The following was adapted from a conversation between Torq and Mike Britton, CISO at Abnormal Security. Abnormal Security is a cloud email security provider, and an esteemed customer of Torq. Read on to learn how hyperautomation has helped the Abnormal Security SecOps team scale and grow:
Introduction to Mike and Abnormal Security I’m Mike Britton. I’m the Chief Information Security Officer for Abnormal Security. What I do is I run our security, our IT, and our privacy program here at Abnormal. Prior to Abnormal, I was an early customer of Abnormal’s when I was the CISO for a company called Alliance Data. I have 27 years of security experience. Abnormal is a very fast growing cloud email security company. We plug in through the APIs for Google and Microsoft and protect our customers from advanced phishing and BEC type email attacks.
Life for the Abnormal SecOps Team Before Implementing Torq In my nearly three years here, we’ve done a tremendous amount of growing. I was employee number one from a security perspective. So it was important to hire the right people, but also be able to put tools in place that allowed me to scale and grow. We’ve probably grown 6X from an employee perspective and probably about that much from an infrastructure and product perspective as well. I don’t have the luxury of hiring an army of people – so leveraging solutions like Torq enabled me to grow and scale the business and keep up with where we’re going as a company.
I don’t have the luxury of hiring an army of people – so leveraging solutions like Torq enabled me to grow and scale the business and keep up with where we’re going as a company.
Mike Britton, Chief Information Security Officer for Abnormal Security
Comparing Hyperautomation to Legacy SOAR A lot of SOAR is really more tightly tied into maybe your endpoint detection or maybe your SIEM.Whereas [with] Torq, the sky’s the limit as far as what I want to automate and how I want to really make more efficiency and productivity in other tasks that my team does.
Hyperautomating Endpoint Security Audits We have a lot of different endpoint solutions. We have a lot of different tools and things like that. And we’ve decided not necessarily go down into the full CMDB aspect of trying to use a tool to keep track of what agents are working. So we leveraged Torq to really go through our primary tool set, make sure everything has the necessary agents and security tools on it. And anytime there’s a missing tool or tools not performing correctly, Torq cuts a ticket back to my team so we can get on it quickly and figure out why.
How Torq Hyperautomation Enables Just-in-Time Access The other big use case is we have a couple of applications that we want to enable just-in-time access on instead of letting users keep access 24/7. We’ve been able to plug that into Slack where an employee or user needs to get access to something. They can type a quick Slack message. It kicks back a ticket form. They fill it out. They ask for how long they need the access for and Torq does all the work behind the scenes to grant access, to revoke access and close out the ticket.
The Benefits and ROI of Hyperautomation It’s freed up some of my IT team members from having to do manual tasks, like add people to groups and provision access.And then not necessarily productivity, but risk reduction. It’s allowed me to basically keep access to just that time period that someone needs it instead of the exposure of someone keeping access permanently. Now they have to request it. I get good tracking on why they’re requesting it for that purpose. And then it goes away as soon as that time period is over.
Why Other CISOs Should Consider Hyperautomating Their SecOps Teams We’re all in this situation where we always are pushed from our boards and our leadership to do more with less. One of the things I really like about the Torq team is they love to create new integrations. So if you come up with a SaaS or a tool or something that you want to get integrated into Torq, they’re phenomenal with turning that around quickly. Torq does a great job of helping you calculate that ROI as well. So not only can they help you automate it, but they can help you show that cost savings as well.
Step Builder: One Giant Leap for No-Code Capabilities
By Torq
January 29, 2024
3 Minute Read
No-code support should be just that – the ability to build automations without coding.
At Torq, we continually work to extend the out-of-the-box no-code automation features available in our platform. That’s just what we’re doing with Step Builder, a new no-code feature that is now in GA.
Step Builder gives Torq users the ability to quickly and easily create custom content without the need to code, making your options for integration limitless. We already offer several thousand pre-built steps from more than 250 vendors, and Step Builder infinitely expands your options with a way to create a new, custom step with no code required. When we say “limitless integrations” we mean it – you can use automation for whatever you want.
And Step Builder features a dynamic preview of the step you’re creating – so you can see how it will look as you build it. You can also do a test run directly from Step Builder without having to return to the workflow.
Step Builder introduces new simplicity and efficiency to Torq’s already expansive no-code user experience, going well beyond what’s offered through legacy SOAR. There’s no need to code at all to extend the system and you can virtually create new steps or modify existing ones.
