Customers Integrations Security Engineering Use Cases

How Next DLP Automates Data Breach Investigations with Torq Hyperautomation

By Torq
April 23, 2024
4 Minute Read

The following is adapted from a conversation between Torq and Robbie Jakob-Whitworth, Cybersecurity Solutions Architect at Next DLP. Next DLP is a leading provider of insider risk and data protection solutions. Read on to learn how Robbie has used Torq Hyperautomation to automate alerts and reduce alert fatigue within his organization.  

Introduction to Robbie and Next DLP

I’m Robbie Jakob-Whitworth, Solutions Architect with Next DLP. Next DLP is focused on reinventing data protection, DLP, and insider risk. So, I spend a lot of time working with customers and enterprises focusing on how we can protect the data in their organization, how we can prevent a data leak or data breach, and also how we can manage the insider risk. 

So a key thing that I work on with a lot of customers is alerts, detections and incidents from a data protection perspective as well as an insider risk perspective. And alert fatigue is something that is a very real problem for security analysts. They spend a lot of time looking through alerts. 

Next DLP provides a fantastic platform to get an overview and take control of risky behavior taken by users. For example, the sharing of sensitive data, or accessing data that is controlled by regulation or compliance. But going through all of these alerts and all of these incidents can be quite a time thing sometimes for an analyst. So in that theme of alert fatigue, I was able to use Torq to build a workflow to notify me separately via Slack about the most serious data breaches.

Combatting Alert Fatigue with Hyperautomation

So in the example that I’m going to show you here, we can actually reduce alert fatigue by using Torq to just alert us about the most high severity alerts. So using Next DLP, I built out a web hook integration directly into Torq and streamed detection information for Torq where the data is Personal Identifiable Information (PII).

I’m only going to focus on the most high risk users, and I only want events that are a score of at least 80. So, particularly high severity alerts. Now, when a policy violation or incident occurs that meets these thresholds, a workflow in Torq is triggered and I get notified in real time through Slack or on my phone.

Then, I can launch an investigation in real time. So I can go and spend my time on other things that are more important to me than looking through logs. I’m saving a lot of time by getting these alerts through Torq.

A Real-World Example

Consider this – from a data protection perspective, I might have data in my organization, maybe personal information, social security numbers, or customer information that needs to be protected. And in this case, if I’m a user and I’m sharing this data through a site like WeTransfer, either maliciously or accidentally, Next DLP can provide real-time data protection by enforcing IT and corporate policy, preventing the taking of sensitive data. 

So in this case, we caught the fact that this file contains this sensitive information – email addresses and social security numbers – and that it was leaked out through WeTransfer. Next DLP protected and blocked that activity.

Now as a SOC or security analyst, I don’t need to sit in the Next DLP platform and look through every single alert. With this automation, Torq notifies me with all of the information around the incident: which user violated the policy, what the policy was, that it contains social security numbers, how the data was being exfiltrated, in this case to WeTransfer. I get a link to view the file and the forensic evidence, along with a screenshot of the user’s desktop at that moment in time. So I’m able to launch an investigation to dive down deeper into the context of this user’s activity. 

The Power of Torq Hyperautomation

Traditionally, for an analyst or in a SOC, you spend all your time kind of combing through logs and alerts. You have a lot of false positives to deal with. And all the information is presented to you within a powerful UI of most products. But, you have to spend a lot of time going through each alert.

It was super simple to build this automation because I’m combining the powerful open API provided by Next DLP with the really helpful no code workflow UI provided by Torq. Plugging those two together is the best of both worlds. It’s really a fantastic way to orchestrate and connect different systems together and to save me time by automating those manual tasks.

Want to learn more about Torq Hyperautomation? Get a demo.

Share

Related Articles

Hyperautomation

Stop SOAR From Killing Your SOC Budget With Hyperautomation

By Torq
April 17, 2024
6 Minute Read

Cyberthreats are escalating and SOC budgets are tightening. It’s a recipe for disaster, that is, unless you take advantage of new technologies that keep both in check. The fact is, businesses are now spending nearly a third of their cybersecurity budget towards running an in-house SOC, averaging out to $2.86 million per year, according to Ponemon. 

Historically, security teams anchored their SOCs with SOAR. In the distant, fading past, this was intended to improve efficiency and drive standardization across incident response activities. SOARs promised to enable organizations to integrate security solutions within the SOC technology stack, filter and prioritize incident data, and automate processes to improve remediation speed. However, reality quickly set in, and SOC teams experienced disconnected and reactive defenses, narrow visibility and event processing capabilities, and limited inflexible integrations that were putting the organization in danger.

Beyond the technical limitations, organizations found that the myriad of hidden costs associated with running SOAR negatively impacted the investment already made in three key areas of the SOC: People, Time, and Technology.

