Jason Chan on Harnessing Security Automation to Manage Cyberthreat Complexity

Torq is extremely proud to have Jason Chan on our advisory board. Jason has more than 20 years of experience working in cybersecurity. He’s one of the world’s leading experts in adopting security automation, cloud security, and enhancing security in modern software development practices.

Jason’s most recent career experience was leading the information security organization at Netflix for more than a decade. His Netflix team set the bar extraordinarily high, focusing on cutting-edge risk assessment and management, and compliance management strategies and approaches.

I had the privilege of being able to have a discussion with Jason, exploring the positive impacts security automation is having on organizations of all sizes, worldwide. In the first part of our conversation, “Harnessing Security Automation to Manage the Complexity of Today’s Threat Landscape,” Jason discusses the fact that while cyberthreats are increasing exponentially, it’s becoming increasingly difficult to hire people to address this escalation. As Jason puts it, “The question is how do we get the most out of the resources we have and prioritize the issues we need to address most critically?”

Watch the first part of our conversation in video below and learn all about Jason’s perspective on how security automation addresses these challenges by maximizing the impact of the security systems, processes, and people organizations already have in place, and breaking down security silos:


Take Action Today
Learn how to get started with security automation by reaching out to the professionals at Torq. You’ll learn more about the Torq platform and how we’ve helped myriad organizations achieve and exceed their security goals.

Get Started

When to Automate and When Not to Automate

Everyone loves automation, and it can be easy to assume that the more you automate, the better. Indeed, falling short of achieving fully autonomous processes can feel like a defeat. If you don’t automate completely, you’re the one falling behind, right?

Well, not exactly. Although automation is, in general, a good thing, there is such a thing as too much automation. And blindly striving to automate everything under the sun is not necessarily the best strategy.

Instead, you should be strategic about what you do and don’t automate. Even if you have the tools and resources to automate certain parts of a process, you may not actually want to automate them.

The Benefits of Automation

To understand the argument for being selective about the processes you automate, let’s go over the key benefits that teams are usually trying to achieve when they automate something. Typically, those benefits include:

  • Faster results.
  • Less time spent by engineers on manual processes.
  • Greater consistency and a lower rate of errors.
  • Repeatability.

We could go on, but these bullet points summarize the main goals of most automation projects.

When to Automate and When Not to Automate

Now, if you think critically about how best to pursue the goals we’ve just described, you’ll realize that fully autonomous processes aren’t always the best ways to achieve the goals. Let’s go through each one carefully.

Faster Results

Automation can speed up processes by allowing operations to proceed without waiting on humans to sign off.

The caveat, however, is that if your automation tools run into a situation where they can’t decide how to proceed – which happens when a variable is introduced that your automation workflow didn’t anticipate – you can end up with a longer delay than you would face with a human in the loop to oversee things. A fully autonomous process that goes awry will probably deliver results much more slowly than a process where a human is in the loop to react to unexpected conditions.

Less Engineer Time

By a similar token, the total time that engineers have to invest in operations work may be lower if not all of your processes are completely automated.

The reason why is that if something goes wrong within a fully autonomous process, the response is likely to be highly distracting and time-consuming for your team. But, if you had a human in the loop to begin with, you’d face a lower risk of a disruption that would require an extensive manual response.

Greater Consistency

Automation is a good way to keep processes consistent — so long as those processes are 100 percent predictable and reliable.

But, when there are variables, or when you are dealing with a process where each use case is unique, automation won’t always breed consistency — at least, not the kind of consistency you want. It would be better to keep a human in the loop so that the human could react as needed to special circumstances.

Repeatability

It may be easier to reuse automation tooling, too, when you keep humans plugged into your automated processes.

The reason why is that — once again — each process may be unique, and so you can’t simply lift and shift the automations you’ve created for one process and apply them to a different one. But, if you leave some responsibility to humans, it becomes easier to keep your workflow adaptable enough so that you can use the same automations repeatedly, leaving it to the human to interpret the unique variables within each process and adapt the automations as required.

Using Partial Automation

To illustrate the points above, let’s consider a common process that might seem like a candidate for total automation, but actually is not.

The process is Just In Time (JIT) permissions granting. The goal of JIT permissions is to grant access rights when a user needs them, and revoke them when they are no longer necessary. Having humans configure these permissions each time in a totally manual way is not scalable, so you may think that you would want to automate the process as fully as possible.

But, in reality, it would make more sense to automate only part of your JIT permissions operations. You could automatically collect account and user information, for example, and use these to generate updated access control policies automatically.

But if you actually apply the policies automatically, you run the risk of something unexpected happening with highly negative security consequences. Maybe a user is requesting a JIT permissions update to access a system that was recently moved from testing to production, and that therefore has stricter access requirements. But your automation tooling isn’t aware of that change, so it will grant the permissions without considering the unique circumstances of the request in question.

If you require a human to sign off on the permissions change, however, there is a higher chance that the oversight will be caught. Manual sign-off could delay the process slightly, but the delay should not be significant if the rest of the process is well-automated.
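The partial-automation split described above, as an added example that is not Torq’s code or any real JIT product: policy drafting and revocation run unattended, while the apply step refuses to run until a human has signed off, and the approver’s view of the asset’s environment is checked against the (possibly stale) inventory the automation drafted from. The inventory, asset names and users are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed inventory as the automation sees it. "billing-api" is still recorded
# as a test system although it has since moved to production; the automation has
# no way of knowing that on its own, which is the scenario the text describes.
INVENTORY = {
    "billing-api": {"environment": "test", "owner": "payments-team"},
    "ci-runner": {"environment": "test", "owner": "platform-team"},
}


@dataclass
class JitRequest:
    user: str
    asset: str
    role: str
    minutes: int          # how long the access should live


@dataclass
class AccessPolicy:
    user: str
    asset: str
    role: str
    environment: str      # environment as recorded in the inventory at drafting time
    expires_at: datetime
    status: str = "pending_signoff"
    approver: Optional[str] = None


def generate_policy(req: JitRequest, inventory: dict, now: datetime) -> AccessPolicy:
    """Automated part: collect asset context and draft a time-boxed policy."""
    asset = inventory[req.asset]
    return AccessPolicy(
        user=req.user,
        asset=req.asset,
        role=req.role,
        environment=asset["environment"],
        expires_at=now + timedelta(minutes=req.minutes),
    )


def sign_off(policy: AccessPolicy, approver: str, observed_environment: str) -> AccessPolicy:
    """Human gate: the approver records the environment they actually observe.

    If it disagrees with the context the policy was drafted against, the request
    is rejected rather than applied; a fully autonomous flow would have granted it."""
    policy.approver = approver
    if observed_environment != policy.environment:
        policy.status = "rejected_stale_context"
    else:
        policy.status = "approved"
    return policy


def apply_policy(policy: AccessPolicy, grants: dict) -> bool:
    """The apply step only runs on a policy a human has approved."""
    if policy.status != "approved":
        return False
    grants[(policy.user, policy.asset)] = policy
    policy.status = "active"
    return True


def revoke_expired(grants: dict, now: datetime) -> list:
    """Automated again: revocation needs no judgement, so it runs unattended."""
    expired = [key for key, p in grants.items() if p.expires_at <= now]
    for key in expired:
        grants[key].status = "revoked"
        del grants[key]
    return expired


def run_scenario() -> dict:
    """Walks two requests end to end and returns what happened at each gate."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    grants: dict = {}
    # Request against the asset whose inventory record is stale.
    stale = generate_policy(JitRequest("alice", "billing-api", "deployer", 30), INVENTORY, now)
    applied_without_signoff = apply_policy(stale, grants)
    sign_off(stale, approver="bob", observed_environment="production")
    applied_after_rejection = apply_policy(stale, grants)
    # Request where the approver's observation matches the inventory.
    ok = generate_policy(JitRequest("carol", "ci-runner", "runner-admin", 15), INVENTORY, now)
    sign_off(ok, approver="bob", observed_environment="test")
    applied_after_approval = apply_policy(ok, grants)
    revoked = revoke_expired(grants, now + timedelta(minutes=15))
    return {
        "drafted_environment": stale.environment,
        "applied_without_signoff": applied_without_signoff,
        "stale_status": stale.status,
        "applied_after_rejection": applied_after_rejection,
        "applied_after_approval": applied_after_approval,
        "revoked": revoked,
        "active_grants": len(grants),
    }
```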

Conclusion: The Limits of Automation

To be clear, we’re not saying automation is a bad thing, by any means.

What we are saying is that there are points within processes where full automation doesn’t always make sense. Although it may seem counterintuitive, there’s value in requiring human participation, even if making processes fully autonomous is a possibility.

How Wiz and Torq Combine to Mitigate Existential Cloud Security Threats

A single cloud security incident can stop an enterprise in its tracks, sometimes resulting in irreparable damage to its operation, reputation, and customer loyalty. One key strategy for preventing such incidents is combining complementary cybersecurity tools to defeat threats at scale.

A coherent Cyber Security Incident Response Planning (CSIRP) approach requires enterprises to select and integrate the right tools before a security incident occurs. Torq’s next-generation orchestration and automation capabilities combined with Wiz Cloud Detection & Response empower forward-thinking security teams to analyze cloud events and alerts from services like Amazon GuardDuty alongside the rich context provided by the Wiz Security Graph.

“The combination of Torq’s no-code security automation approach that delivers immediately actionable response and Wiz’s comprehensive contextual and accurate malicious activity identification means we can focus on high-level threats without being overwhelmed by cloud alerts. Torq and Wiz work seamlessly together to give us a major real-time advantage in mitigating the ever-evolving cloud-based threat landscape.”
- CISO of a major gaming company

Customers are already seeing that combining Torq and Wiz means the whole is far greater than the sum of the parts.

Achieve a Coherent CSIRP with Wiz and Torq

In its Computer Security Incident Handling Guide (Special Publication 800-61), NIST advises organizations to strengthen their capabilities in four broad areas:

  1. Preparation
  2. Detection and Analysis
  3. Containment / Eradication / Recovery
  4. Post-Incident Lessons Learned and Documentation

To better understand these areas, let’s apply them to a hypothetical brute-force attack.

Preparation

To be prepared for a brute force attack, you should:

1. Set up the infrastructure to identify potential attacks

Amazon GuardDuty can continuously monitor network and endpoint activity in production cloud environments to detect brute force attacks (amongst many others). Furthermore, Amazon CloudWatch Events or Amazon EventBridge should be configured to monitor events on new or updated GuardDuty findings. These events will later be consumed by an automation and orchestration system to enrich, analyze, and remediate the issues.

2. Analyze the assets’ context

Understanding the topology of your cloud environment, maintaining up-to-date connection states, and knowing which assets have access to sensitive data are critical to prioritizing response efforts to an attempted brute force attack. The Wiz Security Graph discovers and correlates these signals, providing incident responders with important context. For example, Wiz will alert on an SSH brute force attack when it is attempted against a publicly exposed asset that allows password authentication and has high permissions in the organization’s cloud environment.

3. Orchestrate analysis and resolution

Notifications of new potential threats must be handled and interpreted consistently and programmatically (i.e. with minimal involvement of human analysts) in order to operate at scale. Torq allows enterprises to automate the data and response flows generated by the Wiz Security Graph, making it possible to route remediations to DevOps either directly or after a quick triage by the security team. The owners of the at-risk assets receive all the relevant contextual information around the alert so they can quickly resolve the issue and shorten the MTTR significantly. Torq’s no-code automation platform lets you build these workflows from scratch, leverage hundreds of security process templates, and adjust them to the needs of every environment.

Here’s how Torq combines with Wiz to create autonomous responses to security events:

Detection

The detection stage begins with Wiz delivering an alert based on an Amazon GuardDuty event together with the context of the cloud environment. The alert immediately drives the execution of an automated response workflow in Torq.

Analysis

In the analysis stage, contextual data about the asset’s external exposure is retrieved from the Wiz Security Graph as part of the alert. If there is internal exposure, further analysis is conducted to understand the possible connections between the attacked asset and the crown jewels that might be reachable from it.

Containment

In the containment stage, particular sources of the attack can be blocked by modifying the Security Groups and Access Control Lists, as well as by prompting an additional wider response to the potential threat. Further eradication of an issue can be achieved by orchestrating changes in the configuration of the cloud assets to improve their security posture and by enforcing multi-factor authentication and strong passwords.

Torq enables enterprises to respond by both triggering containment flows and alerting the relevant teams in the organization on the event, preventing them from wasting crucial time.

Post-Incident

The incident audit trail is created to chronicle lessons learned to better mitigate related threats in the future. Security teams can use the audit trail together with the visibility they get from the Wiz Security Graph to identify potential weak points and work to mitigate them in advance.
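The four stages above, as an added example that is not Torq’s or Wiz’s code: a constructed GuardDuty-style SSH brute-force finding is scored against constructed Wiz-style asset context (public exposure, password authentication, privilege level, reach to sensitive data), routed either to security triage or straight to the asset owner, turned into a proposed containment change and hardening list, and recorded in an audit trail. The finding and context shapes are simplified and assumed, not the real APIs; only the GuardDuty finding type name is real.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List

# Constructed GuardDuty-style finding (shape simplified for the example).
FINDING = {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {"instanceId": "i-0123456789abcdef0"},
    "remote_ip": "203.0.113.45",   # documentation range, constructed
}

# Constructed Wiz-style context keyed by instance id.
CONTEXT = {
    "i-0123456789abcdef0": {
        "publicly_exposed": True,
        "ssh_password_auth": True,
        "iam_privilege": "high",
        "reaches_sensitive_data": True,
        "owner": "payments-team",
    },
}

# Weights are an assumption for the example, not a Wiz or Torq scoring scheme.
WEIGHTS = {
    "publicly_exposed": 2,
    "ssh_password_auth": 2,
    "high_privilege": 3,
    "reaches_sensitive_data": 3,
}


@dataclass
class TriageResult:
    priority: str
    route: str                       # who acts first on the alert
    containment: Dict[str, object]   # proposed network change, applied elsewhere
    hardening: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


def score(ctx: dict) -> int:
    """Analysis: sum the weights of the context signals that are present."""
    total = 0
    total += WEIGHTS["publicly_exposed"] if ctx.get("publicly_exposed") else 0
    total += WEIGHTS["ssh_password_auth"] if ctx.get("ssh_password_auth") else 0
    total += WEIGHTS["high_privilege"] if ctx.get("iam_privilege") == "high" else 0
    total += WEIGHTS["reaches_sensitive_data"] if ctx.get("reaches_sensitive_data") else 0
    return total


def triage(finding: dict, context: dict) -> TriageResult:
    """Runs detection -> analysis -> containment -> post-incident for one finding."""
    if finding["type"] != "UnauthorizedAccess:EC2/SSHBruteForce":
        raise ValueError("example only handles SSH brute-force findings")
    instance = finding["resource"]["instanceId"]
    ctx = context.get(instance, {})
    source = ip_address(finding["remote_ip"])  # raises on malformed input
    s = score(ctx)
    priority = "critical" if s >= 7 else "high" if s >= 4 else "medium"
    # Crown-jewel exposure goes to the security team first; the rest goes
    # directly to the owner with the context attached.
    route = "security-triage" if priority == "critical" else f"owner:{ctx.get('owner', 'unknown')}"
    containment = {
        "action": "nacl_deny",
        "cidr": f"{source}/32",
        "protocol": "tcp",
        "port": 22,
        "instance": instance,
    }
    hardening = []
    if ctx.get("ssh_password_auth"):
        hardening.append("disable_ssh_password_auth")
        hardening.append("enforce_mfa_and_strong_passwords")
    if ctx.get("publicly_exposed"):
        hardening.append("restrict_ssh_ingress")
    audit = [
        f"detected {finding['type']} on {instance} from {source}",
        f"scored {s} -> {priority}, routed to {route}",
        f"proposed {containment['action']} for {containment['cidr']}",
    ]
    return TriageResult(priority, route, containment, hardening, audit)
```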

Learn more

To learn more, see how you can reduce alert fatigue and focus on the most critical security gaps with Wiz, and get started with Torq’s no-code security automation platform to handle these and similar threats at scale.

First posted by our partners at Wiz

Torq Delivers on the Promise of Parallel Execution

Security operations professionals are constantly being pushed to the edge of their capacities. They’re dealing with endless manual processes and managing tasks sequentially, because of the limitations of their security tools and options. They’ve dreamed of being able to execute more tasks simultaneously to quickly enrich, analyze, contain, and resolve security threats.

Today, Torq is proud to introduce Parallel Execution, which makes those capabilities a reality. Parallel Execution is a significant evolution for no-code security automation that enables you to instantly create multiple branches within an automatic workflow, and handle each concurrently before seamlessly merging back into a single flow. 

While some SOAR platforms claim to support parallel processing, these solutions require massive engineering efforts to deploy. Some low-code platforms try to simulate parallel processing with workarounds, but these are in actuality asynchronous processing with deduplication managed by code. In the end, these attempts are not scalable, meaning they cannot effectively improve MTTA, MTTR, or the overall efficiency of your security operations.

Torq is delivering on the promise of true no-code parallel computing, to provide easier workflow design, adaptable iterating, and more powerful execution, which security teams have long been asking for. Now, teams can focus on actual security responses without sacrificing precious time and resources to develop the workflows that deliver them.

Here’s how Torq’s new Parallel Execution capability works:

Run Steps in Parallel 

Parallel Execution allows users to drop in a simple step to branch workflows “horizontally,” execute each branch in parallel, then instantly merge the output back into a single workflow. Before, accomplishing this in an older SOAR platform would require hours of engineering digging into code or defining the minutiae of complex deduplications for each case.

This functionality can dramatically speed up tasks like threat intelligence enrichment, enabling users to check multiple sources at once. Instead of waiting for one check before moving to the next, each source is checked simultaneously, reducing total execution time from the cumulative total down to the time taken by the slowest source.

Parallel Execution can also distribute work more efficiently. For example, an incident response may require input before proceeding, but that input may come from anyone on a finite list. Instead of pinging the analyst on call, waiting for a response or timeout, then moving on to the resource owner, a message can be sent to the complete list of possible responders at once.

The parallel step can also support so-called “long queries,” in which large datasets need to be queried but the outcomes are not codependent. A workflow can simultaneously query a data lake, cloud graph, and SIEM, again reducing total execution time to that of the slowest query instead of the cumulative time for each source.

These are just a few examples of use cases where running steps in parallel can be helpful. The functionality is incredibly flexible, and because it is so easy to include in a workflow, customers will have many opportunities to explore the environments and processes in which it can be used to improve efficiency.
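The branch, run-concurrently, merge semantics described in this section, as an added example that is not Torq’s code: three constructed enrichment sources (each sleeping to simulate latency) are queried for one indicator in parallel with a per-run timeout, their verdicts are merged and ranked, and a second helper sends a request to every possible responder and takes the first reply. Source names, delays and verdict labels are constructed for the example.

```python
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait

# Verdict ranking used when merging; an assumption for the example.
SEVERITY = ["unknown", "seen_before", "suspicious", "malicious"]


def _source(name, delay, verdicts):
    """Constructed stand-in for one enrichment source with fixed latency."""
    def lookup(indicator):
        time.sleep(delay)
        return {"source": name, "verdict": verdicts.get(indicator, "unknown")}
    return lookup


SOURCES = {
    "threat_intel_a": _source("threat_intel_a", 0.20, {"203.0.113.45": "malicious"}),
    "threat_intel_b": _source("threat_intel_b", 0.30, {"203.0.113.45": "suspicious"}),
    "internal_siem": _source("internal_siem", 0.40, {"203.0.113.45": "seen_before"}),
}


def _merge(indicator, results, timed_out):
    """Merge branch outputs back into one record: per-source verdicts plus the worst."""
    verdicts = {name: r["verdict"] for name, r in results.items()}
    worst = max(verdicts.values(), key=SEVERITY.index) if verdicts else "unknown"
    return {"indicator": indicator, "verdicts": verdicts, "worst": worst, "timed_out": timed_out}


def enrich_sequential(indicator, sources=SOURCES):
    """Baseline: one source after another, total time is the sum of latencies."""
    start = time.perf_counter()
    results = {name: fn(indicator) for name, fn in sources.items()}
    return _merge(indicator, results, []), time.perf_counter() - start


def enrich_parallel(indicator, sources=SOURCES, timeout=2.0):
    """Branch per source, wait for all (or the timeout), then merge.

    Total time is bounded by the slowest source rather than the sum; branches
    that miss the timeout are reported instead of blocking the workflow."""
    start = time.perf_counter()
    pool = ThreadPoolExecutor(max_workers=len(sources))
    futures = {pool.submit(fn, indicator): name for name, fn in sources.items()}
    done, not_done = wait(futures, timeout=timeout)
    pool.shutdown(wait=False)  # do not block on branches that missed the timeout
    results = {futures[f]: f.result() for f in done}
    timed_out = sorted(futures[f] for f in not_done)
    return _merge(indicator, results, timed_out), time.perf_counter() - start


def _responder(name, delay, answer):
    """Constructed stand-in for a human responder with a fixed reply time."""
    def ask(question):
        time.sleep(delay)
        return answer
    return ask


RESPONDERS = {
    "oncall_analyst": _responder("oncall_analyst", 0.30, "approve"),
    "resource_owner": _responder("resource_owner", 0.05, "approve"),
}


def first_reply(responders, question="Contain host i-0123456789abcdef0?"):
    """Ask everyone on the list at once and proceed on the first answer."""
    pool = ThreadPoolExecutor(max_workers=len(responders))
    futures = {pool.submit(fn, question): name for name, fn in responders.items()}
    done, _ = wait(futures, return_when=FIRST_COMPLETED)
    pool.shutdown(wait=False)
    first = next(iter(done))
    return futures[first], first.result()
```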

A New Era for Security Automation

We are thrilled to provide the industry’s first true example of no-code parallel processing. But we are even more proud of where this can take teams once they adopt Torq.

Until now, security automation tools have been, at best, asynchronous, meaning they’re rigid and poorly suited for handling urgent escalations and different service level requirements. Security teams need more nimble and responsive tools that allow them to operate in realistic conditions, which sometimes involve as many as 1,000 simultaneous events. These first-generation SOAR and low-code tools also require significant additional effort to deduplicate outputs.

With earlier solutions, if an organization wanted to automate a security process, it would need to map out every step along the way, name or create roles for those responsible, build operational structures to enforce those steps and roles, document each potential permutation, develop or purchase the many needed connectors for the systems involved, script and code the minutiae of data manipulation, and then finally cross their fingers that the correct action comes out the other side. 

One of the unspoken laws in this chain is that Step X must always come before Step Y, and both must return a value before moving on to Step Z, regardless of whether that is how the real world operates. 

Torq not only releases organizations from the restrictions of linear processes, but does so in a way that is so simple it is usable for even the most mundane of routine security processes. 

No longer are security teams required to toil away at menial tasks, saving automation for only the most daunting response workflows. Using simple drag-and-drop functionality, anyone can put Torq to work using pre-coded steps, templatized workflows, and unfettered integrations. 

Because Torq automations can be developed and edited at-will, teams are free to experiment with new processes, and free to design workflows that match their real operations, rather than molding their processes to their tools. 

Users have all of the modern functionality available to their developer and DevOps peers, like publishing and version controls, contextual documentation, and collaborative editing. Operating with a git-style or even a true GitOps development experience helps teams better understand and manage a workflow across its lifecycle, and better aligns them with DevSecOps methodologies.

Begin Executing in Parallel, Today 

The Parallel Execution capability, as well as the workflow templates that use it, are available to Torq users, today. You can find them in the workflow designer and template libraries, respectively, or your customer success manager would be glad to walk through them with you.

Parallel Execution Demo Templates

We’ve prepared a few workflow templates that already utilize and demonstrate the power of this new functionality. Torq users can begin deploying these right away.

Future Torq users can request a live demonstration and set up a demo account to test these new features themselves through our get started page.

Why Torq’s Momentum Mirrors the Exponential Adoption of No-Code Security Automation

In just three quarters since Torq was officially launched, our visionary team has delivered a 385% increase in customers, resulting in 360% quarter-over-quarter growth. We’ve also boosted our headcount by 150% and now have more than 100 technology integration partners, including Armis, Orca, SentinelOne, and Wiz. In addition, we recently opened new offices in the UK, Spain, and Taiwan.

Our no-code security automation innovations are paying dramatic dividends for our ever-increasing customer base. We serve organizations of all sizes as they face incredibly challenging, complex, and dramatically-escalating cyberthreats. We’re mitigating those threats at every conceivable incursion point, and emancipating overworked security teams from manual, reactive processes, so they can focus on remediation and response.

I take Torq’s dedication to providing our customers the highest level of protection very personally. I began my career as a technologist and software engineer, then shifted into the world of cybersecurity, and then became an entrepreneur when I co-founded Luminate in 2017 and Torq in 2021. I was inspired by seeing how many earlier industries were revolutionized by automation. 

Back when I began my career as a software engineer, all my software testing was done manually. We had QA engineers repeating the same testing procedures over and over on each and every build of my product to verify it worked correctly. That era is long gone. Today’s modern software development processes benefit from automated QA on multiple levels. Manual testing is exclusively the domain of the most complex and creative tasks, if it’s done at all.

The Security Operations world is now increasingly harnessing the value of automation. Previously, the industry was based on simply delivering “alerts” about potential malicious activity and “reports” on vulnerabilities or misconfigurations, all of which had to be reviewed and dealt with manually. Virtually everyone understands this model is archaic and creates more problems than it solves. 

Both Torq’s production environments, which include running in the cloud, and our often SaaS-based business line applications are rapidly evolving. It’s simply not scalable to conduct manual security operations across these complex scenarios. It’s why organizations of all types and sizes are harnessing the potential of automation to ensure continuous compliance and the strongest security posture possible.

This change is akin to an industrial revolution for cybersecurity and it’s why Torq is experiencing such significant adoption. We’re working with organizations from Fortune 10 goliaths to high-velocity startups and solving major cybersecurity challenges for all of them. They’re all dealing with similar issues as they strive to protect myriad assets from the tens or hundreds of thousands of security events they face daily. Without automation, there simply isn’t a way to effectively mitigate the situation.

I couldn’t be more pleased to see the positive benefits our customers are experiencing. And I couldn’t be more proud of the Torq team that’s so dedicated to pushing the technological envelope. They’re constantly delivering new innovations to make the customer experience as simple, yet powerful and comprehensive as it can be.

We’ve only just begun the Torq journey. I can’t wait to show you everything that’s coming up in the near- and long-term. Our customers and employees represent a true community. It’s our pleasure and privilege to play such an important role in protecting today’s digital-first organizations.

Torq Announces 385% Customer Growth and 360% Revenue Increase

Torq Also Announces Visionary Additions to Executive Team, 150% Headcount Growth, New EMEA and APAC Offices, and Expanded Partner Ecosystem.

PORTLAND, Ore.—Torq, the leader in no-code security automation, today announced 385% customer growth, a 360% revenue increase, and 150% headcount expansion across the last three quarters. The company has also appointed visionary new executive leaders with the addition of CFO Yaron Bartov, and Head of Security Aner Izraeli, as well as opened new offices in the UK, Spain, and Taiwan. In addition, Torq now has more than 100 technology integration partners, including Armis, Orca, SentinelOne, and Wiz.

Torq’s expansion underlines the rapidly-growing adoption of its platform that enables security teams from Fortune 100 companies to startups to create automated security workflows and streamline processes to respond to threats faster, and deliver best-in-breed cybersecurity defenses across their organizations.

“Torq’s dramatic growth trajectory is evidence of the significant market fit for our no-code security automation platform that empowers security teams of all sizes to implement and deploy the most robust cyberdefense postures at scale,” said Ofer Smadari, co-founder and CEO of Torq. “Torq’s easy no-code automation is enabling digital-first enterprises to overcome the cybersecurity challenges they face when shifting to the cloud by blocking the exponentially-increasing volume of threat incidents. Torq also relieves overworked security teams from dealing with time-consuming, manual, reactive processes, and false positives, so they can focus on high-value remediation and response.”

Torq’s latest additions to its executive team possess comprehensive cybersecurity experience from prestigious companies, further strengthening its ability to deliver the most positive customer and employee outcomes possible. New Torq CFO Yaron Bartov was previously the CFO for GuardiCore, and Vice-President of Finance and Operations at Wix.com. Aner Izraeli, Torq’s new Head of Security, previously served as Information Security Manager for Intezer, and helmed SIEM/SOC incident response at Outbrain.

Rapidly-Growing Customer Success and Traction

Customers that have deployed Torq have quickly ramped up their active workflows by 3.5X, which showcases the increasing usage and traction for its platform. Every customer is now ingesting and processing hundreds of thousands of daily cybersecurity events, using Torq to both shield them from impact, and ensure strict compliance with standards such as NIST and MITRE.

“Torq’s unique no-code security automation approach has fundamentally transformed and accelerated our security team’s ability to rapidly identify and remediate cybersecurity threats,” said Yaron Slutzky, Chief Security Officer of Agoda. “With Torq, Agoda has significantly advanced its cloud security posture, and brought a new level of rigor to security operations. Torq’s pre-built workflows enable us to easily deploy cybersecurity defenses at scale throughout our organization, mapping to countless different use cases, and protecting us across multiple conceivable incursion points.”

Expanding Partner Ecosystem

Torq’s no-code security automation platform is also driving extraordinary partner traction, with more than 100 technology partners now a part of its ever-expanding community. Torq technology partners play a critical role in driving adoption, integration, and visibility for Torq’s evolving offerings.

“Together, Torq and its partners help customers make the most of their cybersecurity investments by automating processes throughout the entire security stack and delivering best practice workflows for security operations across dozens of partner platforms,” said Eldad Livni, co-founder and Chief Innovation Officer of Torq. “We’re constantly developing and unveiling new security automation innovations at a rapid pace with complete partner integration to deliver unparalleled protection.”

“Through our partnership with Torq, we recently announced Armis Enterprise Workflow Automation (EWA), a new module for security automation and threat response workflows,” said Peter Doggart, Chief Strategy Officer of Armis. “Security teams now have a seamless and rapid experience to build event-triggered workflows, no matter how simple or complex the process, and no matter how many tools are involved.”

Last June, Torq also established the Torq Automation Alliance, a first-of-its-kind channel partner program. The alliance is designed to maximize the benefits partners deliver to customers by providing streamlined access to Torq’s platform, enablement, and marketing materials. Torq Automation Alliance members can also leverage Torq’s knowledge base and template library to address virtually any security process.

To learn more and get started with Torq, visit Torq.io.

About Torq
Torq is a no-code automation platform for security teams. Torq allows any security professional to connect to any system, anywhere, and easily create automated workflows that streamline security processes. Fortune 100 enterprises and cutting-edge startups alike trust Torq to help them maximize their cybersecurity investments, respond to threats faster, and deliver protection at the speed of business.

Media Contact:
MikeWorldWide (MWW) for Torq
Krista Couch
[email protected]

Why Templates Deliver Critical Best Practice Workflows For Maximizing Enterprise Security

It’s difficult for even the most advanced security teams to stay on top of evolving incursions and ensure their processes effectively map to prevent them. That’s where pre-built templates come into the conversation. No-code security automation templates can handle the considerable burden of having to maintain and update processes that integrate with a company’s security stack.

Having the right systems, tools, and people in place is essential for an effective cybersecurity posture. But while templates may sound unsexy, they’re the critical connective tissue that helps enable all three to significantly mitigate the hundreds of thousands of daily cyberthreats the typical enterprise encounters. They also ensure modern compliance requirements are proactively and accurately addressed.

Comprehensive Templates for Comprehensive Security

Torq now offers hundreds of security workflow automation templates aligned to MITRE, NIST, and Defense-in-Depth standards. Security teams of all sizes can easily use these templates to rapidly boost incident response speed. They all deliver impressive time to value and ease of use for security teams of all sizes.

Available at no extra cost to Torq customers, these templates are entirely ready to deploy, with minimal configuration. They’re specifically designed to enable security teams of all levels to instantly deploy workflows across their infrastructure and third-party app ecosystem to identify and block cyberthreats before they have a chance to make a significant impact.

Torq templates can be deployed with a single click across thousands of security integrations and vendors. Torq developed its templates in conjunction with its 100+ ecosystem partners, including Orca, Wiz, Armis, and SentinelOne, to ensure customers can build out and standardize their security processes at cloud scale. They enable large security teams to focus on bigger-picture security management. And they dramatically reduce the workload for smaller teams overwhelmed by parsing endless security alerts, rather than focusing on critical threats.

How Torq Templates Mitigate Critical Security Events

Our expansive template library addresses hundreds of critical security scenarios, including:

  • Third-Party Identity Lifecycle Management—Workflows can vet all external network access, ensuring contractors and partners are approved, current, and can only engage with systems and data they are authorized for. Torq templates cross-check identity against IdM and SSO systems such as Okta. If a potential incursion is identified, Torq automatically shuts down the account, and alerts the security team to take further action.
  • Contextual Threat Hunting—Integrates with services like SentinelOne endpoint security to harness its alerts, and automatically enrich its findings. Torq’s template infuses reports with additional critical data from threat intelligence services such as VirusTotal, to detect suspicious files, domains, IPs, and URLs, as well as to identify potential malware and other breaches. The enriched data delivers a comprehensive contextual view into the alert for security teams to rapidly understand and mitigate the situation, as well as prevent further related attacks.
  • Cloud Security Monitoring and Remediation—Ensures storage classes like AWS S3 are protected with advanced encryption, or are publicly accessible only where company policies allow it. If a service such as Wiz or Orca detects that a storage class is improperly classified, Torq automatically collects the relevant data, and sends a critical alert to a security analyst to rapidly remediate the issue.

Get Access to Torq Templates Now 

Already a Torq customer? You can find our comprehensive Template Library here, or by clicking ‘templates’ on the left-hand menu in the app, just below your existing workflows. 

Get Started with Torq, Today

Not using Torq yet? Explore some of our most popular templates and see how Torq’s no-code automation accelerates security operations to deliver unparalleled protection. 

5 Questions to Ask When Developing an Automation Strategy

This post was previously published on The New Stack

Automation is like running a marathon. It sounds like a great and noble pursuit until you actually go out and start pursuing it. At that point, it’s easy to fail if you don’t prepare yourself ahead of time for the challenges that are inherent to the process.

Indeed, although automation can provide a number of awesome benefits, whether you actually reap those benefits depends on how easy it is to implement and manage automation tools. And, as many teams discover, doing these things may be harder than it often seems.

That’s why it’s critical to take a balanced approach to automation by being strategic about what and how you automate. Keep reading for a discussion on what to consider before developing an automation strategy for your team or business.

The Pitfalls of Automation 

If you work in IT or security, you probably don't need to be reminded why automation is useful in theory: it can save time, reduce toil, reduce errors and so on.

What’s easier to overlook, however, are the potential pitfalls of automation. If your organization isn’t actually ready for automation, or the automation tools you choose are not a good fit for your organization, automation can do more harm than good.

Specifically, automation may lead to problems like:

  • Slower tool deployment because your team struggles to manage the complex configurations required to implement automated workflows.
  • High rates of false positives and negatives because your automation tools are not configured properly for your environment.
  • Dependency on key employees to manage automation tools because only those employees know how the tools work or have the skill sets to support them.
  • Half-baked automations where some parts of your workflows are automated but others are still manual, and no one is sure which is which.
  • The automation of poor processes, which results in problematic processes being performed faster. It would be better to step back and redesign a flawed process than apply automation to it.

To avoid these pitfalls, you need to take a measured and systematic approach to automation. Rather than jumping head-first into automation tooling without having a plan about how to deploy or manage it, ask yourself these questions.

1. What Will You Automate?

Although it’s tempting to imagine that you’ll automate everything, almost no one does that. There will always be some processes that you operate manually, either because you lack tools to automate them, or they don’t occur frequently enough to benefit from automation.

So, sit down ahead of time and identify the specific processes you plan to automate. Make your choices based on how much benefit you’ll gain by automating each process, as well as how easy it will be to automate it.

Keep in mind, too, that some processes should be only partly automated. For instance, maybe you need to grant just-in-time access to a user. Elements of the process like identifying the user and confirming current access rights can be automated. But confirming whether that access is warranted can be left to a human.
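Here is what that split looks like in code. This is an added example, not a Torq template: the directory, the JIT policy and the e-mail addresses are constructed stand-ins for the IdP and policy lookups you would make over an API. The automated half can only reject a request or prepare it for a human; a grant always passes through an approver, and expiry is automated again.

```python
"""Partly automated just-in-time (JIT) access request.

Added example (not Torq code). The automatable steps (identify the requester,
confirm what they already hold, check the request is well-formed) run without
a human; the judgement call (is this access warranted?) is handed to an
approver. All directory and policy data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed directory: the IdP lookup you would normally make over an API.
DIRECTORY = {
    "alice@example.test": {"active": True, "groups": {"eng", "prod-readonly"}},
    "bob@example.test": {"active": False, "groups": {"eng"}},
}
# Constructed policy: which groups may be requested via JIT and for how long.
JIT_POLICY = {
    "prod-readonly": {"max_hours": 8},
    "prod-admin": {"max_hours": 2},
}
# Fixed "now" so the example is reproducible offline.
EXAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
THREE_HOURS_LATER = EXAMPLE_NOW + timedelta(hours=3)


@dataclass
class Decision:
    status: str                 # "denied", "noop" or "pending_approval"
    reason: str
    context: dict = field(default_factory=dict)


def triage_request(user: str, group: str, hours: int, now: datetime) -> Decision:
    """Automated pre-checks. Never grants; only rejects or escalates."""
    account = DIRECTORY.get(user)
    if account is None or not account["active"]:
        return Decision("denied", "unknown or disabled account")
    policy = JIT_POLICY.get(group)
    if policy is None:
        return Decision("denied", f"{group} is not eligible for JIT access")
    if hours <= 0 or hours > policy["max_hours"]:
        return Decision("denied", f"duration must be 1-{policy['max_hours']}h")
    if group in account["groups"]:
        return Decision("noop", "user already holds this access")
    # Everything a human needs in order to decide, gathered in one place.
    return Decision("pending_approval", "awaiting human approval", {
        "user": user, "group": group, "hours": hours,
        "current_groups": sorted(account["groups"]),
        "expires_if_approved": (now + timedelta(hours=hours)).isoformat(),
    })


def approve(decision: Decision, approver: str) -> dict:
    """The human step: only a pending request can become a grant."""
    if decision.status != "pending_approval":
        raise ValueError("only pending requests can be approved")
    if approver == decision.context["user"]:
        raise ValueError("requester cannot approve their own access")
    ctx = decision.context
    DIRECTORY[ctx["user"]]["groups"].add(ctx["group"])
    return {"granted_to": ctx["user"], "group": ctx["group"],
            "approved_by": approver, "expires_at": ctx["expires_if_approved"]}


def revoke_expired(grants: list, now: datetime) -> list:
    """Automated again: time-bound access is removed without a human."""
    removed = []
    for g in grants:
        if datetime.fromisoformat(g["expires_at"]) <= now:
            DIRECTORY[g["granted_to"]]["groups"].discard(g["group"])
            removed.append(g)
    return removed


if __name__ == "__main__":
    d = triage_request("alice@example.test", "prod-admin", 2, EXAMPLE_NOW)
    print(d.status, d.reason)
    grant = approve(d, "carol@example.test")
    print(grant)
    print(revoke_expired([grant], THREE_HOURS_LATER))
```

The shape to notice is that `triage_request` has no code path that grants anything. Automation does the lookups and rejects the obviously wrong requests; the one decision that needs judgement is packaged with its context and handed over, and the clean-up (expiry) is automated so the human step never has to be repeated in reverse.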

2. Who Are the Automation Stakeholders?

Deploying automations can change the way a number of teams or individuals work. You should identify who those people are and how automation will affect them.

If you deploy security automations, for example, not only your security teams will be impacted. Network engineers, developers, IT engineers and so on also may be affected.

Make sure you have plans in place to communicate to all stakeholders how automation will affect them and how they need to update their workflows as a result.

3. Who ‘Owns’ Automations?

Along similar lines, it’s important to determine who is responsible for maintaining automations and dealing with any unintended consequences of them.

Who will ensure that automation tools are updated to support a new type of resource? Who will document how the automation tools are deployed and configured? Who will be held responsible if an automation tool generates a false negative and you miss a risk as a result?

If you don’t have clear answers to these questions, you run the risk that your automations won’t be properly maintained, and that they’ll create chaos within your organization.

4. Why Are You Automating?

Your rationale for adopting automations should never boil down to “because automation is good.” Instead, be specific in determining the outcomes you hope to achieve.

Are you automating in order to speed up workflows? To reduce toil? To do more with fewer engineers?

By answering these questions, you ensure that you can accurately assess the impact and return on investment of your automation initiatives. Otherwise, you are left in the position of having a vague automation agenda and a low ability to justify your automation investments.

5. Do You Have the Skills to Automate?

Last, but certainly not least, it’s absolutely critical to ensure that your teams have the skills necessary to deploy and maintain automation tools.

This is vitally important because some automation tools are much harder to configure than others, no matter how easy they are to use once set up. A SOAR, for example, is great if it’s carefully tailored for your environment, but configuring it may require writing a lot of custom code and policies – processes that could be out of your reach if you don’t have skilled security engineers and developers at your disposal. On the other hand, security tools like Torq, which is designed to be easy enough so that even non-technical users can create security automations, require fewer skills to deploy effectively.

The point here is that you need to take a close look at your organization’s skill sets, as well as the automation tools you plan to use and make sure they are in alignment before you commit to automation.

Conclusion

Automation is great, but only when you wield it wisely. Instead of automating just to automate, be sure you have a purpose, a plan and automation tools aligned with them to maximize your chances of automation success.

 

Ready to begin automating with Torq?

Get Started

Automated Threat Intelligence Enrichment: An Overview

This post was previously published on The New Stack

Discovering security threats is good and well. But, in many cases, simply knowing that a threat may exist is not enough.

Instead, you also need threat intelligence enrichment. Threat enrichment plays a critical role in helping to evaluate and contextualize threats, root out false positives and gain the insights necessary to mitigate risks as efficiently and quickly as possible.

Keep reading for a primer on how threat enrichment works, why it’s important and where to look to get key insights from threat intelligence data.

What Is Threat Intelligence Enrichment?

Threat intelligence enrichment is the process of gaining context through security threat data in order to better understand the threat.

For example, imagine you’ve detected port scans against your servers. You know the IP addresses of the hosts from which the port scans originated, but you don’t know much more than this.

In this case, threat intelligence enrichment could include insights such as where the offending servers are located and which operating systems they are running. This information may, in turn, be useful for determining whether you’re dealing with a probe against your network from a generic botnet or a port scan operation that originates from a more sophisticated group of attackers, like state-sponsored actors. Threat intelligence enrichment could also inform you whether port scans like the type you’ve experienced are associated with any specific known risks, like a pervasive malware attack recently launched against other organizations.

All these additional threat data insights would provide you with the information you need to react as intelligently and efficiently as possible to block the threat. They would also help you know how dangerous the threat might be. For example, a threat from a generic botnet is probably less risky than a targeted attack by sophisticated threat actors, and threat enrichment helps you know the difference.

Which Threat Enrichment Data Do You Need?

The data that threat intelligence enrichment provides can vary widely in scope and form. In general, however, the more data you have to contextualize a threat, the better.

At a minimum, threat enrichment data should include information about where a threat originated, which resources it affected and when the threat was detected or was active. You should also determine whether the threat was correlated chronologically with any separate attacks or attempted attacks that took place against other systems.

In some cases, threat intelligence enrichment can go deeper. For example, as noted above, threat enrichment might provide details about whether the pattern of security events you’ve witnessed is associated with a specific type of attack or group of attackers. This type of information is usually generated by security researchers who systematically study cyber events.

Threat Intelligence Data Sources

There are many ways to obtain threat data that enables threat intelligence enrichment. You should take advantage of all threat intelligence sources available to you.

Start by compiling as much data as you can from your own internal systems to provide context on a threat. This includes information like the time a threat was detected and the systems it affected, as noted above.

You can also use threat intelligence databases or feeds, which record information about known threat types, patterns and actors. Some of these sources are free and open source; MISP, for example, is an open-source platform for storing and sharing indicators, and many of its communities publish feeds. Others are proprietary, and either require a subscription or are built into security platforms you already use.

Automating Threat Intelligence Enrichment

You can, of course, manage your threat intelligence data manually by correlating and comparing it by hand.

That approach, however, is not practical at scale. A better strategy is to use automation tools like Torq, which provides continually updated threat intelligence by automatically collecting enrichment data about threats that may affect your business. An automated approach to threat intelligence enrichment not only saves your team time, but also helps you take full advantage of as much threat data as possible.

Putting Automated Threat Enrichment to Use

To a large extent, you can automate the operationalization of threat intelligence data by using it to drive automated workflows. You can, for example, configure specific actions based on threat enrichment data.

In some cases, however, threat enrichment will require some manual effort. In the case of complex threats, your team will need to study enrichment data by hand to determine the best course of action.

But in general, you should take advantage of automation wherever possible. The more you automate, the faster you can block threats and the lower your overall security risk.

An Introduction to Automation Basics

Automation is a powerful tool. With some foresight and a little elbow grease, you can save hours, days, or even months of work by strategically automating repetitive tasks. What makes automation particularly beneficial is that it eliminates manual interaction with multiple systems.

Rather than manually uploading data to an event response system or notifying key support personnel of an incident, tying these tasks together through automation can save critical time and help resolve problems faster and more efficiently. But, before we can fill in the gaps between all of the platforms we are responsible for, we first need to understand how data moves around on the web and how we can use that process to our advantage.

How Automation Works

To begin automation, we first have to understand how data gets moved around on the web and what methods are available for connecting different services. In the real world, we have phone calls and emails to coordinate between different entities, but on the web, we have “protocols.” The most common protocols for moving data from one service to another are arbitrary HTTP requests, formal APIs, and webhooks.

HTTP Requests

The World Wide Web is built almost solely on the concept of HTTP requests. These are the requests that browsers make to push and pull data from the websites they are interacting with. While this data is often interpreted and rendered as HTML, so-called arbitrary HTTP requests can be used for much more.

Whenever data is requested to update a website (such as the current weather, news, or any other type of information), a simple GET request is made to a target address, instructing its underlying server that you are trying to retrieve some information. This information can be used to build internal dashboards and automation tools, or even for more advanced use cases like supplementing information within Torq.

On the flip side, when data needs to be pushed back out (such as when a web form is filled out and submitted), a POST request is made. This is a great solution for automatically filing support tickets or sending emails using third-party platforms without formal API support.

Third-Party APIs

Speaking of API support, one of the most common ways to automatically send and receive data within online services is through the use of formal APIs. An API (or, for the truly uninitiated, an Application Programming Interface) is a set of contracts that can be used to interface with a third-party application.

In the case of the web, APIs are generally powered by HTTP requests, but with a bit more formality. They offer official support for things like authentication, authorization, and rate limiting, in addition to stability and longer-term commitment to the request contracts. In other words, if you need to integrate with a third-party service to either push or pull data, using an API is far more stable than using arbitrary HTTP calls.

Webhooks

The unintuitively named “webhook” is a web-based endpoint that listens for data from some external source and reacts to it in a pre-defined way. Rather than manually (or repetitively) polling for data using an HTTP request or third-party API call, a webhook can be used to receive that information as soon as it is made available. Think of it like an API, but in reverse.

For example, Slack, Twitter, Stripe, and many other providers can send JSON-formatted payloads to any address you define, allowing you to update internal databases as information changes in real time, or even trigger Torq workflows for more complex operations. Because that address is reachable by anyone, not just the provider, the endpoint should authenticate each delivery before acting on it; most providers sign their payloads with a shared secret for exactly this reason.
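What "authenticate each delivery" looks like, as an added example rather than code from Torq or from any provider. Slack and Stripe both sign webhooks with HMAC-SHA256 over a timestamp and the raw body, but the header names, prefix and encoding differ between providers, so the format used here (`X-Hook-Timestamp`, `X-Hook-Signature`, `v1=<hex>`) is an assumed stand-in, and the shared secret and payload are constructed. The sending side is included only so the example runs offline.

```python
"""Verifying a signed webhook before acting on it.

Added example, not Torq's or any provider's code. The header names and
"v1=" prefix are assumptions; check your provider's documentation for the
real scheme. SECRET is a constructed stand-in for a secret provisioned
out of band.
"""
import hashlib
import hmac
import json

SECRET = b"constructed-shared-secret"   # assumption: provisioned out of band
TOLERANCE = 300                           # seconds of clock skew / delivery delay allowed
_seen = set()                             # replay cache of (timestamp, signature) pairs


def _signing_input(body: bytes, ts: int) -> bytes:
    # Binding the timestamp into the MAC is what makes the freshness check meaningful.
    return b"v1:" + str(ts).encode() + b":" + body


def sign(body: bytes, ts: int, secret: bytes = SECRET) -> dict:
    """What the sending side does; here only so the example is self-contained."""
    mac = hmac.new(secret, _signing_input(body, ts), hashlib.sha256).hexdigest()
    return {"X-Hook-Timestamp": str(ts), "X-Hook-Signature": "v1=" + mac}


def verify(body: bytes, headers: dict, now: int, secret: bytes = SECRET) -> tuple:
    """Return (ok, reason). The body must not be parsed until ok is True."""
    try:
        ts = int(headers["X-Hook-Timestamp"])
        sig = headers["X-Hook-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    if abs(now - ts) > TOLERANCE:
        return False, "timestamp outside tolerance"
    if not sig.startswith("v1="):
        return False, "unsupported signature version"
    expected = hmac.new(secret, _signing_input(body, ts), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison time independent of where the first mismatch is.
    if not hmac.compare_digest(sig[3:], expected):
        return False, "signature mismatch"
    key = (ts, sig)
    if key in _seen:
        return False, "replayed delivery"
    _seen.add(key)
    return True, "ok"


def handle(body: bytes, headers: dict, now: int) -> dict:
    """Receiver entry point: verify first, then route on the payload."""
    ok, reason = verify(body, headers, now)
    if not ok:
        return {"accepted": False, "reason": reason}
    event = json.loads(body)
    # Constructed routing: act on the event type the payload declares.
    return {"accepted": True, "action": "open_ticket" if event.get("type") == "alert" else "ignore"}


if __name__ == "__main__":
    payload = json.dumps({"type": "alert", "id": "constructed-1"}).encode()
    hdrs = sign(payload, 1_700_000_000)
    print(handle(payload, hdrs, 1_700_000_000))                  # accepted
    print(handle(payload, hdrs, 1_700_000_000))                  # replayed delivery
    print(handle(payload + b" ", hdrs, 1_700_000_000))           # signature mismatch
    print(handle(payload, hdrs, 1_700_000_000 + 3600))           # timestamp outside tolerance
```

Three details matter in practice: the MAC is computed over the raw bytes exactly as received (re-serializing the JSON first will change whitespace and break verification), the timestamp is part of the signed input so a stale delivery cannot simply be re-stamped, and the replay cache closes the window in which an identical, still-fresh delivery could be sent twice.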

Choosing Your Automation Methods

Connecting an unknown number of services and systems together is no mean feat. It can require a lot of coordination and planning to ensure that the defined automations work as expected, and even then, there is always a chance that the method used to integrate those services won’t stand the test of time.

So, how do you choose an automation method? When is a webhook a better choice over an API call? When should you use an API call over an arbitrary HTTP request? There are a lot of variables to take into account, but it generally comes down to weighing your needs against what’s possible.

Speed vs. Reliability

It’s no secret that an API is far more reliable than an arbitrary HTTP request, but sometimes developing against an API requires more work and overhead than a simple HTTP call. When connecting multiple services into a cohesive automation, determining your risk profile when it comes to speed versus reliability is key. Proofs-of-concept and non-mission-critical integrations are common scenarios where it might make more sense to quickly create an HTTP request instead of an equivalent API call.

Time-Sensitivity

Webhooks are incredibly useful when you need to react to the data as it changes, but this may not always be what you need. Maybe you want to update data on a slower cadence (such as daily or weekly), or maybe you want to batch the events that get triggered by changes in webhook data. A good rule of thumb is that if changing data has time-sensitive consequences like alerts or other automations, then webhooks are the way to go (if available); otherwise, you can feel free to pull the data down only when you need it.

Building Your Automation Workflow

Successful automation is a game of checks and balances, and how you connect multiple systems together is often a balance between what is possible and what is practical. Sure, integrating with formal API specifications across all of your platforms might be the "right" way to do things, but it's important to also consider the time cost of doing that work.

Sometimes, a combination of simple HTTP requests and webhooks can solve for your specific use-case while cutting down on implementation time. Ultimately, what matters is that you take into account how quickly you can spin something up given the available solution paths and how stable it needs to be when making decisions about integration.

To ensure a more consistent and frustration-free experience with automations, platforms like Torq can help establish these connections for you. Torq provides hundreds of pre-built integrations that can perform common security tasks across other tools. This removes the need to write and maintain your own integration code against each vendor's API, and can even consolidate multiple API calls into a single pre-built action.

Whichever you choose, preparing yourself with the knowledge of various benefits and liabilities for each model will start you on the path to success.