Every investment in SOAR is accompanied with the hidden costs of onboarding and troubleshooting. The licensing structure SOAR brings to an organization is outdated and overpriced. The value of SOAR drastically declined when it transitioned its primary focus from being a force-multiplying automation solution to a glorified ticketing system still requiring countless professional service hours. In fact, 90% of security professionals claim that their SOAR needed upfront investment to build automation workflows and response playbooks.
Here are 5 hidden costs of SOAR no SecOps professional can afford to ignore:
1. Initial setup and implementation costs
SecOps is routinely shocked by the astronomical professional services and deployment costs SOAR involves. In contrast, Torq users experience a 10X+ operational and productivity boost just weeks after deployment. From day one, organizations can enjoy serious ROI via Torq’s cost savings by maximizing team productivity and process effectiveness with the Torq Insights dashboard. It granularly measures time savings and operational efficiency for total visibility into the hyperautomation platform’s impact.
2. Ongoing maintenance and support for self-managed infrastructure
As organizations adapt and calibrate their SOAR platforms, they discover the need for continuous monitoring, troubleshooting, and adjustments to ensure peak efficiency and adaptability for evolving threat landscapes. Simply put, the greater the maintenance required, the greater the price tag.
3. Hiring personnel and expertise
Qualified SecOps professionals are getting scarce. They’re in demand and the competition to secure them is severe. This is compounded by existing SecOps teams that are understaffed and burning out. All Torq customers benefit from dedicated technical experts that help organizations achieve their automation goals at no extra cost. Say goodbye to surprise consulting bills that cost more than the automation solution.
4. Cost of custom development required on top of SOAR
What SOAR solution providers fail to disclose is the additional set of expenses necessary to provide custom development. Organizations with a SOAR often find themselves needing customized solutions to align the system with their unique operational requirements and existing security stack.
5. Expensive reconfiguration of inflexible playbooks and workflows
In an effort for organizations to be agile in combating security landscape changes, automation sequences set in an organizations SOAR platform are often not up to par for addressing the complexities of today’s threat landscape. If organizations fail to adapt, they could face delayed response times and decreased agility.
It’s Time to Break Up With Your SOAR…
Seriously, stop settling. There are no strings attached or hidden costs with hyperautomation. The choice is clear. Hyperautomation’s radically different approach delivers a much better correlation between price and value. Need more reasons to ditch your Legacy SOAR? Download our Manifesto to learn exactly why SOAR is Dead.
SOAR is dead. At first glance, that might be a bold statement, but the writing’s on the wall. While SOAR may have been a thing in the past, it’s not built for hybrid cloud adoption at enterprise scale. Cue, Torq Hyperautomation.
Lack of connectivity with ever-expanding tools = red flag. The traditional SOAR operating model is slow and inflexible. Legacy SOAR is built upon an outdated architecture that can’t meet the hyperconnectivity and scalability to address modern threats. Guess what? Torq Hyperautomation not only allows you to create workflows in minutes, but it allows you to do it without professional services.
SOAR is Purely Reactive
You can’t be ahead of modern cyber threats if you’re a half a step behind. It’s not enough to just automate tasks around incident response, organizations need a solution that prevents incidents happening in the first place. Hyperautomation performs proactive, automated tasks like regular vulnerability assessments, configuration reviews, contextual threat intelligence, user behavior and insider threat monitoring, and threat hunting that prevent incidents while providing incident reports. Simply put, Hyperautomation allows you to stay ahead of the curve, SOAR keeps you a part of the pack.
Limited Events Processing
Pre-configured responses are a thing of the past. SOAR was built as a standard monolithic architecture, in which the entire application is deployed as a single entity, typically running on a single server or cluster of servers. You can’t teach a dog new tricks. Making SOAR extend beyond these configurations is too time-consuming, costly, and even potentially impossible to complete, as it typically requires the entire environment to be rebuilt and redeployed to upscale the entire system as a whole, instead of individual components.
Narrow and Incomplete Visibility
Lack of visibility? That’s sketchy. SOAR’s lack of a cloud-native architecture means they cannot deliver full visibility into on-premise, hybrid, and public or private cloud environments. Hyperautomation utilizes modern zero-trust containerized agents making outbound-only connections for on-premise environment connectivity.
Hidden Costs
You wouldn’t pay for a Ferrari to get a Prius, so why would you pay more for SOAR? The price tag and value don’t add up. SOAR’s licensing was based on the number of analysts or users in the organization, but that changed when it became a ticketing system, decreasing its value. Hyperautomation’s radically different approach delivers a much better correlation between price and the value received. There are also no hidden costs associated with hyperautomation.
