Why the World’s Top MSSPs are Ditching Legacy SOAR for Hyperautomation
By Torq
July 16, 2024
5 Minute Read
Managed Security Service Providers (MSSPs), desperate to automate repetitive tasks, initially turned to SOAR to reduce their workload and improve threat response times. Unfortunately, legacy SOAR tools still face scalability, flexibility, and integration challenges. As the complexity and volume of cyber threats continue to grow, the limitations of legacy SOAR have become more apparent, necessitating the move towards more advanced automation technologies like Torq Hyperautomation. Unfortunately, MSSPs that continue to rely on legacy SOAR solutions to manage security orchestration and automation across a broad customer base are destined to find themselves on a collision course barrelling towards the worst fate that the internet has to offer any business in 2024. They are going to get “memed”
Scalability Issues – SOAR Chokes Under Pressure
One of the significant challenges with legacy SOAR is its inability to handle large volumes of events efficiently. When there is a substantial influx of security alerts, the SOAR scheduler often gets overwhelmed, leading to significant delays in event processing. This bottleneck prevents a timely response to potential threats and impacts the overall performance of the SOC. For an MSSP, delayed response time is a massive risk to the security of their customers and can quickly become a detriment to their business’ revenue and overall reputation. The need for a more scalable solution is evident as cyber threats grow in frequency and complexity. This is where Torq Hyperautomation steps in, offering enhanced scalability to manage large volumes of events without compromising speed or efficiency.
Lack of Multitenancy
Legacy SOAR tools often struggle with multitenancy, a simple concept in which one instance serves multiple customers while maintaining separate environments. This design flaw means an issue affecting one customer can cascade to others, causing widespread performance degradation. This is especially problematic for MSSPs as they simultaneously manage multiple customer environments. If a flood of events from one customer overwhelms the system, it can delay responses and degrade performance for other customers using the same playbook. This lack of isolation risks compromising service quality and makes it challenging to guarantee client SLAs. In contrast, solutions like Torq Hyperautomation are built with robust multitenancy capabilities, ensuring performance issues or high event volumes from one customer do not impact others. This isolation is crucial for MSSPs delivering consistent and reliable security services across a diverse client base.
Integration Complexity
Creating custom integrations in legacy SOAR can be labor-intensive, requiring significant effort and maintenance. This complexity is especially evident when dealing with APIs and specific data-handling needs. Organizations must often develop custom integrations to meet their unique requirements, as out-of-the-box options may fall short. This demands substantial development resources and ongoing maintenance to ensure compatibility and performance, increasing costs for MSSPs. More often than not, professional services become necessary to help build these custom integrations, further increasing the SOAR investment while delaying the value returned. By contrast, Torq Hyperautomation simplifies the integration process, offering more flexible and user-friendly options for creating and managing custom integrations. This ease of use reduces the overhead of maintaining custom code and allows security teams to focus more on threat detection and response rather than integration challenges.
High Maintenance Costs
Legacy SOAR products often come with high maintenance costs in terms of time and resources. For example, an organization might use around 25 different playbooks for different services and integrations, each requiring regular updates and optimization. This complexity leads to a significant overhead in management and operational costs. In contrast, Torq Hyperautomation offers a more streamlined approach, reducing the need for intensive maintenance. Its intuitive interface and robust automation capabilities allow for easier management of playbooks and workflows, significantly lowering the time and cost involved in maintaining the system. This makes it a more sustainable and efficient solution for modern cybersecurity needs.
Lack of Customization and Flexibility
One of the critical shortcomings of legacy SOAR is its limited customization and flexibility. These tools often restrict the import of many Python libraries due to security concerns, limiting the ability to create custom functions and workflows. For instance, users can’t import essential libraries like the CrowdStrike Python SDK, hindering their ability to develop tailored solutions for specific tasks. This lack of flexibility forces organizations to rely heavily on pre-defined steps and actions, which may not always align with their unique security requirements. In contrast, Torq Hyperautomation provides a more versatile platform, allowing for easier customization of steps and actions without extensive Python scripting. This enhanced flexibility enables security teams to tailor the system to their specific needs, reducing the overhead of maintaining custom code and improving overall operational efficiency.
