News Product

How Torq Socrates is Designed to Hyperautomate 90% of Tier-1 Analysis With Generative AI

By Leonid Belkind, CTO and Co-Founder, Torq
August 2, 2023
6 Minute Read

Artificial intelligence (AI) has generated significant hype in recent years, and separating the promise from reality can be challenging. However, at Torq, AI is not just a concept. It is a reality that is revolutionizing the SOC field, specifically in the area of Tier-1 security analysis, especially as cybercriminals become more sophisticated in their tactics and techniques. Traditional security tools continue to fall short in detecting and mitigating these attacks effectively, particularly at scale.

Introducing Torq Socrates

Torq Socrates introduces dramatic new efficiencies and incident response accuracy that alleviates security analysts’ critical challenges, including alert fatigue, false positives, decreased visibility, and job burnout, by hyperautomating key security operations activities using AI. It is based on cutting-edge Large Language Models (LLMs) and AI Agents that intelligently analyze and understand organizations’ unique SOC playbooks to become an integral extension of their SOC teams.

See Torq Socrates following the guidelines in a SOC runbook to triage a case automatically

Imagine having a bird’s-eye view of your complete enterprise environment from on-premise, hybrid to full SaaS applications, with all the relevant information at your fingertips. Torq Socrates makes this dream a reality by utilizing the security tooling already connected to the Torq Hyperautomation platform and performing any actions and activities only when explicitly authorized.

So, how does this transformation happen? Let’s journey through a typical security event and see how tasks previously handled by human analysts are now handled with unprecedented efficiency by Torq Socrates.

1. Automatic Runbook Analysis

When a security event arises, an analyst traditionally consults a “runbook” – a guide specifying the response to that specific type of event. Today, these “runbooks” exist in all modern SOCs and are prepared by senior architects to benefit Tier-1 and Tier-2 analysts.

Torq Socrates automatically analyzes runbooks written in natural language, typically containing step-by-step procedures for handling various security incidents. By analyzing the semantic meaning of the natural language instructions, Socrates derives action flow from the recommended response strategies for different security events.

Imported runbook is written in natural language that Socrates analyzed, “understands”, and can follow.
The imported runbook is written in natural language that Socrates analyzed, “understood,” and can follow

2. Workflow Choice to Perform the Designated Runbook Actions 

The next step for a human analyst is to carry out the activities outlined in the runbooks, choosing the proper tool and executing the instructions.

Based on the content of the runbook, Socrates utilizes its semantic analysis capabilities to suggest suitable workflows and security tools from the list of ones explicitly made available inside the Torq platform. They align with the specific steps outlined in the document conveyed in natural language. 

Each workflow made available to Torq Socrates comes with a natural language description of the tasks it can accomplish.

Torq Socrates performing the initial actions within the runbook
Torq Socrates performing the initial actions within the runbook

3. Interpreting the Outcome of Executed Actions to Follow the Next Step Prescribed by the Runbook

Various security tools available in the arsenal of Tier-1 SOC analysts can return information in great detail. The analyst’s goal is to try and synthesize this information into a decision to support data on which next steps should be taken according to the runbook guidance.

An LLM is extremely powerful in accepting information in a structured or unstructured form by analyzing security tool output. Socrates can create dynamic-decision trees based on the previously-made analysis of a runbook that adapts, allowing for more context-aware and efficient incident handling. For example: Is the file malicious? Is the user a very important person (VIP)? Is the activity frequent or infrequent during a specific time period indicating anomalous behavior?

Execution showing semantic interpretation of threat intel result

4. Leveraging Knowledge of Security Frameworks for Context

More experienced alert triage specialists bring their own contextual knowledge and understanding of networking, endpoint architecture, and attack techniques into the mix.

Large Language Models are trained on an immense body of natural language documents containing information about the above and more. This allows the semantic analysis of an LLM to match between the observed outcome of a security tool and the technique described in a documented framework, such as the MITRE ATT&CK framework.

Using the above technique, Torq Socrates leverages the information available in numerous documents describing attack frameworks, such as the MITRE ATT&CK framework, and maps its tactics and techniques to the outcomes observed in the security event being analyzed.

Intelligent modeling with Torq Socrates enables it to mimic this human-like thinking process, correlating information efficiently and mapping the appropriate outcomes to common frameworks like the MITRE, NIST, and more.
Intelligent modeling with Torq Socrates enables it to mimic this human-like thinking process, correlating information efficiently and mapping the appropriate outcomes to common frameworks like the MITRE, NIST, and more.

5. Automated Incident Investigation

Just as human analysts rely on insights from the runbook, Socrates can assist in automating investigation or even incident response tasks. This includes tasks such as alert triage, data enrichment, containment, and remediation actions, speeding up response times and reducing the manual effort required from analysts.

Socrates utilized Splunk, Crowdstrike Falcon, and a Microsoft Windows WMI query information to distill the relevant information to the SOC analyst.
Socrates utilized Splunk, Crowdstrike Falcon, and a Microsoft Windows WMI query information to distill the relevant information to the SOC analyst.

6. Summarizing Relevant Security Case Information

An important pillar of any operational practice is meticulous documentation of all actions taken, decisions, and achieved outcomes. 

