How Torq Socrates is Designed to Hyperautomate 90% of Tier-1 Analysis With Generative AI

Artificial intelligence (AI) has generated significant hype in recent years, and separating the promise from reality can be challenging. However, at Torq, AI is not just a concept. It is a reality that is revolutionizing the SOC field, specifically in the area of Tier-1 security analysis, especially as cybercriminals become more sophisticated in their tactics and techniques. Traditional security tools continue to fall short in detecting and mitigating these attacks effectively, particularly at scale.

Introducing Torq Socrates

Torq Socrates introduces dramatic new efficiencies and incident response accuracy that alleviates security analysts’ critical challenges, including alert fatigue, false positives, decreased visibility, and job burnout, by hyperautomating key security operations activities using AI. It is based on cutting-edge Large Language Models (LLMs) and AI Agents that intelligently analyze and understand organizations’ unique SOC playbooks to become an integral extension of their SOC teams.

See Torq Socrates following the guidelines in a SOC runbook to triage a case automatically

Imagine having a bird’s-eye view of your complete enterprise environment from on-premise, hybrid to full SaaS applications, with all the relevant information at your fingertips. Torq Socrates makes this dream a reality by utilizing the security tooling already connected to the Torq Hyperautomation platform and performing any actions and activities only when explicitly authorized.

So, how does this transformation happen? Let’s journey through a typical security event and see how tasks previously handled by human analysts are now handled with unprecedented efficiency by Torq Socrates.

1. Automatic Runbook Analysis

When a security event arises, an analyst traditionally consults a “runbook” – a guide specifying the response to that specific type of event. Today, these “runbooks” exist in all modern SOCs and are prepared by senior architects to benefit Tier-1 and Tier-2 analysts.

Torq Socrates automatically analyzes runbooks written in natural language, typically containing step-by-step procedures for handling various security incidents. By analyzing the semantic meaning of the natural language instructions, Socrates derives action flow from the recommended response strategies for different security events.

Imported runbook is written in natural language that Socrates analyzed, “understands”, and can follow.
The imported runbook is written in natural language that Socrates analyzed, “understood,” and can follow

2. Workflow Choice to Perform the Designated Runbook Actions 

The next step for a human analyst is to carry out the activities outlined in the runbooks, choosing the proper tool and executing the instructions.

Based on the content of the runbook, Socrates utilizes its semantic analysis capabilities to suggest suitable workflows and security tools from the list of ones explicitly made available inside the Torq platform. They align with the specific steps outlined in the document conveyed in natural language. 

Each workflow made available to Torq Socrates comes with a natural language description of the tasks it can accomplish.

Torq Socrates performing the initial actions within the runbook
Torq Socrates performing the initial actions within the runbook

3. Interpreting the Outcome of Executed Actions to Follow the Next Step Prescribed by the Runbook

Various security tools available in the arsenal of Tier-1 SOC analysts can return information in great detail. The analyst’s goal is to try and synthesize this information into a decision to support data on which next steps should be taken according to the runbook guidance.

An LLM is extremely powerful in accepting information in a structured or unstructured form by analyzing security tool output. Socrates can create dynamic-decision trees based on the previously-made analysis of a runbook that adapts, allowing for more context-aware and efficient incident handling. For example: Is the file malicious? Is the user a very important person (VIP)? Is the activity frequent or infrequent during a specific time period indicating anomalous behavior?

Execution showing semantic interpretation of threat intel result

4. Leveraging Knowledge of Security Frameworks for Context

More experienced alert triage specialists bring their own contextual knowledge and understanding of networking, endpoint architecture, and attack techniques into the mix.

Large Language Models are trained on an immense body of natural language documents containing information about the above and more. This allows the semantic analysis of an LLM to match between the observed outcome of a security tool and the technique described in a documented framework, such as the MITRE ATT&CK framework.

Using the above technique, Torq Socrates leverages the information available in numerous documents describing attack frameworks, such as the MITRE ATT&CK framework, and maps its tactics and techniques to the outcomes observed in the security event being analyzed.

Intelligent modeling with Torq Socrates enables it to mimic this human-like thinking process, correlating information efficiently and mapping the appropriate outcomes to common frameworks like the MITRE, NIST, and more.
Intelligent modeling with Torq Socrates enables it to mimic this human-like thinking process, correlating information efficiently and mapping the appropriate outcomes to common frameworks like the MITRE, NIST, and more.

5. Automated Incident Investigation

Just as human analysts rely on insights from the runbook, Socrates can assist in automating investigation or even incident response tasks. This includes tasks such as alert triage, data enrichment, containment, and remediation actions, speeding up response times and reducing the manual effort required from analysts.

Socrates utilized Splunk, Crowdstrike Falcon, and a Microsoft Windows WMI query information to distill the relevant information to the SOC analyst.
Socrates utilized Splunk, Crowdstrike Falcon, and a Microsoft Windows WMI query information to distill the relevant information to the SOC analyst.

6. Summarizing Relevant Security Case Information

An important pillar of any operational practice is meticulous documentation of all actions taken, decisions, and achieved outcomes. 

LLMs have proven to be efficient at rephrasing and summarizing large amounts of natural language text. Torq Socrates leverages this capability to summarize the “conclusions” and desired next steps, and document this in the “case timeline.”

Torq Socrates summarized the findings and actions taken of the security event and automatically added them to Torq’s built-in ticket management system timeline
Torq Socrates summarized the findings and actions taken of the security event and automatically added them to Torq’s built-in ticket management system timeline

Here’s a summary of how Torq Socrates uses powerful LLMs to perform Tier-1 SOC analyst duties:

  1. Tier-1 analysts work strictly according to defined runbooks. LLMs effectively analyze natural language text and break it down into components.
  2. Analysts match directives from the runbooks with tools at their disposal. LLMs are effective at finding similarities, in this case, between a “desired action” and an “available tool to execute this action.”
  3. Analysts digest the output of different tools to choose the correct follow-up course of action. LLMs analyze semantically the output of different tools and match it to the runbook directives related to follow-up steps.
  4. Analysts can bring in context from their training. LLMs can load related context from the myriad of documents scanned during the model’s training.
  5. Analysts are required to document all actions taken and the reasoning behind the conclusions. LLMs summarize the matches made and audit all the performed activities.
See how security analysts can leverage Torq Socrates to assist the triage of security alerts

Torq Socrates is designed to handle up to 90% of Tier-1 triage actions by mapping the tasks and activities of human Tier-1 analysts to use cases leveraging LLM. With Torq Socrates, security analysts remain in charge of processes and outcomes. The AI-powered system introduces dramatic new efficiencies and incident response accuracy, alleviating security analysts’ most critical challenges.

Get the latest on Torq Socrates at: https://torq.io/socrates