People

When the SOC receives an alert, three levels of analysts typically work together to cover the entire threat lifecycle. Entry level analysts handle the initial triaging and filtering of alerts, escalating legitimate threats to Tier-2/3 analysts for more advanced investigations, and eventual remediation. However, the need for continuous monitoring, troubleshooting, and maintenance of SOAR solutions creates a bottleneck, slowing down the incident response process at every level. According to ESG, 92% of security professionals agree that leveraging a SOAR effectively demands intensive programming/scripting skills, meaning organizations often find themselves allocating one, if not more, FTEs strictly to SOAR management. 

Depending on the size and maturity of the organization, staffing an efficient 24/7 SOC may require between 5-10 analysts, with the average entry-level analyst salary hovering around $90,000 annually. The challenge is, the cyber security space is already dealing with a 4 million global shortage of security staff, and Tier-1 analyst roles are so tedious and demanding that employees don’t stay in these positions long due to high stress, and eventual burnout.  This shortage has made finding highly skilled and experienced analysts much more difficult, increasing the competitive salaries organizations must offer throughout the recruitment process. 

Time

Whether it’s cost associated with increasing staff or labor hours due to overwhelming amounts of disconnected SOAR alerts, the impact of organization downtime when a legitimate threat is missed, or even regulatory compliance fines and reputational damages that are incurred in post-breach recovery. According to IBM’s Cost of a Data Breach Report (2023), the global average cost of a data breach has risen by 15% over the past 3 years, reaching an astronomical $4.45 million dollars

Improving SOC speed to combat the potential impact of downtime is a key investment area for most organizations, and an area in which SOAR has drastically failed. SOAR’s poorly-scalable architecture and integration rigidity makes the initial implementation and configuration slow, tedious and time-consuming. Once implemented, CISOs and Directors of Cybersecurity commonly report on the mean time to respond (MTTR) to an incident when measuring the efficiency of the SOC. Ironically, the amount of time spent manually triaging, correlating and escalating massive amounts of alerts within a SOAR is often the major contributing factor leading to analyst burnout, and almost 40% of cybersecurity professionals say that their average MTTR is still “months or even years”

Technology 

To help reduce MTTR, especially in this intensely-competitive era of hiring experienced SOC analysts, organizations invest more heavily in technology to arm their security operations center. In 2024, approximately 70% of IT leaders expect to increase their cybersecurity budget, with almost half of that budget being allocated towards the cloud security and incident response solutions that are pertinent to day-to-day SOC responsibilities. Despite significant investments in cybersecurity tooling to increase SOC productivity, many organizations experience the opposite effect. 

Security teams are overloaded, trying to protect legacy systems, hybrid infrastructures, and emerging technologies with siloed security solutions that do not have pre-built SOAR integrations allowing them to work in harmony with each other, or third-party threat intelligence feeds. The overabundance of security tools meant to safeguard an organization, ends up contributing to operational deficiency known as stack sprawl, where a lack of integration, limited connectivity, and an overwhelming amount of disconnected event data actually decreases SOC productivity. Even building basic SOC automation playbooks and setting up integrations with existing security solutions can often require custom development or lengthy professional services offered by the SOAR vendor, delaying productivity and decreasing ROI.

Maximize ROI with SOC Hyperautomation

Before signing on the dotted line, organizations need to be aware of the budget-busters of SOAR and other legacy SOC solutions that erode their value, lengthen their ROI, and make them downright expensive. Today, building an efficient SOC and maximizing not only the investment made in SOC solutions, but also the resource investment in people and time, requires Hyperautomation

SOC teams leveraging Torq Hyperautomation easily integrate any security solution, and build effective automations using AI-prompts or no-code, low-code, and full-code support. Purpose-built AI capabilities that leverage LLMs to understand natural language uplevel Tier-1 analysts to perform Tier-3 tasks at machine speed, without the typical learning curve or need for professional services. By applying automation not only to security solutions, but to repetitive investigation, organization, and escalation tasks as well, Hyperautomation not only reduces the workload of SOC analysts, but enables them to act faster on critical incidents with intelligent, dynamic prioritization. Finally, a secure and extensible, cloud-native, zero-trust architecture eliminates scaling or performance ceilings, while maintaining compliance regardless of which best-of-breed solutions or enterprise architecture the organization is working with.

When building out a SOC, the best way to maximize an organization’s ROI is to protect the three key areas of investment; People, Time, and Technology. Torq Hyperautomation not only protects that investment, but enhances the SOC by automating processes at scale, with ease and efficiency – effectively solving the challenges outlined above, and removing the hidden costs associated with SOAR solutions. 

Learn more about how Torq Hyperautomation protects your SOC investment, and download our spotlight report “SOAR is Dead: A Manifesto”. And to see Torq in action, schedule a demo.

Share

Related Articles

Hyperautomation

No More SuckOps: How Hyperautomation is Transforming SOC Analysts’ Lives Forever

By Torq
April 15, 2024
2 Minute Read

Today’s SOC analysts are drowning in myriad notifications. They’re trying to parse what’s real, what matters, and what’s a genuine threat to the organization. This exhausting daily routine is significantly contributing to job dissatisfaction and the high turnover rate in SecOps teams. But there’s a major new innovation that solves it: AI-driven hyperautomation. This modern SecOps approach is enabling a key shift away from code reliance and it’s transforming analysts’ roles forever.