It’s also functionality not offered by other no-code automation solutions. With Step Builder, you can create high-level no-code steps that you can use without the need to understand the underlying REST APIs or care about technicalities, while other no-code systems allow for the creation of custom REST API/Webhook call steps, but you still have to take care of the additional details.
Along with Step Builder, we’ve also released a new feature that gives automators of all skill levels the ability to bring scripting, querying, and coding capabilities into a no-code workflow by using Generative AI completion.
AI Completions for Advanced Steps is now available in the Workflow Designer. It simplifies and streamlines extensibility and the creation of advanced scenarios in Torq workflows. Specifically for cloud administrators using Torq in AWS, Azure, Google Cloud, and other platforms, this brings in a familiar language of capabilities available in the often very advanced CLI interfaces these platforms offer.
It’s simple to use: when you’re in the Workflow Designer, you can use the step name (description) as an input for Generative AI to generate that step’s advanced configuration and complete the step, whether that’s command arguments, scripts, queries, etc. Now in GA, the feature supports Python, Bash, PowerShell, JQ, RegEx, AWS CLI, Azure CLI, and GCP CLI.
This eliminates the need to bounce between tools and windows to build scripts – you can do it all from within Torq.
AI Completions for Advanced Steps is a win-win – giving less technical users in-context automation options, while giving more technical users who know what they want to achieve a more streamlined experience.
To see how Torq can improve your efficiency and productivity, request a demo.
Torq + Abnormal: Key Use Cases for More Secure Email
By Torq
January 24, 2024
3 Minute Read
At Torq, we like to say “if it talks, we can connect to it.” Our limitless integrations are what set us apart from the pack.
Our hyperautomation platform connects to any system seamlessly, no matter its complexity. It’s our open architecture that empowers this dramatic unification of your tech stack, and lets you maximize your security investment while enhancing efficiency and effectiveness of your security operations.
One of our key tech partners is Abnormal Security, the leader in email security. With Torq and Abnormal, you can orchestrate and automate response to email security events, analyze emails and their attachments, and automatically perform remediation actions.
Here’s a look at two use cases in which Torq and Abnormal combine powers:
Account Takeover
This use case is simple, but effective, and is designed to help you protect your organization in the event of an account takeover.
When Abnormal Security detects a compromised email account, Torq sends an alert to the chosen collaboration platform – Slack or Teams – to notify response teams and the user that their account is suspended. In some instances, Torq can also request clarification from the user regarding the alert. From there, the account can be suspended or locked in Okta or in Microsoft Entra ID.
This use case also gives the option to communicate with the user first to give them a heads up of the compromise and that their account will be locked or suspended. There is an option in the workflow to kill all of the users authorized sessions to the organization’s resources, as well.
This use case is designed specifically to ensure that a compromised account can’t cause more damage.
Without Torq, the time from detection to remediation would be longer, giving the bad actor more time to impersonate a valid authorized user. With Torq, the response is immediate.
Post-Breach Remediation
This use case solves an all too common problem: an email is classified as malicious after a user has already interacted with it.
It works like this: Torq fetches all of the pertinent details, such as the user affected, the device, and the geography.
If there was a malicious file in the email that was opened or downloaded, Torq triggers a scan in the EDR, determines if other users received or interacted with the email, and isolate and delete that file. From there, you can add the file hash to your EDR block list or, if it’s a link, you can search for communication to the bad actor and if it happened in other places in the organization. activities from the organization.
Those are just two ways Torq and Abnormal work together to automate and improve email security. If you’d like to see this integration in action, schedule a demo.
How To Automate Incident Response with SentinelOne and Torq
By Torq
January 18, 2024
3 Minute Read
One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.
In this post, we’ll talk about how the enterprise-grade Torq Hyperautomation platform integrates with SentinelOne to level up your organization’s SOC workflows with autonomous incident response.
Here are the top three Torq and SentinelOne automations:
Enrich SentinelOne Incidents With Threat Intelligence From Intezer
Essentially, this workflow allows you to poll incidents in SentinelOne, and for each unresolved threat, it provides threat enrichment from Intezer with an optional Live Agent Endpoint Scan.
First, it will poll for recent threats in SentinelOne that are not resolved on a scheduled interval – for example one day. Each unresolved incident file hash will be queried against Intezer and the results will be provided in the notes of the threat.