LLMs have proven to be efficient at rephrasing and summarizing large amounts of natural language text. Torq Socrates leverages this capability to summarize the “conclusions” and desired next steps, and document this in the “case timeline.”

Torq Socrates summarized the findings and actions taken of the security event and automatically added them to Torq’s built-in ticket management system timeline
Torq Socrates summarized the findings and actions taken of the security event and automatically added them to Torq’s built-in ticket management system timeline

Here’s a summary of how Torq Socrates uses powerful LLMs to perform Tier-1 SOC analyst duties:

  1. Tier-1 analysts work strictly according to defined runbooks. LLMs effectively analyze natural language text and break it down into components.
  2. Analysts match directives from the runbooks with tools at their disposal. LLMs are effective at finding similarities, in this case, between a “desired action” and an “available tool to execute this action.”
  3. Analysts digest the output of different tools to choose the correct follow-up course of action. LLMs analyze semantically the output of different tools and match it to the runbook directives related to follow-up steps.
  4. Analysts can bring in context from their training. LLMs can load related context from the myriad of documents scanned during the model’s training.
  5. Analysts are required to document all actions taken and the reasoning behind the conclusions. LLMs summarize the matches made and audit all the performed activities.
See how security analysts can leverage Torq Socrates to assist the triage of security alerts

Torq Socrates is designed to handle up to 90% of Tier-1 triage actions by mapping the tasks and activities of human Tier-1 analysts to use cases leveraging LLM. With Torq Socrates, security analysts remain in charge of processes and outcomes. The AI-powered system introduces dramatic new efficiencies and incident response accuracy, alleviating security analysts’ most critical challenges.

Get the latest on Torq Socrates at: https://torq.io/socrates

Share

Related Articles

Hyperautomation Product

8 Key Benefits of Using Hyperautomation

By Dallas Young, Sr. Technical Marketing Manager
July 27, 2023
3 Minute Read

SOAR was never built for hybrid cloud adoption at enterprise scale. SOAR’s complexity, critical operational holes, and technical limitation, make the fatal flaw sinking your organization’s ship. If you’re still using outdated Legacy SOAR, it’s time to make the switch TODAY. 

Here are the 8 key benefits of using hyperautomation

1. Simplicity

You don’t need to be a developer or experienced security professional to create powerful workflows in minutes with never-seen-before efficiency. The solution is powerful enough for the most complex threat responses, yet easy enough to deploy with a drag-and-drop interface. Unlike legacy SOAR solutions, multiple teams can eliminate repetitive security tasks with automations that can be created in minutes.

2. Extensibility

With Hyperautomation, you can empower your organization beyond security by connecting to collaboration, communication, infrastructure applications, and more. Whether it’s on-prem on in the cloud, Torq provides near-limitless connectivity to any system in your stack.

3. Enterprise-Grade Architecture

Torq is cloud-native, built on secure, zero-trust architecture, with elastic, horizontal scalability with flexible SLAs. It provides enterprise-grade immutable activity and audit logs to meet the most stringent compliance requirements, as well as granular scope, and role-based access control

4. Real ROI, Productivity, and Cost Savings

From day one, organizations can measure Torq’s cost savings by maximizing team productivity and process effectiveness with the Torq Insights dashboard. It granularly measures time savings and operational efficiency for total visibility into the hyperautomation platform’s impact. With Torq Hyperautomation, you’ll receive 10X+ operational and productivity boost just weeks after deployment.

5. Intelligent Case Management with Automated Contextual Resolution

Torq transforms large numbers of security events and signals into contextually-enriched cases, ordered by severity, priority, and field of ownership. It then orchestrates the analysis and remediation of security cases by centrally tracking all relevant activities and decisions, accelerating the detection, analysis, and response of security issues, freeing up significant analyst time to focus on strategic activities.

6. No Costly Professional Services

All Torq customers benefit from dedicated technical experts that help organizations achieve their automation goals at no extra cost. Say goodbye to surprise consulting bills that cost more than the automation solution.

7. Connect Every App and Stack

You never need to punch holes in your firewall for VPN services or reverse proxies. Torq uses zero-trust containerized agents to make outbound-only connections for on-premise connectivity.

8. Integrate Anything. Automate Everything.

Gain vast flexibility to expand use cases with capabilities such as SSH, PowerShell, SQL, Python, BASH, Kubernetes, AWS, GCP, Azure CLI, or other scripting or programming languages. Run multiple scripting languages concurrently within automation workflows.

The Writing’s On The Wall…SOAR is Dead

Simply put, your SOAR is hindering your organization. Hyperautomation equips your organization for the demands of modern cybersecurity

We’re just getting started… The SOAR is Dead Manifesto has the details on exactly why SOAR has been put to rest.

Share

Related Articles

Hyperautomation Product

5 Reasons Why SOAR is Dead

By Dallas Young, Sr. Technical Marketing Manager
July 19, 2023
3 Minute Read

SOAR is dead. At first glance, that might be a bold statement, but the writing’s on the wall. While SOAR may have been a thing in the past, it’s not built for hybrid cloud adoption at enterprise scale. Cue, Torq Hyperautomation

Here are 5 reasons why SOAR is dead: 

Disconnected Defenses

Lack of connectivity with ever-expanding tools = red flag. The traditional SOAR operating model is slow and inflexible. Legacy SOAR is built upon an outdated architecture that can’t meet the hyperconnectivity and scalability to address modern threats. Guess what? Torq Hyperautomation not only allows you to create workflows in minutes, but it allows you to do it without professional services. 

