How Hyperautomation Unblocks the Events Processing Bottleneck

Legacy SOAR offers limited events processing capacity. That’s just the way it was built. SOAR uses a standard monolithic architecture in which the entire application is deployed as a single entity, typically running on a single server or a cluster of servers. This dramatically restricts SOAR’s processing capacity, and extending SOAR beyond these restrictive configurations is time-consuming and costly – scaling up typically requires an entire rebuild and redeploy.

The only ways to deal with that are underprovisioning or overprovisioning your legacy SOAR, but both create problems. Underprovisioning causes poor performance, slow response times, and reduced availability, which affects the user experience and your solution’s ability to identify and remediate threats effectively. Overprovisioning allocates more resources than are actually needed so that there is always enough capacity to meet demand, but that method boosts costs, reduces efficiency, and increases risk through an extended infrastructure footprint.

Where legacy SOAR falls short, however, security hyperautomation shines. 

Here are the five major benefits of using hyperautomation to process your security events to overcome the limits of legacy SOAR.

  1. Hyperautomation provides limitless horizontal scalability that allows individual components and services to be independently scaled based on specific demands.
  2. Hyperautomation allows you to sift through the noise, prioritize events, close false positives, and more – all at scale and with precision accuracy. Plus, it’s entirely automated.
  3. Hyperautomation ensures specific event types are directed to relevant owners and automatically enriched with decision-supporting data.
  4. Hyperautomation empowers you to automate the orchestration and handling of diverse technical solutions that best suit your requirements, including CNAPP, CSPM, CWPP, EDR, XDR, EASM, IAM, SAST, and DAST.
  5. Hyperautomation enables you to have SLAs for different events to ensure the flood of events from one type or source does not prevent the system from processing other events. 

Through dynamic defenses, security hyperautomation allows you to unblock the events processing bottleneck. Read more about how hyperautomation outperforms SOAR in our “SOAR is Dead” manifesto.

Torq for MDR: Increase Margin and Onboard Customers Faster

Managed detection and response providers (MDRs) are at an inflection point. They previously relied on legacy SOAR to secure their customers. But SOAR solutions struggle to keep up with the evolving and maturing threat landscape, and were not designed to scale into cloud environments.

As a way to break free from SOAR’s shortcomings, MDRs are turning to hyperautomation.

Torq gives MDRs:

  • Increased margin: Automate more components in your alert investigation, analysis, and response, and handle security events more efficiently with less human involvement.
  • Faster customer onboarding: Automate customer onboarding and ramp-up, share workflows and use cases across customers, and automate in multiple environments.
  • Limitless integrations: Integrate with every tool within your customers’ security stacks to increase business value and widen total addressable market.

Torq for MDR is a significant evolution from legacy SOAR. It gives managed detection and response providers the ability to perform up to 90% of Tier-1 case analysis tasks with an autonomous agent, 10 times faster onboarding and provisioning of new customer environments, and the ability to handle 5 times more security events without adding headcount.

Regarded analyst firms IDC and GigaOm have both noted that hyperautomation is leading the shift away from legacy SOAR solutions and signaling the future of security automation. And one of the country’s largest MDRs, Deepwatch, recently announced it has standardized on Torq Hyperautomation. Ten other MDRs, such as SentinelOne Vigilance and Compuquip, have also joined the Torq for MDR program.

“With Torq Hyperautomation, we are significantly increasing productivity and efficiency, ensuring that our customers gain better evidence, analysis, and control over their cybersecurity, while staying protected from external threats and operational risks,” said Charlie Thomas, CEO, Deepwatch.

Torq Hyperautomation empowers MDRs to provide more value to customers, increasing stickiness, reducing churn, and improving SLA attainment. It also streamlines security operations and reduces costs by consolidating tooling and effortlessly integrating disparate tools managed by different teams. At the same time, Torq Hyperautomation automates workflow management across an MDR’s entire customer base, with the added flexibility of fine-tuned customization.

Torq also gives MDRs no-code, low-code, and full-code support; the ability to automate more processes; accelerated case management with AI; and a scalable, resilient infrastructure, all of which help MDRs improve efficiency and increase margin, while saving costs and scaling service offerings.

Hyperautomation is the future for MDRs.

Learn more about Torq for MDR. And download our guide, “Future-Proofing the MDR With Hyperautomation.”

Automating Incident Response: Exploring the Latest Conversational AI Tools

Hagai Shapira, Torq’s Director of Product, spoke at DeepSec 2023 about different levels of automation approaches for incident response, culminating in the latest additions of conversational AI tools. In this interview (originally posted on DeepSec), Hagai answers questions about his talk and provides key insights on how security teams can leverage AI to streamline incident response processes and improve their overall security posture.

Interview: 

Please tell us the top 5 facts about your talk.

  1. Most sec ops teams are still immature when it comes to utilizing automation for their detection and response and incident response procedures.
  2. Powerful automation and efficiency improvements can be achieved without software engineers using modern security automation tools.
  3. Some of the most time-consuming tasks in incident handling are tasks that require interaction with other people (employees or users) and waiting for their responses.
  4. Simple primitives for asking questions in messaging platforms are key for enabling many automation use cases.
  5. Recent advancements in LLM models and AI agent architectures have expanded the realm of what is possible to automate, including most Tier-1 level cases in day-to-day SOC operations.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

This talk is based on my experience and work with security teams over the last three years in automating their incident response. However, my exploration into use cases for the latest top-of-the-line LLM models and how AI agent architectures, such as ReAct, can be used for security automation has driven the most recent and exciting frontiers in this field, and these are the focus of the talk.

Why do you think this is an important topic?

There are several reasons why this is an important topic. Firstly, the workload of security operations teams has significantly increased over the past few years due to the proliferation of security tools and sensors that they need to monitor, as well as the sheer volume of data and alerts these tools generate. Secondly, it has become increasingly difficult to hire qualified security professionals, exacerbating the problem. Given these challenges, automating security operations is the only rational solution to alleviate the burden on security teams.

Is there something you want everybody to know – some good advice for our readers maybe?

If there is something I’ve learnt from my three years trying to automate the world of security operations, it is that there is no magic behind it. You cannot expect a magical solution to solve all your problems. However, if you invest resources and prioritize automation, you can achieve returns and efficiencies that would be impossible to achieve otherwise.

A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?

I definitely look forward to seeing even more improvement in the performance of LLM models, solving some issues they still suffer from like hallucination, and a reduction in the cost of completions. These changes and improvements will surely be key in seeing even more use of LLMs in automations, in more complicated investigations and at a scale that is required for supporting some of the bigger organizations in the world.

IDC: Hyperautomation Signals the End of SOAR Era

“Purpose-built does not scale.” That’s what IDC says in its latest research report “How Hyperautomation Is Used to Reduce Gaps and Inefficiencies in Network Cybersecurity.”

What does that mean? It means that your monitoring point products, like legacy SOAR, just don’t cut it any longer. They can’t scale in today’s hybrid cloud and multi-cloud environments without piling on more tools, further fueling tech stack sprawl.

The report notes that SOAR, SIEM, XDR, and EDR were conceived as on-premises solutions and security’s shift left – the idea that security begins at the time of code development – was not considered. This creates an inherent inability to scale. Additionally, the tools are often too complex and their effectiveness has dwindled in today’s modern, often cloud-based, security environments. 

“No matter how you slice it, the cybersecurity platform strategies of today are holding on by a narrow margin. Too many processes are still being done manually,” IDC Research Vice President, Security & Trust Products Christopher Kissel writes, later adding, “Without continually adding new point products and appliances (which also take time to install), none of the current detection and response platforms are going to scale no matter how experienced or disciplined a security operations team is.”

But all is not lost. Hyperautomation and its many benefits can help pull enterprises out of the legacy point product pit of despair. 

The IDC report notes that hyperautomation enables:

  • Visibility and control of the heterogeneous network real estate, across all environments, processes, and role players.
  • The ability to predict security gaps, proactively assess the network, and ultimately secure the network.
  • Proper contextual awareness, including more than security logs (firewall, NetFlow, antivirus, etc.), and integration fabrics.
  • Automation of everything that can and should be automated.
  • Extensible capabilities using no code, low code, or full code, with the potential to leverage generative AI to automate even more tasks.

How does that stack up against legacy SOAR? Here’s IDC’s breakdown:

According to the IDC report:

  • Hyperautomation is proactive; legacy SOAR is reactive.
  • Hyperautomation connects devices, clouds, containers, and processes; legacy SOAR connects devices.
  • Hyperautomation delivers enterprise-grade extensibility; legacy SOAR offers connectivity only as strong as the sum of its APIs.
  • Hyperautomation matches the resources needed for outcomes; legacy SOAR has to be either over- or under-provisioned.

And when it comes to hyperautomation, Torq is leading the charge.

“The Torq hyperautomation approach is more comprehensive than what is offered in contemporary cybersecurity tooling,” the report states, adding “Torq provides an end-to-end visibility, prevention, and detection application that entails the entire digital estate of a business.”

Don’t just take our word for it. Read the full IDC report, “How Hyperautomation Is Used to Reduce Gaps and Inefficiencies in Network Cybersecurity,” and you’ll see how Torq Hyperautomation is beating legacy SOAR.

Gigaom: Hyperautomation vs. Legacy SOAR

It wasn’t long ago that we at Torq proclaimed “SOAR is dead!”

And it didn’t take long for the industry to catch on. Leading analyst firm GigaOm in its recent GigaOm Radar report named Torq a leader and an outperformer in the security automation market, namely for our hyperautomation capabilities that legacy SOAR just can’t touch. And our competitors have also started jumping on the hyperautomation bandwagon since we shifted our focus to this model.

While SOAR was innovative and effective nearly a decade ago, it has become stagnant and beleaguered by its inherent complexity, management overhead, and high costs. Security pros have neither the time, the resources, nor the money to throw at legacy SOAR.

Enter hyperautomation.

An ‘Outperformer’

Let’s hear it directly from the source. 

In the report, GigaOm praises Torq for our “extensive feature set” and “impressive portfolio of customers.” And beyond that, the firm gave Torq top marks across many of its key criteria, including case management and collaboration; automated alert prioritization; triage and curation; autonomous operations; and validation and red teaming. 

GigaOm gave Torq Socrates, our just-announced Tier-1 analysis AI Agent – the first in cybersecurity – a nod for its use of AI to hyperautomate key security operations activities, like alert triage, contextual data enrichment, and incident investigation, escalation, and response.

“Torq offers autonomous operations features for both the workflow design process and the workflow run time of processing security events,” the GigaOm report states. “Design-time capabilities consist of assistive development of automated processes, such as summarization for successful collaboration, improvement, development co-pilots, and the like. Run-time capabilities consist of data enrichment and data-driven suggestions to assign specific teams or analysts based on their profile, ownership, and history, and to recommend investigative steps to help understand the issue and containment actions that can help stop the negative effect and allow remediation as part of a process to resolve the issues completely.”

Additionally, the firm dubbed Torq’s Case Management as “exceptional” in how it hyperautomates security signal detection, streamlines decision making, and automatically 

“For case management and collaboration, Torq offers a built-in case management system developed in-house and integrated with the solution’s event-driven architecture and security automation capabilities,” the report states. “Torq also offers out-of-the-box bi-directional integrations with leading case management systems such as ServiceNow, Jira, and Zendesk, as well as communication platforms like Slack, Microsoft Teams, and Cisco WebEx. Torq supports in-the-platform virtual war rooms as part of its case management, and its multi-workspace architecture and granular RBAC can involve multiple teams across organizational disciplines: security, IT, engineering, business lines, and human resources.”

It’s clear through GigaOm’s latest report that Torq Hyperautomation is helping organizations overcome the limitations and challenges of legacy SOAR and empowering security pros with solutions that take out the complexity while also freeing up their time and budget for meatier projects.

The GigaOm Radar report confirms that we’re on the right path in our unwavering commitment to hyperautomation and our quest to make it as easy as possible for enterprises to fortify themselves against cyber threats without sacrificing protection.

Download the full GigaOm Radar report now and read how hyperautomation is shaking up the sluggish SOAR category. And try Torq Hyperautomation for yourself: https://torq.io/demo/

Solving the Integration Problem at Scale: How Torq Connects With Any Tool Using Hyperautomation

Setting up your security tools to work together seamlessly is often easier said than done, leading to time-consuming tasks and potential security gaps, especially without the proper tools. You need both the ability to connect to any product, whether through APIs, CLIs, or proprietary protocols, and the ability to do so in a simple no-code manner, without having to know the ins and outs of each technology. Without these, the ability to quickly automate is greatly diminished – as it is in legacy SOAR products.

Torq hyperautomation solves that by providing a powerful automation engine and a true no-code step creation ability. This combination empowers you to connect and work with any other product or tool in your security stack and, right out of the box, to create near-limitless automations. Torq also provides a fast-growing library of official integrations and automation actions that feature any of your products, both legacy and new, right when you need them.

The usual problems

There are three requirements for a powerful security automation solution. 

  1. Scalable orchestration platform to support your event loads and computation.
  2. Simple language to create this automation. 
  3. Great connectivity and integration with your entire security stack, across multiple cloud and on-prem environments. 

As the cybersecurity ecosystem is ever-evolving and most security organizations adopt several new tools each year, meeting all three of these requirements can be exceptionally challenging. Maintaining an up-to-date library of integrations for the latest tools, plus easily onboarding newly required tools, becomes a major undertaking.

How legacy SOAR attempts to solve it, and why that doesn’t work

Legacy SOAR is renowned for having poorly addressed this last problem of connecting to any tool quickly. Integrations in legacy SOAR products are based on building dedicated code modules for every single new product you interact with. This requires specialized software developers to build these integrations, making it an expensive, slow, and time-consuming effort to develop in-house. Waiting for the SOAR providers themselves to integrate new tools would take many months or years until that specific integration was completed. Integrating any homebrew or internal system is out of the question unless you have dedicated software development resources for this purpose. 

Example code snippet to establish rudimentary connectivity to a third-party application

How newer no-code tools attempt to solve it, and why that also doesn’t work

After the frustration with legacy SOAR products’ difficulty integrating with new platforms, a host of newer, no-code tools emerged. They claim to integrate with any product without any integration-building required.

This is based on the assumption that most products today expose some HTTP-based API to interact with. These no-code tools then provide a Postman-like experience for creating HTTP calls.

Example Postman HTTP call

Though this approach is far more flexible than the legacy SOAR approach, it often fails at scale. Enterprises try to integrate with systems that don’t provide any clear HTTP APIs. The ability to integrate with proprietary protocols, perform remote RPC calls, or even run a small script is often the last crucial piece in building a full enterprise-grade automation process. Plus, requiring users to build their own HTTP calls for every action on every product has become a burden on the security operations team.

Instead of focusing on automating their processes, analysts are forced to be experts in the specificities of each of the APIs of their security tools. They must stay up to date with any changes in the APIs of these ever-evolving tools, otherwise, the connectivity often breaks, preventing automations from running. With no-code, the responsibility to maintain these HTTP calls falls on the shoulders of the security team instead of on the no-code automation tool itself.

Sampling of Torq’s ever-expanding pre-built integrations that are managed and maintained by Torq to provide the latest functionality without breaking your connectivity.

How Torq solves the content problem – Orchestrating any containerized logic

The understanding that an automation platform should be able to orchestrate any kind of technology, both new and legacy, was in our minds from the very first days of developing Torq’s hyperautomation platform.

This principle was introduced into our product design goals and led to the decision that a step in Torq can be any kind of containerized logic. Containers have become the ubiquitous technology for shipping and deploying software. Orchestrating each kind of logic as a container, and even executing it in different environments, means that Torq can communicate with any kind of tool in an organization’s security stack over any kind of technology. This can range from the latest HTTP-based API, a proprietary database protocol, or any command line interface (CLI) to a homebrew system, using the ability to bring your own containerized logic and run it from the same simple, no-code UI.

Example of Torq connecting to systems via webhook, SSH with embedded commands or scripts and HTTP-based API requests

How Torq solves the content problem – Calling any HTTP API and making it a no-code step with flexibility

While having the ability to run any container and CLI command from a single interface is extremely powerful, today most security products expose an HTTP-based API (REST or GraphQL) to allow integrating and communicating with them. In Torq, you can quickly call any of those products using the “Send an HTTP request” step. This step exposes a simple UI to model any type of HTTP call, with any authentication required, and built-in support for OAuth and JWT auths, just like the Postman app. It even automatically translates a cURL command, available from many API references, into the proper fields in the step, making connection with new API-driven products a breeze.

How Torq solves the content problem – Create new content at scale using Torq’s step builder to drive hypergrowth of no-code integrations and steps

Having the ability to easily create HTTP API-based steps is significant for quickly connecting with new tools and never having to stop automation building. Messing around with raw HTTP mode isn’t that useful over time, though, and it is a lot more complicated for new team members who want to use true no-code steps. This is exactly why we developed the Torq step builder: a simple builder that takes your raw HTTP steps and turns them into true no-code steps, complete with the appropriate parameters, descriptions, and examples of how to operate the specific step you’re building. Torq eliminates the complexities of formatting JSON and handling the authentication for a specific API. These custom steps can be saved to your workspace’s custom step library and shared with your team members to enable them to build further automations with no-code simplicity.

To create new steps and content, there’s no need to start from scratch each time. Torq allows you to take any API-based step from the Torq public library and switch it over to its raw HTTP mode. You can then modify it to fit any specific need or requirement, like adding new optional parameters, updating API paths, or making any other changes, and convert it back into its fully no-code parameterized form. These new versions of steps can again be saved to your custom steps library. Should you choose to share them with the entire Torq user community, they can also be published to the public step library. 

Torq’s step builder which allows building true no-code steps from HTTP based steps.
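As an added example (not Torq’s own code or step format), the following shows the two ideas described above in working form: a cURL command pasted from an API reference is translated into the fields of a raw HTTP step, and that raw step is then parameterised into a reusable no-code step with named parameters. The HttpStep field names, the {{ name }} placeholder syntax, the step definition layout, and the sample API endpoint are all assumptions made for illustration.

```python
import json
import re
import shlex
from dataclasses import asdict, dataclass, field
from typing import Optional

# cURL flags that consume the next token; any other "-" token (-s, -k, -L,
# --compressed, ...) is treated as a boolean flag and skipped.
_VALUE_FLAGS = {"-X", "--request", "-H", "--header", "-u", "--user",
                "-d", "--data", "--data-raw", "--data-binary"}


@dataclass
class HttpStep:
    """Fields of an assumed 'raw HTTP request' step (field names are hypothetical)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: Optional[str] = None
    auth: Optional[dict] = None  # {"type": "bearer", "token": ...} or basic credentials


def parse_curl(command: str) -> HttpStep:
    """Translate a cURL command, as pasted from an API reference, into HttpStep fields."""
    # Join shell line continuations ("\" followed by a newline) before tokenising.
    tokens = shlex.split(re.sub(r"\\\n\s*", " ", command.strip()))
    if not tokens or tokens[0] != "curl":
        raise ValueError("expected a command starting with 'curl'")
    method = url = body = auth = None
    headers: dict = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in _VALUE_FLAGS:
            if i + 1 >= len(tokens):
                raise ValueError(f"flag {tok} is missing its value")
            val, i = tokens[i + 1], i + 2
            if tok in ("-X", "--request"):
                method = val.upper()
            elif tok in ("-H", "--header"):
                name, _, value = val.partition(":")
                headers[name.strip()] = value.strip()
            elif tok in ("-u", "--user"):
                user, _, password = val.partition(":")
                auth = {"type": "basic", "username": user, "password": password}
            else:
                body = val
        elif tok.startswith("-"):
            i += 1  # boolean flag, ignored
        else:
            url, i = tok, i + 1
    if url is None:
        raise ValueError("no URL found in command")
    if method is None:
        method = "POST" if body is not None else "GET"  # curl's own default
    # Lift a bearer token out of the Authorization header into the auth field so it
    # is stored as a credential rather than as a plain header value.
    for name in list(headers):
        scheme, _, token = headers[name].partition(" ")
        if name.lower() == "authorization" and scheme.lower() == "bearer" and auth is None:
            auth = {"type": "bearer", "token": token.strip()}
            del headers[name]
    return HttpStep(method, url, headers, body, auth)


def build_no_code_step(step: HttpStep, name: str, params: dict) -> dict:
    """Parameterise a raw HTTP step: params maps parameter name -> (literal value
    present in the step, description); each literal becomes a {{ name }} placeholder."""
    template = json.dumps(asdict(step))
    parameters = []
    for pname, (literal, description) in params.items():
        escaped = json.dumps(literal)[1:-1]  # the literal as it appears inside JSON text
        if escaped not in template:
            raise ValueError(f"value for parameter {pname!r} not found in the step")
        template = template.replace(escaped, "{{ " + pname + " }}")
        parameters.append({"name": pname, "description": description, "required": True})
    return {"name": name, "parameters": parameters, "request": template}


def render_step(definition: dict, args: dict) -> HttpStep:
    """Instantiate a no-code step with concrete arguments; returns the request to send."""
    request = definition["request"]
    for param in definition["parameters"]:
        if param["name"] not in args:
            raise ValueError(f"missing required parameter {param['name']!r}")
        # JSON-escape the argument so it stays a plain string inside the step definition.
        value = json.dumps(str(args[param["name"]]))[1:-1]
        request = request.replace("{{ " + param["name"] + " }}", value)
    return HttpStep(**json.loads(request))


# Constructed sample: the kind of cURL line an API reference shows (not a real API).
SAMPLE_CURL = """curl -X POST 'https://api.example.invalid/v1/ip/lookup' \\
  -H 'Authorization: Bearer TOKEN_PLACEHOLDER' \\
  -H 'Content-Type: application/json' \\
  -d '{"ip": "198.51.100.7", "include_history": true}'"""


def demo() -> HttpStep:
    # cURL -> raw HTTP step -> parameterised no-code step -> concrete request
    definition = build_no_code_step(parse_curl(SAMPLE_CURL), "Look up IP reputation", {
        "ip": ("198.51.100.7", "IPv4 address to look up"),
        "api_token": ("TOKEN_PLACEHOLDER", "Bearer token for the reputation API"),
    })
    return render_step(definition, {"ip": "203.0.113.9", "api_token": "t0k3n"})
```

Because the token is lifted into a separate auth field and the parameters are substituted into a JSON-escaped template, a saved step exposes only named inputs and never requires its users to touch the raw request.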

Torq’s content team and technical partners use precisely this method to expand Torq’s public step library. They build Torq steps with Torq’s step builder, test them by using them in automations, and finally, after validation, publish them. By having these extremely quick building and testing processes, in-app, new content in Torq can be published within hours instead of weeks and months in legacy SOAR systems, all while providing a mature content management system, complete with seamless content updates, notifications, and tracking for changes.

Conclusion

Torq has reimagined the approach to security automation by focusing on security hyperautomation and seamless content creation, unlike legacy SOAR solutions that necessitate specialized software development skills to achieve simple integrations. Torq provides an extensible platform that leverages containerized logic and an extensive, user-friendly library of no-code steps to get you automating in minutes. Our approach frees your security analysts from the constraints of needing to become API experts and instead lets them focus on what matters most: securing your organization and digital assets.

Want to learn more about how Torq can dramatically enhance your security workflows so you can stay ahead of emerging threats? Test drive Torq Hyperautomation, here: https://torq.io/demo/

Redefining Cybersecurity Operations: The Power of Torq’s Workflow-Centric Case Management

Cybersecurity is a landscape forever in motion, an arena where threats evolve at an alarming pace. The tools we employ to counter threats should match this pace and anticipate the unforeseeable. Still, a chasm exists where tools are not keeping up with the changes, particularly regarding case management.  

I’m Dor Morgenstern, lead PM for Case Management at Torq. With a background rooted in cybersecurity, I’ve seen firsthand the evolving challenges that security operations face. In this blog, I aim to shed light on the transformational power of workflow-centric case management and how it addresses these challenges head-on. 

The Sunset of Legacy SOAR Solutions

From their start, case management and SOAR solutions carried the promise of transforming cybersecurity operations. They introduced playbooks, welcoming an era that promised seamless automation and rapid response to threats. On paper, they’re the perfect solution.

But the reality has been disappointing. Instead of simplifying the security process, these platforms layer automation onto existing ticketing or case management solutions. It’s like placing a new engine in an old car chassis – it might run faster, but it still can’t navigate the modern digital highway efficiently.

Legacy SOAR gives people clunky configuration panels resembling aircraft cockpits. Analysts and SOC architects are forced to mentally sift through a mess of switches, knobs, and redundant options. Instead of enabling rapid response, the tools become a stumbling block. More often than not, critical response actions get delayed by the sheer complexity of the tool meant to streamline them. SOAR is not alone in this complexity problem, of course, as Ross Haleliuk pointed out in a recent blog:

“…every product today has hundreds of configurations, options, and knobs that security practitioners need to turn a certain way to achieve a particular outcome.” 

That’s where workflows come into play.

The Intuitive Power of Workflows

At the heart of this new paradigm shift in cybersecurity lies the idea of dynamic workflows. Instead of getting bogged down in static configurations and limited predefined settings, why not design a system that evolves and adapts on the fly?

Workflows act like dynamic decision trees, charting a course through the complexity of security incidents. They are inherently flexible, allowing for real-time adaptation based on the unique characteristics of each security event. Teams are no longer forced to stick to a rigid script; instead, they can navigate the ever-changing terrain of cybersecurity threats. 

A simple drag-and-drop interface with which you can create complex no-code workflows.

The distinction between legacy configuration panels and workflows is clear – where configuration panels are static, workflows are dynamic. Where panels force users into a one-size-fits-all mold, workflows adapt and mold themselves around the unique life cycle of each case. Workflows breathe life into the cybersecurity process, transforming it from a static chore into a dynamic dance of defense.

Torq’s Hyperautomation: A New Dawn in Cybersecurity

Our approach at Torq is a game-changer in case management. Instead of bolting automation onto dated case management systems, we’ve designed our case management system as an integral part of a powerful no-code automation foundation, ditching the messy bolt-on experience most SOC teams struggle with for an organically embedded case management process. What does this mean in practical terms? Let’s break it down with some clear examples:

1. Dynamic Case Tailoring: Consider a scenario where suspicious activity is detected from a list of IP addresses. With traditional systems, you might be constrained by pre-defined case layouts and parameters. With Torq, the case can be dynamically modified on the fly using workflows (i.e., surfacing relevant information or even remediation workflows as quick buttons to the case), adapting to intel as it comes in.

Automatic alert triage and investigation mapping malicious IP address activity to MITRE ATT&CK framework techniques with intelligent automatic investigation and remediation workflows

2. Intuitive Workflows Over Configuration Panels: Torq liberates SOC architects from sifting through overwhelming configuration panels. Want to add a new data enrichment step? Simply tweak the workflow. It’s as straightforward as connecting a new step in a visual editor, without a single line of code.

Drag and drop simplicity of connecting steps in a visual editor.

3. Automated Remediation Built-In: Remediation isn’t an afterthought; it’s part of the process. If the case’s workflow identifies a malicious email, it can automatically initiate remediation steps, like isolating affected systems or revoking email access, all within the same case environment.

4. Intelligence at Your Fingertips: Traditional SOAR systems separate threat intelligence from case data, requiring teams to hop between different platforms. With Torq, observables and indicators of compromise (IOCs) like IP addresses and file hashes are first-class citizens, easily accessible and actionable within the case.

Automatic analysis of IP address reputation, with the attack origin locations and contextual information, along with the associated tactics, techniques, and procedures from third-party threat intelligence.

5. Lifecycle Triggers for Contextual Actions: The dynamic nature of Torq empowers SOC architects to set up triggers based on case milestones. For instance, when a case moves to the investigation stage, a workflow could automatically pull in additional forensic data, notify team leads, or modify the case’s layout as it evolves.

The numerous and varied case management triggers that can be customized to meet your organization’s needs.

The power of automation is harnessed when it’s organically embedded into the case management process, not slapped on as an afterthought. This provides a more cohesive and efficient system for handling security events.

Our emphasis is not on rigid configuration panels that can stifle response flexibility. Instead, Torq’s system is designed to harness the full potential of dynamic workflows. We empower analysts and architects to craft unique response strategies tailored to specific threats and organizational needs. Security professionals are not restrained by the limitations of their tools. With Torq, they are free to innovate, adapt, and respond with unparalleled precision.

The Torq Difference: Dynamic Control Across the Lifecycle

Another thing that sets Torq apart is the degree of control we’ve built in throughout the case’s lifecycle. In traditional SOAR platforms, playbooks – though groundbreaking for their time – are often employed merely as remediation tools. Torq’s approach is more holistic. Every stage, from detection to analysis and finally to remediation, can be steered by dynamic workflows. This ensures that the system is always in tune with what’s occurring in a case, leading to spot-on accuracy and timely responses.

Furthermore, Torq’s platform eliminates the need for redundant back-and-forth between separate systems. Integrating no-code automation into the fabric of case management means that every action, automated or manual, is executed within a unified environment. It’s a symphony orchestra where every instrument, no matter how disparate, plays in perfect harmony.

The Future of Hyperautomation is Here

We’re at a turning point in cybersecurity. On the one hand, threats are multiplying and evolving at a pace that’s hard to keep up with. On the other, the tools and systems at our disposal are often found wanting. But with Torq’s approach to case management, the tide is turning.

By placing powerful hyperautomation at the heart of our platform, we’ve ushered in a new era in cybersecurity operations that prioritizes agility, precision, and efficiency. Legacy SOAR platforms had their moment in the sun. As the landscape changes, so must our tools. Torq is lighting the way to a safer, more secure digital future in this fast-changing arena.

Want to learn more about how Torq can dramatically enhance your security workflows so you can stay ahead of emerging threats? Test drive Torq Hyperautomation, here: https://torq.io/demo/

The 5 Hidden Costs of SOAR

Every investment in SOAR is accompanied by the hidden costs of onboarding and troubleshooting. The licensing structure SOAR brings to an organization is outdated and overpriced. The value of SOAR drastically declined when it transitioned its primary focus from being a force-multiplying automation solution to a glorified ticketing system still requiring countless professional service hours. In fact, 90% of security professionals claim that their SOAR needed upfront investment to build automation workflows and response playbooks.

Here are 5 hidden costs of SOAR no SecOps professional can afford to ignore:

1. Initial setup and implementation costs

SecOps is routinely shocked by the astronomical professional services and deployment costs SOAR involves. In contrast, Torq users experience a 10X+ operational and productivity boost just weeks after deployment. From day one, organizations can enjoy serious ROI via Torq’s cost savings by maximizing team productivity and process effectiveness with the Torq Insights dashboard. It granularly measures time savings and operational efficiency for total visibility into the hyperautomation platform’s impact.

2. Ongoing maintenance and support for self-managed infrastructure

As organizations adapt and calibrate their SOAR platforms, they discover the need for continuous monitoring, troubleshooting, and adjustments to ensure peak efficiency and adaptability for evolving threat landscapes. Simply put, the greater the maintenance required, the greater the price tag. 

3. Hiring personnel and expertise

Qualified SecOps professionals are getting scarce. They’re in demand and the competition to secure them is severe. This is compounded by existing SecOps teams that are understaffed and burning out. All Torq customers benefit from dedicated technical experts that help organizations achieve their automation goals at no extra cost. Say goodbye to surprise consulting bills that cost more than the automation solution.

4. Cost of custom development required on top of SOAR

What SOAR solution providers fail to disclose is the additional set of expenses necessary to provide custom development. Organizations with a SOAR often find themselves needing customized solutions to align the system with their unique operational requirements and existing security stack.

5. Expensive reconfiguration of inflexible playbooks and workflows 

Organizations need to adapt quickly as the security landscape changes, but the automation sequences configured in their SOAR platform are often not up to the complexity of today’s threats, and reconfiguring those inflexible playbooks is expensive. Organizations that fail to adapt face delayed response times and decreased agility.

It’s Time to Break Up With Your SOAR…

Seriously, stop settling. There are no strings attached or hidden costs with hyperautomation. The choice is clear. Hyperautomation’s radically different approach delivers a much better correlation between price and value. Need more reasons to ditch your Legacy SOAR? Download our Manifesto to learn exactly why SOAR is Dead.

How Torq Socrates is Designed to Hyperautomate 90% of Tier-1 Analysis With Generative AI

Artificial intelligence (AI) has generated significant hype in recent years, and separating the promise from reality can be challenging. However, at Torq, AI is not just a concept. It is a reality that is revolutionizing the SOC field, specifically in the area of Tier-1 security analysis, especially as cybercriminals become more sophisticated in their tactics and techniques. Traditional security tools continue to fall short in detecting and mitigating these attacks effectively, particularly at scale.

Introducing Torq Socrates

Torq Socrates introduces dramatic new efficiencies and incident response accuracy that alleviates security analysts’ critical challenges, including alert fatigue, false positives, decreased visibility, and job burnout, by hyperautomating key security operations activities using AI. It is based on cutting-edge Large Language Models (LLMs) and AI Agents that intelligently analyze and understand organizations’ unique SOC playbooks to become an integral extension of their SOC teams.

See Torq Socrates following the guidelines in a SOC runbook to triage a case automatically

Imagine having a bird’s-eye view of your complete enterprise environment, from on-premises through hybrid to fully SaaS applications, with all the relevant information at your fingertips. Torq Socrates makes this possible by using the security tooling already connected to the Torq Hyperautomation platform, and it performs actions and activities only when explicitly authorized.

So, how does this transformation happen? Let’s journey through a typical security event and see how tasks previously handled by human analysts are now handled with unprecedented efficiency by Torq Socrates.

1. Automatic Runbook Analysis

When a security event arises, an analyst traditionally consults a “runbook” – a guide specifying the response to that specific type of event. Today, these “runbooks” exist in all modern SOCs and are prepared by senior architects to benefit Tier-1 and Tier-2 analysts.

Torq Socrates automatically analyzes runbooks written in natural language, which typically contain step-by-step procedures for handling various security incidents. By analyzing the semantic meaning of the instructions, Socrates derives an action flow from the recommended response strategies for different security events.

The imported runbook is written in natural language that Socrates analyzed, “understood,” and can follow.

2. Workflow Choice to Perform the Designated Runbook Actions 

The next step for a human analyst is to carry out the activities outlined in the runbooks, choosing the proper tool and executing the instructions.

Based on the content of the runbook, Socrates uses its semantic analysis capabilities to suggest suitable workflows and security tools from the list of those explicitly made available inside the Torq platform, matching them to the specific steps the document describes in natural language.

Each workflow made available to Torq Socrates comes with a natural language description of the tasks it can accomplish.

Torq Socrates performing the initial actions within the runbook

3. Interpreting the Outcome of Executed Actions to Follow the Next Step Prescribed by the Runbook

The security tools in a Tier-1 SOC analyst’s arsenal can return information in great detail. The analyst’s job is to synthesize that output into the decision-supporting data that determines which next steps the runbook prescribes.

An LLM is well suited to consuming security tool output in either structured or unstructured form. Socrates can build dynamic decision trees from its earlier analysis of the runbook and adapt them as results come in, allowing for more context-aware and efficient incident handling. For example: Is the file malicious? Is the user a very important person (VIP)? Is the activity frequent or infrequent during a specific time period, indicating anomalous behavior?

Execution showing semantic interpretation of threat intel result

4. Leveraging Knowledge of Security Frameworks for Context

More experienced alert triage specialists bring their own contextual knowledge and understanding of networking, endpoint architecture, and attack techniques into the mix.

Large Language Models are trained on an immense body of natural language documents containing information about the above and more. This allows the semantic analysis of an LLM to match between the observed outcome of a security tool and the technique described in a documented framework, such as the MITRE ATT&CK framework.

Using the above technique, Torq Socrates leverages the information available in numerous documents describing attack frameworks, such as the MITRE ATT&CK framework, and maps its tactics and techniques to the outcomes observed in the security event being analyzed.

Intelligent modeling with Torq Socrates enables it to mimic this human-like thinking process, correlating information efficiently and mapping the observed outcomes to common frameworks such as MITRE ATT&CK, NIST, and more.

5. Automated Incident Investigation

Just as human analysts rely on insights from the runbook, Socrates can assist in automating investigation or even incident response tasks. This includes tasks such as alert triage, data enrichment, containment, and remediation actions, speeding up response times and reducing the manual effort required from analysts.

Socrates used Splunk, CrowdStrike Falcon, and a Microsoft Windows WMI query to distill the relevant information for the SOC analyst.

6. Summarizing Relevant Security Case Information

An important pillar of any operational practice is meticulous documentation of all actions taken, decisions, and achieved outcomes. 

LLMs have proven to be efficient at rephrasing and summarizing large amounts of natural language text. Torq Socrates leverages this capability to summarize the “conclusions” and desired next steps, and document this in the “case timeline.”

Torq Socrates summarized the findings and actions taken for the security event and automatically added them to Torq’s built-in ticket management system timeline.

Here’s a summary of how Torq Socrates uses powerful LLMs to perform Tier-1 SOC analyst duties:

  1. Tier-1 analysts work strictly according to defined runbooks. LLMs effectively analyze natural language text and break it down into components.
  2. Analysts match directives from the runbooks with tools at their disposal. LLMs are effective at finding similarities, in this case, between a “desired action” and an “available tool to execute this action.”
  3. Analysts digest the output of different tools to choose the correct follow-up course of action. LLMs analyze semantically the output of different tools and match it to the runbook directives related to follow-up steps.
  4. Analysts can bring in context from their training. LLMs can load related context from the myriad of documents scanned during the model’s training.
  5. Analysts are required to document all actions taken and the reasoning behind the conclusions. LLMs summarize the matches made and audit all the performed activities.
See how security analysts can leverage Torq Socrates to assist the triage of security alerts

Torq Socrates is designed to handle up to 90% of Tier-1 triage actions by mapping the tasks and activities of human Tier-1 analysts to use cases leveraging LLM. With Torq Socrates, security analysts remain in charge of processes and outcomes. The AI-powered system introduces dramatic new efficiencies and incident response accuracy, alleviating security analysts’ most critical challenges.
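Steps 1 through 5 above, and the five-point summary, describe one control loop: read a runbook step, match it to an available workflow by that workflow's natural-language description, run it, interpret the output to decide the next step, and record what happened. The Python below is an added illustration of that loop and of the authorization gate the page insists on (actions run only when explicitly authorized, and analysts stay in charge). It is not Torq Socrates and contains no LLM: Jaccard token overlap stands in for semantic matching, a small condition interpreter stands in for the LLM reading tool output, and the workflow catalogue, runbook text, "known bad" hash and VIP list are constructed. Two failure modes a practitioner would want covered are handled: a step that matches no workflow well is escalated to a human rather than guessed at, and a containment workflow that has not been approved halts the run instead of executing.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

STOP = {"the", "a", "an", "of", "to", "in", "with", "as", "and", "is", "if", "for"}
MIN_SIMILARITY = 0.3  # below this the step is handed to a human rather than guessed


def tokens(text: str) -> set:
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOP}


def similarity(a: str, b: str) -> float:
    """Jaccard token overlap: a toy stand-in for the LLM's semantic matching."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


@dataclass(frozen=True)
class Workflow:
    name: str
    description: str            # natural-language description exposed to the assistant
    needs_approval: bool        # containment steps only run when a human has authorized them
    run: Callable[[dict], dict]


# Constructed catalogue, hash and VIP list; none of it is real.
KNOWN_BAD = {"deadbeefdeadbeefdeadbeefdeadbeef"}
VIPS = {"cfo"}
CATALOGUE = [
    Workflow("ti_hash_lookup", "check file hash reputation in threat intelligence", False,
             lambda ctx: {"verdict": "malicious" if ctx["hash"] in KNOWN_BAD else "clean"}),
    Workflow("idp_user_lookup", "look up user in identity provider and report VIP status", False,
             lambda ctx: {"vip": ctx["user"] in VIPS}),
    Workflow("edr_isolate_host", "isolate endpoint host from network with EDR", True,
             lambda ctx: {"isolated": ctx["host"]}),
    Workflow("case_close", "close case as false positive", False, lambda ctx: {"closed": True}),
]
# Constructed runbook written the way an analyst would, including a branch.
RUNBOOK = [
    "Check the file hash reputation in threat intelligence",
    "If the file is malicious, isolate the endpoint host with EDR",
    "If the file is not malicious, close the case as false positive",
]


def split_step(step: str) -> Tuple[Optional[str], str]:
    """Split 'If <condition>, <action>' into its parts; plain steps have no condition."""
    m = re.match(r"if (.+?), (.+)", step, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else (None, step)


def condition_holds(cond: str, results: dict) -> bool:
    """Toy interpreter for earlier tool output; the page's LLM does this semantically."""
    t = tokens(cond)
    if "malicious" in t:
        return (results.get("verdict") == "malicious") != ("not" in t)
    if "vip" in t:
        return bool(results.get("vip")) != ("not" in t)
    raise ValueError(f"unrecognised condition: {cond!r}")


def best_match(action: str) -> Tuple[Workflow, float]:
    wf = max(CATALOGUE, key=lambda w: similarity(action, w.description))
    return wf, similarity(action, wf.description)


def execute_runbook(runbook: list, ctx: dict, approvals: frozenset = frozenset()):
    """Walk the runbook, matching each step to a workflow and gating side effects."""
    results: dict = {}
    timeline: list = []
    for step in runbook:
        cond, action = split_step(step)
        if cond and not condition_holds(cond, results):
            timeline.append(f"skip: {step!r} (condition false)")
            continue
        wf, score = best_match(action)
        if score < MIN_SIMILARITY:
            timeline.append(f"escalate: no workflow for {action!r} (best {wf.name} {score:.2f})")
            break
        if wf.needs_approval and wf.name not in approvals:
            timeline.append(f"pending approval: {wf.name} for {action!r}")
            break
        out = wf.run(ctx)
        results.update(out)
        timeline.append(f"ran {wf.name} ({score:.2f}) -> {out}")
    return results, timeline


def triage(file_hash: str, host: str, user: str, approvals: frozenset = frozenset()):
    return execute_runbook(RUNBOOK, {"hash": file_hash, "host": host, "user": user}, approvals)
```

`triage(hash, host, user)` returns the accumulated tool results and a timeline that doubles as the audit record the page's step 6 calls for. The two `break` statements are deliberate: a step the matcher cannot place, or a containment action nobody has approved, stops the run so that nothing downstream executes on an unverified premise. In a real deployment the approval set would come from the case owner, not from the caller.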

Get the latest on Torq Socrates at: https://torq.io/socrates

8 Key Benefits of Using Hyperautomation

SOAR was never built for hybrid cloud adoption at enterprise scale. SOAR’s complexity, critical operational holes, and technical limitations are the fatal flaw sinking your organization’s ship. If you’re still using outdated Legacy SOAR, it’s time to make the switch TODAY.

Here are the 8 key benefits of using hyperautomation

1. Simplicity

You don’t need to be a developer or experienced security professional to create powerful workflows in minutes with never-seen-before efficiency. The solution is powerful enough for the most complex threat responses, yet easy enough to deploy with a drag-and-drop interface. Unlike legacy SOAR solutions, multiple teams can eliminate repetitive security tasks with automations that can be created in minutes.

2. Extensibility

With Hyperautomation, you can empower your organization beyond security by connecting to collaboration, communication, infrastructure applications, and more. Whether it’s on-prem or in the cloud, Torq provides near-limitless connectivity to any system in your stack.

3. Enterprise-Grade Architecture

Torq is cloud-native, built on a secure, zero-trust architecture, with elastic horizontal scalability and flexible SLAs. It provides enterprise-grade immutable activity and audit logs to meet the most stringent compliance requirements, as well as granular scopes and role-based access control.

4. Real ROI, Productivity, and Cost Savings

From day one, organizations can measure Torq’s cost savings by maximizing team productivity and process effectiveness with the Torq Insights dashboard. It granularly measures time savings and operational efficiency for total visibility into the hyperautomation platform’s impact. With Torq Hyperautomation, you’ll receive 10X+ operational and productivity boost just weeks after deployment.

5. Intelligent Case Management with Automated Contextual Resolution

Torq transforms large numbers of security events and signals into contextually-enriched cases, ordered by severity, priority, and field of ownership. It then orchestrates the analysis and remediation of security cases by centrally tracking all relevant activities and decisions, accelerating the detection, analysis, and response of security issues, freeing up significant analyst time to focus on strategic activities.

6. No Costly Professional Services

All Torq customers benefit from dedicated technical experts that help organizations achieve their automation goals at no extra cost. Say goodbye to surprise consulting bills that cost more than the automation solution.

7. Connect Every App and Stack

You never need to punch holes in your firewall for VPN services or reverse proxies. Torq uses zero-trust containerized agents to make outbound-only connections for on-premise connectivity.

8. Integrate Anything. Automate Everything.

Gain vast flexibility to expand use cases with capabilities such as SSH, PowerShell, SQL, Python, Bash, Kubernetes, AWS, GCP, Azure CLI, or other scripting or programming languages. Run multiple scripting languages concurrently within automation workflows.

The Writing’s On The Wall…SOAR is Dead

Simply put, your SOAR is hindering your organization. Hyperautomation equips your organization for the demands of modern cybersecurity.

We’re just getting started… The SOAR is Dead Manifesto has the details on exactly why SOAR has been put to rest.