A SentinelOne deep visibility query will also run to gather how many other instances of this hash have been found in the environment.
If the results from Intezer indicate a malicious or suspicious result, the customer’s Slack channel will be asked if an Intezer Live Scan is desired. If the answer is yes, the workflow will execute a remote script to install the Live Scan agent, run the scan, and gather the results of the scan, placing the results into the Slack channel and SentinelOne notes on the threat.
Threat Hunt for a Specified SHA1 Signature (SentinelOne) and Search Within SentinelOne XDR Solution for the Malicious File(s)
Using this workflow, you can receive a file signature from Slack and hunt for the signature across EDR agents, notify the owners of the endpoint, and kick off a scan of the device.
Here’s how it works:
Receive a Slack command with platform and SHA1 hash
Add the hash to the blacklist for the platform if it does not exist
Initiate a Deep Visibility query to threat hunt for the signature
Go over the affected agents/hosts
Retrieve the information from either Jamf or Intune
If the owner is found in Slack, reach out to them directly, otherwise update the Slack channel
Scan the endpoint/host with a full disk scan
From there, you can search in SentinelOne’s XDR solution for the malicious files.
Enrich SentinelOne Findings With Threat Intelligence
This workflow retrieves the latest threats from SentinelOne on a schedule (say, every five minutes). And for each threat found, it retrieves the signatures of the files involved.
Then, for each file, it queries VirusTotal and Recorded Future for analysis then updates the notes on the threat in SentinelOne with the results.
You can also run a deep visibility query on SentinelOne for other results for the same file hash and add the deep visibility count to the notes for the threat in SentinelOne.
Those are just three of the myriad integrations Torq offers with SentinelOne for autonomous incident response. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.
Evade the SecOps Black Hole: A Five-Tier Approach to a Hyperautomated SOC
By Torq
January 11, 2024
5 Minute Read
There’s a term to describe what happens to something that gets sucked into a black hole: “spaghettification.” The gravitational pull of a black hole is so forceful, that it is believed to stretch and compress objects into long thin shapes resembling spaghetti.
SOC analysts spend their days trying to avoid being sucked into the black hole of overwhelming securityevents and alerts. They’re fighting to not be spaghettified.
Day in, day out, SecOps analysts face a staggering deluge of alerts. A recent Vectra AI study found that on average, SOC teams receive 4,448 alerts per day, and spend nearly three hours a day manually triaging them. Startlingly, that same study found that security analysts are unable to deal with 67% of the daily alerts they receive, with 83% reporting that alert alerts are usually false positives and not worth their time.
This overabundance of low-fidelity alerts and false positives clouds the judgment of security teams, and leads to alert fatigue. It’s also dangerous, in that it can distract from more impactful and important security operations, such as proactive threat hunting, strategy optimization, and addressing major vulnerabilities. According to IDC, 30% of alerts are ignored or not investigated due to alert fatigue.
Meanwhile, according to IDC, 83 percent of cybersecurity employees say they’re struggling to cope with the volume of alerts, while 30% of alerts are ignored or not investigated due to alert fatigue.
But all hope is not lost. Torq Hyperautomation provides the rocket fuel to help SOC analysts achieve escape velocity and evade the security events black hole. Through a hyperautomated SOC, a security operations center powered by hyperautomation through which the vast majority – 90% to 95% – of tickets, alerts, events, and incidents are handled and closed by hyperautomation, SOC analysts can eliminate alert fatigue and escape the black hole.
A hyperautomated SOC helps eliminate alert fatigue through a five-tiered approach.
1. Collect the Noise: Millions of Events; One Hyperautomation Platform
First, Torq’s Hyperautomation platform effortlessly ingests event data with limitless horizontal scalability through a variety of mechanisms, such as message queues (AWS SQS, GCP Pubsub, Azure EventGrid,Kafka), direct webhooks, TCP transmission, email, and API polling, just to name a few. This is where we start collecting events. It’s where we embrace the chaos to bring order.
2. Start Filtering: Reduce the Noise 10x
Here, triggered workflow automations apply a 10x reduction filter. This slashes the volume of events from a million to hundreds of thousands. Torq’s technology sifts through the events to identify the data that matters most, zapping out false positives and low-fidelity alerts. Our horizontally scalable events pipeline performs numerous checks, ranging from string and numeric comparisons to more advanced regular expressions. Only the most relevant pieces pass through this stage. No more irrelevant and superfluous logs, events, or alerts get through.
