Product

Step Builder: One Giant Leap for No-Code Capabilities

By Torq
January 29, 2024
3 Minute Read

No-code support should be just that – the ability to build automations without coding.

At Torq, we continually work to extend the out-of-the-box no-code automation features available in our platform. That’s just what we’re doing with Step Builder, a new no-code feature that is now in GA.

Step Builder gives Torq users the ability to quickly and easily create custom content without the need to code, making your options for integration limitless. We already offer several thousand pre-built steps from more than 250 vendors, and Step Builder infinitely expands your options with a way to create a new, custom step with no code required. When we say “limitless integrations” we mean it – you can use automation for whatever you want.

And Step Builder features a dynamic preview of the step you’re creating – so you can see how it will look as you build it. You can also do a test run directly from Step Builder without having to return to the workflow.

Step Builder introduces new simplicity and efficiency to Torq’s already expansive no-code user experience, going well beyond what’s offered through legacy SOAR. There’s no need to code at all to extend the system and you can virtually create new steps or modify existing ones.

It’s also functionality not offered by other no-code automation solutions. With Step Builder, you can create high-level no-code steps that you can use without the need to understand the underlying REST APIs or care about technicalities, while other no-code systems allow for the creation of custom REST API/Webhook call steps, but you still have to take care of the additional details.

Step Builder is available to use now in the Torq Hyperautomation Platform.

AI Completions for Advanced Steps

Along with Step Builder, we’ve also released a new feature that gives automators of all skill levels the ability to bring scripting, querying, and coding capabilities into a no-code workflow by using Generative AI completion.

AI Completions for Advanced Steps is now available in the Workflow Designer. It simplifies and streamlines extensibility and the creation of advanced scenarios in Torq workflows. Specifically for cloud administrators using Torq in AWS, Azure, Google Cloud, and other platforms, this brings in a familiar language of capabilities available in the often very advanced CLI interfaces these platforms offer.

It’s simple to use: when you’re in the Workflow Designer, you can use the step name (description) as an input for Generative AI to generate that step’s advanced configuration and complete the step, whether that’s command arguments, scripts, queries, etc. Now in GA, the feature supports Python, Bash, PowerShell, JQ, RegEx, AWS CLI, Azure CLI, and GCP CLI.

This eliminates the need to bounce between tools and windows to build scripts – you can do it all from within Torq.

AI Completions for Advanced Steps is a win-win – giving less technical users in-context automation options, while giving more technical users who know what they want to achieve a more streamlined experience.

To see how Torq can improve your efficiency and productivity, request a demo.

Share

Related Articles

Integrations

Torq + Abnormal: Key Use Cases for More Secure Email

By Torq
January 24, 2024
3 Minute Read
Torq + Abnormal: Key Use Cases for More Secure Email

At Torq, we like to say “if it talks, we can connect to it.” Our limitless integrations are what set us apart from the pack. 

Our hyperautomation platform connects to any system seamlessly, no matter its complexity. It’s our open architecture that empowers this dramatic unification of your tech stack, and lets you maximize your security investment while enhancing efficiency and effectiveness of your security operations.

One of our key tech partners is Abnormal Security, the leader in email security. With Torq and Abnormal, you can orchestrate and automate response to email security events, analyze emails and their attachments, and automatically perform remediation actions. 

Here’s a look at two use cases in which Torq and Abnormal combine powers:

Account Takeover

This use case is simple, but effective, and is designed to help you protect your organization in the event of an account takeover.

When Abnormal Security detects a compromised email account, Torq sends an alert to the chosen collaboration platform – Slack or Teams – to notify response teams and the user that their account is suspended. In some instances, Torq can also request clarification from the user regarding the alert. From there, the account can be suspended or locked in Okta or in Microsoft Entra ID.

This use case also gives the option to communicate with the user first to give them a heads up of the compromise and that their account will be locked or suspended. There is an option in the workflow to kill all of the users authorized sessions to the organization’s resources, as well.

This use case is designed specifically to ensure that a compromised account can’t cause more damage. 

Without Torq, the time from detection to remediation would be longer, giving the bad actor more time to impersonate a valid authorized user. With Torq, the response is immediate. 

Post-Breach Remediation

This use case solves an all too common problem: an email is classified as malicious after a user has already interacted with it. 

It works like this: Torq fetches all of the pertinent details, such as the user affected, the device, and the geography. 