SOAR is Purely Reactive

You can’t be ahead of modern cyber threats if you’re a half a step behind. It’s not enough to just automate tasks around incident response, organizations need a solution that prevents incidents happening in the first place. Hyperautomation performs proactive, automated tasks like regular vulnerability assessments, configuration reviews, contextual threat intelligence, user behavior and insider threat monitoring, and threat hunting that prevent incidents while providing incident reports. Simply put, Hyperautomation allows you to stay ahead of the curve, SOAR keeps you a part of the pack. 

Limited Events Processing 

Pre-configured responses are a thing of the past. SOAR was built as a standard monolithic architecture, in which the entire application is deployed as a single entity, typically running on a single server or cluster of servers. You can’t teach a dog new tricks. Making SOAR extend beyond these configurations is too time-consuming, costly, and even potentially impossible to complete, as it typically requires the entire environment to be rebuilt and redeployed to upscale the entire system as a whole, instead of individual components. 

Narrow and Incomplete Visibility 

Lack of visibility? That’s sketchy. SOAR’s lack of a cloud-native architecture means they cannot deliver full visibility into on-premise, hybrid, and public or private cloud environments. Hyperautomation utilizes modern zero-trust containerized agents making outbound-only connections for on-premise environment connectivity. 

Hidden Costs 

You wouldn’t pay for a Ferrari to get a Prius, so why would you pay more for SOAR? The price tag and value don’t add up. SOAR’s licensing was based on the number of analysts or users in the organization, but that changed when it became a ticketing system, decreasing its value. Hyperautomation’s radically different approach delivers a much better correlation between price and the value received. There are also no hidden costs associated with hyperautomation.

Torq Hyperautomation achieves 10X Faster ROI Compared to Legacy SOAR

Torq Hyperautomation analyzes cyberthreats at scale with unprecedented ease and efficiency, using built-in advanced AI capabilities that SOAR completely lacks. 

I’ve only scratched the surface on this topic… read the SOAR is Dead Manifesto to see exactly why SOAR has been put to rest: https://torq.io/resources/soar-dead-manifesto/

Share

Related Articles

Integrations Use Cases

It Takes a Cybervillage: Torq Collaborates With Team8’s Ecosystem at CISO Summit

By Torq
June 13, 2023
3 Minute Read
It Takes a Cybervillage: Torq Collaborates With Team8's Ecosystem at CISO Summit

Torq firmly believes in Team8’s philosophy that it takes a village to address the escalation in critical cyberthreats. This is why Torq is collaborating with Team8’s vast ecosystem of partners to unleash the most advanced hyperautomation solutions possible, which seamlessly integrate across the Team8 community.

We’re excited to showcase Torq Hyperautomation at Team8’s CISO Summit in Tel Aviv during Innovation Day on June 21. It’s an exclusive gathering for C-level leaders to discuss the evolving role of CISOs, the latest trends and technologies, mutual opportunities, common challenges, and pathways to success.

“The Torq team is really looking forward to taking part in Team8’s CISO Summit, which is bringing together an incredible braintrust of global C-level executives to address some of the most pressing and important topics in cybersecurity today,” said Ofer Smadari, CEO and Co-Founder, Torq. “Torq is delivering significant value to Team8’s ecosystem with our Enterprise-Grade Hyperautomation platform, which is automating the most complex security infrastructures at dramatic scale. We look forward to productive dialogs at CISO Summit that drive effective solutions.”

Here’s what founders of Team8 companies are saying about working with Torq:

“The combination of Talon and Torq enables organizations to maintain robust security across their workforce without impacting productivity. Through the power of Talon’s Enterprise Browser and Torq’s Hyperautomation platform, organizations are able to simplify and improve enterprise security in an extremely powerful way. We look forward to continuing to work together to add joint value for customers.” 

– Ofer Ben-Noon, CEO, Talon

“Through our partnership with Torq, Dig Security customers can quickly automate full remediations through a single hyperautomation system to improve overall data security posture, and stop data exfiltration in real time.”

– Dan Benjamin, CEO and Co-Founder & CEO, Dig Security

“Torq and Gem share a mutual vision of transforming cloud security operations. Together, we give customers the tools they need to better automate cloud detection and response, enabling seamless workflows to stop threats faster.”

– Arie Zilberstein, CEO, Gem

“Our integration with Torq allows our mutual customers to benefit from a fully-automated lifecycle on remediating supply chain security findings. It works across multiple organizational units and drives them with human-in-the-loop resolution. Now customers experience faster responses, cutting a lot of time from MTTR and keeping the operation more efficient and secure.”

– Neatsun Ziv, CEO and Co-Founder, OX Security

“IONIX’s remediation Action Items, together with Torq’s flexible hyperautomation workflows, align remediation tasks with the way that security operations actually work. Now, customers can spend less time on routing tickets manually and further reduce their MTTM (Mean Time To Mitigate) exposure across their attack surface.”

– Marc Gaffan, CEO, IONIX

Ready to learn more about how Torq Hyperautomation can transform your organization? Schedule a demo, now!