3. Gain Context: Enrich Events With AI
This is where things get really exciting. We use stateful event filtering to reduce noise by 100x. Through intelligent event handling with large language learning models (LLMs), we enrich the
context for each security event.
Your events volume is down to mere thousands now – as opposed to the millions you battled with before – and these are the events you should genuinely care about.
From there, Torq Hyperautomation adds another layer of AI-driven stateful filtering, further enriched with context like threat intelligence, business context, or even historical events. Every event is vetted from multiple angles using LLMs and third-party security tools. Torq hyperautomates 95% of Tier-1 analysis with generative AI, which ultimately empowers you to make faster, better informed decisions.
4. Intelligent Security Case Orchestration: Automatically Triage, Classify, and Remediate 100s of Tier-1 and Tier-2 Cases
At this point, the funnel narrows to just 100s of security cases requiring further action, but they still don’t necessarily require human involvement. Torq Hyperautomation does the heavy lifting by intelligently delegating issues to R&D, DevOps, or related business owners.
If an event makes it this far, it requires serious attention. We’ve already performed significant
noise reduction and filtered out irrelevant events and alerts. It’s time to prioritize what’s critical.
Through Torq’s sophisticated orchestration capabilities, some of these cases may still be handled entirely without analyst involvement.
Third-party integrations like SecOps, DevOps, or application owners have handled vulnerabilities and other findings, and non-compliant assets have been flagged and are now considered exceptions. That, coupled with case management through external communication and ticketing, means you can automatically close about 90% of Tier-1 tickets.
5. Security Analyst Expertise: High-Priority Cases Require Human Intervention
A hyperautomated SOC does not eliminate the need for human intervention. It does, however, ensure that humans are the last, and most critical, line of defense for the most severe and high-priority cases. At this part in the process, you’re left with only critical security cases that have undergone rigorous scrutiny and automated handling. Now humans must intervene. By now, the remaining cases are enriched with valuable data, minimizing the time and effort needed to take appropriate action. Analysts can tap into a library of pre-configured sub-processes, making their operations significantly more efficient.
By the time an event has passed through Torq’s Hyperautomation platform, it has undergone an intense, multi-tiered evaluation and action process, each phase of which is designed to optimize accuracy and efficiency, and, of course, improve your security posture to defend against threats.
Following this five-tier approach can help SOC analysts prevent being sucked into the security event black hole (and avoid spaghettification).
Automating Extension Risk Assessment and Permissions
By Aner Izraeli, Head of Information Security
January 8, 2024
6 Minute Read
Browser extensions are a classic shadow IT concern. Assessing the reputation and security of a browser extension is crucial before installing it on a company computer, as extensions often have wide-ranging permissions that could be abused for data theft or other malicious activities.
In an open environment style company, extensions generate significant shadow IT risk that needs to be managed and addressed.
Let’s shed some light on the security challenges extensions present, and how you can use Torq to automate assessing the risk an extension may pose.
I decided to get into the crabs of a certain extension that helps to capture screen full pages. When browsing the extension’s official page, I went to its privacy page, and there I noticed a header saying:
The developer has disclosed that it will not collect or use your data.
Oh yeah? Let’s go deeper into the privacy policy!
And there I found these two clauses:
When you access our Service, we may automatically collect non-personal data from you, such as web pages viewed, browser type, operating system, referring service, search information, device type, page views, usage and browsing habits on the Service and similar data.
and:
It is possible at times when collecting non-personal data through automatic means that we may unintentionally collect or receive personal data that is mixed in with the non-personal data
From this point, I checked more data properties that could help me decide if this should be removed or stay. Along with reviewing the privacy policy and extension’s web page, I checked a few additional parameters:
Installation method
How the extension was installed – NORMAL or SIDELOAD
NORMAL – Extension installed directly by the user from the browser’s official extension store.
SIDELOAD – Extension installed from a source outside of the browser’s official extension store.
DEVELOPMENT – Extension that is being loaded directly into the browser for testing or development purposes, rather than being installed from a web store or other official distribution channel.
This particular extension was installed in a SIDELOAD fashion, which can pose a greater risk because it may not have undergone as stringent of a security review as it would have if it was in an official store.
