Torq Users Hit 1,000,000+ Daily Security Automations

Security automation is an increasingly critical element in optimizing enterprise cybersecurity postures. Today, Torq announced its users are executing more than 1,000,000 daily security automations using our security automation platform – a major milestone that underlines the traction and importance of unifying today’s complex security stacks. The exponentially-expanding usage of Torq also reflects the current macroeconomic climate, in which security leaders are being asked to maximize the value of their existing security infrastructure, as well as ensure staff are focused on higher-level management and critical incident response.

Torq’s modern security automation approach is helping security teams address these priorities, allowing teams of any size to quickly create, deploy, and iterate on automated responses to otherwise-unpredictable events.

Introducing Torq Insights

A key element of the Torq platform is our latest innovation: Torq Insights. It’s a comprehensive reporting and analytics overlay that provides the operational data needed to consistently manage, monitor, and iteratively evolve the security automation stack, to ensure it’s providing maximum protection while driving optimal efficiency.

From Automated Processes to Automation Programs

First-generation SOARs were introduced to the market as a way to add repeatability and predictability to security operations. While powerful, these platforms are difficult to deploy and generally designed only for a few threat response use cases. The need for more effective security automation remained.

Recognizing the gap between SOAR platforms and the need for more universal security automation, solution providers have begun to offer limited automation functionality within their platforms. The result is still piecemeal automation, only exacerbated by disparate approaches and processes. 

While there may be more automation than ever, Torq believes quality and efficiency have suffered. To truly realize the benefits of security automation, Torq closes these gaps by consolidating automation efforts, lowering the technical barriers to automated workflows, and now providing the analytical feedback necessary to truly optimize security automation. As a result, our users are benefiting from:

  • Increased predictability of security responses
  • Maximum benefits from the tools they’ve already invested in
  • A clear set of data that helps teams improve overall security efficiency
  • A solution powerful enough for the most complex threat responses, yet easy enough to deploy that it can be used for the smallest of repetitive security tasks

“Torq Insights shows me how actively my team is using the platform to improve our overall security posture and makes everyone’s lives easier and more productive,” said Phillip Tarrant, SOC Technical Manager, Compuquip. “It allows me to see my teammates’ progress with Torq by showing the value they’re getting out of it. The ‘total runs’ analytics capability is huge. It’s amazing to see that Torq is handling 80.8K runs a week for Compuquip without a single hiccup.”

A New Standard for Automation Management

Torq Insights is available to all Torq users. Current users can now simply click on “Insights” above the Workflows page in the app. With Torq Insights, users can instantly find data like total time saved by automated workflows, how many workflows are in production at a given time, and the most active workflows, among other information.


Security automation analytics with Torq Insights

Users will soon be able to assess their automation programs against common security frameworks, compare performance and effectiveness of internal use cases, and align to industry best practices, all while integrating with wider business intelligence reporting.

Get Access to Advanced Automation Insights Today

Existing Torq users can use the new dashboard right away. 

If you haven’t had a chance to see the platform in action, get in touch for a free trial account and put Torq to work for your team.

Torq’s No-Code Security Automation Solution Now Available in AWS Marketplace

Torq is proud to announce the immediate general availability of its no-code security solution in AWS Marketplace, the curated digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).

Torq’s presence on AWS Marketplace streamlines and shortens the procurement process, helping us meet the rapidly increasing demand for our solution from Fortune 500 enterprises, fast-growing medium-sized companies, and small innovative businesses across every industry vertical.

Our availability on AWS Marketplace, together with private offers, gives Torq the flexibility to customize our offering for AWS-based cloud-native customers, while ensuring the smoothest purchase and deployment processes possible. This reduces overhead and complexity for Torq and its customers alike.

A new Forrester Total Economic Impact™ study found that by using AWS Marketplace, organizations experience three key benefits:

  • An improved vendor onboarding process, resulting in a 75% reduction in onboarding efforts for new vendors
  • Reduced time processing invoices, leading to a 66% reduction in time spent due to procurement efficiencies
  • Increased licensing flexibility, leading to a 10% reduction in licensing costs

With Torq in AWS Marketplace, it has never been easier for customers to rapidly access and implement our industry-leading solution to ensure the strongest security posture possible against all cyberthreats.

Learn more and purchase Torq in AWS Marketplace

Visit AWS Marketplace

Torq Announces Advisory Board Featuring Global Cybersecurity Visionaries

Torq is extremely proud to announce the formation of the Torq Advisory Board, a group of some of the world’s most respected cybersecurity professionals, including several industry-leading CISOs and heads of information security. All of our advisors have made major impacts in cybersecurity for their companies, and for the industry at large. They have strongly advocated leveraging cutting edge technologies to drive greater effectiveness and productivity across organizational cybersecurity ecosystems, positively impacting systems, processes, and people.

Our Advisory Board is helping guide Torq as we further expand our Security Automation offerings and capabilities, serve more and more global enterprises, and continue to integrate the majority of cybersecurity systems into our platform.

Members of the Torq Advisory Board include:

Jason Chan, Former VP of Information Security, Netflix

Jason has more than 20 years of experience working in cybersecurity, including adopting security automation, cloud security, and enhancing security in modern software development practices. Jason’s most recent career experience was leading the information security organization at the video streaming behemoth Netflix for more than a decade. His Netflix team set the bar extraordinarily high, focusing on sophisticated risk assessment and management, and compliance management strategies and approaches. 

Talha Tariq, CISO, HashiCorp

In his role at HashiCorp, Talha is responsible for protecting the security of his company, customers, and partners as it provisions, secures, connects, and runs cloud infrastructure for their most important applications. He has 15 years of experience building and scaling security programs from startups to Fortune 100 organizations. Prior to HashiCorp, Talha served as CISO at Anki where he was responsible for corporate information security, product and application security, privacy engineering, security operations, and incident response. Talha also served as Director of Security Consulting at PwC, advising clients across a range of industries on matters related to data breaches, hacking events, security program development, and threat assessments.

Yaron Slutzky, CISO, Agoda

Yaron is responsible for security at Agoda, one of the world’s fastest-growing online travel booking platforms. From its beginnings as an e-commerce start-up based in Singapore in 2005, Agoda has grown to offer a global network of two million properties in more than 200 countries and territories worldwide. It provides travelers with easy access to a wide choice of luxury and budget hotels, apartments, homes, and villas. Headquartered in Singapore, Agoda is part of Booking Holdings and employs more than 4,000 staff in more than 30 countries. Prior to Agoda, Yaron was CISO at Cellcom, and Information Technology Director at Numark Innovations.

Bill McKinley, CISO, SigFig and former Head of Information Security at The New York Times

Bill serves as CISO for SigFig, an enterprise financial technology firm that develops next-generation products for financial institutions, advisors, and their customers. Through its partnerships with financial institutions including Wells Fargo, UBS, and Citizens Financial, SigFig’s wealth management tool is available to over 70 million consumers. Prior to SigFig, Bill was Head of Information Security at The New York Times, Vice-President of Infrastructure Engineering at AllianceBernstein, and Senior Infrastructure Engineer Team Lead at JP Morgan.

We are also very fortunate to have Stephen Ward, Managing Director at Insight Partners, as part of our board of directors.

At Insight Partners, Stephen focuses on investments in cybersecurity. Prior to joining Insight, Stephen was CISO at The Home Depot, where he provided progressive direction over cybersecurity and technology risk. He is also a Board Member at Mimecast and served on the board of Cloudknox, which was recently sold to Microsoft. His innovative approach has led to malware-related patented technology and he has received award recognition from his industry peers in cybersecurity. Stephen has over 20 years of experience in cybersecurity, physical security, fraud and technology risk acquired throughout his career in both the public sector (U.S. Secret Service) and the private sector (JPMorgan Chase and TIAA).

It’s a real honor and privilege to be working with these cybersecurity luminaries and to have them advise Torq as we further deliver on our incredible potential to customers, partners, and investors. We’re looking forward to further collaboration with them all in the years ahead as we take Torq to even greater heights of success.

Torq Joins the Cloud Security Alliance

We’re extremely happy to announce that Torq has joined the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

The CSA has more than 80,000 members worldwide and has been endorsed by the American Presidential Administration, which selected the CSA Summit as the venue for announcing the federal government’s cloud computing strategy. It also collaborates with global policy makers to support and evolve key cloud security initiatives, such as the National Institute of Standards and Technology (NIST) and the European Commission.

Torq is proud to collaborate with the CSA going forward, and work with its large-scale community of industry practitioners, associations, governments, and corporate and individual members as it evolves the no-code security automation space, and introduces critical innovations in the coming months and years. Torq will also benefit from the CSA’s cloud security-specific research, education, training, certification, and events.

We are proud to be part of the CSA’s mission to create and maintain a global, trusted cloud ecosystem with positive, forward-looking outcomes for its members, customers, and the world at large alike.

With visibility and transparency top of mind, we display the CSA logo in our Trust Center alongside our other key compliance certifications, which include ISO 27001 and SOC 2.

To learn more about the CSA, please visit: cloudsecurityalliance.org

Jason Chan on Harnessing Security Automation to Manage Cyberthreat Complexity

Torq is extremely proud to have Jason Chan on our advisory board. Jason has more than 20 years of experience working in cybersecurity. He’s one of the world’s leading experts in adopting security automation, cloud security, and enhancing security in modern software development practices.

Jason’s most recent career experience was leading the information security organization at Netflix for more than a decade. His Netflix team set the bar extraordinarily high, focusing on cutting edge risk assessment and management, and compliance management strategies and approaches. 

I had the privilege of being able to have a discussion with Jason, exploring the positive impacts security automation is having on organizations of all sizes, worldwide. In the first part of our conversation, “Harnessing Security Automation to Manage the Complexity of Today’s Threat Landscape,” Jason discusses the fact that while cyberthreats are increasing exponentially, it’s becoming increasingly difficult to hire people to address this escalation. As Jason puts it, “The question is how do we get the most out of the resources we have and prioritize the issues we need to address most critically?”

Watch the first part of our conversation in video below and learn all about Jason’s perspective on how security automation addresses these challenges by maximizing the impact of the security systems, processes, and people organizations already have in place, and breaking down security silos:


Take Action Today

Learn how to get started with security automation by reaching out to the professionals at Torq. You’ll learn more about the Torq platform and how we’ve helped myriad organizations achieve and exceed their security goals.

Get Started

When to Automate and When Not to Automate

Everyone loves automation, and it can be easy to assume that the more you automate, the better. Indeed, falling short of achieving fully autonomous processes can feel like a defeat. If you don’t automate completely, you’re the one falling behind, right?

Well, not exactly. Although automation is, in general, a good thing, there is such a thing as too much automation. And blindly striving to automate everything under the sun is not necessarily the best strategy.

Instead, you should be strategic about what you do and don’t automate. Even if you have the tools and resources to automate certain parts of a process, you may not actually want to automate them.

The Benefits of Automation

To understand the argument for being selective about the processes you automate, let’s go over the key benefits that teams are usually trying to achieve when they automate something. Typically, those benefits include:

  • Faster results.
  • Less time spent by engineers on manual processes.
  • Greater consistency and a lower rate of errors.
  • Repeatability.

We could go on, but these bullet points summarize the main goals of most automation projects.

When to Automate and When Not to Automate

Now, if you think critically about how best to pursue the goals we’ve just described, you’ll realize that fully autonomous processes aren’t always the best ways to achieve the goals. Let’s go through each one carefully.

Faster Results

Automation can speed up processes by allowing operations to proceed without waiting on humans to sign off.

The caveat, however, is that if your automation tools run into a situation where they can’t make a decision about how to achieve something – which happens when a variable is introduced that your automation workflow didn’t anticipate – you can end up with more of a delay than you would face if you had a human in the loop to oversee things. You’ll probably get results much more slowly from a fully autonomous process that goes awry than you will from a process where you have a human in the loop to react to unexpected conditions.

Less Engineer Time

By a similar token, the total time that engineers have to invest in operations work may be lower if not all of your processes are completely automated.

The reason why is that if something goes wrong within a fully autonomous process, the response is likely to be highly distracting and time-consuming for your team. But, if you had a human in the loop to begin with, you’d face a lower risk of a disruption that would require an extensive manual response.

Greater Consistency

Automation is a good way to keep processes consistent — so long as those processes are 100 percent predictable and reliable.

But, when there are variables, or when you are dealing with a process where each use case is unique, automation won’t always breed consistency — at least, not the kind of consistency you want. It would be better to keep a human in the loop so that the human could react as needed to special circumstances.

Repeatability

It may be easier to reuse automation tooling, too, when you keep humans plugged into your automated processes.

The reason why is that — once again — each process may be unique, and so you can’t simply lift and shift the automations you’ve created for one process and apply them to a different one. But, if you leave some responsibility to humans, it becomes easier to keep your workflow adaptable enough so that you can use the same automations repeatedly, leaving it to the human to interpret the unique variables within each process and adapt the automations as required.

Using Partial Automation

To illustrate the points above, let’s consider a common process that might seem like a candidate for total automation, but actually is not.

The process is Just In Time (JIT) permissions granting. The goal of JIT permissions is to grant access rights when a user needs them, and revoke them when they are no longer necessary. Having humans configure these permissions each time in a totally manual way is not scalable, so you may think that you would want to automate the process as fully as possible.

But, in reality, it would make more sense to automate only part of your JIT permissions operations. You could automatically collect account and user information, for example, and use these to generate updated access control policies automatically.

But if you actually apply the policies automatically, you run the risk of something unexpected happening with highly negative security consequences. Maybe a user is requesting a JIT permissions update to access a system that was recently moved from testing to production, and that therefore has stricter access requirements. But your automation tooling isn’t aware of that change, so it will grant the permissions without considering the unique circumstances of the request in question.

If you require a human to sign off on the permissions change, however, there is a higher chance that the oversight will be caught. Manual sign-off could delay the process slightly, but the delay should not be significant if the rest of the process is well-automated.
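The partially automated JIT flow described above, as an added example (not Torq's own code): policy generation and expiry-based revocation are fully automated, while applying a grant to a production or otherwise flagged asset waits for a named approver. The asset inventory, the requests, and the hour limits are constructed assumptions; the inventory deliberately marks one asset that has just moved to production, the situation the text warns about.

```python
"""Partially automated JIT permission granting: the policy is generated and
revoked automatically, but applying it to a production asset waits for a human.
Added example for the article, not Torq's own code; ASSETS and the requests
below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed asset inventory. "billing-api" recently moved from staging to
# production, the situation the text describes: the automation alone would
# not know the asset now carries stricter access requirements.
ASSETS = {
    "reporting-db": {"environment": "staging", "needs_signoff": False},
    "billing-api": {"environment": "production", "needs_signoff": True},
}


@dataclass
class JitRequest:
    user: str
    asset: str
    role: str
    hours: int


@dataclass
class AccessPolicy:
    user: str
    asset: str
    role: str
    expires_at: datetime
    status: str = "pending"        # pending -> approved -> applied -> revoked, or expired
    approver: Optional[str] = None


def generate_policy(req: JitRequest, now: Optional[datetime] = None) -> AccessPolicy:
    """Automated step: turn the request into a time-bounded policy."""
    now = now or datetime.now(timezone.utc)
    if req.asset not in ASSETS:
        raise ValueError(f"unknown asset: {req.asset}")
    if req.hours <= 0 or req.hours > 8:          # assumed limit for a JIT grant
        raise ValueError("JIT grants must last between 1 and 8 hours")
    return AccessPolicy(req.user, req.asset, req.role, now + timedelta(hours=req.hours))


def needs_human_signoff(policy: AccessPolicy) -> bool:
    """Production assets, or anything flagged in the inventory, are never
    applied without a named approver."""
    asset = ASSETS[policy.asset]
    return asset["environment"] == "production" or asset["needs_signoff"]


def approve(policy: AccessPolicy, approver: str) -> AccessPolicy:
    """Manual step: record who signed off. Self-approval is rejected."""
    if approver == policy.user:
        raise ValueError("requester cannot approve their own grant")
    policy.status = "approved"
    policy.approver = approver
    return policy


def apply_policy(policy: AccessPolicy, now: Optional[datetime] = None) -> bool:
    """Apply only if the grant is unexpired and, where required, approved.
    Returns True when the grant was applied."""
    now = now or datetime.now(timezone.utc)
    if now >= policy.expires_at:
        policy.status = "expired"
        return False
    if needs_human_signoff(policy) and policy.status != "approved":
        return False                 # stays pending until a human acts
    policy.status = "applied"
    return True


def revoke_expired(policies, now: Optional[datetime] = None):
    """Fully automated step: revoke every applied grant past its expiry."""
    now = now or datetime.now(timezone.utc)
    revoked = []
    for p in policies:
        if p.status == "applied" and now >= p.expires_at:
            p.status = "revoked"
            revoked.append(p)
    return revoked


if __name__ == "__main__":
    staging = generate_policy(JitRequest("alice", "reporting-db", "reader", 2))
    print("staging applied:", apply_policy(staging))          # True, no sign-off needed
    prod = generate_policy(JitRequest("bob", "billing-api", "admin", 1))
    print("prod applied before approval:", apply_policy(prod))  # False, waits for a human
    approve(prod, "carol")
    print("prod applied after approval:", apply_policy(prod))   # True
```

The check that gates production assets is a static inventory lookup here; in practice the "is this asset in production now?" question is exactly the one the article says automation may answer wrongly, which is why `apply_policy` refuses to proceed on its own for those assets rather than trusting the lookup.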

Conclusion: The Limits of Automation

To be clear, we’re not saying automation is a bad thing, by any means.

What we are saying is that there are points within processes where full automation doesn’t always make sense. Although it may seem counterintuitive, there’s value in requiring human participation, even if making processes fully autonomous is a possibility.

How Wiz and Torq Combine to Mitigate Existential Cloud Security Threats

A single cloud security incident can stop an enterprise in its tracks, sometimes resulting in irreparable damage to its operation, reputation, and customer loyalty. One key strategy for preventing such incidents is combining complementary cybersecurity tools to defeat threats at scale.

A coherent Cyber Security Incident Response Planning (CSIRP) approach requires enterprises to select and integrate the right tools before a security incident occurs. Torq’s next-generation orchestration and automation capabilities combined with Wiz Cloud Detection & Response empowers forward-thinking security teams to analyze cloud events and alerts from services like Amazon GuardDuty alongside the rich context provided by the Wiz Security Graph.

“The combination of Torq’s no-code security automation approach that delivers immediately actionable response and Wiz’s comprehensive contextual and accurate malicious activity identification means we can focus on high-level threats without being overwhelmed by cloud alerts. Torq and Wiz work seamlessly together to give us a major real-time advantage in mitigating the ever-evolving cloud-based threat landscape.” – CISO of a major gaming company

Customers are already seeing that combining Torq and Wiz means the whole is far greater than the sum of the parts.

Achieve a Coherent CSIRP with Wiz and Torq

In its Computer Security Incident Handling Guide (Special Publication 800-61), NIST advises organizations to strengthen their capabilities in four broad areas:

  1. Preparation
  2. Detection and Analysis
  3. Containment / Eradication / Recovery
  4. Post-Incident Lessons Learned and Documentation

To better understand these areas, let’s apply them to a hypothetical brute-force attack.

Preparation

To be prepared for a brute force attack, you should:

1. Set up the infrastructure to identify potential attacks

Amazon GuardDuty can continuously monitor network and endpoint activity in production cloud environments to detect brute force attacks (amongst many others). Furthermore, Amazon CloudWatch Events or Amazon EventBridge should be configured to monitor events on new or updated GuardDuty findings. These events will later be consumed by an automation and orchestration system to enrich, analyze, and remediate the issues.

2. Analyze the assets’ context

Understanding the topology of your cloud environment, maintaining up-to-date connection states, and knowing which assets have access to sensitive data are critical to prioritizing response efforts to an attempted brute force attack. The Wiz Security Graph discovers and correlates these signals, providing incident responders with important context. For example, Wiz will alert on an SSH brute force attack when attempted on a publicly exposed asset that allows password authentication and has high permissions to the organization’s cloud environment.

3. Orchestrate analysis and resolution

Notifications of new potential threats must be handled and interpreted consistently and programmatically (i.e. with minimal involvement of human analysts) in order to operate at scale. Torq allows enterprises to automate data and response flows generated by the Wiz Security Graph, making it possible to route remediations either directly to DevOps or after a quick triage by the security team. The owners of the at-risk assets receive all the relevant contextual information around the alert to quickly resolve the issue and shorten the MTTR significantly. Torq’s no-code automation platform lets you build these workflows from scratch, leverage hundreds of security process templates, and adjust them to the needs of every environment.

Here’s how Torq combines with Wiz to create autonomous responses to security events:

Detection

The detection stage begins with Wiz delivering an alert based on an Amazon GuardDuty event together with the context of the cloud environment. The alert immediately drives the execution of an automated response workflow in Torq.

Analysis

In the analysis stage, contextual data about external exposure of the asset is retrieved from the Wiz Security Graph as part of the alert. If there is internal exposure, further analysis is conducted to understand the possible connections between the attacked asset and the crown jewels that might be exposed to it.

Containment

In the containment stage, particular sources of the attack can be blocked by modifying the Security Groups and Access Control Lists, as well as by prompting an additional wider response to the potential threat. Further eradication of an issue can be achieved by orchestrating changes in the configuration of the cloud assets to improve their security posture and by enforcing multi-factor authentication and strong passwords.

Torq enables enterprises to respond by both triggering containment flows and alerting the relevant teams in the organization on the event, preventing them from wasting crucial time.

Post-Incident

The incident audit trail is created to chronicle lessons learned to better mitigate related threats in the future. Security teams can use the audit trail together with the visibility they get from the Wiz Security Graph to identify potential weak points and work to mitigate them in advance.
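The detection, analysis, containment and post-incident stages above, carried through on one SSH brute-force finding as an added example; this is not Torq's or Wiz's code. The EventBridge event follows the layout of a GuardDuty finding but every value in it is constructed, the asset context dictionary stands in for what a security graph would supply, and the action names in the plan (`notify_owner`, `block_source`, `disable_ssh_password_auth`) are assumed names for workflow steps. The function produces a containment plan and audit record rather than changing anything in a cloud account, and it flags high-blast-radius cases for analyst approval.

```python
"""Triage of a GuardDuty SSH brute-force finding with asset context, producing
a containment plan and audit record. Added example, not Torq's or Wiz's code;
the event, the context record and the action names are constructed."""
import ipaddress

# Constructed EventBridge event carrying a GuardDuty finding. The field layout
# is modelled on GuardDuty's finding format; all values are made up.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {"instanceDetails": {"instanceId": "i-0example1234"}},
        "service": {
            "action": {"networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
            }},
            "count": 412,
        },
    },
}

# Constructed asset context of the kind a security graph would provide.
SAMPLE_CONTEXT = {
    "i-0example1234": {
        "publicly_exposed": True,
        "ssh_password_auth": True,
        "cloud_permissions": "high",   # instance role reaches much of the account
        "owner": "payments-devops",
    },
}


def parse_finding(event):
    """Detection stage: pull the fields the workflow needs out of the event."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    action = d["service"]["action"]["networkConnectionAction"]
    # ip_address() rejects anything that is not a well-formed address.
    source_ip = ipaddress.ip_address(action["remoteIpDetails"]["ipAddressV4"])
    return {
        "finding_id": d["id"],
        "type": d["type"],
        "severity": d["severity"],
        "instance_id": d["resource"]["instanceDetails"]["instanceId"],
        "direction": action["connectionDirection"],
        "source_ip": str(source_ip),
        "attempts": d["service"]["count"],
    }


def prioritize(finding, ctx):
    """Analysis stage: exposure, weak authentication and blast radius decide
    the priority, mirroring the conditions the text says Wiz alerts on."""
    if not finding["type"].endswith("SSHBruteForce"):
        return "informational"
    score = 0
    if ctx.get("publicly_exposed"):
        score += 2
    if ctx.get("ssh_password_auth"):
        score += 2
    if ctx.get("cloud_permissions") == "high":
        score += 1
    return {5: "critical", 4: "high", 3: "high", 2: "medium"}.get(score, "low")


def plan_response(event, context):
    """Containment + post-incident: build the action list and the audit record.
    Nothing here calls a cloud API; the plan is handed to the workflow."""
    finding = parse_finding(event)
    ctx = context.get(finding["instance_id"], {})
    priority = prioritize(finding, ctx)
    actions = [{"action": "notify_owner", "team": ctx.get("owner", "unknown")}]
    if finding["direction"] == "INBOUND":
        # Block just the offending source (security group / NACL change).
        actions.append({"action": "block_source",
                        "cidr": f"{finding['source_ip']}/32",
                        "instance_id": finding["instance_id"]})
    if ctx.get("ssh_password_auth"):
        # Posture fix the text mentions: remove password auth on the asset.
        actions.append({"action": "disable_ssh_password_auth",
                        "instance_id": finding["instance_id"]})
    # Changes to a high-permission, exposed asset go through an analyst.
    requires_approval = priority in ("critical", "high")
    return {"finding": finding, "priority": priority, "actions": actions,
            "requires_approval": requires_approval}


if __name__ == "__main__":
    import json
    print(json.dumps(plan_response(SAMPLE_EVENT, SAMPLE_CONTEXT), indent=2))
```

The returned dictionary doubles as the audit-trail entry: it records what was seen, how it was scored and what was proposed, which is the material the post-incident review needs.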

Learn more

To learn more, see how you can reduce alert fatigue and focus on the most critical security gaps with Wiz and Get Started with Torq’s no-code security automation platform to handle these and similar threats at scale.

First posted by our partners at Wiz

Torq Delivers on the Promise of Parallel Execution

Security operations professionals are constantly being pushed to the edge of their capacities. They’re dealing with endless manual processes and managing tasks sequentially, because of the limitations of their security tools and options. They’ve dreamed of being able to execute more tasks simultaneously to quickly enrich, analyze, contain, and resolve security threats.

Today, Torq is proud to introduce Parallel Execution, which makes those capabilities a reality. Parallel Execution is a significant evolution for no-code security automation that enables you to instantly create multiple branches within an automatic workflow, and handle each concurrently before seamlessly merging back into a single flow. 

While some SOAR platforms claim to support parallel processing, these solutions require massive engineering efforts to deploy. Some low-code platforms try to simulate parallel processing functionality by creating workarounds, but are in actuality asynchronous processing with deduplication managed by code. In the end, these attempts are not scalable, meaning they cannot effectively improve MTTA, MTTR, or the overall efficiency of your security operations.

Torq is delivering on the promise of true no-code parallel computing, to provide easier workflow design, adaptable iterating, and more powerful execution, which security teams have long been asking for. Now, teams can focus on actual security responses without sacrificing precious time and resources to develop the workflows that deliver them.

Here’s how Torq’s new Parallel Execution capability works:

Run Steps in Parallel 

Parallel Execution allows users to drop in a simple step to branch workflows “horizontally,” execute each branch in parallel, then instantly merge the output back into a single workflow. Before, if a user wanted to accomplish this process in an older SOAR platform, it would require hours of engineering digging into code or defining the minutiae of complex deduplications for each case.

This functionality can dramatically speed up tasks like threat intelligence enrichment, enabling users to check multiple sources at once. Instead of waiting for one check to finish before moving to the next, each source is checked simultaneously, reducing total execution time from the sum of all the checks down to the time taken by the slowest source.

Parallel Execution can also distribute work more efficiently. For example, an incident response may require input before proceeding, where the input can come from anyone on a finite list. Instead of pinging the on-call analyst, waiting for a response or a timeout, and then moving on to the resource owner, a message can be sent to the complete list of possible responders at once.

The operator can also support so-called “long queries,” in which large datasets need to be queried but the outcomes do not depend on one another. A workflow can simultaneously query a data lake, cloud graph, and SIEM, again reducing total execution time to that of the slowest query instead of the cumulative time for each source.

These are just a few examples of use cases where running steps in parallel can be helpful. The functionality is incredibly flexible, and because it is so easy to include in a workflow, customers will have many opportunities to explore which environments and processes it can make more efficient.
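The fan-out / fan-in pattern described in this section, as an added example written with Python's asyncio; it is not Torq's implementation. The four "sources" and their latencies are constructed stand-ins for real threat-intelligence APIs, and `PER_SOURCE_TIMEOUT` is an assumed bound. It shows the two things the text claims: the merged result arrives after the slowest branch rather than after the sum of all branches, and the merge step deduplicates overlapping answers. It also handles the failure mode a sequential design hides: one stalled source is timed out and reported rather than holding up the whole workflow.

```python
"""Fan-out / fan-in enrichment of one indicator across several sources.
Added example using asyncio, not Torq's implementation; the sources, their
latencies and the timeout are constructed stand-ins for real intel APIs."""
import asyncio
import time

# Constructed sources: name -> (simulated latency in seconds, tags returned)
SOURCES = {
    "reputation-feed": (0.10, {"scanner"}),
    "passive-dns":     (0.20, {"scanner", "bulletproof-hosting"}),
    "sandbox-reports": (0.30, {"c2"}),
    "stale-source":    (5.00, {"ignored"}),   # far too slow: will be timed out
}
PER_SOURCE_TIMEOUT = 0.5   # assumed bound on how long any one branch may take


async def query_source(name, indicator):
    """Stand-in for an HTTP call to one intel source."""
    latency, tags = SOURCES[name]
    await asyncio.sleep(latency)
    return {"source": name, "indicator": indicator, "tags": tags}


async def guarded_query(name, indicator, timeout=PER_SOURCE_TIMEOUT):
    """One branch: bound the wait so a slow source cannot stall the merge."""
    try:
        return await asyncio.wait_for(query_source(name, indicator), timeout)
    except asyncio.TimeoutError:
        return {"source": name, "indicator": indicator, "error": "timeout"}


async def enrich_indicator(indicator, sources=None):
    """Fan out to every source concurrently, then merge the answers."""
    sources = sources or list(SOURCES)
    started = time.perf_counter()
    branches = await asyncio.gather(*(guarded_query(s, indicator) for s in sources))
    elapsed = time.perf_counter() - started
    merged = {"indicator": indicator, "tags": set(), "answered": [], "failed": []}
    for result in branches:               # gather preserves source order
        if "error" in result:
            merged["failed"].append(result["source"])
        else:
            merged["answered"].append(result["source"])
            merged["tags"] |= result["tags"]   # set union deduplicates tags
    merged["elapsed"] = elapsed
    return merged


def enrich(indicator, sources=None):
    """Synchronous entry point for callers that are not already async."""
    return asyncio.run(enrich_indicator(indicator, sources))


def sequential_cost(sources=None):
    """Time the same checks would take one after another, with each branch
    still bounded by the per-source timeout."""
    sources = sources or list(SOURCES)
    return sum(min(SOURCES[s][0], PER_SOURCE_TIMEOUT) for s in sources)


if __name__ == "__main__":
    result = enrich("203.0.113.7")            # constructed indicator (TEST-NET-3)
    print(f"answered={result['answered']} failed={result['failed']}")
    print(f"tags={sorted(result['tags'])}")
    print(f"parallel {result['elapsed']:.2f}s vs sequential {sequential_cost():.2f}s")
```

With these constructed latencies the sequential path costs about 1.1 s (0.1 + 0.2 + 0.3 + the 0.5 s timeout), while the parallel path finishes in roughly 0.5 s, the duration of the slowest bounded branch.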

A New Era for Security Automation

We are thrilled to provide the industry’s first true example of no-code parallel processing. But we are even more proud of where this can take teams once they adopt Torq.

Until now, security automation tools have been, at best, asynchronous, meaning they’re rigid and poorly suited for handling urgent escalations and different service level requirements. Security teams need more nimble and responsive tools that allow them to operate in realistic conditions, which sometimes involve as many as 1,000 simultaneous events. These first-generation SOAR and low-code tools also require significant additional effort to deduplicate outputs.

With earlier solutions, if an organization wanted to automate a security process, it would need to map out every step along the way, name or create roles for those responsible, build operational structures to enforce those steps and roles, document each potential permutation, develop or purchase the many needed connectors for the systems involved, script and code the minutiae of data manipulation, and then finally cross their fingers that the correct action comes out the other side. 

One of the unspoken laws in this chain is that Step X must always come before Step Y, and both must return a value before moving on to Step Z, regardless of whether that is how the real world operates. 

Torq not only releases organizations from the restrictions of linear processes, but does so in a way that is so simple it is usable for even the most mundane of routine security processes. 

No longer are security teams required to toil away at menial tasks, saving automation for only the most daunting response workflows. Using simple drag-and-drop functionality, anyone can put Torq to work using pre-coded steps, templatized workflows, and unfettered integrations. 

Because Torq automations can be developed and edited at-will, teams are free to experiment with new processes, and free to design workflows that match their real operations, rather than molding their processes to their tools. 

Users have all of the modern functionality available to their developer and DevOps peers, like publishing and version controls, contextual documentation, and collaborative editing. Operating with a git-style or even a true GitOps development experience helps teams better understand and manage a workflow across its lifecycle, and better aligns them with DevSecOps methodologies.

Begin Executing in Parallel, Today 

The Parallel Execution capability, as well as the workflow templates that use it, are available to Torq users, today. You can find them in the workflow designer and template libraries, respectively, or your customer success manager would be glad to walk through them with you.

Parallel Execution Demo Templates

We’ve prepared a few workflow templates that already utilize and demonstrate the power of this new functionality. Torq users can begin deploying these right away.

Future Torq users can request a live demonstration and set up a demo account to test these new features themselves through our get started page.

Security Basics: Incident Response and Automation

Incident response is one of the most challenging tasks that IT teams face. It’s challenging not just because it typically involves many stakeholders and moving pieces, but also because teams usually face pressure to respond as quickly as possible.

That’s why investing in incident response automation is a wise choice. Although it may not be possible to automate every aspect of every incident response workflow, being able to automate at least the major elements of incident response will yield incident management processes that are faster, more reliable, and more consistent. Keep reading to learn about the components of incident response and which incident response activities to start automating.

What Is Incident Response?

In the world of IT, incident response is the process that takes place when teams detect an incident that poses a serious risk to IT operations. Incidents can be cybersecurity problems, like the detection of a software zero-day vulnerability or the existence of malware inside an IT environment. Incidents can also be failures that are not related to security problems. For example, the crash of a mission-critical application or the accidental deletion of important data could trigger incident response operations.

The Components of Incident Response

Each incident is unique, and each incident response needs to be tailored to meet the special requirements of the incident. However, in most cases, incident response hinges on three types of resources.

People

First and foremost, incident management requires some level of intervention by human actors. Humans may need to determine what caused the incident, what the solution is, and how the solution can best be implemented. Humans might also have to manage the sharing of information between the various stakeholders who are affected by an incident or are part of the response operation.

Some of these activities can be automated, so the level of human involvement in incident response may be limited. But, at a bare minimum – even in the context of very simple incidents that can be resolved automatically – humans would at least need to be notified that an incident has occurred and a response has taken place.

Tools

Whether it’s manual or automated, incident response requires tools. Alerting tools tell teams about an incident. Analytics and debugging software can help them investigate the incident and identify its root cause. Collaboration tools help stakeholders share information and plan response activities.

Processes

Incident response also involves a set of processes. These processes define who does what, using which tools, in order to identify, investigate, and resolve the incident. Frameworks like MITRE offer guidance on which processes to follow depending on the particular situation.

What Is Incident Response Automation?

Incident response automation is the use of tools to automate one or more aspects of your incident response. Depending on the types of incidents you are dealing with, you can likely use automation tools to automate at least one significant part of your incident response operations.

Aspects of incident response that are obvious candidates for automation include:

  • Alerting: There’s no good reason to wait on humans to tell you that an incident has occurred. Automate alerts based on your monitoring and analytics data.
  • Incident prioritization: In the event that multiple incidents occur at once, automation tools can help to assess the severity of each one, so your team knows which to prioritize.
  • Communication: Automation tools can help to ensure that each stakeholder receives the appropriate information during incident response. This is important because different people may need different types of information. C-level executives may want to know what the incident means for the business, for example, while IT engineers need technical information to help them resolve the incident.
  • Remediation: In some situations, incidents can be resolved automatically. For example, if a vulnerability scanner detects a zero-day vulnerability in an application, and the vulnerability is fixed in an updated version of the app, you could use automated tools to deploy a new version of the app in order to fix the vulnerability risk.
  • Reporting and post-mortems: After a serious incident has been resolved, it’s common to perform a “post-mortem” and prepare a report that explains what went wrong and which steps the team has taken to prevent a similar incident from occurring. Automation tools can help to generate and organize the data inside these reports.
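To make the candidates above concrete, here is a small triage automation written for this article as an added example; it is not Torq's code and does not use the Torq platform. It takes a constructed batch of alerts, scores and prioritizes them, builds a different message for executives and for engineers, auto-remediates only the case described above (a vulnerability with a fixed version already available) and hands everything else to a human, and keeps a record per incident that a post-mortem report can be generated from. The asset criticality and type weights are placeholder assumptions standing in for what a CMDB or risk register would supply.

```python
"""Added example: incident triage automation over constructed alerts.
Scores, prioritizes, routes per-audience messages, and decides whether an
incident can be remediated automatically or needs a human."""
from typing import Dict, List

# Constructed sample alerts, shaped like what an alerting stage might emit.
SAMPLE_ALERTS = [
    {"id": "A-1", "type": "vuln", "asset": "payments-api", "hosts": 12,
     "confidence": 0.9, "patched_version_available": True},
    {"id": "A-2", "type": "malware", "asset": "dev-laptop-17", "hosts": 1,
     "confidence": 0.7, "patched_version_available": False},
    {"id": "A-3", "type": "app_crash", "asset": "hr-portal", "hosts": 2,
     "confidence": 1.0, "patched_version_available": False},
]

# Assumed asset-criticality scale (1-5); in practice this comes from a CMDB.
ASSET_CRITICALITY = {"payments-api": 5, "hr-portal": 3, "dev-laptop-17": 2}

# Assumed base weight per incident type; tune to your environment.
TYPE_WEIGHT = {"malware": 3.0, "vuln": 2.0, "app_crash": 1.5}


def score_alert(alert: Dict) -> float:
    """Severity = type weight * asset criticality * detection confidence,
    plus a scope term (capped at 10 hosts) so widespread incidents rank higher."""
    criticality = ASSET_CRITICALITY.get(alert["asset"], 1)
    base = TYPE_WEIGHT.get(alert["type"], 1.0) * criticality * alert["confidence"]
    scope = min(alert["hosts"], 10) / 10.0
    return round(base + scope, 2)


def prioritize(alerts: List[Dict]) -> List[Dict]:
    """Return a copy of the alerts, each annotated with its score, highest first."""
    scored = [dict(a, score=score_alert(a)) for a in alerts]
    return sorted(scored, key=lambda a: a["score"], reverse=True)


def remediation_action(alert: Dict) -> str:
    """Auto-remediate only a vulnerability that already has a fixed release;
    malware, crashes, and unpatched issues are handed to a human."""
    if alert["type"] == "vuln" and alert["patched_version_available"]:
        return "auto:deploy_patched_version"
    return "human:investigate"


def route_messages(alert: Dict) -> Dict[str, str]:
    """Different stakeholders get different views of the same incident."""
    action = remediation_action(alert)
    return {
        # Business impact and whether the team is handling it automatically.
        "executives": (f"{alert['id']}: {alert['type']} affecting {alert['asset']} "
                       f"(severity {alert['score']}); handling={action.split(':')[0]}"),
        # Technical detail an engineer needs to act on.
        "engineers": (f"{alert['id']}: type={alert['type']} asset={alert['asset']} "
                      f"hosts={alert['hosts']} confidence={alert['confidence']} "
                      f"next={action}"),
    }


def run_triage(alerts: List[Dict]) -> List[Dict]:
    """One pass over a batch: prioritize, decide the action, build messages,
    and keep a per-incident record that a post-mortem report can draw on."""
    records = []
    for a in prioritize(alerts):
        records.append({
            "id": a["id"],
            "score": a["score"],
            "action": remediation_action(a),
            "messages": route_messages(a),
        })
    return records


if __name__ == "__main__":
    for rec in run_triage(SAMPLE_ALERTS):
        print(rec["id"], rec["score"], rec["action"])
        print("  exec:", rec["messages"]["executives"])
        print("  eng: ", rec["messages"]["engineers"])
```

With the constructed inputs the payments API vulnerability ranks first and is the only incident eligible for automatic remediation; the malware finding on a low-criticality laptop ranks below the crash of a more important application, which is the kind of outcome a team should sanity-check when tuning the weights.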

Incident Response Playbooks vs. Automation

In many cases, organizations create incident response playbooks, which define who will do what during incident response operations.

It’s important to note, however, that playbooks alone are not a form of automation. Playbooks are instead a plan for incident response.

Playbooks can certainly be automated by deploying tools that can operationalize the steps within playbooks. But, having a playbook alone doesn’t equate to having automated incident response. Playbooks are more of a first step toward automating incident response processes.

Torq’s Role in Incident Response Automation

With Torq, security teams can deliver improved security without a significant increase in manpower. Automation ensures consistent execution of day-to-day tasks, and triggered workflows speed incident response and reduce manual effort, which in turn lets security practitioners do more professionally rewarding work, preventing burnout and attrition. Torq’s ease of use and out-of-the-box integrations mean that security teams no longer need to invest in expensive professional services or middleware development.

Conclusion

Although there will always be a need for human participation in most incident response operations, many components of incident response can be automated – and they must be automated if you want to reduce incident response time, minimize the risk of error, and keep response processes consistent across different types of incidents.

Understanding Security Automation vs. Orchestration

“Automation” and “orchestration” are terms that frequently appear within the same sentence – which is unsurprising, because they are closely related. In fact, they’re so similar in meaning that it can be easy to confuse them or assume that there is basically no real difference between security automation and orchestration.

But, as with many concepts in the world of IT and security (“observability” vs. “monitoring” is another good example), it would be a mistake to treat automation (or as Torq calls it, hyperautomation) and orchestration as synonymous terms. Understanding the nuanced differences between them is critical for leveraging hyperautomation and orchestration effectively alongside each other within modern IT and security operations.

To that end, let’s compare the definitions of orchestration and automation.

What Is Security Automation?

Security automation is what happens when you use software or other tools to complete a task without intervention by humans. Automation saves time and effort. It can also increase consistency and reduce the risk of mistakes due to human error.

Automation can be partial, meaning that a human plays some role in completing a process, while automation tools handle other parts of the task. This type of automation is known as “human in the loop” automation.

You can also have end-to-end automations, where tasks are completed entirely by automated tools. Humans may configure or deploy those tools, but the tools do their work autonomously once they are running.

What Is Security Hyperautomation?

At Torq, we call it security hyperautomation. Security hyperautomation intelligently integrates and orchestrates multiple security tools so they work in harmony, which empowers enterprise security teams to precisely and autonomously identify, escalate, and remediate security events at dramatic scale, helping them save precious time and money by automating tedious and frustrating manual tasks.

What Is Security Orchestration?

Orchestration is the management of multiple automated workflows.

When you orchestrate something, you are not automating just a single task. Instead, you have multiple related automations running at once, and your orchestration process is what ensures that all of the processes remain in sync.

Orchestration is important because, in many cases, automation processes are interdependent. One automated task may need to complete before another can begin, or data may need to be shared between processes. Orchestration ensures that the various tasks within an automated system proceed smoothly.

Differences Between Automation and Orchestration

The main difference between automation and orchestration is simple: whereas automation focuses on completing a single task with help from an automation tool, orchestration focuses on completing multiple tasks using automation tools across applications.

What this means is, you can have automation without orchestration. In that case, you’d oversee and coordinate each of the automation workflows within your organization by hand.

However, you can’t have orchestration without automation. If you don’t have automations in place, then you’d have nothing to orchestrate.

Orchestration vs. Automation

To contextualize all of the above, let’s consider the automation of tasks such as:

  • Collecting data from various sources (logs, metrics, user behavior patterns, and so on) that are relevant for security purposes.
  • Analyzing the data to detect anomalies that may be signs of a security issue.
  • Generating alerts that tell the security team about a potential risk.

Each of these is a discrete type of process. Each one can be automated separately.

However, because these processes are interdependent, you’d also typically want a way to orchestrate them by ensuring that individual automated tasks take place in a certain order. You need to collect data before you analyze it. And you can’t generate alerts until you have analytics results. Without security orchestration, then, you’d run the risk that your automation tools would complete tasks in the wrong order, mucking up the whole process.

Orchestration can also help to ensure that humans are plugged into security automation processes at the right times and places. This is important because not every security workflow can be fully automated. For example, while some response operations (like blocking malicious endpoints) could be performed using automation, others (like fixing a vulnerability that requires changing an application’s source code) will require human intervention. Orchestration functionality can help a team identify which security workflows begin with automation tools but must be handed off to humans to complete.
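The collect-analyze-alert ordering described above, and the human-in-the-loop handoff discussed here and in the automation section, can be shown in a few dozen lines. The following is an added example written for this article, not Torq's code and not a description of how the Torq platform orchestrates workflows. Each automation is a task with named dependencies; the orchestrator computes an order that respects those dependencies (refusing to run at all if they form a cycle), passes each task's output to the tasks that depend on it, and records tasks marked as human-owned, along with anything downstream of them, as pending handoffs instead of running them on data that does not exist yet. The log lines, threshold, and task names are all constructed for the example.

```python
"""Added example: a minimal security orchestrator that runs interdependent
automations in dependency order and hands non-automatable steps to a human."""
from collections import deque
from typing import Callable, Dict, List, Sequence

# Constructed sample log lines standing in for the "collect data" sources.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 host=web-1 user=alice event=login result=fail src=203.0.113.9",
    "2024-01-01T10:00:02 host=web-1 user=alice event=login result=fail src=203.0.113.9",
    "2024-01-01T10:00:03 host=web-1 user=alice event=login result=fail src=203.0.113.9",
    "2024-01-01T10:00:04 host=web-1 user=alice event=login result=fail src=203.0.113.9",
    "2024-01-01T10:00:05 host=web-1 user=alice event=login result=fail src=203.0.113.9",
    "2024-01-01T10:00:09 host=web-2 user=bob event=login result=ok src=198.51.100.4",
]
FAILED_LOGIN_THRESHOLD = 5  # assumed tuning value for the anomaly check


class Task:
    """One automation step. `run` receives the results of all finished tasks."""
    def __init__(self, name: str, run: Callable[[Dict], object],
                 depends_on: Sequence[str] = (), needs_human: bool = False):
        self.name, self.run = name, run
        self.depends_on, self.needs_human = tuple(depends_on), needs_human


def topological_order(tasks: List[Task]) -> List[str]:
    """Kahn's algorithm: an order in which every task follows its dependencies.
    Raises ValueError on unknown dependencies or a dependency cycle."""
    by_name = {t.name: t for t in tasks}
    indegree = {t.name: 0 for t in tasks}
    dependents: Dict[str, List[str]] = {t.name: [] for t in tasks}
    for t in tasks:
        for dep in t.depends_on:
            if dep not in by_name:
                raise ValueError(f"{t.name} depends on unknown task {dep}")
            indegree[t.name] += 1
            dependents[dep].append(t.name)
    ready = deque(sorted(n for n, k in indegree.items() if k == 0))
    order: List[str] = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for nxt in dependents[name]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle detected; refusing to run")
    return order


def orchestrate(tasks: List[Task]) -> Dict:
    """Run tasks in dependency order. Human-owned tasks, and anything that
    depends on an unfinished task, are recorded as pending rather than run."""
    by_name = {t.name: t for t in tasks}
    results: Dict[str, object] = {}
    pending: List[str] = []
    for name in topological_order(tasks):
        t = by_name[name]
        if t.needs_human or any(d not in results for d in t.depends_on):
            pending.append(name)
            continue
        results[name] = t.run(results)
    return {"results": results, "pending_human": pending}


# The three automations from the text, plus two response steps.
def collect(_: Dict) -> List[Dict]:
    """Parse the constructed key=value log lines into event dicts."""
    return [dict(kv.split("=", 1) for kv in line.split()[1:]) for line in SAMPLE_LOGS]


def analyze(results: Dict) -> List[str]:
    """Flag source addresses with too many failed logins."""
    failures: Dict[str, int] = {}
    for e in results["collect"]:
        if e["event"] == "login" and e["result"] == "fail":
            failures[e["src"]] = failures.get(e["src"], 0) + 1
    return [src for src, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]


def alert(results: Dict) -> List[str]:
    return [f"possible brute force from {src}" for src in results["analyze"]]


def block_endpoint(results: Dict) -> List[str]:
    # Stand-in for a firewall/EDR integration call; here it only records intent.
    return [f"blocked {src}" for src in results["analyze"]]


PIPELINE = [
    Task("collect", collect),
    Task("analyze", analyze, depends_on=["collect"]),
    Task("alert", alert, depends_on=["analyze"]),
    Task("block_endpoint", block_endpoint, depends_on=["analyze"]),
    # A source-code fix cannot be automated, so it is owned by a human...
    Task("fix_source_code", lambda r: None, depends_on=["alert"], needs_human=True),
    # ...and the verification that follows it must wait for that handoff.
    Task("verify_fix", lambda r: "verified", depends_on=["fix_source_code"]),
]

if __name__ == "__main__":
    print(orchestrate(PIPELINE))
```

Running it shows the automated chain completing (collect, analyze, alert, block_endpoint) while `fix_source_code` and its dependent `verify_fix` are reported as pending for a human; the cycle check is what protects you from the "wrong order" failure the text warns about, since a mis-wired dependency graph is rejected before any task runs.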

Conclusion

Security automation allows teams to operate efficiently and at scale. Organizations also benefit from orchestration, which helps to coordinate and manage multiple automation processes to ensure that they proceed as expected. Tools like Torq Hyperautomation bring these together through automated workflows and flexible pre-built templates.