Torq Hyperautomation achieves 10X Faster ROI Compared to Legacy SOAR
Torq Hyperautomation analyzes cyberthreats at scale with unprecedented ease and efficiency, using built-in advanced AI capabilities that SOAR completely lacks.
It Takes a Cybervillage: Torq Collaborates With Team8’s Ecosystem at CISO Summit
By Torq
June 13, 2023
3 Minute Read
Torq firmly believes in Team8’s philosophy that it takes a village to address the escalation in critical cyberthreats. This is why Torq is collaborating with Team8’s vast ecosystem of partners to unleash the most advanced hyperautomation solutions possible, which seamlessly integrate across the Team8 community.
We’re excited to showcase Torq Hyperautomation at Team8’s CISO Summit in Tel Aviv during Innovation Day on June 21. It’s an exclusive gathering for C-level leaders to discuss the evolving role of CISOs, the latest trends and technologies, mutual opportunities, common challenges, and pathways to success.
“The Torq team is really looking forward to taking part in Team8’s CISO Summit, which is bringing together an incredible braintrust of global C-level executives to address some of the most pressing and important topics in cybersecurity today,” said Ofer Smadari, CEO and Co-Founder, Torq. “Torq is delivering significant value to Team8’s ecosystem with our Enterprise-Grade Hyperautomation platform, which is automating the most complex security infrastructures at dramatic scale. We look forward to productive dialogs at CISO Summit that drive effective solutions.”
Here’s what founders of Team8 companies are saying about working with Torq:
“The combination of Talon and Torq enables organizations to maintain robust security across their workforce without impacting productivity. Through the power of Talon’s Enterprise Browser and Torq’s Hyperautomation platform, organizations are able to simplify and improve enterprise security in an extremely powerful way. We look forward to continuing to work together to add joint value for customers.”
– Ofer Ben-Noon, CEO, Talon
“Through our partnership with Torq, Dig Security customers can quickly automate full remediations through a single hyperautomation system to improve overall datasecurity posture, and stop data exfiltration in real time.”
– Dan Benjamin, CEO and Co-Founder & CEO, Dig Security
“Torq and Gem share a mutual vision of transforming cloud security operations. Together, we give customers the tools they need to better automate cloud detection and response, enabling seamless workflows to stop threats faster.”
– Arie Zilberstein, CEO, Gem
“Our integration with Torq allows our mutual customers to benefit from a fully-automated lifecycle on remediating supply chain security findings. It works across multiple organizational units and drives them with human-in-the-loop resolution. Now customers experience faster responses, cutting a lot of time from MTTR and keeping the operation more efficient and secure.”
– Neatsun Ziv, CEO and Co-Founder, OX Security
“IONIX’s remediation Action Items, together with Torq’s flexible hyperautomation workflows, align remediation tasks with the way that security operations actually work. Now, customers can spend less time on routing tickets manually and further reduce their MTTM (Mean Time To Mitigate) exposure across their attack surface.”
– Marc Gaffan, CEO, IONIX
Ready to learn more about how Torq Hyperautomation can transform your organization? Schedule a demo, now!
Torq is an inaugural WIZ Integration (WIN) Launch Partner
By Torq
June 13, 2023
2 Minute Read
Torq has been hand selected as a Wiz Integration (WIN) launch partner, bringing the power of Torq Hyperautomation to WIN, so that our joint customers can continue to seamlessly integrate Wiz into their workflows, empowering them to automate their response.
“Torq and Wiz work seamlessly together to give us a major real-time advantage in mitigating the ever-evolving cloud-based threat landscape.”
WIN enables Torq to deliver actionable remediation and response to threats with a full audit trail of automated security actions. Torq and Wiz work seamlessly together to provide a real-time advantage in mitigating the ever-evolving cloud-based threat landscape with comprehensive contextual and accurate malicious activity identification. And Torq frees up security teams’ precious time, empowering them to focus on strategic business initiatives without being overwhelmed by cloud alerts.
“Over 50% of our customers are utilizing our Wiz integration in order to strengthen their hyperautomation workflows and I’m thrilled for us to have been selected as a WIN launch Partner. I look forward to strengthening our relationship for the benefit of our joint customers.”
Eldad Livni, Co-Founder and CINO, Torq.
The combined value of Wiz and Torq streamline security for organizations that are on a cloud journey.
“A best-in-class cloud operating model reduces risk, improves ROI, and drives efficiency,” said Oron Noah, Director of Product Management, Wiz. “That value proposition is what lies at the heart of WIN, and what Torq as a partner helps to make a reality. This collaborative philosophy brings real customer benefits, and we are so thankful to have Torq on board for this launch.”
Interested to learn more about the power of Torq and Wiz together, schedule a demo.