If there was a malicious file in the email that was opened or downloaded, Torq triggers a scan in the EDR, determines if other users received or interacted with the email, and isolate and delete that file. From there, you can add the file hash to your EDR block list or, if it’s a link, you can search for communication to the bad actor and if it happened in other places in the organization. activities from the organization.

Those are just two ways Torq and Abnormal work together to automate and improve email security. If you’d like to see this integration in action, schedule a demo.

Share

Related Articles

Integrations

How To Automate Recorded Future With Torq

By Torq
January 18, 2024
4 Minute Read
How To Automate Recorded Future With Torq

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.  

In our latest blog series, Hyperautomation Cheat Codes, we look at some of Torq’s key partners and highlight some of the automations that we pair up on. In fact, we make it so easy it’s like you have a cheat code (and it usually takes fewer steps than Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start).

In this post, we’ll talk about how to automate Recorded Future using the enterprise-grade Torq Hyperautomation platform to level up how your organization collects, processes, analyzes, and disseminates threat intelligence.

Here are the top four Torq and Recorded Future automations:

Analyze URLs and Files in Recorded Future Sandbox

In three simple steps, this workflow submits URLs to Recorded Future Sandbox for analysis.

  1. URLs in the urls_list are submitted as URLs and are analyzed as a website.
  2. URLs in the files_url_list are downloaded and analyzed as a file in the sandbox.
  3. Both lists are verified to have valid URLs here submitted to analysis, other values are removed

Boom! It’s that simple to use Torq and Recorded Future to analyze URLs and files in the sandbox. 

Enrich Hashes, CVEs and IP Addresses with Recorded Future

The focus of this automation is for users to receive a message with one or more CVEs, SHA256 hashes, or suspicious IP addresses from Slack and enrich the data with Recorded Future.

The first step is receiving a Slack message that extracts all indicators of compromise (IoCs). Then, it confirms the extracted IoCs with the requesting user. If provided in the event, the CVE detail is enriched and the Slack thread is replied to. The same is done for hash details and IP details if they’re provided in the event. 

The results are then sent to the Slack thread where the request originated.

Monitor an Outlook Mailbox for Phishing With Recorded Future

Thwart phishing attempts by cutting them off at the pass!

With this workflow you can automatically scan the messages arriving to a specific folder in Outlook with Recorded Future and Recorded Future Sandbox to look for malicious or suspicious URLs and files. The workflow looks for messages in the folder labeled “Not-Scanned” and uses Microsoft 365 Delegated access for easy setup on a mailbox.

The message headers will also be extracted and the public IP addresses that are not outlook.com domains will be looked up for a verdict in Recorded Future. 

After that, the workflow will also attempt to look for additional attachments at the top level of the message that are included and scan them – nested file attachments will not be scanned.

When results are found in either Recorded Future or Recorded Future Sandbox, the label on the email will be updated to indicate either Torq Investigated, Suspicious, Malicious, and/or Phishing (this workflow automatically creates the necessary labels in the mailbox if they do not exist). Then an email is sent back to the originator of the message with the findings.

TIP: Setup an Outlook rule that moves messages into the scan folder and sets the Not-Scanned category on the message.

Detect Impossible Travels In Okta Logins

This workflow analyzes users’ successful logins from different locations within a three-hour timeframe. If the end user does not accept ownership of a login, account hijacking is suspected and can be remediated by resetting that user’s password. When the password is reset, the user will receive a link by email to create a new password.

This workflow triggers only on successful logins and maintains the user’s login history using global variables. It obtains the geolocation of the source IP and compares it with the geolocation of the last login to find the distance between the two locations.

It can use VirusTotal and Recorded Future to enrich the source IP reputation. 

Those are just three of the myriad integrations Torq offers with Recorded Future to improve how your organization collects, processes, analyzes, and disseminates threat intelligence. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.

Ready to see Torq in action? Click here to get a demo.

Share

Related Articles

Integrations

How To Automate Incident Response with SentinelOne and Torq

By Torq
January 18, 2024
3 Minute Read

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.

In this post, we’ll talk about how the enterprise-grade Torq Hyperautomation platform integrates with SentinelOne to level up your organization’s SOC workflows with autonomous incident response

Here are the top three Torq and SentinelOne automations:

Enrich SentinelOne Incidents With Threat Intelligence From Intezer

Essentially, this workflow allows you to poll incidents in SentinelOne, and for each unresolved threat, it provides threat enrichment from Intezer with an optional Live Agent Endpoint Scan.