Join the World’s Top MSSPs in Ditching Legacy SOAR
For MSSPs, maintaining a positive customer experience and staying ahead of threats requires a robust, adaptable, and scalable toolset. Legacy SOAR tools are increasingly falling short of meeting the complex demands of modern security operations. Torq Hyperautomation addresses these challenges by offering enhanced flexibility, seamless integration, and cost-effective solutions that streamline security workflows and improve response times. This transition bolsters an organization’s cybersecurity posture and ensures that security teams can operate more efficiently and effectively, delivering better outcomes in protecting customer environments.
Ready to join the world’s top MSSPs in ditching Legacy SOAR for Hyperautomation? Get a demo today.
Global SOC Survey Reveals Hope for SecOps Teams As Post-SOAR Hyperautomation Boosts Analyst Retention and Tenure
By Torq
July 3, 2024
4 Minute Read
The SANS 2024 SOC Survey, a comprehensive new Torq-sponsored study, reveals that for the first time in decades, the tenure of SOC and Security Analysts is increasing. They’re choosing to remain at their posts for three-to-five years, up from an average of one-to-three years.
Modern post-SOAR hyperautomation solutions are playing a significant role in alleviating the burdens these cybersecurity pros face. Historically, they’ve been prone to severe, soul-destroying burnout related to dealing with endless manual alert processes, resulting in alert fatigue and a deluge of false positives that create constant, unnecessary fire drills that drain energy and motivation.
The report further states that staffing challenges and automation needs remain a red alert critical issue. The continued lack of skilled staff available further underlines the criticality of SOC pro retention.
SANS surveyed more than 400 cybersecurity pros from across the world, with a focus on security administrators and analysts, security managers and directors, incident responders, and threat hunters. Geographies represented include the US, Canada, Europe, South America, Asia, the Middle East, Australia/New Zealand, and Africa. The survey represents industries including financial services, banking, insurance, government, and high tech.
Save the Analyst: Hyperautomation Drives Unprecedented Efficiency
According to the survey, the positive trend 30 percent of respondents are experiencing in retention and employee satisfaction underlines the value of new security automation solutions, such as the AI-driven Torq Hyperautomation Platform. Torq Hyperautomation automates every SOC process at scale, liberating SecOps pros from the manual threat identification and remediation grind. It collects, analyzes, and organizes unprocessed events and signals into contextually-enriched cases in real time. It then intelligently and intuitively orders them according to severity, priority, and field of ownership. Next, it auto-remediates the majority of cases across multiple organizational functions and escalates only the most critical and complex threats for human intervention.
“The positive impact Torq Hyperautomation is having on the productivity, efficiency, and job satisfaction for Citadel’s SOC team is significant,” said Moti Caro, CEO, Citadel. “With Torq Hyperautomation, the vast majority of the thousands of daily threat alerts and signals our team used to handle manually are now automatically and instantly processed, analyzed, identified, and remediated. Our SOC team is now able to place significantly more focus on proactive measures and longer-term strategic projects, with 100% confidence in how Torq Hyperautomation precisely handles threat response.”
“Torq has transformed efficiency for all five of my security teams and enabled them to focus on much more high-value strategic work, instead of manual detection and remediation tasks.” said Yossi Yeshua, CISO, Riskified. “Riskified is a ‘Torq-first’ company that’s seeking to take maximum advantage of its incredible hyperautomation capabilities at every opportunity.”
Boosting SOC Professionals’ Mental Health
The survey reflects a significant shift from January 2024, during which TechTarget assessed that, “Nearly a third of cybersecurity experts say they consider leaving the profession on an occasional (21%) or regular (9%) basis – citing stress associated with the career as the top reason. Coupled with SANS’ previous “It’s Time to Break the SOC Analyst Burnout Cycle” feature that revealed it takes seven months to two years to fill a SOC role, it becomes clear that the mental health benefits of the shift to new security automation approaches pays multiple dividends.
SANS’ findings correlate with another recent perspective on how Torq Hyperautomation alleviates SOC burnout from IDC.