Fix Cybersecurity Tool Sprawl with Hyperautomation
By Luke Bentley, Torq EMEA Account Executive
June 1, 2023
5 Minute Read
The evolution of cybersecurity tools is nothing short of remarkable, but I suppose they had to be when it isn’t just the Morris Worm you’re worried about. There has been a wave of buzz around the latest technology in years gone by. EDR evolved into MDR, then SASE, and in recent times we’ve seen Immutable Backup take the front seat.
But hey, I’m sure you can’t go far wrong by investing in all these kinds of technologies. The more the merrier, right? Depending on what you read, the number of cybersecurity-related technologies that enterprises have integrated and deployed in their infrastructure is between 45-70*, which is absurd. So, when there are vendors that are working in unison and supporting the idea of a better integrated and more visible cyber picture, it sounds like a win-win. This idea of your EDR, SASE and Email Securityvendor working in tandem is a dream come true, right?
Some things don’t change unfortunately, and cybersecurity teams and CISOs are still being asked to do the impossible. Those age-old problems don’t budge easily: shortage of cyber professionals and resources, and a plethora of cyber vendors offering too many tools and too many processes. “With great tools, come great alerts,” or something along those lines, is what we’re typically told.
Who’s expected to deal with these additional alerts created from all of these technologies? Just because they integrate well, doesn’t mean they’re contributing to what the main focus should be: improving your cybersecurity posture and reducing the risk to your organization’s workforce.
Some things do change, however. The new generation of CISOs don’t want to overload their teams with work to churn out results. They want to work smarter. They see business, people, and technology as one that can work together to get results.
CISOs are looking at the bigger picture. Empower the cyber teams, let them develop their skill sets, so they can return their knowledge and value back to the company. They’re not relying solely on the latest tech to churn through alerts and let the team on the ground deal with the processes.
The saying goes, “Train your people enough so they can leave, and treat them well enough so they don’t want to.” Nailed it.
Your infrastructure security engineer wants to develop into an AWS architect, but is too busy dealing with CSPM alerts. Your cyber analyst has aspirations of being a CISO themselves one day, but is bogged down by suspicious user activity, and misses all those opportunities to gain additional knowledge, learning how to present and communicate better, or simply lacks a development in strategic mindset to tackle problems. And that lack of development means they look elsewhere. Cybersecurity roles are notorious for job hopping, and I think that’s because the dreams of complex, technical and exciting projects are brushed away by daily firefighting.
Give the power back to the people, including the techies that are literally running the show, and retain them longer. But how? First, strip your mind of all pre-existing knowledge and thoughts on legacy SOAR. Those time consuming, low use case producing, pro-services heavy technologies are a thing of the past.
Hyperautomation is reforming how cyber teams, top to bottom, left to right, are approaching their CyberSecOps. The time to automate every task that comes from the latest and greatest cyber technologies you invest in, because it’s perfectly viable, is now. Torq’s enterprise-grade security hyperautomation has made that possible.
The barrier to entry is no longer a dedicated DevSecOps team of 5 who can code in every language A through Z. Cyber and dev teams have spent years trying to create use cases with legacy SOAR vendors, and might be lucky if they publish 4 or 5 workflows/playbooks in a year. With Torq, the entry need only be a laptop, mouse and keyboard. Maybe a slight oversimplification, but it’s not far wrong. The ability to imagine, create and publish a workflow is now astonishingly rapid with Torq.
So, yes, the latest tech tools are great to have, the integrations will no doubt provide you with additional advantages and help secure your workforce, and sure they’ll do what they say on the tin. But the real power in your CyberSecOps is their new found time, being in control of alerts and tasks, and effectively remediating all of those alerts with a hands-off approach where possible. Torq is the tool to augment everything you have, say (and show) how we give time back to your teams, as well as increase the efficacy and ROI of other tools. Here’s a sneak peek at what time you could be saving:
If you’ve miraculously found time between all your alerts to read this, don’t take my word for it; put our hyperautomation platform to the test. Any and all CyberSecOps or CloudOps processes you want automating – we’ve got you!
CSPM, IAM, alert remediation, email phishing response, threat hunting, and secure access to sensitive data – honestly the list is only limited to your imagination (or in my case, a word count).
Building Efficient SecOps Pipelines with AWS Security Lake and Torq
By Torq
May 31, 2023
8 Minute Read
Amazon Security Lake automatically centralizes an organization’s security data from cloud, on-premises, and custom sources it into a purpose-built data lake stored in a customer’s AWS account.
Amazon Security Lake reduces the complexity and costs for customers to make their security solutions data accessible to address a variety of security use cases such as threat detection, investigation, and incident response. Amazon Security Lake is one of the many solutions that now supports the Open Cybersecurity Schema Framework (OCSF), an open industry standard, making it easier to normalize and combine security data from AWS and dozens of enterprise security data sources.