First, it will poll for recent threats in SentinelOne that are not resolved on a scheduled interval – for example one day. Each unresolved incident file hash will be queried against Intezer and the results will be provided in the notes of the threat.

A SentinelOne deep visibility query will also run to gather how many other instances of this hash have been found in the environment.

If the results from Intezer indicate a malicious or suspicious result, the customer’s Slack channel will be asked if an Intezer Live Scan is desired. If the answer is yes, the workflow will execute a remote script to install the Live Scan agent, run the scan, and gather the results of the scan, placing the results into the Slack channel and SentinelOne notes on the threat.

Threat Hunt for a Specified SHA1 Signature (SentinelOne) and Search Within SentinelOne XDR Solution for the Malicious File(s)

Using this workflow, you can receive a file signature from Slack and hunt for the signature across EDR agents, notify the owners of the endpoint, and kick off a scan of the device. 

Here’s how it works:

  • Receive a Slack command with platform and SHA1 hash
  • Add the hash to the blacklist for the platform if it does not exist
  • Initiate a Deep Visibility query to threat hunt for the signature
  • Go over the affected agents/hosts
  • Retrieve the information from either Jamf or Intune
  • If the owner is found in Slack, reach out to them directly, otherwise update the Slack channel
  • Scan the endpoint/host with a full disk scan

From there, you can search in SentinelOne’s XDR solution for the malicious files. 

Enrich SentinelOne Findings With Threat Intelligence

This workflow retrieves the latest threats from SentinelOne on a schedule (say, every five minutes). And for each threat found, it retrieves the signatures of the files involved. 

Then, for each file, it queries VirusTotal and Recorded Future for analysis then updates the notes on the threat in SentinelOne with the results.

You can also run a deep visibility query on SentinelOne for other results for the same file hash and add the deep visibility count to the notes for the threat in SentinelOne.

Those are just three of the myriad integrations Torq offers with SentinelOne for autonomous incident response. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.

Ready to see Torq in action? Click here to get a demo.

Share

Related Articles

Integrations

How to Automate Cloud Security with Torq and Wiz

By Torq
January 17, 2024
4 Minute Read
How to Automate Cloud Security with Torq and Wiz

The Top 3 Wiz and Torq Automations

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.  

Integrating Torq and Wiz enables security teams to automate the remediation of cloud security issues, freeing up analysts’ time and giving them the ability to tend to the laundry list of low and medium issues that often go untouched. These low and medium issues still pose a threat, so creating an automation for them can help avoid a security incident. With Torq and Wiz, SecOps teams can create fully automated or human-in-the-loop remediation workflows for things like expired secrets, or unused privileged access keys. These automations are more powerful options than those available with legacy SOAR platforms.

In this post, we’ll talk about how the enterprise-grade Torq Hyperautomation platform integrates with Wiz to level up your organization’s cloud security. 

Here are the top three Torq and Wiz automations:

Handle Wiz Alerts For Public AWS S3 Bucket With Sensitive Data

Looking for a simpler way to deal with Wiz alerts for when public AWS S3 buckets contain sensitive data? You’re in luck.

This workflow receives an alert from Wiz when an AWS S3 bucket is found to be exposed to the public with sensitive personal data contained in it and it triggers on Wiz ID wc-id-1264.

When the trigger is received, the workflow will pull the bucket’s public access settings and tags and look for an owner tag. If an owner tag is not found, it will set notifications to a specific Slack channel.

From there, it checks the public settings on the S3 bucket to see if the issue was resolved before the alert from Wiz was triggered, and, if it is still publicly accessible, it will ask to limit access to the bucket. 

Once the user agrees, the bucket settings are updated and the Wiz alert is moved to in progress. If the user does not agree, or the question times out, a Jira issue is opened to track the issue and the issue ID will be added to the Wiz alert.

It’s important to note that this workflow will set the public block settings on the S3 bucket to “true” and block all public access. It is possible that your application will need a more granular update to the JSON policy to block the existing access; the existing policy will be provided in the Slack message

Enable AWS S3 Bucket Encryption On Alert From Wiz

This workflow is a simple and effective way to ensure that encryption is turned on for an AWS S3 bucket. 

First, the workflow receives an alert from Wiz and is triggered by an event with the control name “S3 bucket default encryption disabled.” If the owner tag is found, the owner will be contacted or notified in the Slack channel about the issue. 