SecOps Is No Longer Just For Code Warriors

During the legacy SOAR era, SecOps was largely exclusively the realm of expert coders. Analysts needed months of complex training and the ability to dig deep into myriad programming languages in order to assess and address threats. 

Together, hyperautomation and generative AI liberate analysts from these requirements. The combination delivers auto-calibrated workflows in real time that can predictively mitigate threats before they happen–and even more importantly–handle them as they occur in real time. No code needed. The hyperautomation platform does all the work. And if something exceeds a critical impact threshold, hyperautomation’s human-in-the-loop crosschecks ensure the analyst is informed before a remediation approach is executed.

Out-of-the-Box Automations Don’t Cut It Anymore

Given the fact we’re living in the most complex security threat landscape in history, legacy SOAR’s out-of-the-box automations are simply no longer effective. They’ve historically been valuable prior to the explosion of novel cyberthreats, but with attackers hitting enterprises with more and more unanticipated tactics and strategies, the automation response must keep pace. Generative AI delivers a machine speed defense unlike anything we’ve previously seen in cybersecurity.

AI-driven hyperautomation is transforming and democratizing the role of SecOps analysts, so they can do more, with less training. This is lowering the bar to entry in the field, while further empowering their capabilities. By embracing AI-driven hyperautomation, we’re not just optimizing processes; we’re reinvigorating our teams, allowing them to shift from constant firefighting to proactive threat hunting and analysis. 
Ready to empower your SOC analysts? Learn more at: https://torq.io/product/

Share

Related Articles

Hyperautomation Research

Enhancing Cyber Defenses: The Benefits of Hyperautomation in Cybersecurity

By Torq
April 11, 2024
4 Minute Read

Cyber threats are constantly evolving and becoming increasingly sophisticated, and organizations are continuously searching for ways to fortify their cybersecurity defenses. One approach that has gained significant traction is hyperautomation

Hyperautomation, which automates once-manual security workflows and processes, enhances cybersecurity posture, streamlines security operations, and effectively mitigates risks.

So, what are the benefits of hyperautomation in cybersecurity, and how does it improve security operations while reducing cyber risks?

The Benefits of Hyperautomation in Cybersecurity

Increased Efficiency

Hyperautomation increases efficiency in cybersecurity. It enables organizations to automate repetitive tasks, such as threat detection, incident response, and vulnerability management by automating these processes. This allows cybersecurity teams to focus their time and efforts on more strategic initiatives.

Faster Response

Hyperautomation empowers SecOps teams to respond to threats in real-time. AI-powered hyperautomation that uses large language models can analyze vast amounts of data at incredible speeds, allowing for faster identification and remediation of security incidents before they have a chance to escalate into larger breaches.

Proactive Threat Detection

Hyperautomation uses AI in security to detect and analyze patterns indicative of potential cyber threats. By continuously monitoring network traffic, user behavior, and system logs, organizations can proactively identify and stop attacks before they have the chance to cause significant damage.

Seamless Integration

Hyperautomation integrates seamlessly with the vast majority of existing cybersecurity tools and technologies, which enhances their capabilities and provides a more unified approach to security management. This extensibility and interoperability ensures organizations can leverage their existing investments while maximizing the effectiveness of their cybersecurity defenses.

Scalability

As organizations grow and evolve, so do their cybersecurity needs. Hyperautomation delivers scalability by adapting to changing requirements and increasing workloads. Whether it’s securing new endpoints, expanding into cloud and hybrid environments, or integrating with emerging technologies, hyperautomation offers the flexibility to scale security operations accordingly.

How Does Hyperautomation Improve Security Operations?

AI-driven hyperautomation greatly improves security operations by streamlining workflows, accelerating response times, and enhancing decision-making processes. With hyperautomation you can achieve a 10X or more operational and productivity boost within weeks of deployment. Autonomously detecting, triaging, investigating, and remediating security threats introduces new efficiencies in cybersecurity without the need for human intervention. This dramatically filters out the noise of thousands of daily security alerts and only presents the most critical as needing attention, which greatly accelerates the mean-time-to-resolve genuine security. By leveraging AI and automation, organizations can:

  • Automate routine tasks: Hyperautomation automates repetitive tasks, such as log analysis, malware detection, and patch management, freeing up security teams to focus on more complex and strategic initiatives.
  • Enhance threat intelligence: AI algorithms analyze vast amounts of data to identify patterns and anomalies that indicate  a potential cyber threat. This enables organizations to stay ahead of emerging threats and proactively defend against potential attacks.
  • Improve incident response: Hyperautomation enables faster incident detection, analysis, and remediation. By automating incident response workflows, organizations minimize threat exposure and can more quickly mitigate the impact of security incidents.
  • Optimize resource allocation: AI-driven insights provide security teams with actionable intelligence, enabling them to prioritize tasks based on risk severity and potential impact. This eliminates the need to respond to low-priority alerts and tasks, and ensures resources are allocated efficiently to address the most critical security issues.