Operationalizing the above (and additional) scenarios on top of the security data lake requires a set of basic building blocks that can either be used directly by SecOps professionals, or combined into larger workflows driving specific outcomes.
Executing Automated Actions as a Response to Security Events
As an Amazon Security Lake subscriber, Torq consumes logs and events from Security Lake. In order to control costs and adhere to least privilege access best practices, Torq workflows can be automatically notified of new Amazon S3 objects for a source as the objects are written to the Amazon Security Lake by setting up one or more data access subscribers. Data access subscribers are notified of new Amazon S3 objects for a source as the objects are written to the Security Lake data lake.
In Torq, this notification is received in an Integration Webhook, so the first step of the configuration process is to create a new Webhook integration in Torq, as described in Torq’s documentation here. Take note of the resulting Webhook integration URL (endpoint), as it will be needed to set up a data access subscriber in Amazon Security Lake.
Completing the creation of the subscriber also requires setting up a new AWS Integration in Torq, as described in Torq’s documentation here. This integration will also be used afterwards to pull data from the Security Lake in Torq Workflows. As described in Torq’s documentation, setting up an AWS Integration requires creating a new Role in AWS Identity and Access Management. For that role to be able to pull data from the security lake, please sure to add the following permission policies to the role:
Create a new IAM Policy with the following contents:
Make sure to replace “{accountId}” in the JSON above with your own AWS Account ID.
Add this policy to the Permissions Policies for role you’re creating for Torq’s Integration
Add the following policy to the Permissions Policies of the role AmazonAthenaFullAccess (this is needed to enable querying, writing results, and data management through Amazon Athena, which is how Torq workflows will query data from the AWS Security Lake.
While setting up the AWS Integration in Torq, take note of the Torq Account ID and the AWS External ID, as you will need these in the process for creating a custom subscriber
Next, follow the following steps to set up a new Data Access Subscriber through your AWS Console:
For Subscriber details, enter the subscriber’s name and (optionally) a description.
For Log and event sources, choose from which sources you want to receive notifications in your previously created Torq webhook (you can choose whether you want to send notifications from all your Amazon Security Lake sources to Torq or select specific sources for each subscriber).
For Data access method, choose S3 to set up data access for the subscriber.
For Subscriber credentials, provide the Torq Account ID and the AWS External ID you got from AWS integration in Torq for AWS account ID and external ID, respectively.
For Notification details, select Subscription endpoint so that your Amazon Security Lake can send notifications through EventBridge to the HTTPS endpoint of the Torq Webhook created previously.
For Service Access, select the IAM role named AWSServiceRoleForAmazonEventBridgeApiDestinations, which is automatically created during the Amazon Security Lake set up process when run from the AWS Console, and which gives EventBridge permission to invoke API destinations and send object notifications to the correct endpoints.
Provide the Torq Webhook integration URL (endpoint) as the subscription endpoint.
Choose Create.
Check the configuration of Subscription associated with the Amazon SNS Topic which has been created as a result of the previous steps, and verify that Raw message delivery is enabled for the Subscription. Enable it by editing the Subscription if it wasn’t.
Schematic configuration of Amazon Security Lake subscribers triggering Torq workflows
Depending on the settings you defined in step #5 above (Log and event sources) it might be necessary to define trigger conditions in your Torq workflows triggered from Amazon Security Lake events. Here’s an example of a trigger condition meant to restrict a workflow to be triggered by Route53 events in Amazon Security Lake from a region us-east-1 only:
A Torq workflow trigger condition definition example to restrict a workflow to be triggered only by Amazon Security Lake events for a specific account id, region and data source (such as AWS Route53)
Querying Data from Security Data Lake
The Amazon Security Lake creation and set up process run from the AWS console, automatically registers each Security Lake region as a new Database in AWS Athena.
AWS Athena is a serverless service which allows querying Amazon Security Lake S3 data (with an S3 bucket per region for which the Security Lake has been enabled) using SQL.
Querying Amazon Security Lake from Torq Workflows using SQL through AWS Athena
Querying Amazon Security Lake data from Torq workflows, either automatically triggered from Security Lake events, scheduled to periodically pull notifications of new objects by polling an Amazon Simple Queue Service (SQS) queue or run on-demand to search for specific data in the Security Lake, can be easily implemented by using SQL in AWS CLI steps to query Athena’s API.