This workflow then checks the encryption status on the bucket to see if encryption is still disabled and suggests remediation by enabling default AES256 encryption on the bucket. 

If the user or Slack channel rejects the notification, the workflow collects a reason and opens a follow up ticket and updates the notes on the Wiz issue. 

Remediate AWS EC2 Instance With Open SSH Access From Wiz Alert

This workflow receives an alert from Wiz and is triggered by an event with control name “Instances with open SSH to the world in AWS.”

If an owner tag is found, the user will be looked up in Slack, otherwise the Slack channel is updated. The user or channel is then asked to remediate the instance by shutting it down or removing the open SSH rule in the Security Group and by adding a specific network rule allowing SSH from a corporate owned network.

The user or channel will also have the option to open a Jira issue instead of doing the remediation. A Jira issue is opened for any issue with the process, and will be added to the issue notes in Wiz.

Those are just three of the myriad templates Torq offers with Wiz to improve cloud security. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.

Ready to see Torq in action? Click here to get a demo.

Share

Related Articles

Hyperautomation Product

Evade the SecOps Black Hole: A Five-Tier Approach to a Hyperautomated SOC

By Torq
January 11, 2024
5 Minute Read

There’s a term to describe what happens to something that gets sucked into a black hole: “spaghettification.” The gravitational pull of a black hole is so forceful, that it is believed to stretch and compress objects into long thin shapes resembling spaghetti.

SOC analysts spend their days trying to avoid being sucked into the black hole of overwhelming security events and alerts. They’re fighting to not be spaghettified.

Day in, day out, SecOps analysts face a staggering deluge of alerts. A recent Vectra AI study found that on average, SOC teams receive 4,448 alerts per day, and spend nearly three hours a day manually triaging them. Startlingly, that same study found that security analysts are unable to deal with 67% of the daily alerts they receive, with 83% reporting that alert alerts are usually false positives and not worth their time.

This overabundance of low-fidelity alerts and false positives clouds the judgment of security teams, and leads to alert fatigue. It’s also dangerous, in that it can distract from more impactful and important security operations, such as proactive threat hunting, strategy optimization, and addressing major vulnerabilities. According to IDC, 30% of alerts are ignored or not investigated due to alert fatigue. 

Meanwhile, according to IDC, 83 percent of cybersecurity employees say they’re struggling to cope with the volume of alerts, while 30% of alerts are ignored or not investigated due to alert fatigue. 

But all hope is not lost. Torq Hyperautomation provides the rocket fuel to help SOC analysts achieve escape velocity and evade the security events black hole. Through a hyperautomated SOC, a security operations center powered by hyperautomation through which the vast majority – 90% to 95% – of tickets, alerts, events, and incidents are handled and closed by hyperautomation, SOC analysts can eliminate alert fatigue and escape the black hole. 

A hyperautomated SOC helps eliminate alert fatigue through a five-tiered approach.

1. Collect the Noise: Millions of Events; One Hyperautomation Platform

First, Torq’s Hyperautomation platform effortlessly ingests event data with limitless horizontal scalability through a variety of mechanisms, such as message queues (AWS SQS, GCP Pubsub, Azure EventGrid,Kafka), direct webhooks, TCP transmission, email, and API polling, just to name a few. This is where we start collecting events. It’s where we embrace the chaos to bring order.

2. Start Filtering: Reduce the Noise 10x

Here, triggered workflow automations apply a 10x reduction filter. This slashes the volume of events from a million to hundreds of thousands. Torq’s technology sifts through the events to identify the data that matters most, zapping out false positives and low-fidelity alerts. Our horizontally scalable events pipeline performs numerous checks, ranging from string and numeric comparisons to more advanced regular expressions. Only the most relevant pieces pass through this stage. No more irrelevant and superfluous logs, events, or alerts get through.

3. Gain Context: Enrich Events With AI

This is where things get really exciting. We use stateful event filtering to reduce noise by 100x. Through intelligent event handling with large language learning models (LLMs), we enrich the

context for each security event. 

Your events volume is down to mere thousands now – as opposed to the millions you battled with before – and these are the events you should genuinely care about. 

From there, Torq Hyperautomation adds another layer of AI-driven stateful filtering, further enriched with context like threat intelligence, business context, or even historical events. Every event is vetted from multiple angles using LLMs and third-party security tools. Torq hyperautomates 95% of Tier-1 analysis with generative AI, which ultimately empowers you to make faster, better informed decisions.