Can Hyperautomation Reduce Cybersecurity Risks?

Because hyperautomation gives security teams the ability to automate threat detection and response, reducing cyber risks is one of the main reasons organizations deploy it. Add to the mix AI cybersecurity advantages of being able to analyze massive amounts of data in real-time to identify indicators of potential security threats and security risk is further reduced. 

Ultimately, hyperautomation allows security teams to detect security threats faster and respond more quickly and more effectively, minimizing their impact and reducing cyber risks by.

  • Minimizing human error: By automating routine tasks and standardizing security processes, hyperautomation reduces the likelihood of human error, which is a common cause of security breaches.
  • Enabling proactive threat hunting: AI-powered analytics enable organizations to proactively hunt for threats across their infrastructure, identifying and neutralizing potential risks before they can be exploited.
  • Improving compliance posture: Hyperautomation ensures consistent enforcement of security policies and regulatory requirements, reducing the risk of non-compliance and potential penalties.

Hyperautomation offers myriad benefits, including increased efficiency in cybersecurity, faster response, proactive threat detection, seamless integration, and scalability. By leveraging AI and automation, organizations can enhance their security operations, reduce cyber risks, and strengthen their defenses against today’s evolving security threats.

To see the benefits of hyperautomation in action, schedule a Torq demo

Share

Related Articles

Customers Research

Torq Talks to Tyler Young, CISO at BigID

By Torq
April 8, 2024
5 Minute Read

The following is adapted from a conversation between Torq and Tyler Young, CISO at BigID. BigID produces software for data security, compliance, privacy, and governance. Read on to learn about how Torq Hyperautomation has helped BigID unlock new levels of efficiency and productivity by relieving their team of rudimentary tasks.

Introduction to Tyler and BigID

I’m Tyler Young, Chief Information Security Officer at BigID. I’ve been at BigID for two years, and I was brought in to take the company’s product security program to the next level. Prior to BigID, I was at Relativity for almost four and a half years where I was responsible for building out and scaling the security program. Prior to Relativity, I was at Zurich Insurance. Before that, I worked with some consulting firms and the US Government. I’ve had experience with multiple sectors am now focused in hypergrowth tech.

BigID’s Automation Journey

BigID’s automation journey consists of two different parts. First, we needed to bring in the right technologies that fed the right telemetry to our security engineering teams. Second, we wanted to save time by not building out an elaborate SOC. We talk all the time as an industry about burnout and talent shortage. Security teams want to build, they want to solve critical problems, they don’t want to be looking at alerts all day or wasting time on repetitive tasks that can be automated. That’s why we invested in Torq. We leverage Torq for the phishing aspects of what BigID is doing, as well as our level one and level two tasks. We built our automation strategy from scratch leveraging Torq.

Security teams want to build, they want to solve critical problems, they don’t want to be looking at alerts all day or wasting time on repetitive tasks that can be automated. That’s why we invested in Torq.

Tyler Young, CISO at BigID

Life Before Torq Hyperautomation

We had Torq Hyperautomation within my first five months of being at BigID, but in my last role, we used a SOAR platform. It took an entire team to operate and to manage it. I’m talking like six or seven people writing automation framework playbooks and writing threat detections in the platform. Instead of spending over a million dollars on the program, we could have been using those resources to build homegrown security solutions or leveraging open source that we could then offset some other security costs. I think a lot of places are leveraging these really robust SOAR capabilities, but they require a significant head count, a lot of funding and top-notch talent to write code, almost at the same level as some developers are writing.

Comparing Torq Hyperautomation to Traditional SOAR Offerings

Torq Hyperautomation’s click and drag capability and ability to integrate with companies like SentinelOne or Crowdstrike, combined with not having to write API connections and build connectors for all these different aspects make the program different from Legacy SOAR. Being able to just click and drag makes our job so much easier. I can do the same thing with one or two security engineers that we could do with ten when they’re having to write these things manually.

Benefits BigID Has Experienced with Torq Hyperautomation

Maybe this is the unconventional aspect of this, but I think the biggest benefit we’ve seen is our security engineers don’t have to focus on remedial workflows that they can build themselves in a playbook, which allows them to focus on more meaningful work. I’m a big believer in building security solutions, and leverage things off the shelf when possible. Torq allows our team to take the rudimentary tasks and automate them so that they can spend more of their time building. 

Advice to CISO’s Considering Torq Hyperautomation

I think it’s important to do a cost benefit analysis of how much time and money you spend today on your current SOAR offering. It’s also important to gauge your employees’ happiness and satisfaction with their responsibilities. There’s already a talent shortage. Ask yourself, is my team bought into what they’re doing? If not, leverage something like Torq Hyperautomation to automate those repetitive tasks so your team is focusing on more meaningful work. 