The following figures illustrates the process of querying Amazon Security Lake from Torq Workflows in 3 steps:
Creating a dynamic SQL query for AWS Athena:
Using AWS CLI to execute the query in AWS Athena:
The result of Athena SQL queries is stored as a csv document in S3 and can be easily pulled into a Torq workflow by using an AWS S3 Read File step, and then the Convert CSV to JSON step from Torq Utilities to simplify data extraction and transformation in later steps in the workflow:
Bringing It All Together
Operationalizing Security Operations with fully automated or human-in-the-loop pipelines using the above “building blocks” is a process consisting of the following phases:
Identifying the relevant security events:
Torq triggers can be configured with conditions, expected from the delivered event, in order to start performing automatic actions. In some cases, looking just at the event data might not be sufficient to decide whether it requires a certain security follow-up or not. For these scenarios, following up with additional automated enrichment and investigatory steps can be performed with Torq workflow steps.
Defining the required enrichment / hydration data:
Upon receiving a security event that has a potential for a follow-up, certain parts of it, such as (but not limited to) User Identifiers, Device Identifiers, Network Addresses, etc… should be retrieved for further enrichment with additional systems (IAM, CMDB, Threat Intelligence and more) by introducing initial steps in a workflow triggered by security lake events.
Building the pipelines – what happens when the event occurs:
Defining the response process can take place in an iterative manner. Main questions that need to be addressed are:
What additional information do we need to be able to better classify the event
Once classified, are there external notification / orchestration systems that need to be updated with this information
If building a human-in-the-loop pipeline, which role-players need to be provided an information about this event
If performing automatic remediation actions – what are they and which role-players can approve executing them
Summary
Amazon Security Lake provides a flexible and scalable repository for different kinds of security events. In order to build flexible and scalable security operations, your teams will require this data to be at their fingertips with the ability to efficiently use it and to trigger processes based on it.
Implementing Torq workflows, that can be triggered either
Manually by security professionals via Messaging / Chat or Web
By identifying specific events reaching the security lake
By using detections made by 3rd party security products
In these workflows, following capabilities can be delivered to security professionals:
Retrieve data from security lake and present it to security role-players in a convenient fashion
Enrich operational systems with context from the security lake
Process the security lake data to make decisions on severity and priority of different security events
Suggest and execute containment and remediation strategies based on processed contextual data
Examples of these and additional scenarios can be found at Torq Template Library.
Turning Intelligence Into Action with Cybersixgill and Torq
By Dallas Young, Sr. Technical Marketing Manager
May 24, 2023
4 Minute Read
No matter the industry, geography, or organizational size, cybersecurity teams are united by their many shared challenges: talent shortages, expanding attack surfaces driven by digitization and remote work, increasing velocity of software development, and the rapidly growing scope and sophistication of global cybercrime. In response, these teams have embraced and incorporated a range of specialized tools within their defensive arsenal in attempt to address and resolve these issues. Threat intelligence and security automation solutions form the front lines of their battle, yet these pillars of the cybersecurity ecosystem are often disconnected, creating a dangerous gap between intelligence and action.
This divide prevents security teams from deriving the full value from their solutions. Non-actionable threat intelligence increases analyst fatigue with yet another stream of feeds and alerts. While automated security playbooks without context-rich threat data lack the means to validate, prioritize and triage threats, resulting in inefficient processes and extending the MTTR.
By integrating actionable, relevant, context-rich threat intelligence within orchestration automation tools and processes, security teams can unlock the full potential of their existing security stacks – saving precious time and resources while streamlining response and remediation.
Turning Intelligence Into Action with Cybersixgill and Torq
Cybersixgill and Torq have partnered to bridge the divide between intelligence and action, operationalizing Cybersixgill’s market-leading threat intelligence through next gen security hyperautomation with Torq. With this strategic partnership, we have pioneered end-to-end, no-intervention threat protection, helping to dramatically reduce MTTR through customizable, automated workflows and playbooks, triggered by context-rich threat intelligence extracted in real-time from the cybercriminal underground.
Using Torq’s library of automation components, organizations can build an automation infrastructure to orchestrate immediate responses to Cybersixgill’s early warnings of potential threats, allowing teams to build automated, alert-triggered playbooks with any other tool in their environment – without writing a single line of code.
Alerts from Cybersixgill’s rich threat intelligence insights can be programmed to autonomously initiate incident response workflows in Torq to instantly remediate issues at the first indication of a potential threat. Alternatively, security teams can harness Cybersixgill’s rich threat context to create automated threat hunting workflows, triggering data enrichment upon the arrival of an event or signal discovered through any other security tool.
Torq and Cybersixgill make it easy for teams to turn manual security processes into automated, intelligence-driven workflows within minutes, eliminating reactive processes to build a resilient, proactive cybersecurity posture.
The Benefits of the Combined Solution
Cybersixgill gives users covert access to our complete body of context-rich threat intelligence from the deep, dark & clear web, including limited-access forums and markets, invite-only messaging groups, code repositories, paste sites and clear web platforms. We correlate our threat intelligence with each customers’ defined organizational assets, alerting teams to relevant threats at the earliest indication of risk, enabling preemptive action to be taken before they can materialize into an attack.