4. Intelligent Security Case Orchestration: Automatically Triage, Classify, and Remediate 100s of Tier-1 and Tier-2 Cases

At this point, the funnel narrows to just 100s of security cases requiring further action, but they still don’t necessarily require human involvement. Torq Hyperautomation does the heavy lifting by intelligently delegating issues to R&D, DevOps, or related business owners.

If an event makes it this far, it requires serious attention. We’ve already performed significant

noise reduction and filtered out irrelevant events and alerts. It’s time to prioritize what’s critical. 

Through Torq’s sophisticated orchestration capabilities, some of these cases may still be handled entirely without analyst involvement. 

Third-party integrations like SecOps, DevOps, or application owners have handled vulnerabilities and other findings, and non-compliant assets have been flagged and are now considered exceptions. That, coupled with case management through external communication and ticketing, means you can automatically close about 90% of Tier-1 tickets.

5. Security Analyst Expertise: High-Priority Cases Require Human Intervention

A hyperautomated SOC does not eliminate the need for human intervention. It does, however, ensure that humans are the last, and most critical, line of defense for the most severe and high-priority cases. At this part in the process, you’re left with only critical security cases that have undergone rigorous scrutiny and automated handling. Now humans must intervene. By now, the remaining cases are enriched with valuable data, minimizing the time and effort needed to take appropriate action. Analysts can tap into a library of pre-configured sub-processes, making their operations significantly more efficient.

By the time an event has passed through Torq’s Hyperautomation platform, it has undergone an intense, multi-tiered evaluation and action process, each phase of which is designed to optimize accuracy and efficiency, and, of course, improve your security posture to defend against threats.

Following this five-tier approach can help SOC analysts prevent being sucked into the security event black hole (and avoid spaghettification). 

To read more about achieving escape velocity, read our guide “Escape the SecOps Black Hole.” And if you’re ready to hyperautomate your SOC with Torq, request a demo.

Share

Related Articles

Product Use Cases

Automating Extension Risk Assessment and Permissions

By Aner Izraeli, Head of Information Security
January 8, 2024
6 Minute Read
Automating Extension Risk Assessment and Permissions

Browser extensions are a classic shadow IT concern. Assessing the reputation and security of a browser extension is crucial before installing it on a company computer, as extensions often have wide-ranging permissions that could be abused for data theft or other malicious activities.

In an open environment style company, extensions generate significant shadow IT risk that needs to be managed and addressed.

Let’s shed some light on the security challenges extensions present, and how you can use Torq to automate assessing the risk an extension may pose.

I decided to get into the crabs of a certain extension that helps to capture screen full pages. When browsing the extension’s official page, I went to its privacy page, and there I noticed a header saying: 

The developer has disclosed that it will not collect or use your data.

Oh yeah? Let’s go deeper into the privacy policy!

And there I found these two clauses:

When you access our Service, we may automatically collect non-personal data from you, such as web pages viewed, browser type, operating system, referring service, search information, device type, page views, usage and browsing habits on the Service and similar data.

and:

It is possible at times when collecting non-personal data through automatic means that we may unintentionally collect or receive personal data that is mixed in with the non-personal data

From this point, I checked more data properties that could help me decide if this should be removed or stay. Along with reviewing the privacy policy and extension’s web page, I checked a few additional parameters:

Installation method

How the extension was installed – NORMAL or SIDELOAD

  • NORMAL – Extension installed directly by the user from the browser’s official extension store.
  • SIDELOAD – Extension installed from a source outside of the browser’s official extension store.
  • DEVELOPMENT – Extension that is being loaded directly into the browser for testing or development purposes, rather than being installed from a web store or other official distribution channel.

This particular extension was installed in a SIDELOAD fashion, which can pose a greater risk because it may not have undergone as stringent of a security review as it would have if it was in an official store.