Permissions
I also examined the extension’s permissions – what it allows an extension to do. The list of permissions included some dangerous ones:
<all_urls> – Allows the extension to access all web pages. This is a very broad permission and is one of the most severe in terms of potential privacy and security risks.
tabs – Gives the extension access to various properties of the browser’s tabs. This can include reading the URL, title, and other attributes of tabs and closing, moving, or creating new tabs.
unlimitedStorage: Permits the extension to store more data than typically allowed in the browser’s local storage.
system.display – Allows the extension to interact with the display properties of the system. This could include things like:
Querying display metadata: Fetching information about connected displays, like their resolution, orientation, etc.
Manipulating display settings: Changing settings such as screen resolution or orientation.
Controlling display layout: Positioning screens in multi-display setups.
scripting – Depends on what scripts are executed (someone mentioned supply-chain risk)
Vulnerability Scans
Using the free extension scanning toolCRXcavator can shed more light on extensions that may be considered in the risk assessment. Decision making data could be added through its API, such as:
Vulnerabilities scan: Are there any vulnerable applicative components? Are there CISA KEV vulnerabilities?
Risk Over Time: The extension’s overall risk, is it escalated?
CSP (content security policy): More advanced insights
Networking: Could be correlated with <all_urls>
Whois
Use Whois to find the extension’s website URL. This could help you understand more about an extension, like where the extension’s coming from, its domain’s age, and more. Whois revealed the particular extension’s domain age is 59 days.
Risk assessment time!
Given the insights I was able to gather, I can now assess the risk and make a decision.
Privacy policy shows Uncompromised information of the ability to collect PII. This has tremendous consequences on compliance and privacy settings and policy.
Considering permissions like <all_urls>, scripting, tabs – These generate risks affecting data privacy, compliance, supply-chain (scripting?), data-leak etc…
Considering the installation method – NORMAL installation type would at least have lowered the risk, which is not the case here, as this one was installed in SIDELOAD fashion – outside of the browser’s official extension store, which means, it wasn’t reviewed by Google.
Whois – domain age is very low – 59 – not always necessarily, but it could raise a concern that something fishy is going on.
Considering there are a few high vulnerabilities (with high EPSS).
After examining the findings above, I assume that the prevailing conclusion would be to remove the extension. However, in any environment there are many variables that can cause decision-makers to leave the extension installed.
How to Automate Extension Risk Assessment
All this work has to be done manually, right? That may be feasible if you have only a few extensions to investigate. Most organizations, however, have 20 times that many extensions. So I decided to use Torq to create workflows to automate the extension risk assessment.
Here’s how I did it:
Focus only on risky permissions. Extensions have dozens of permissions types. I used Torq’s Gen AI integration to assign a risk score (1 to 5) for each permission, considering their capabilities. Focusing on the most prominent permissions reduced the number of issues to address.
Let AI summarize the privacy policy with a prompt focusing on personal information, additional data processors, and what is essential to keep compliance governed.
Use WHOIS to grab the domain’s age and its activity status.
Extract the extension’s CVEs and use the power of automation to enrich and attach CISA KEV, EPSS, and CVSS metrics for better vulnerability management.
Correlate CVEs with your device vulnerabilities inventory to detect whether they are vulnerable.
Aggregate all insights into one case for the verdict:
If the risk is tolerable, reach out to the employee to understand whether the extension is used and needed for work purposes.
If the risk isn’t tolerable, reach out to the employee to inform them of the extension removal. Execute the MDM command to remove immediately.
Exclude the extension from use.
Conclusion
The decision to remove or keep an extension may change under different circumstances and based on differing data. However, an extension that violates privacy compliance and provokes severe vulnerabilities shouldn’t be ignored.
As security pros, it’s our job to educate and raise awareness about extensions and the potential risk they pose, while also providing insight based on investigation and analysis. From there, organizations can make informed decisions whether they’ll allow a certain extension.
One thing we’ve consistently heard from our customers is that using legacy SOAR solutions to build AWS automations and workflows is complex and painfully slow.
Why? Because legacy SOAR solutions typically use Python to do anything, and to make Python work for you, you have to be an expert in it. Python is often complex and requires writing scripts to execute most commands. And, often times, Python scripts create a single point of failure, where the person who wrote the scripts is the only one in an organization that knows them – if that person leaves, the scripts leave with them.
Torq, however, integrates with AWS CLI, which eliminates the Python problem by allowing you to run AWS CLI commands directly from the Torq Hyperautomation platform. This saves you time and effort when automating in the cloud and lets you do more.