“Every day, IDC is engaged with SOC professionals who communicate the existential challenges they’re facing, both in terms of keeping up with ever-escalating threat complexity and volume, and the incredible burden that places on the shoulders of their teams,” said Chris Kissel, Vice President, Security & Trust Products, IDC Research. “Torq HyperSOC is the first solution we’ve seen that effectively enables SOC professionals to mitigate issues including alert fatigue, false positives, staff burnout, and attrition. We are also impressed by how its AI augmentation capabilities empower these staff members to be much more proactive about fortifying the security perimeter.”
GET THE SURVEY
Torq is making the SANS 2024 SOC Survey available at no charge to qualified cybersecurity professionals. To submit your request for access, please fill out this form.
Exploring the Future of SOC Automation with Francis Odum
By Torq
June 25, 2024
5 Minute Read
Contents
The future of SOC automation is dynamic and rapidly evolving, promising to revolutionize how security operations centers (SOCs) tackle their most pressing challenges. As cybersecurity threats grow in volume and sophistication, SOC teams are increasingly overwhelmed by alert fatigue, false positives, and a critical shortage of skilled professionals.
In the early days of SOC automation, bespoke scripts were the primary tools used to streamline security operations. These scripts were often handcrafted by experienced analysts to automate repetitive tasks such as log parsing, alert triaging, and basic threat detection. While these custom scripts provided some level of efficiency, they had significant limitations. They were often brittle, difficult to maintain, and heavily reliant on the expertise of individual analysts who created them. This made scaling automation across the SOC challenging. Moreover, the scripts lacked the intelligence and adaptability to handle the growing complexity and volume of cyber threats. Despite these drawbacks, bespoke scripts laid the groundwork for future advancements in SOC automation, highlighting the potential for automation to alleviate some of the workload from human analysts.
The Rise and Fall of SOAR Platforms
As the limitations of bespoke scripts became apparent, we saw the emergence of Security Orchestration, Automation, and Response (SOAR) platforms. Legacy SOAR platforms were designed to bring a more structured and scalable approach to SOC automation. They integrated various security tools and data sources, enabling automated workflows that could handle complex threat scenarios more effectively. SOAR platforms made hefty promises of increased efficiency and scalability in the SOC. Unfortunately, SOAR’s monolithic, rigid architecture led to a lack of integrations, limited flexibility, and major complexity issues. Today, SOAR solutions are being phased out by SOC teams looking for a more modern, scalable approach to security automation.
Torq HyperSOC™: The First Purpose-Built Hyperautomated SOC Solution
Hyperautomation represents the next frontier in SOC automation, pushing the boundaries of what is possible. Unlike earlier approaches, hyperautomation aims to automate virtually every aspect of SOC operations, from threat detection and response to compliance and reporting. By leveraging AI and machine learning, hyperautomation can continuously learn and adapt to new threats, making SOCs more resilient and proactive. Additionally, hyperautomation platforms can orchestrate complex workflows that involve multiple tools and systems, providing a unified approach to cybersecurity management. As organizations face increasingly sophisticated cyber threats, Torq HyperSOC™ offers a scalable and robust solution, enabling SOCs to operate at peak efficiency while freeing human analysts to focus on more strategic tasks.
What’s Next in SOC Automation
Automating Tier-One Analyst Tasks
Tier-one tasks, such as initial alert triage, data enrichment, and basic investigation, are often repetitive and time-consuming. Analysts can focus on more complex and critical issues by automating these processes. Automation not only speeds up response times but also reduces the chance of human error. Furthermore, it helps maintain high productivity even during high alert volumes, preventing burnout among analysts. Torq HyperSOC™ offers automation capabilities that ensure tier-one tasks are completed swiftly, allowing SOC teams to allocate their resources more strategically. This leads to a more effective security operation, where skilled professionals can focus on tasks that truly require their expertise.