Permissions

I also examined the extension’s permissions – what it allows an extension to do. The list of permissions included some dangerous ones:

  • <all_urls> – Allows the extension to access all web pages. This is a very broad permission and is one of the most severe in terms of potential privacy and security risks.
  • tabs – Gives the extension access to various properties of the browser’s tabs. This can include reading the URL, title, and other attributes of tabs and closing, moving, or creating new tabs.
  • unlimitedStorage: Permits the extension to store more data than typically allowed in the browser’s local storage.
  • system.display – Allows the extension to interact with the display properties of the system. This could include things like:
  • Querying display metadata: Fetching information about connected displays, like their resolution, orientation, etc.
  • Manipulating display settings: Changing settings such as screen resolution or orientation.
  • Controlling display layout: Positioning screens in multi-display setups.
  • scripting – Depends on what scripts are executed (someone mentioned supply-chain risk)

Vulnerability Scans

Using the free extension scanning tool CRXcavator can shed more light on extensions that may be considered in the risk assessment. Decision making data could be added through its API, such as:

  • Vulnerabilities scan: Are there any vulnerable applicative components? Are there CISA KEV vulnerabilities?
  • Risk Over Time: The extension’s overall risk, is it escalated?
  • CSP (content security policy): More advanced insights
  • Networking: Could be correlated with <all_urls>

Whois

Use Whois to find the extension’s website URL. This could help you understand more about an extension, like where the extension’s coming from, its domain’s age, and more. Whois revealed the particular extension’s domain age is 59 days.

Risk assessment time!

Given the insights I was able to gather, I can now assess the risk and make a decision.

  1. Privacy policy shows Uncompromised information of the ability to collect PII. This has tremendous consequences on compliance and privacy settings and policy.
  2. Considering permissions like <all_urls>, scripting, tabs – These generate risks affecting data privacy, compliance, supply-chain (scripting?), data-leak etc…
  3. Considering the installation method – NORMAL installation type would at least have lowered the risk, which is not the case here, as this one was installed in SIDELOAD fashion – outside of the browser’s official extension store, which means, it wasn’t reviewed by Google.
  4. Whois – domain age is very low – 59 – not always necessarily, but it could raise a concern that something fishy is going on.
  5. Considering there are a few high vulnerabilities (with high EPSS).

After examining the findings above, I assume that the prevailing conclusion would be to remove the extension. However, in any environment there are many variables that can cause decision-makers to leave the extension installed.

How to Automate Extension Risk Assessment

All this work has to be done manually, right? That may be feasible if you have only a few extensions to investigate. Most organizations, however, have 20 times that many extensions. So I decided to use Torq to create workflows to automate the extension risk assessment.

Here’s how I did it:

  1. Focus only on risky permissions. Extensions have dozens of permissions types. I used Torq’s Gen AI integration to assign a risk score (1 to 5) for each permission, considering their capabilities. Focusing on the most prominent permissions reduced the number of issues to address.
  2. Let AI summarize the privacy policy with a prompt focusing on personal information, additional data processors, and what is essential to keep compliance governed.
  3. Use WHOIS to grab the domain’s age and its activity status.
  4. Extract the extension’s CVEs and use the power of automation to enrich and attach CISA KEV, EPSS, and CVSS metrics for better vulnerability management.
  5. Correlate CVEs with your device vulnerabilities inventory to detect whether they are vulnerable.
  6. Aggregate all insights into one case for the verdict:
    1. If the risk is tolerable, reach out to the employee to understand whether the extension is used and needed for work purposes.
    2. If the risk isn’t tolerable, reach out to the employee to inform them of the extension removal. Execute the MDM command to remove immediately.
    3. Exclude the extension from use.

Conclusion

The decision to remove or keep an extension may change under different circumstances and based on differing data. However, an extension that violates privacy compliance and provokes severe vulnerabilities shouldn’t be ignored.

As security pros, it’s our job to educate and raise awareness about extensions and the potential risk they pose, while also providing insight based on investigation and analysis. From there, organizations can make informed decisions whether they’ll allow a certain extension.

Share

Related Articles

Product Use Cases

Squish the Phish: Hyperautomation Plays a Key Role in Phishing Defense

By Torq
January 5, 2024
4 Minute Read
Squish the Phish: Hyperautomation Plays a Key Role in Phishing Defense

Phishing isn’t anything new. It’s been a tried and true threat for nearly 30 years. Its age, however, doesn’t diminish its seriousness. 

Phishing By the Numbers

Actually, 2023 marked a significant growth in phishing attacks, mainly due to the rise in large language models and AI being used for nefarious purposes. For example:

  • Since Q4 2022, there’s been a 1,265% increase in malicious phishing messages (SlashNext)
  • On average, 31,000 phishing attacks are sent per day (SlashNext)
  • This year saw a 967% increase in credential phishing  (SlashNext)
  • An estimated 3.4 billion spam emails are sent daily (AAG)
  • 36% of all data breaches involved phishing (Verizon 2023 DBIR)

Enter Hyperautomation

What is hyperautomation’s role in phishing defense? Torq integrates with several key partners to offer use cases that can help organizations prevent, protect against, and understand phishing attacks and avoid costly data breaches – which AAG estimates can cost an organization more than $4 million on average. Here we look at six use cases where hyperautomation aids in fighting phishing. 