On the Future of AI and Security 

I think there’s a place and time where all the alerts, all the telemetry is going to some type of autonomous agent that’s leveraging AI in some capacity. In the future we’ll be able to understand the attacks that are happening in real time, something that’s lacking today with AI. If you have threat detections that are happening and updating in real time, then you have the ability to block and respond to those in real time. In a perfect world, I see AI enabling security teams to be focused on building solutions that are more custom tailored to your needs. 

Want to learn more about Torq Hyperautomation? Get a demo.

Share

Related Articles

Integrations Use Cases

Detect and Respond to Threats Faster with Torq and Anvilogic

By Torq
April 1, 2024
3 Minute Read

Is SIEM lock-in preventing the transformational impact of Torq Hyperautomation? Due to cost and scale challenges, endpoint activity, cloud telemetry, and network flows are often missing from detection and security automation. For security teams that keep these and other large datasets outside their SIEM, Anvilogic has teamed up with Torq to take SOC automation to the next level.

Integrating Torq and Anvilogic gives security operations teams a new way to detect threats across data platforms like Splunk, Snowflake, and Azure Sentinel- and then quickly handle those detections with interactive remediation workflows. Sound complicated? Let’s walk through an example of how Torq and Anvilogic make it easy.

Detection Scenarios Across Your SIEM and Data Lake

Traditionally, critical data sets such as Active Directory and endpoint activity logs are a SIEM blind spot. Anvilogic’s support for cost-effective data lake alternatives means these high-volume security feeds can be used for detection rules and correlated scenarios. 

For example, the FIN6 cybercrime group targets the retail and hospitality sectors to steal payment card data using Active Directory (AD) attack techniques. While these may often seem benign, one of Anvilogic’s thousands of curated detection scenarios correlates FIN6-associated AD activity and what the threat group later does on victim endpoint hosts. The combination of these data points, which are often not available in a traditional SIEM, serves as a high-confidence indication that an attack is in progress.

Slashing the Mean Time to Respond

With the new integration between Anvilogic and Torq, the alert for possible FIN6 activity can quickly turn into mitigation, reducing the risk of payment card data theft. The Torq Hyperautomation platform receives a detailed alert from Anvilogic, with information about the users involved and potential indicators of compromise (IOCs). In parallel, the affected user receives a Slack message to determine if they’re aware of the suspicious activity, while the IOCs are extracted for investigation. All of this happens without analyst involvement.

If the user is not aware of the activity, their response, as well as the extracted IOCs, are funneled into the case management system, where the SOC can see why Anvilogic triggered the alert together with the context that’s been automatically gathered. The team can then isolate the system and take any additional steps needed to eliminate the threat from the environment. 

Fewer Silos, Better Fidelity: Keys to Effective Automation

We’ve shown how a security operations team can keep an initial network compromise from becoming a full-blown breach. To do this, the team needed to correlate high-volume datasets often unavailable to detection engineers. Anvilogic breaks SIEM lock-in so the SOC can put these large-scale security sources to work. In addition to supporting multiple data platforms, Anvilogic provides thousands of multi-stage detection scenarios off the shelf. This cuts the alert noise that can keep security teams from adopting hyperautomation across more of their processes. 

For Torq customers, fewer data silos and better alert fidelity translate to more value from their existing investments. Doing more with less is a common demand in the current climate. We’ve only shown one example of the many opportunities to tackle threats like ransomware, cryptomining, and data theft across clouds, networks, and endpoints. Reach out to learn more about the exciting combination of multi-data platform SIEM and hyperautomation.

Share

Related Articles

Hyperautomation Research

Implementing Hyperautomation: A Blueprint for Security Managers and SecOps Teams

By Torq
March 26, 2024
2 Minute Read

One of the key questions we get is “how do I get started with hyperautomation?” It can seem slightly overwhelming if you haven’t automated in the past, or you’re used to attempting to automate using legacy SOAR solutions. 

If you’re wondering where to get started with hyperautomation, look no further. We caught up with Security Automation Leader Filip Stojkovski, who put together a handy blueprint on how and where to start your journey to hyperautomation. It’s a step-by-step roadmap for Security Managers and SecOps teams looking to build an effective and mature hyperautomation program. 

1.  Decide what to automate: The first step is to dive into stakeholder needs, picking the right integrations, determining the areas that will benefit the most, and selecting the appropriate platform.

2. Determine the feasibility of automation: This is where organizations set expectations that align with a company’s rules and set a realistic timeline for when you’ll see a return on investment. 

3. Use hyperautomation: Automation has evolved from legacy SOAR platforms to hyperautomation. “It’s better. It’s faster,” Stojkovski says. Hyperautomation was designed with AI and machine learning in mind and is more flexible than its legacy SOAR predecessors. 

4. Implement automations: Determine who is implementing the automations. Is it the SecOps team? Is it specialized engineers? The right resource allocation can make a world of difference when implementing hyperautomation. 

