform provides to its customers.

Summary

Having defined “product excellence” as a core value of our company, we are constantly on the lookout for innovation that can increase the outcomes we are delivering to our customers. Leveraging generative AI as a “tool” in our arsenal has allowed us to deliver multiple important innovations (and, BTW, if you are reading this blog, then stay tuned for more exciting things to come), but it is critical to view it as an important capability and continue building things targeted at solving user needs, rather than “trying to glue AI into the product.”

P.S. This blog has been written entirely by human beings. No AI involved. Why? Not sure, but it felt like it would turn out more genuine this way.