Secure Email Gateways (SEGs)

Torq partners with Secure Email Gateway providers to enhance their detection accuracy and response by correlating data across SEG solutions, like Abnormal Security, Microsoft, Proofpoint, Mimecast, and more. Torq autonomously initiates remediation actions, such as removing malicious emails or adjusting email security controls to protect against phishing attacks. 

Endpoint Detection and Response (EDR)

Working with EDR providers like Crowdstrike, SentinelOne, Microsoft, and others, Torq can correlate endpoint data for a holistic view of a phishing attack’s scope and impact, triggering automatic malware scans and coordinating with the EDR solution for threat removal and system restoration.

Data Loss Identification and Prevention

Two key things an organization must do following a phishing attack is evaluating the scope and scale of data loss, and ensuring that they adhere to regulatory compliance with the appropriate notifications and reporting. Torq partners with Data Loss Identification and Prevention providers like Microsoft, Crowdstrike, Varonis, and Symantec to automate these two important pieces of the phishing puzzle.

Cloud Access Security Brokers (CASB) and Identity Access Management (IAM)

Proactive measures are imperative to protect against phishing. One way Torq does this is by analyzing cloud-based user and entity behaviors to detect anomalies that could be indicative of phishing. 

And if a phishing attack does occur, Torq partners with IAMs to automatically disable compromised credentials to halt unauthorized access across cloud, on-premises, and hybrid environments; and automate the reset process for compromised credentials to expedite resolution.

Key integrations to achieve this include Okta, Active Directory, JumpCloud, OneLogin, Ping, and Wiz. 

User Reporting and Security Awareness

Chatbots have become a key component in both reporting potential phishing attempts and educating users on what to look for to prevent falling victim. Chatbots provide an easy and immediate interface for users to report suspicious emails by integrating with an organization’s communication tools, such as Slack, Microsoft Teams, Discord, email, and others. Chatbots can also execute automated actions such as resetting passwords, revoking access, or initiating scans for malware, with the option for human-in-the-loop authorization. Chatbots can also provide educational resources and coaching to users on how to avoid phishing and other future compromises and to improve their cybersecurity awareness. 

Security Operations Metrics for Continuous Improvement

Understanding the metrics after the fact can help prevent a phishing attack in the future. Torq partners with SIEM, SEG, and EDR providers to evaluate response times and effectiveness of automated workflows in handling phishing attacks, and to provide insights to continually improve security posture against phishing and other threats. Torq Hyperautomation also prioritizes and categorizes incidents using LLMs to automatically create cases based on severity, impact, and other predefined criteria to ensure rapid response to critical threats. 

Through Torq’s limitless integrations, our platform can connect to and automate any security tool, meaning we can integrate with nearly any modern solution on the market to help understand phishing threats and automate the response to them.

Want to see the Torq Hyperautomation platform in action? Request a demo.

Share

Related Articles

Integrations Product

How to Simplify AWS Automations with Torq

By Torq
January 4, 2024
3 Minute Read

One thing we’ve consistently heard from our customers is that using legacy SOAR solutions to build AWS automations and workflows is complex and painfully slow.

Why? Because legacy SOAR solutions typically use Python to do anything, and to make Python work for you, you have to be an expert in it. Python is often complex and requires writing scripts to execute most commands. And, often times, Python scripts create a single point of failure, where the person who wrote the scripts is the only one in an organization that knows them – if that person leaves, the scripts leave with them.

Torq, however, integrates with AWS CLI, which eliminates the Python problem by allowing you to run AWS CLI commands directly from the Torq Hyperautomation platform. This saves you time and effort when automating in the cloud and lets you do more.

Torq is the only hyperautomation solution that offers integrated AWS CLI functionality. Other platforms force you to learn the API for AWS for every single workflow or automation. With Torq for AWS CLI, you don’t have to learn API calls – it cuts out APIs altogether. 

With AWS CLI, you can run any type of command you want in Torq – you don’t have to write the hundreds of steps you’d typically have to with Python Boto3 scripts. It simplifies your scripts into a concise workflow, making it easier to troubleshoot, build, and reuse automations. 