Share

Related Articles

Integrations

Torq is an inaugural WIZ Integration (WIN) Launch Partner

By Torq
June 13, 2023
2 Minute Read

Torq has been hand selected as a Wiz Integration (WIN) launch partner, bringing the power of Torq Hyperautomation to WIN, so that our joint customers can continue to seamlessly integrate Wiz into their workflows, empowering them to automate their response.

“Torq and Wiz work seamlessly together to give us a major real-time advantage in mitigating the ever-evolving cloud-based threat landscape.”

Jemuel Dalino, Application and Engineering Security Manager, Agoda

WIN enables Torq to deliver actionable remediation and response to threats with a full audit trail of automated security actions. Torq and Wiz work seamlessly together to provide a real-time advantage in mitigating the ever-evolving cloud-based threat landscape with comprehensive contextual and accurate malicious activity identification. And Torq frees up security teams’ precious time, empowering them to focus on strategic business initiatives without being overwhelmed by cloud alerts.

“Over 50% of our customers are utilizing our Wiz integration in order to strengthen their hyperautomation workflows and I’m thrilled for us to have been selected as a WIN launch Partner. I look forward to strengthening our relationship for the benefit of our joint customers.”

Eldad Livni, Co-Founder and CINO, Torq.

The combined value of Wiz and Torq streamline security for organizations that are on a cloud journey.

“A best-in-class cloud operating model reduces risk, improves ROI, and drives efficiency,” said Oron Noah, Director of Product Management, Wiz. “That value proposition is what lies at the heart of WIN, and what Torq as a partner helps to make a reality. This collaborative philosophy brings real customer benefits, and we are so thankful to have Torq on board for this launch.”

Interested to learn more about the power of Torq and Wiz together, schedule a demo.

Share

Related Articles

Hyperautomation Product

Fix Cybersecurity Tool Sprawl with Hyperautomation

By Luke Bentley, Torq EMEA Account Executive
June 1, 2023
5 Minute Read

The evolution of cybersecurity tools is nothing short of remarkable, but I suppose they had to be when it isn’t just the Morris Worm you’re worried about. There has been a wave of buzz around the latest technology in years gone by. EDR evolved into MDR, then SASE, and in recent times we’ve seen Immutable Backup take the front seat.

But hey, I’m sure you can’t go far wrong by investing in all these kinds of technologies. The more the merrier, right? Depending on what you read, the number of cybersecurity-related technologies that enterprises have integrated and deployed in their infrastructure is between 45-70*, which is absurd. So, when there are vendors that are working in unison and supporting the idea of a better integrated and more visible cyber picture, it sounds like a win-win. This idea of your EDR, SASE and Email Security vendor working in tandem is a dream come true, right?

Some things don’t change unfortunately, and cybersecurity teams and CISOs are still being asked to do the impossible. Those age-old problems don’t budge easily: shortage of cyber professionals and resources, and a plethora of cyber vendors offering too many tools and too many processes. “With great tools, come great alerts,” or something along those lines, is what we’re typically told.

Who’s expected to deal with these additional alerts created from all of these technologies? Just because they integrate well, doesn’t mean they’re contributing to what the main focus should be: improving your cybersecurity posture and reducing the risk to your organization’s workforce. 

Some things do change, however. The new generation of CISOs don’t want to overload their teams with work to churn out results. They want to work smarter. They see business, people, and technology as one that can work together to get results.

CISOs are looking at the bigger picture. Empower the cyber teams, let them develop their skill sets, so they can return their knowledge and value back to the company. They’re not relying solely on the latest tech to churn through alerts and let the team on the ground deal with the processes.

The saying goes, “Train your people enough so they can leave, and treat them well enough so they don’t want to.” Nailed it.

Your infrastructure security engineer wants to develop into an AWS architect, but is too busy dealing with CSPM alerts. Your cyber analyst has aspirations of being a CISO themselves one day, but is bogged down by suspicious user activity, and misses all those opportunities to gain additional knowledge, learning how to present and communicate better, or simply lacks a development in strategic mindset to tackle problems. And that lack of development means they look elsewhere. Cybersecurity roles are notorious for job hopping, and I think that’s because the dreams of complex, technical and exciting projects are brushed away by daily firefighting.

Give the power back to the people, including the techies that are literally running the show, and retain them longer. But how? First, strip your mind of all pre-existing knowledge and thoughts on legacy SOAR. Those time consuming, low use case producing, pro-services heavy technologies are a thing of the past.

Hyperautomation is reforming how cyber teams, top to bottom, left to right, are approaching their CyberSecOps. The time to automate every task that comes from the latest and greatest cyber technologies you invest in, because it’s perfectly viable, is now. Torq’s enterprise-grade security hyperautomation has  made that possible.

The barrier to entry is no longer a dedicated DevSecOps team of 5 who can code in every language A through Z. Cyber and dev teams have spent years trying to create use cases with legacy SOAR vendors, and might be lucky if they publish 4 or 5 workflows/playbooks in a year. With Torq, the entry need only be a laptop, mouse and keyboard. Maybe a slight oversimplification, but it’s not far wrong. The ability to imagine, create and publish a workflow is now astonishingly rapid with Torq.