Torq is the only hyperautomation solution that offers integrated AWS CLI functionality. Other platforms force you to learn the API for AWS for every single workflow or automation. With Torq for AWS CLI, you don’t have to learn API calls – it cuts out APIs altogether.
With AWS CLI, you can run any type of command you want in Torq – you don’t have to write the hundreds of steps you’d typically have to with Python Boto3 scripts. It simplifies your scripts into a concise workflow, making it easier to troubleshoot, build, and reuse automations.
For example, if you wanted to produce a list of all of your active S3 buckets, all you have to do is find the command in AWS CLI documentation, type it into the AWS CLI in Torq, and it’ll return that list. It’s a super flexible way to run commands.
Torq with AWS CLI also lets you test workflows while you’re building them, which is a much less complex alternative to writing intricate Python scripts. And you can unlock the true power of Torq’s limitless integrations with solutions like Slack, Snyk, Wiz, and Orca Security, when you tie them together and build workflows that interact with AWS using the CLI command.
And with the addition of Torq’s AI completions functionality in the AWS CLI command tool, your job just got even easier. You can use native language to find commands, saving the time you’d have spent digging into documentation to find the correct commands. Now, you can find and run AWS CLI commands without ever leaving the Torq platform.
Want to see how Torq with AWS CLI can help you escape Python’s stranglehold and overcome slow automations? Get a demo.
The benefits of hyperautomation are well documented. But it can be challenging to determine where to get started.
Maybe you’ve been burned by outdated and antiquated solutions, like legacy SOAR, that were so complex, costly, and time consuming that a path forward seemed impossible.
At Torq, the journey to true hyperautomation is a three-phased approach that will transform your security posture and result in more than 90% of SOC processes automated.
Let’s examine each of the three phases of the hyperautomation journey.
Phase 1: Task Automation
The journey starts by determining which specific tasks require significant manual effort from SOC analysts. The goal is to automate repetitive, rule-based tasks – it’s essentially laying the bricks for your cybersecurity foundation. We use APIs and event feeds to pull data and automate tasks that would otherwise consume your team’s valuable time.
During this phase, you can automate a broad spectrum of task-based workflows, such as IOC enrichment, ticket triage, audit processes, and tasks related to handling vulnerabilities.
This phase can run anywhere from two weeks to three months based on your organization’s maturity and whether you’ve pre-determined what to automate. The timing is also dependent on the priority your organization places on automation creation and implementation.
It gives you a solid start on your hyperautomation journey. Once completed, you’ll have automated roughly 15% to 20% of SOC processes.
Phase 2: Process Automation
Now that you’ve laid the foundation, the second phase focuses on automating process-based workflows. Here is where we automate entire security workflows and processes, not just tasks. You’ll automate rules-based decision making and allow for a few exceptions where human judgment is required. Internal and external event triggers help in seamless flow to create a more robust, responsive, and intelligent automated system.
Process automation requires extensive communication with your technology stack and tailoring use cases from start to finish. During this phase, multiple tasks converge to serve a specific use case, where Torq bridges all of the different elements, reducing user dependency. The goal is to involve users solely in critical decision-making aspects.
The result is quicker identification of threats and risks, which allows for immediate action and a reduction of the window of exposure.
Based on organizational maturity and the priority your organization puts on automation creation and how much time to spend, this phase ranges from a few weeks to six months.
Once phase two is completed, you’ll have automated 30% to 65% of SOC processes.
Phase 3: AI-Driven Hyperautomated SOC
The third and final phase of your hyperautomation journey is harnessing the power of AI to hyperautomate your SOC. It’s this phase where you integrate AI and machine learning to deal with complex decision-making processes. Torq processes unstructured events to deliver contextual insights through cognitive automation. To do this, you’ll leverage your processes and technology solutions alongside large language models (LLMs).
The goal of this phase is to streamline day-to-day tasks through a combination of workflow automation, your security stack, and AI – all driven by your unique business logic. It combines the power of both process and AI to enhance efficiency and address your business needs.
This phase varies in duration based on the time it took for you to complete the first two phases. But once completed, you’ll achieve true automation and will have successfully automated more than 90% of your SOC processes.
Achieve True Hyperautomation
Once you’ve completed all three phases of the journey, you’ll have evolved from basic task automation to an advanced, AI-driven, hyperautomated SOC. You’ll have automated more than 90 percent of your SOC processes, and your security team will be able to focus on only the most complex and nuanced issues. And your SOC analysis will be relieved to have automations that can support them 24/7.