5. Infrastructure and processes: Align with your organization’s goals and understand your infrastructure and processes. Set up test and production environments and document all processes to streamline hyperautomation. 

6. Develop use cases: Prioritize the processes that are most frequently used throughout the organization and focus on them. This will free up time and help an organization make the leap from reactive to proactive. 

7. Measure the impact: Determine what you should measure and then what metrics signify success. Is it reducing time to detect or respond to threats? FTE saved or added? Proactive threat mitigation? ROI? Understanding what signifies success up front will help ensure you’re measuring the right things.

We’d love to thank Filip for taking the time to chat with us and for sharing his blueprint for effective security automation. Be sure to watch the full video to learn more. 

Want to see the Torq Hyperautomation platform in action? Request a demo.

Share

Related Articles

AI Research

Beyond the Hype: How Torq’s AI-Driven Innovations Are Transforming Security Automation

By Leonid Belkind, Co-Founder and CTO
March 14, 2024
8 Minute Read
Making a real difference for our users with Generative AI
Making a real difference for our users with Generative AI

Making a real difference for our users with Generative AI

It has been over a year and a half since the latest generative AI revolution descended upon the world. All IT markets have seen a wave of both new AI products, as well as AI-driven capabilities in existing products being introduced with a breakneck pace. While most of them clearly perform things that, until recently, could have been described as “pure magic” even by the most cynical audiences, many questions can be raised regarding these capabilities being truly directed at transforming the customer experiences and outcomes vs. just being “mega cool.”

What’s wrong with “tech first”

Let’s take one step back. Allow me to introduce myself: I am a proud serial entrepreneur, having successfully established and grown two companies (one of which was acquired by a major player in the enterprise cybersecurity market). 

When learning “entrepreneurship 101” – not a formal discipline, of course, but rather a collective experience of a community of entrepreneurs – I was told that establishing a cool (or even a unique) technical capability and then searching for a problem to apply it to is not a great idea. In the entrepreneurial world this is referred to as the “tech first” approach to establishing a product or a company, and it has been proven inferior to a “problem first” approach, where one identifies a problem and then considers various alternatives on how to solve it. 

The collective experience of the past 2-3 decades has clearly shown that “problem first” products and companies have greater chances of generating long-lasting outcomes for their customers, and, therefore, have greater chances of establishing significant growing businesses. Tech first, on the other hand, might find a lot of support among the “romantics” of the technology, who enjoy technical capabilities because of what they can deliver, but might find it difficult to drive significant impactful outcomes.

Should we wait for a problem to present itself?

Does the above mean that every time a new technological barrier is being broken (just like it happened with the recent advancements in generative AI) we need to wait for the problems to present themselves and only then try to apply the new technology? 

Of course not. The problems exist everywhere in the world and in different markets today. It is only a matter of picking the right (worthy of solving) problem and researching whether it can be solved to a better extent with the new technology (in comparison to existing solutions).

When deciding on a problem to pick, therefore, it is important to understand the components of it, and not just the general “headline,” such as:

  • Who are the target audiences, i.e., the people or organizations having the problem? What are the unique characteristics of those who have it vs. those who don’t?
  • How severe is the problem? How critical will solving the problem be for the target audience?
  • What do these audiences do today? Do they have alternative solutions? How will our solution be better?

Finally, specifically when applying generative AI to certain problems, one of the most important questions to ask is: what would be the role of AI in the solution? Answering this question correctly is critical not only for creating the capability, but also for its future defensibility vs. the competition.

The role of AI in the solution

So what role does an AI play in the overall solution? Is there a real value in the integration of generative AI into the product environment, or is it just a “thin layer of glue” connecting mostly “off the shelf” Large Language Model (LLM) to the existing product “just for the cool effect?”

In my humble opinion, there is a huge difference between just bringing “some” AI capabilities into the UI of an existing product by integrating with one of the available off-the-shelf generative AI services and truly extending the unique technology in one’s product with AI

Does the AI-driven capability rely on some rich, unique, or powerful technology that exists in the product, or does it simply come “on its own” without deep ties to the underlying tech? Does the capability perform additional functions on top of or integrated with “sending information to an AI and receiving the response” or is it mainly about interfacing with AI? 

The answers to the above questions distinguish between an impactful and defensible technology and a cool thin layer of “AI”.

Case in Point: AI-driven automation workflow generation

During the past year Torq has released 5 different AI-powered capabilities inside the product: 

  • Automatic generation of advanced data transformation and cloud platform management actions (in Torq workflows)
  • Automatic generation of a documentation for complex automated processes to improve team collaboration
  • Generation of workflow structure and data flow based on natural language description of the use-case
  • Natural-language agent for security Case Management (a.k.a. Torq Socrates)
  • Automatic summary for complex security cases to improve SOC analysts collaboration

As always, each of these has undergone a deep ideation process, involving not only our product leaders, but also our close partners, in order to ensure delivering important outcomes to our users. 