So, yes, the latest tech tools are great to have, the integrations will no doubt provide you with additional advantages and help secure your workforce, and sure they’ll do what they say on the tin. But the real power in your CyberSecOps is their new found time, being in control of alerts and tasks, and effectively remediating all of those alerts with a hands-off approach where possible. Torq is the tool to augment everything you have, say (and show) how we give time back to your teams,  as well as increase the efficacy and ROI of other tools. Here’s a sneak peek at what time you could be saving:

If you’ve miraculously found time between all your alerts to read this, don’t take my word for it; put our hyperautomation platform to the test. Any and all CyberSecOps or CloudOps processes you want automating – we’ve got you!

CSPM, IAM, alert remediation, email phishing response, threat hunting, and secure access to sensitive data – honestly the list is only limited to your imagination (or in my case, a word count).

* https://www.infosecurity-magazine.com/news/organizations-76-security-tools/

Share

Related Articles

Integrations

Building Efficient SecOps Pipelines with AWS Security Lake and Torq

By Torq
May 31, 2023
8 Minute Read

Amazon Security Lake automatically centralizes an organization’s security data from cloud, on-premises, and custom sources it into a purpose-built data lake stored in a customer’s AWS account.

Amazon Security Lake reduces the complexity and costs for customers to make their security solutions data accessible to address a variety of security use cases such as threat detection, investigation, and incident response. Amazon Security Lake is one of the many solutions that now supports the Open Cybersecurity Schema Framework (OCSF), an open industry standard, making it easier to normalize and combine security data from AWS and dozens of enterprise security data sources. 

Operationalizing the above (and additional) scenarios on top of the security data lake requires a set of basic building blocks that can either be used directly by SecOps professionals, or combined into larger workflows driving specific outcomes.

Executing Automated Actions as a Response to Security Events

As an Amazon Security Lake subscriber, Torq consumes logs and events from Security Lake. In order to control costs and adhere to least privilege access best practices, Torq workflows can be automatically notified of new Amazon S3 objects for a source as the objects are written to the Amazon Security Lake by setting up one or more data access subscribers.  Data access subscribers are notified of new Amazon S3 objects for a source as the objects are written to the Security Lake data lake.

In Torq, this notification is received in an Integration Webhook, so the first step of the configuration process is to create a new Webhook integration in Torq, as described in Torq’s documentation here. Take note of the resulting Webhook integration URL (endpoint), as it will be needed to set up a data access subscriber in Amazon Security Lake.

Completing the creation of the subscriber also requires setting up a new AWS Integration in Torq, as described in Torq’s documentation here. This integration will also be used afterwards to pull data from the Security Lake in Torq Workflows. As described in Torq’s documentation, setting up an AWS Integration requires creating a new Role in AWS Identity and Access Management. For that role to be able to pull data from the security lake, please sure to add the following permission policies to the role:

  1. Create a new IAM Policy with the following contents:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInvokeApiDestination",
            "Effect": "Allow",
            "Action": [
                "events:InvokeApiDestination"
            ],
            "Resource": [
                "arn:aws:events:*:{accountId}:api-destination/AmazonSecurityLake*/*"
            ]
        }
    ]
}

Make sure to replace “{accountId}” in the JSON above with your own AWS Account ID.

  1. Add this policy to the Permissions Policies for role you’re creating for Torq’s Integration
  2. Add the following policy to the Permissions Policies of the role AmazonAthenaFullAccess (this is needed to enable querying, writing results, and data management through Amazon Athena, which is how Torq workflows will query data from the AWS Security Lake.

While setting up the AWS Integration in Torq, take note of the Torq Account ID and the AWS External ID, as you will need these in the process for creating a custom subscriber 

Next, follow the following steps to set up a new Data Access Subscriber through your AWS Console:

  1. Open the Amazon Security Lake console at https://console.aws.amazon.com/securitylake/.
  2. In the navigation pane, choose Subscribers.
  3. Click Create subscriber.
  4. For Subscriber details, enter the subscriber’s name and (optionally) a description.
  5. For Log and event sources, choose from which sources you want to receive notifications in your previously created Torq webhook (you can choose whether you want to send notifications from all your Amazon Security Lake sources to Torq or select specific sources for each subscriber).
  6. For Data access method, choose S3 to set up data access for the subscriber.
  7. For Subscriber credentials, provide the Torq Account ID and the AWS External ID you got from AWS integration in Torq for AWS account ID and external ID, respectively.
  8. For Notification details, select Subscription endpoint so that your Amazon Security Lake can send notifications through EventBridge to the HTTPS endpoint of the Torq Webhook created previously.
  9. For Service Access, select the IAM role named AWSServiceRoleForAmazonEventBridgeApiDestinations, which is automatically created during the Amazon Security Lake set up process when run from the AWS Console, and which gives EventBridge permission to invoke API destinations and send object notifications to the correct endpoints.
  10. Provide the Torq Webhook integration URL (endpoint) as the subscription endpoint
  11. Choose Create.
  12. Check the configuration of Subscription associated with the Amazon SNS Topic which has been created as a result of the previous steps, and verify that Raw message delivery is enabled for the Subscription. Enable it by editing the Subscription if it wasn’t.