You’ll have achieved true hyperautomation.
Ready to start the journey to true hyperautomation? Request a demo.
How Hyperautomation Unblocks the Events Processing Bottleneck
By Torq
December 4, 2023
2 Minute Read
Legacy SOAR offers limited events processing. That’s just the way it was built. SOAR is a standard monolithic architecture in which the entire application is deployed as a single entity, which typically runs on a single server or cluster of services. This dramatically restricts SOAR’s processing capacity, and it’s time-consuming and costly to try and extend SOAR beyond these restrictive configurations – it typically would require an entire rebuild and redeploy to upscale.
The only ways to deal with that is by either underprovisioning or overprovisioning your legacy SOAR. But that also creates problems. Underprovisioning creates poor performance, slow response times, and reduced availability. This affects the user experience and your solution’s ability to identify and remediate threats effectively. Overprovisioning allocates more resources than are actually needed to ensure there is always enough capacity to meet demand, but that method boosts costs, reduces efficiency, and increases risk with an extended infrastructure footprint.
Here are the five major benefits of using hyperautomation to process your security events to overcome the limits of legacy SOAR.
Hyperautomation provides limitless horizontal scalability that allows individual components and services to be independently scaled based on specific demands.
Hyperautomation allows you to sift through the noise, prioritize events, close false positives, and more – all at scale and with precision accuracy. Plus, it’s entirely automated.
Hyperautomatn ensures specific event types are directed to relevant owners and automatically enriched with decision-supporting data.
Hyperautomation empowers you to automate the orchestration and handling of diverse technical solutions that best suit your requirements, including CNAPP, CSPM, CWPP, EDR, XDR, EASM, IAM, SAST, and DAST.
Hyperautomation enables you to have SLAs for different events to ensure the flood of events from one type or source does not prevent the system from processing other events.
Through dynamic defenses, security hyperautomation allows you to unblock the events processing bottleneck. Read more about how hyperautomation outperforms SOAR in our “SOAR is Dead” manifesto.
Torq for MDR: Increase Margin and Onboard Customers Faster
By Torq
November 29, 2023
3 Minute Read
Managed detection and response (MDR) Hyperautomation Guide
Managed detection and response providers (MDRs) are at an inflection point. They previously relied on legacy SOAR to secure their customers. But SOAR solutions struggle to keep up with the evolving and maturing threat landscape, and were not designed to scale into cloud environments.
As a way to break free from SOAR’s shortcomings, MDRs are turning to hyperautomation.
Increased margin: Automate more components in your alert investigation, analysis, and response, and handle security events more efficiently with less human involvement.
Faster customer onboarding: Automate customer onboarding and ramp-up, share workflows and use cases across customers, and automate in multiple environments.
Limitless integrations: Integrate with every tool within your customers’ security stacks to increase business value and widen total addressable market.
Torq for MDR is a significant evolution from legacy SOAR, and gives managed detection and response providers the ability to perform up to 90% of Tier-1 case analysis tasks with an autonomous agent; 10 times faster onboarding and provisioning of new customer environments, and the ability to handle 5 times more security events without adding headcount.
Regarded analyst firms IDC and GigaOm have both noted that hyperautomation is leading the shift away from legacy SOAR solutions and signaling the future of security automation. And one of the country’s largest MDRs, Deepwatch, recently announced it has standardized on Torq Hyperautomation. Ten other MDRs, such as SentinelOne Vigilance and Compuquip, have also joined the Torq for MDR program.
“With Torq Hyperautomation, we are significantly increasing productivity and efficiency, ensuring that our customers gain better evidence, analysis, and control over their cybersecurity, while staying protected from external threats and operational risks,” said Charlie Thomas, CEO, Deepwatch.
Torq Hyperautomation empowers MDRs to provide more value to customers to increase stickiness and reduce churn, while increasing SLA attainment. It also streamlines security operations and reduces costs by consolidating tooling and effortlessly integrating disparate tools managed by different teams for increased efficiency. At the same time, Torq Hyperautomation automates workflow management across an MDRs’ entire customer base, with the added flexibility of fine-tuned customization.
Torq also gives MDRs no-code, low-code, and full-code support; the ability to automate more processes; accelerated case management with AI; and a scalable, resilient infrastructure, all of which help MDRs improve efficiency and increase margin, while saving costs and scaling service offerings.