The basic capability allows the person wishing to build an automated workflow expressing their needs with a native language prompt. For example:  “For every threat coming from my EDR, enrich its data with my Threat Intelligence systems and if the risk score is greater than X, take actions A,B,C to contain the threat”. After receiving the goals in such form, the system would automatically generate a Torq workflow based on the provided specifications that is close to being deployed to production after a quick review cycle.

While the above is a correct answer to the question “what is it doing?” it cannot drive the development of the capability without the consideration of challenges and problems experienced by a certain audience. In our case, we decided to double-down on accessibility of security automation for audiences of different technical abilities. Furthermore, we studied the ramp-up process of thousands of users developing security automation with Torq today, identifying existing gaps and focusing on rectifying the situation. Specifically, we realized that, as Torq becomes more sophisticated and feature-rich as a platform for developing automations, the task of finding the right and the most efficient way to implement a certain process becomes more challenging.

  • The above has led us to a more focused definition of what we were looking for: a way to allow more people who are ramping up their security automation skills translate their ideas faster to fully-working and efficient automation workflows. Taking this challenge and breaking it down into components has clarified the main challenges that we needed to address.

Armed with the breakdown of required capabilities, we studied components that we already had in our product that should be leveraged to deliver the solution and identified gaps where AI could bring some critical game-changing value.

Thankfully, we had previously made a significant technological investment in the following:

  • Thousands of predefined “smart” actions that can be reused in different security processes
  • Carefully curated metadata explaining each such action in natural language, alongside possible usage variations and output examples
  • Reusable process templates that combine above mentioned actions into consistent processes driving to specific security outcomes
  • Unique extensibility architecture allowing flexible data retrieval and manipulation mechanisms, among other things

Building on top of the above technologies and leveraging generative AI for smart semantic analysis of natural language tasks, as well as for creating logical connections between consequent steps of automated processes has allowed us to deliver a uniquely powerful and flexible capability that stands out in terms of the value it provides. While the large language models we used for the task are trained on a generic set of data and can serve other solutions and not only Torq, the unique connective tissue are the data points and technologies mentioned above. These are the ones that ensure that the capabilities we deliver support the outstanding differentiation that Torq platform provides to its customers.

Summary

Having defined “product excellence” as a core value of our company, we are constantly on the lookout for innovation that can increase the outcomes we are delivering to our customers. Leveraging generative AI as a “tool” in our arsenal has allowed us to deliver multiple important innovations (and, BTW, if you are reading this blog, then stay tuned for more exciting things to come), but it is critical to view it as an important capability and continue building things targeted at solving user needs, rather than “trying to glue to AI into the product.”

P.S. This blog has been written entirely by human beings. No AI involved. Why? Not sure, but it felt like it would turn out more genuine this way.

Share

Related Articles

Integrations Use Cases

Streamlining Security with Notion, Torq, and Slack

By Torq
March 12, 2024
4 Minute Read
Streamlining Security with Notion, Torq, and Slack
Streamlining Security with Notion, Torq, and Slack

Security teams using legacy SOAR platforms often face struggles with scattered information, limited collaboration tools, and inflexible response playbooks. Managing knowledge, automating tasks, and communication can be complex and resource consuming. Let’s see how integrating Torq, Notion, and Slack address these challenges to improve and streamline security processes. 

Torq supports seamless integration with any third-party tool, empowering organizations to build and deploy complex workflows in minutes. Notion’s focus on flexibility and customization, with key productivity capabilities helps to unify efficiency across organizations. 

In this blog, we’ll discuss several key use cases that demonstrate how the combined strengths of Notion, Torq, and Slack, create a more streamlined and efficient security framework. 

Threat Intelligence Sharing Made Easy

Notion serves as the central repository, organizing threat intelligence from a wide variety of sources to storing threat reports, vulnerability information, and attack indicators (IOCs). Torq automatically aggregates data from a multitude of sources, populating Notion databases with relevant information, ensuring that teams have access to current threat data without manual intervention or searching in multiple resources. 

Now that the data and the relevant threat intel are updated in Notion via the Torq automation, it’s time to incorporate real-time communication and alerts via Slack. Creating a dedicated channel specifically for sharing critical threat intelligence updates related to your organization allows for immediate collaboration: team members can discuss findings, track emerging threats, coordinate responses efficiently, or launch additional predefined automation to investigate or escalate. Leveraging this use case in your security workflow delivers a multitude of advantages, such as receiving automated updates from Torq into the Notion hub and real-time notifications in Slack ensure everyone has immediate access to the latest threat intelligence.

Automate Security Awareness Training 

Effective security awareness training is the bedrock of any organization’s cybersecurity posture. However, traditional training methods often fail to engage employees, leaving them unprepared to combat modern cyber threats. This is where the powerful trio of Notion, Torq, and Slack comes in, revitalizing stale training programs for today’s fast-paced environment. Notion acts as a single, accessible repository to house engaging security awareness content. This includes a variety of assets such as articles, videos, and interactive quizzes, keeping learning dynamic and interesting.