Torq’s enterprise-grade security hyperautomation platformunifies and automates the entire security infrastructure to deliver unparalleled protection and productivity. Torq drives maximum value and efficiency from existing security investments. It supercharges security teams with powerful, easy-to-use no-code, low-code, and full-code workflows that reduce manual tasks, freeing security professionals to focus on higher-value strategic activities.
Together, the combined solutions help users:
Reduce risk with automated end-to-end intelligence-driven security workflows- Identify, capture and block threats as they emerge with seamlessly deployed playbooks to accelerate Mean Time to Respond and better secure your environment.
Save time and maximize team productivity- Eliminate manual work with automated workflows triggered by actionable and relevant threat intelligence data – built and deployed in minutes with no need for developers, professional third party services or month-long implementation delays
Minimize cost and maximize resources- with a consolidated end-to-end no-intervention threat protection solution that allows you to make the most out of your existing security stack, with faster time to value.
Optimize operations- by automating repeatable security processes, allowing you to shift valuable resources to higher priority tasks.
Schedule a demo to learn more about Torq Hyperautomation.
The Top 4 Criteria for Choosing a Security Automation Solution
By Afik Levi, Product Specialist, Torq
May 18, 2023
5 Minute Read
As businesses continue to evolve, automation has become an essential aspect of modern operations. The benefits of automation are numerous, ranging from reducing operational costs to increasing security, efficiency, and accuracy. However, with so many automation solutions available on the market, it can be challenging to select the right one for your business. As a product specialist at Torq with over a decade of experience in field positions, I have had the opportunity to witness countless businesses on their automation journey, and I want to share some of the insights with you. At the end of the article, you will have a better understanding of the critical factors to consider when choosing the right automation solution.
1. Business requirements, Technology Stack, In-House Solutions
The first step towards selecting the right automation tool is understanding your business requirements. This involves identifying the processes that need automation (repetitive tasks, high error rates, etc.) and mapping the technology stack. It is crucial to evaluate the automation solution’s capabilities to integrate seamlessly with your stack and provide out-of-the-box functions that are relevant to your technology stack, as this improves the time to value and ROI by enabling simplicity when creating automation workflows. It’s also equally as important to map your in-house customizations to examine how the potential solution works with them, as without the sync between the two, you will most likely face “unplanned costs” and it might lead to complete blockers.
2. Out-of-the Box vs Generic
Flexibility is another important factor to consider when selecting an automation solution. Wait a minute! What do we mean by flexibility? Referring to the balance between out-of-the-box capabilities and generic/customization capabilities. It is essential to ensure that the “out-of-the-box” capabilities can be fully customized; based on my experience, missing even one piece of the puzzle can prevent successful workflow automation, so you better be able to customize it or you might hit the same wall that is killing the legacy SOARs (content and integration creation; “Sorry, we don’t support it”).
However, beware of generic solutions that may satisfy use cases but hinder time-to-value and solution maintenance (for example, vendor API updates). So at the end of the day, having both out-of-the-box and generic capabilities is desirable.
3. POC Time + Success Criteria
After understanding your business requirements and technology stack, evaluating potential automation solutions with a Proof of Concept (POC) is the next step. The focus is on time-to-value and ROI. Choosing your important use cases and evaluating how quickly and easily they can be fully operational is essential. It is equally important to determine how easy it is for you to accomplish this. It’s time to ask your team to complete a use case from scratch using the potential automation solution.
Here is the specific success criteria for the POC as I see it (I promise it will save you money in the long):
New content creation – “steps”.
New integration creation – out of the box and generic capabilities.
Bring your own code – relevant when you have a legacy code such as a big in-house solution that you can’t replace right away, or even empowering someone who wants to use code for specific use cases.
Connectivity capabilities – more than APIs (SSH, Bash, SQL, etc).
Life cycle management – vendor API updates, production vs testing separation, testing and CI/CD solutions, etc.
Templates – out-of-the-box workflows that reflect different use cases.
Content sharing – workflows and steps, relevant for a super user who helps others.
Now that we have a candidate that answers all of that (hint: Torq), it’s time to validate what the future looks like. It’s time to focus on scalability, maintenance, and the vision of the vendor. As your business grows, the solution should scale with it. It is essential to choose an automation system that can handle increased volumes of data and adapt to changing business needs over time. Selecting a solution from a vendor with a clear vision for the future can be critical to ensuring the long-term success of your automation efforts.
Choosing the right automation tool is a critical aspect of a modern security team. It’s crucial to examine the standout aspects of the solution as it can have a significant impact on your organization, particularly in terms of efficiency, improved security posture and lowering costs.