Schematic configuration of Amazon Security Lake subscribers triggering Torq workflows

Depending on the settings you defined in step #5 above (Log and event sources) it might be necessary to define trigger conditions in your Torq workflows triggered from Amazon Security Lake events. Here’s an example of a trigger condition meant to restrict a workflow to be triggered by Route53 events in Amazon Security Lake from a region us-east-1 only:

A Torq workflow trigger condition definition example to restrict a workflow to be triggered only by Amazon Security Lake events for a specific account id, region and data source (such as AWS Route53)

Querying Data from Security Data Lake

The Amazon Security Lake creation and set up process run from the AWS console, automatically registers each Security Lake region as a new Database in AWS Athena.

AWS Athena is a serverless service which allows querying Amazon Security Lake S3 data (with an S3 bucket per region for which the Security Lake has been enabled) using SQL.

Querying Amazon Security Lake from Torq Workflows using SQL through AWS Athena

Querying Amazon Security Lake data from Torq workflows, either automatically triggered from Security Lake events, scheduled to periodically pull notifications of new objects by polling an Amazon Simple Queue Service (SQS) queue or run on-demand to search for specific data in the Security Lake, can be easily implemented by using SQL in AWS CLI steps to query Athena’s API.

The following figures illustrates the process of querying Amazon Security Lake from Torq Workflows in 3 steps:

  1. Creating a dynamic SQL query for AWS Athena:
  1. Using AWS CLI to execute the query in AWS Athena:
  1. The result of Athena SQL queries is stored as a csv document in S3 and can be easily pulled into a Torq workflow by using an AWS S3 Read File step, and then the Convert CSV to JSON step from Torq Utilities to simplify data extraction and transformation in later steps in the workflow:

Bringing It All Together

Operationalizing Security Operations with fully automated or human-in-the-loop pipelines using the above “building blocks” is a process consisting of the following phases:

  1. Identifying the relevant security events:

    Torq triggers can be configured with conditions, expected from the delivered event, in order to start performing automatic actions. In some cases, looking just at the event data might not be sufficient to decide whether it requires a certain security follow-up or not. For these scenarios, following up with additional automated enrichment and investigatory steps can be performed with Torq workflow steps.
  1. Defining the required enrichment / hydration data:

    Upon receiving a security event that has a potential for a follow-up, certain parts of it, such as (but not limited to) User Identifiers, Device Identifiers, Network Addresses, etc… should be retrieved for further enrichment with additional systems (IAM, CMDB, Threat Intelligence and more) by introducing initial steps in a workflow triggered by security lake events.
  1. Building the pipelines – what happens when the event occurs:

    Defining the response process can take place in an iterative manner. Main questions that need to be addressed are:
    • What additional information do we need to be able to better classify the event
    • Once classified, are there external notification / orchestration systems that need to be updated with this information
    • If building a human-in-the-loop pipeline, which role-players need to be provided an information about this event
    • If performing automatic remediation actions – what are they and which role-players can approve executing them

Summary

Amazon Security Lake provides a flexible and scalable repository for different kinds of security events. In order to  build flexible and scalable security operations, your teams will require this data to be at their fingertips with the ability to efficiently use it and to trigger processes based on it.

Implementing Torq workflows, that can be triggered either

  • Manually by security professionals via Messaging / Chat or Web
  • By identifying specific events reaching the security lake
  • By using detections made by 3rd party security products

In these workflows, following capabilities can be delivered to security professionals:

  • Retrieve data from security lake and present it to security role-players in a convenient fashion
  • Enrich operational systems with context from the security lake
  • Process the security lake data to make decisions on severity and priority of different security events
  • Suggest and execute containment and remediation strategies based on processed contextual data

Examples of these and additional scenarios can be found at Torq Template Library.

Share

Related Articles

Integrations

Turning Intelligence Into Action with Cybersixgill and Torq

By Dallas Young, Sr. Technical Marketing Manager
May 24, 2023
4 Minute Read

No matter the industry, geography, or organizational size, cybersecurity teams are united by their many shared challenges: talent shortages, expanding attack surfaces driven by digitization and remote work, increasing velocity of software development, and the rapidly growing scope and sophistication of global cybercrime. In response, these teams have embraced and incorporated a range of specialized tools within their defensive arsenal in attempt to address and resolve these issues. Threat intelligence and security automation solutions form the front lines of their battle, yet these pillars of the cybersecurity ecosystem are often disconnected, creating a dangerous gap between intelligence and action.

This divide prevents security teams from deriving the full value from their solutions. Non-actionable threat intelligence increases analyst fatigue with yet another stream of feeds and alerts. While automated security playbooks without context-rich threat data lack the means to validate, prioritize and triage threats, resulting in inefficient processes and extending the MTTR.

By integrating actionable, relevant, context-rich threat intelligence within orchestration automation tools and processes, security teams can unlock the full potential of their existing security stacks – saving precious time and resources while streamlining response and remediation

Turning Intelligence Into Action with Cybersixgill and Torq

Cybersixgill and Torq have partnered to bridge the divide between intelligence and action, operationalizing Cybersixgill’s market-leading threat intelligence through next gen security hyperautomation with Torq. With this strategic partnership, we have pioneered end-to-end, no-intervention threat protection, helping to dramatically reduce MTTR  through customizable, automated workflows and playbooks, triggered by context-rich threat intelligence extracted in real-time from the cybercriminal underground.