Gone are the days of manual reminders and missed deadlines. Torq automates tasks such as training reminders, progress updates, and due dates for both employees and managers. This ensures everyone stays on track to complete training requirements in a timely manner, meeting compliance needs.  A dedicated security awareness training channel in Slack fosters a dynamic and quick learning environment. Employees can ask questions during training, share best practices and key takeaways, and navigate real-time use cases collaboratively.  By integrating Notion, Torq, and Slack, organizations can create a modern security awareness program that keeps employees informed, engaged, and prepared to combat ever-evolving cyber threats. This, in turn, leads to a more secure and resilient organization.

Security Policy Management

Keeping security policies accessible and up to date can be a constant struggle for fast-moving teams. Notion eliminates this hassle and helps organizations by providing a centralized location to maintain and revise your policies. This ensures that the latest information pertaining to critical security policies is updated, and also helps to encourage employees to be more self service oriented when reviewing compliance information. Please note, that while automation streamlines access, individual user permissions within the tools may affect immediate visibility.

Torq, your reliable task automation companion, takes care of the heavy lifting when it comes to security policy management. Torq automatically sends out policy updates and reminders to employees, ensuring entire organizations stay both informed and compliant. It is important to note that effective security practices go beyond the standard policy documents. This is where Slack delivers additional value, bridging the gap by facilitating open discussions and Q&A sessions around new or updated policies in relevant channels (in real time)! 

By harnessing the combined power of Notion, Torq, and Slack, teams improve current workflows to create a streamlined and efficient security framework. This empowers your team to stay informed and proactive, while simultaneously curating a collaborative and communicative environment – two fundamentals pillars of a proactive and robust cybersecurity culture.

See the power of Torq’s integrations – get a demo.

Share

Related Articles

AI Autonomous SOC Hyperautomation

How to Build Security Workflows with AI Workflow Platforms

By Torq
February 15, 2024
3 Minute Read
Learn more about Torq AI workflow builder.

Contents

In today’s fast-moving threat landscape, Hyperautomation is essential. But building workflows from scratch? That’s time you don’t have. That’s why we started with a library of pre-built templates, helping teams quickly configure security automation workflows. Templates made automation more accessible. Now, we’re taking the next step in that evolution and introducing Torq’s AI Workflow Builder.

By harnessing the power of AI, we’re going beyond templates. Now, in addition to the library of pre-built workflows, you can simply describe what you need, and Torq will generate a workflow tailored for you in seconds. No code, no limits — just fast, flexible automation that meets your unique security requirements.

How AI-Powered Workflows Will Change The Industry

The days of spending hours manually building workflow from scratch are over. Security teams need agility, but building automation workflows step-by-step slows you down. Templates provide a fast way to get started by selecting from pre-configured workflows. However, we recognize that templates have limitations and can sometimes call for resources the team doesn’t have. They require adaptation and configuration and sometimes fail to fully capture the specific needs of each security team.

You already know the events and actions for your team —  let AI Workflow Builder take care of the rest. AI Workflow Builder is a natural language agent that leverages Torq’s 4,000+ out-of-the-box actions and 300+ integrations and enables you to implement faster than ever before. Allowing you to focus on the bigger picture: securing your organization.

With AI Workflow Builder, simply:

  1. Describe your workflow: Provide bullet points describing your desired actions.
  2. Get instant results: Torq’s AI instantly generates a workflow preview tailored to your needs.
  3. Customize with ease: You remain in full control, with the flexibility to adjust, fine-tune, and add configurations as needed.


As Gartner highlighted in their 2024 Hype Cycle, the industry has evolved beyond traditional SOAR platforms. As the autonomous SOC emerges, Torq is setting a new standard with Hyperautomation — one that prioritizes speed, efficiency, and security.

Detecting Instant IP Threats With AI Builder

As an example, you might need to check an IP address or a range of IP addresses using VirusTotal and take action if they’re flagged. Simply prompt the AI Workflow Builder with natural language to describe what you need:

“Check IP address 8.8.8.8 with VirusTotal, and if it’s flagged as malicious more than 3 times then do the following:

  1. Create a Torq case with High severity 
  2. Send a notification to #alerts in Slack.”

Seconds later, Torq’s AI Workflow Builder generates a fully functioning workflow ready for review. You can tweak anything — from setting custom thresholds to fine-tuning case details and personalizing Slack alerts. AI handles the grunt work, but you stay in control.

Get Started with AI Workflow Builder

Whether you’re a beginner or an automation expert, Torq’s AI Workflow Builder simplifies creating powerful, secure workflows. With 4,000+ out-of-the-box actions, 300+ integrations, and 325+ million workflows executed annually, Torq has the speed, flexibility, and scale to meet modern security needs.

Schedule a demo today and discover how powerful and easy Hyperautomation can be with Torq.

Share

Related Articles

See Torq in Action

Get a demo to see how Torq helps you harness AI in the SOC to detect, prioritize, and respond to threats faster.

Is your security team ready to automate more, faster?