While there are many factors to consider when selecting a security automation tool, these essential elements should guide your decision-making process as they increase the probability of success. As a product specialist at Torq, we understand the importance of selecting the right automation tool (so we have created an Hyperautomation one), and I hope that this article has provided you with valuable insights to make an informed decision.
Hype vs. Reality: Are Generative AI and Large Language Models the Next Cyberthreat?
By Torq
May 17, 2023
5 Minute Read
Generative AI and large language models (LLMs) have the potential to be used as tools for cybersecurity attacks, but they are not necessarily a new cybersecurity threat in themselves. Let’s have a look at the hype vs. the reality.
The use of generative AI and LLMs in cybersecurity attacks is not new. Malicious actors have long used technology to create convincing scams and attacks. The increasing sophistication of AI and machine learning algorithms only adds another layer of scale and complexity to the threat landscape, which should be met with both common and innovative protection measures to maintain organizations’ security posture.
Generative AI and LLMs can have a significant impact on the scale of cybersecurity threats, both in terms of the number of attacks and their complexity. On one hand, these technologies can make it easier and faster for attackers to create convincing fake content. This could lead to an increase in the overall volume of attacks, as attackers are able to generate larger quantities of fraudulent content more quickly and easily.
Additionally, LLMs can be used to generate highly-targeted and personalized messages, which could make it more difficult for people to recognize them as fraudulent. For example, an attacker could use an LLM to generate a phishingemail that appears to come from a friend or colleague, using their writing style and language to make the email seem more authentic. They could also be used to generate realistic-looking password guesses, in order to bypass authentication systems. Generative AI and LLMs can give attackers an advantage in certain situations. These tools can automate the process of creating convincing fake content, making it easier and faster for attackers to generate large quantities of phishing emails and other types of misleading content.
To mitigate the potential threats posed by generative AI and LLMs, organizations can take immediate steps, such as:
Multi-factor authentication-Implementing multi-factor authentication systems can help to prevent attacks that use AI technology to guess or crack passwords. By requiring additional verification steps, such as a biometric scan or a one-time password, organizations can make it more difficult for attackers to gain access to sensitive data or systems.
Employee training-Providing training to employees on the increasing threat of highly targeted and personalized phishing attacks as a result of generative AI. This can include training on how to identify and respond to phishing emails or suspicious behavior on the network.
Email filtering-Email filtering systems can provide an effective defense against phishing attacks that leverage AI technology. These systems can analyze large volumes of email traffic and quickly identify and block suspicious emails, helping to prevent users from falling victim to these types of attacks.
Hyperautomation-This new security automation approach is effective for countering the scale of attacks generated by AI, by providing organizations with comprehensively-integrated capabilities needed to quickly detect and respond to threats. In addition, it can help to reduce the workload on security teams by hyperautomating routine tasks such as incident triage and response. This can help to free up time and resources to handle more complex threats, such as those involving generative AI and LLMs.
The use of generative AI and LLMs is not limited to attackers. These tools can also be used by defenders to develop more effective security measures and detect potential threats. For example, security researchers can use LLMs to analyze large volumes of data and identify patterns that could indicate the presence of a cybersecurity threat. Some possible future applications of LLMs in cybersecurity protection can be developed to augment the existing tech stack, and help protect against a wide range of new and more sophisticated cyber threats:
Phishing Detection-LLMs can be trained to recognize and flag suspicious emails that may be part of a phishing attack. By analyzing the text of an email, an LLM can identify patterns or keywords that are commonly used in phishing attempts and alert users or security teams to the potential threat.
Malware Detection-LLMs can be used to analyze large volumes of code and identify patterns that are associated with malware or other types of cyber attacks. An LLM can identify keywords or phrases that are commonly used in malicious code and help to flag potential threats.
Threat Intelligence Analysis-LLMs can be used to analyze and categorize large volumes of threat intelligence data, such as security logs or incident reports, to identify patterns and trends in the data and help that indicate potential threats or vulnerabilities in the system.
Hyperautomation-By integrating AI-based threat detection capabilities into a hyperautomation platform, organizations can enhance their ability to quickly respond to attacks. For example, machine learning algorithms could analyze network traffic and identify patterns that indicate the presence of a threat. This would automatically trigger a response, such as blocking the malicious traffic or quarantining an infected device.
If you want to learn more about how hyperautomation can help your organization connect your entire tech stack, use no-code to full-code, and bring your own container, and deploy in a matter days, visit Torq.
For years, efficient Case Management has been one of the single most challenging tasks for security operations professionals. It involves ensuring all threats are proactively identified and prioritized based on risk criticality, and then rapidly investigated and appropriately elevated across all organizational cybersecurity platforms and tools. Optimally, it sets up a near-bulletproof incident response posture that makes the most of an organization’s cybersecurity ecosystem.