Using Torq’s library of automation components, organizations can build an automation infrastructure to orchestrate immediate responses to Cybersixgill’s early warnings of potential threats, allowing teams to build automated, alert-triggered playbooks with any other tool in their environment – without writing a single line of code. 

Alerts from Cybersixgill’s rich threat intelligence insights can be programmed to autonomously initiate incident response workflows in Torq to instantly remediate issues at the first indication of a potential threat. Alternatively, security teams can harness Cybersixgill’s rich threat context to create automated threat hunting workflows, triggering data enrichment upon the arrival of an event or signal discovered through any other security tool. 

Torq and Cybersixgill make it easy for teams to turn manual security processes into automated, intelligence-driven workflows within minutes, eliminating reactive processes to build a resilient, proactive cybersecurity posture.

The Benefits of the Combined Solution

Cybersixgill gives users covert access to our complete body of context-rich threat intelligence from the deep, dark & clear web, including limited-access forums and markets, invite-only messaging groups, code repositories, paste sites and clear web platforms. We correlate our threat intelligence with each customers’ defined organizational assets, alerting teams to relevant threats at the earliest indication of risk, enabling preemptive action to be taken before they can materialize into an attack.

Torq’s enterprise-grade security hyperautomation platform unifies and automates the entire security infrastructure to deliver unparalleled protection and productivity. Torq drives maximum value and efficiency from existing security investments. It supercharges security teams with powerful, easy-to-use no-code, low-code, and full-code workflows that reduce manual tasks, freeing security professionals to focus on higher-value strategic activities.

Together, the combined solutions help users:

  • Reduce risk with automated end-to-end intelligence-driven security workflows- Identify, capture and block threats as they emerge with seamlessly deployed playbooks to accelerate Mean Time to Respond and better secure your environment. 
  • Save time and maximize team productivity- Eliminate manual work with automated workflows triggered by actionable and relevant threat intelligence data – built and deployed in minutes with no need for developers, professional third party services or month-long implementation delays
  • Minimize cost and maximize resources- with a consolidated end-to-end no-intervention threat protection solution that allows you to make the most out of your existing security stack, with faster time to value.
  • Optimize operations- by automating repeatable security processes, allowing you to shift valuable resources to higher priority tasks.

Schedule a demo to learn more about Torq Hyperautomation.

Share

Related Articles

Hyperautomation Product

The Top 4 Criteria for Choosing a Security Automation Solution

By Afik Levi, Product Specialist, Torq
May 18, 2023
5 Minute Read
The Top 4 Criteria for Choosing a Security Automation Solution

As businesses continue to evolve, automation has become an essential aspect of modern operations. The benefits of automation are numerous, ranging from reducing operational costs to increasing security, efficiency, and accuracy. However, with so many automation solutions available on the market, it can be challenging to select the right one for your business. As a product specialist at Torq with over a decade of experience in field positions, I have had the opportunity to witness countless businesses on their automation journey, and I want to share some of the insights with you. At the end of the article, you will have a better understanding of the critical factors to consider when choosing the right automation solution.

1. Business requirements, Technology Stack, In-House Solutions

The first step towards selecting the right automation tool is understanding your business requirements. This involves identifying the processes that need automation (repetitive tasks, high error rates, etc.) and mapping the technology stack. It is crucial to evaluate the automation solution’s capabilities to integrate seamlessly with your stack and provide out-of-the-box functions that are relevant to your technology stack, as this improves the time to value and ROI by enabling simplicity when creating automation workflows. It’s also equally as important to map your in-house customizations to examine how the potential solution works with them, as without the sync between the two, you will most likely face “unplanned costs” and it might lead to complete blockers.

2. Out-of-the Box vs Generic

Flexibility is another important factor to consider when selecting an automation solution. Wait a minute! What do we mean by flexibility? Referring to the balance between out-of-the-box capabilities and generic/customization capabilities. It is essential to ensure that the “out-of-the-box” capabilities can be fully customized; based on my experience, missing even one piece of the puzzle can prevent successful workflow automation, so you better be able to customize it or you might hit the same wall that is killing the legacy SOARs (content and integration creation; “Sorry, we don’t support it”). 

However, beware of generic solutions that may satisfy use cases but hinder time-to-value and solution maintenance (for example, vendor API updates). So at the end of the day, having both out-of-the-box and generic capabilities is desirable.

3. POC Time + Success Criteria

After understanding your business requirements and technology stack, evaluating potential automation solutions with a Proof of Concept (POC) is the next step. The focus is on time-to-value and ROI. Choosing your important use cases and evaluating how quickly and easily they can be fully operational is essential. It is equally important to determine how easy it is for you to accomplish this. It’s time to ask your team to complete a use case from scratch using the potential automation solution.

Here is the specific success criteria for the POC as I see it (I promise it will save you money in the long):

  • New content creation – “steps”.
  • New integration creation – out of the box and generic capabilities.
  • Bring your own code – relevant when you have a legacy code such as a big in-house solution that you can’t replace right away, or even empowering someone who wants to use code for specific use cases.
  • Connectivity capabilities – more than APIs  (SSH, Bash, SQL, etc).
  • Life cycle management – vendor API updates, production vs testing separation, testing and CI/CD solutions, etc.
  • Templates out-of-the-box workflows that reflect different use cases.
  • Content sharing – workflows and steps, relevant for a super user who helps others.
  • Compliance meet the standards of your company.