For example, if you wanted to produce a list of all of your active S3 buckets, all you have to do is find the command in AWS CLI documentation, type it into the AWS CLI in Torq, and it’ll return that list. It’s a super flexible way to run commands.

Torq with AWS CLI also lets you test workflows while you’re building them, which is a much less complex alternative to writing intricate Python scripts. And you can unlock the true power of Torq’s limitless integrations with solutions like Slack, Snyk, Wiz, and Orca Security, when you tie them together and build workflows that interact with AWS using the CLI command. 

And with the addition of Torq’s AI completions functionality in the AWS CLI command tool, your job just got even easier. You can use native language to find commands, saving the time you’d have spent digging into documentation to find the correct commands. Now, you can find and run AWS CLI commands without ever leaving the Torq platform. 

Want to see how Torq with AWS CLI can help you escape Python’s stranglehold and overcome slow automations? Get a demo.

Share

Related Articles

Hyperautomation Product

The Journey to True Hyperautomation

By Torq
December 19, 2023
4 Minute Read
The Journey to True Hyperautomation

The benefits of hyperautomation are well documented. But it can be challenging to determine where to get started. 

Maybe you’ve been burned by outdated and antiquated solutions, like legacy SOAR, that were so complex, costly, and time consuming that a path forward seemed impossible. 

At Torq, the journey to true hyperautomation is a three-phased approach that will transform your security posture and result in more than 90% of SOC processes automated.

  1. Phase 1: Task automation
  2. Phase 2: Process automation
  3. Phase 3: AI-driven hyperautomated SOC

Let’s examine each of the three phases of the hyperautomation journey.

Phase 1: Task Automation

The journey starts by determining which specific tasks require significant manual effort from SOC analysts. The goal is to automate repetitive, rule-based tasks – it’s essentially laying the bricks for your cybersecurity foundation. We use APIs and event feeds to pull data and automate tasks that would otherwise consume your team’s valuable time.

During this phase, you can automate a broad spectrum of task-based workflows, such as IOC enrichment, ticket triage, audit processes, and tasks related to handling vulnerabilities. 

This phase can run anywhere from two weeks to three months based on your organization’s maturity and whether you’ve pre-determined what to automate. The timing is also dependent on the priority your organization places on automation creation and implementation.

It gives you a solid start on your hyperautomation journey. Once completed, you’ll have automated roughly 15% to 20% of SOC processes.

Phase 2: Process Automation

Now that you’ve laid the foundation, the second phase focuses on automating process-based workflows. Here is where we automate entire security workflows and processes, not just tasks. You’ll automate rules-based decision making and allow for a few exceptions where human judgment is required. Internal and external event triggers help in seamless flow to create a more robust, responsive, and intelligent automated system.

Process automation requires extensive communication with your technology stack and tailoring use cases from start to finish. During this phase, multiple tasks converge to serve a specific use case, where Torq bridges all of the different elements, reducing user dependency. The goal is to involve users solely in critical decision-making aspects. 

The result is quicker identification of threats and risks, which allows for immediate action and a reduction of the window of exposure.

Based on organizational maturity and the priority your organization puts on automation creation and how much time to spend, this phase ranges from a few weeks to six months.

Once phase two is completed, you’ll have automated 30% to 65% of SOC processes.

Phase 3: AI-Driven Hyperautomated SOC

The third and final phase of your hyperautomation journey is harnessing the power of AI to hyperautomate your SOC. It’s this phase where you integrate AI and machine learning to deal with complex decision-making processes. Torq processes unstructured events to deliver contextual insights through cognitive automation. To do this, you’ll leverage your processes and technology solutions alongside large language models (LLMs).

The goal of this phase is to streamline day-to-day tasks through a combination of workflow automation, your security stack, and AI – all driven by your unique business logic. It combines the power of both process and AI to enhance efficiency and address your business needs.

This phase varies in duration based on the time it took for you to complete the first two phases. But once completed, you’ll achieve true automation and will have successfully automated more than 90% of your SOC processes. 

Achieve True Hyperautomation

Once you’ve completed all three phases of the journey, you’ll have evolved from basic task automation to an advanced, AI-driven, hyperautomated SOC. You’ll have automated more than 90 percent of your SOC processes, and your security team will be able to focus on only the most complex and nuanced issues. And your SOC analysis will be relieved to have automations that can support them 24/7.

You’ll have achieved true hyperautomation.

Ready to start the journey to true hyperautomation? Request a demo.

Share

Related Articles