However, time and time again, legacy SOAR platforms have failed to deliver on the promise of Case Management. These earlier tools simply can’t keep up with the pace, volume, and variety of evolving cybersecurity threats. They also don’t offer SecOps the flexibility to quickly pivot through records to accurately assess whether or not they’re facing a targeted campaign, a new and novel threat, or an ongoing, pervasive threat that could stop business in its tracks.
The new Torq Hyperautomation platform was purpose-built from the ground up to deliver the comprehensive Case Management capabilities SecOps have been demanding for years, and never benefited from—until now. Unique modern AI co-pilot capabilities drive efficiency even further, ensuring that security analysts are assisted by cutting-edge technology to make the right choices and not miss any details.
Hyperautomating Contextual Security Case Resolution
Torq Hyperautomation is unique in that it rapidly and accurately collects a large number of unprocessed events and signals, and organizes them into contextually-enriched cases, intelligently ordered by severity, priority, and field of ownership. It also orchestrates the analysis and remediation of security cases across multiple organizational functions, and tracks all security decisions in a single dynamic, hyperautomated framework.
The benefits of Torq Hyperautomation’s Case Management approach are significant. By hyperautomating security signal detection, it reduces noise and manual investigations by up to 70%. Its flexible framework also streamlines decision-making and automatically enriches data, cutting through the noise and separating minor, easily-remedied incidents from significant, and existential organizational threats.
Here are some of the key benefits and how they work to streamline your case management processes:
Automated Case Management
Torq empowers organizations with the power to hyperautomate common use cases with repeatable workflow processes that launch all the necessary steps, such as customizable decision trees that integrate human intervention. This includes scenarios such as escalation or case handoff. SOC Analysts can analyze and create workflows to efficiently process a case or issue.
By hyperautomating case management, security teams can streamline workflows and focus on high-priority threats. Torq empowers teams to automatically create, update, and manage cases in response to security alerts, ensuring they can quickly prioritize and respond. Analysts are freed from the mundane to concentrate on higher-level security activities.
Automatically Enriches Security Case Context
Torq’s Use Case management solution automatically transforms large numbers of events and signals into contextually-enriched cases. All cases are ordered by severity, priority, and ownership with the intelligent correlation of signals to open, update, enrich, or close cases, with human interaction being optional.
Accelerates Discovery and Remediation of Threats with AI
Torq’s unique ability to hyperautomate case management handling using AI that enriches the context of the situation, so you only need to involve humans when necessary, such as when a judgment call is required. For example, when an alert is automatically sorted by priority, intelligent analysis is performed to determine the next steps with our flexible event-driven workflows that connect any of your existing security tools to perform the required actions.
In this example, a suspicious file was detected on the endpoint, and the IT Analyst wanted to check if this particular threat was already known to be suspicious or malicious on VirusTotal.
Security Analyst executing an MD5 hash lookup that automatically kicks off a workflow without ever leaving the use case ticketing system
Utilizing the power of ChatGPT, the findings are condensed to two sentences that state that 56 of 71 AV engines detected the threat as malicious. Contrast that with the overly-verbose output that you would typically receive on VirusTotal. This saves tremendous time and summarizes the incident in a readily consumable human-readable format.
Summary of the workflow automation output automatically logged to the open ticket
Torq can then execute automatic remediation workflows to run a scan of the environment for persistence anywhere on the network, automatically clean the endpoint, or quarantine it for further analysis by a SOC Analyst.
Unified Case Management
SOC Analysts can access a unified view of each case and follow essential processes for handling and resolving cases. Torq’s intelligent case management empowers them to take action confidently, reducing the risk of human error. Handoffs between SOC Analysts occur seamlessly via hyperautomated processes, with all the relevant case details at hand.
Collaboration outside the security operations center is easily done within the platform, which is especially helpful in promoting cross-team collaboration with more complex incidents requiring multiple subject matter experts. Each external team can resolve security issues efficiently using their tools of choice, such as, but not limited to, Atlassian Jira, ServiceNow, Github, and more.
Cross-team collaboration with various subject matter experts engaged in a high-priority investigation.
Precision Accuracy and Actionable Outcomes
Torq Hyperautomation’s Case Management capabilities curate accurate and actionable data to identify service and security issues as they develop. Real-time analytics and long-term analysis help identify service trends and determine areas where SOC Analysts or other teams could benefit from improved efficiency as a result of introducing automated investigation and containment strategies and tools. Effective reporting is available to help monitor progress and track performance which helps SOC Analysts resolve cases more efficiently, leading to better outcomes.Want to learn more about how Torq Hyperautomation Case Management can dramatically enhance your security workflows so you can stay ahead of emerging threats? Test drive Torq Hyperautomation, here: https://torq.io/demo/