4. Scale + Vision

Now that we have a candidate that answers all of that (hint: Torq), it’s time to validate what the future looks like. It’s time to focus on scalability, maintenance, and the vision of the vendor. As your business grows, the solution should scale with it. It is essential to choose an automation system that can handle increased volumes of data and adapt to changing business needs over time. Selecting a solution from a vendor with a clear vision for the future can be critical to ensuring the long-term success of your automation efforts.

Choosing the right automation tool is a critical aspect of a modern security team. It’s crucial to examine the standout aspects of the solution as it can have a significant impact on your organization, particularly in terms of efficiency, improved security posture and lowering costs. 

While there are many factors to consider when selecting a security automation tool, these essential elements should guide your decision-making process as they increase the probability of success. As a product specialist at Torq, we understand the importance of selecting the right automation tool (so we have created an Hyperautomation one), and I hope that this article has provided you with valuable insights to make an informed decision.

Share

Related Articles

AI Product

Hype vs. Reality: Are Generative AI and Large Language Models the Next Cyberthreat?

By Torq
May 17, 2023
5 Minute Read

Generative AI and large language models (LLMs) have the potential to be used as tools for cybersecurity attacks, but they are not necessarily a new cybersecurity threat in themselves. Let’s have a look at the hype vs. the reality.

The use of generative AI and LLMs in cybersecurity attacks is not new. Malicious actors have long used technology to create convincing scams and attacks. The increasing sophistication of AI and machine learning algorithms only adds another layer of scale and complexity to the threat landscape, which should be met with both common and innovative protection measures to maintain organizations’ security posture.

Generative AI and LLMs can have a significant impact on the scale of cybersecurity threats, both in terms of the number of attacks and their complexity. On one hand, these technologies can make it easier and faster for attackers to create convincing fake content. This could lead to an increase in the overall volume of attacks, as attackers are able to generate larger quantities of fraudulent content more quickly and easily.

Additionally, LLMs can be used to generate highly-targeted and personalized messages, which could make it more difficult for people to recognize them as fraudulent. For example, an attacker could use an LLM to generate a phishing email that appears to come from a friend or colleague, using their writing style and language to make the email seem more authentic. They could also be used to generate realistic-looking password guesses, in order to bypass authentication systems. Generative AI and LLMs can give attackers an advantage in certain situations. These tools can automate the process of creating convincing fake content, making it easier and faster for attackers to generate large quantities of phishing emails and other types of misleading content.

To mitigate the potential threats posed by generative AI and LLMs, organizations can take immediate steps, such as:

  1. Multi-factor authentication-Implementing multi-factor authentication systems can help to prevent attacks that use AI technology to guess or crack passwords. By requiring additional verification steps, such as a biometric scan or a one-time password, organizations can make it more difficult for attackers to gain access to sensitive data or systems.
  2. Employee training-Providing training to employees on the increasing threat of highly targeted and personalized phishing attacks as a result of generative AI. This can include training on how to identify and respond to phishing emails or suspicious behavior on the network.
  3. Email filtering-Email filtering systems can provide an effective defense against phishing attacks that leverage AI technology. These systems can analyze large volumes of email traffic and quickly identify and block suspicious emails, helping to prevent users from falling victim to these types of attacks.
  4. Hyperautomation-This new security automation approach is effective for countering the scale of attacks generated by AI, by providing organizations with comprehensively-integrated capabilities needed to quickly detect and respond to threats. In addition, it can help to reduce the workload on security teams by hyperautomating routine tasks such as incident triage and response. This can help to free up time and resources to handle more complex threats, such as those involving generative AI and LLMs.

The use of generative AI and LLMs is not limited to attackers. These tools can also be used by defenders to develop more effective security measures and detect potential threats. For example, security researchers can use LLMs to analyze large volumes of data and identify patterns that could indicate the presence of a cybersecurity threat. Some possible future applications of LLMs in cybersecurity protection can be developed to augment the existing tech stack, and help protect against a wide range of new and more sophisticated cyber threats:

  1. Phishing Detection-LLMs can be trained to recognize and flag suspicious emails that may be part of a phishing attack. By analyzing the text of an email, an LLM can identify patterns or keywords that are commonly used in phishing attempts and alert users or security teams to the potential threat.
  2. Malware Detection-LLMs can be used to analyze large volumes of code and identify patterns that are associated with malware or other types of cyber attacks. An LLM can identify keywords or phrases that are commonly used in malicious code and help to flag potential threats.
  3. Threat Intelligence Analysis-LLMs can be used to analyze and categorize large volumes of threat intelligence data, such as security logs or incident reports, to identify patterns and trends in the data and help that indicate potential threats or vulnerabilities in the system.
  4. Hyperautomation-By integrating AI-based threat detection capabilities into a hyperautomation platform, organizations can enhance their ability to quickly respond to attacks. For example, machine learning algorithms could analyze network traffic and identify patterns that indicate the presence of a threat. This would automatically trigger a response, such as blocking the malicious traffic or quarantining an infected device.

If you want to learn more about how hyperautomation can help your organization connect your entire tech stack, use no-code to full-code, and bring your own container, and deploy in a matter days, visit Torq.

Share

Related Articles