AI Integration: LLMs and Beyond
AI integration has become a cornerstone of modern SOC automation, with large language models (LLMs) leading the way. These advanced AI models can process and analyze vast amounts of textual data, providing deeper insights into threat intelligence and incident reports. LLMs can assist in generating detailed incident summaries, recommending remediation steps, and even automating threat-hunting activities. Other applications of LLMs include unlocking the ability to create new integrations or build out automations using natural language, removing the barrier of entry for analysts who don’t have the necessary coding skills demanded by SOAR connectors and integration builders.Beyond LLMs, AI integration encompasses various machine learning algorithms designed to detect anomalies, predict potential threats, and optimize response strategies. The ability of AI to learn from historical data and adapt to new threat landscapes makes it an invaluable asset for SOCs. Furthermore, AI-driven analytics can correlate data from disparate sources, offering a more comprehensive view of the security environment. As AI technology continues to evolve, its integration into SOC operations will undoubtedly enhance the efficiency and effectiveness of cybersecurity measures.
The Vision of a Fully Hyperautomated SOC
A fully Hyperautomated SOC has already become a reality as we look at the modern security landscape. The modern SOC relies heavily on Hyperautomation to amplify the capabilities of human analysts, not replace them. Envision a system where sophisticated AI algorithms are continuously informed by vast troves of historical and real-time data, with humans providing the strategic oversight necessary to navigate the evolving threat landscape. This is precisely what Hyperautomation is already delivering and where SOAR solutions failed to rise to the challenge. In this modern Hyperautomated SOC, technology not only detects and counteracts threats faster but also forecasts and preemptively strengthens defenses against potential vulnerabilities. This level of human-guided automation promises to improve the speed of incident detection and mitigation, delivering expedited yet carefully vetted responses to emerging threats. A human-centric, hyperautomated SOC would ensure seamless compatibility with broader enterprise systems, promoting an integrated security orientation that comprehensively covers an organization.
Get a Demo
If you’re ready to experience the future of SOC automation, contact us to get a demo today.
Gartner Says “SOAR Is Obsolete” in ITSM Hype Cycle
By Torq
June 20, 2024
2 Minute Read
Gartner just hammered another nail into the coffin of SOAR. The just-released “Gartner IT Service Management software (ITSM) Hype Cycle” report confirms SecOps professionals are profoundly unhappy with antiquated, legacy SOAR products and vendors. In fact, it places SOAR at the very bottom of its “Trough of Disillusionment” column, meaning “the innovation does not live up to its overinflated expectations.”
According to Gartner, “SOAR requires both development and ongoing operational cycles to maintain, similar to other coding development practices” and that justifying the expense of a SOAR purchase “remains an obstacle for clients.”
In contrast, the report points to modern generative AI-based security automation as a path forward for modern enterprises. It refers to Automated Incident Response solutions, such as the Torq Hyperautomation Platform, as being on the “Slope of Enlightenment,” due to its advanced threat identification, management, and remediation capabilities, and vastly higher ongoing ROI.
“Workflow automation tools can automate workflows that are part of processes like converting actionable alerts into incidents, opening a communications channel in instant messengers for collaboration, updating the status on a web portal in real time and one-click remediation for existing runbooks,” states the report.
It goes on to applaud modern post-SOAR automation for its unique ability to “remediate and extend incident response capabilities that can integrate with DevOps toolchains.”
Gartner further highlights other critical limitations of SOAR in the report, including:
High initial set up and implementation costs
High ongoing maintenance and support costs
The requirement for specialized personnel and analysts with extensive coding skills
Integration and interoperability issues with third-party tools and custom connectors
The unrealistic and inaccurate expectation that SOAR can solve all security issues as a standalone solution
In closing, Gartner recommends organizations be extremely critical about their security platform purchase decisions, advising them to “select an appropriate product based on buyer understanding and its applicable use cases, such as SOC optimization, threat monitoring and response, threat investigation and hunting, and TI management.”
Torq professionals are ready to help emancipate organizations from the limitations of SOAR and answer any questions they may have stemming from this report.
If you’re in a trough of disillusionment and ready to ditch Legacy SOAR, contact us to get a demo of Torq Hyperautomation.
Unleash a Multi-SIEM Strategy with Hyperautomation
By Torq
May 30, 2024
10 Minute Read
Consolidation or Collapse of Legacy SIEM?
Industry Analysts Signal End of Legacy SIEM as Operational Costs Continue to Rise
If you are a cybersecurity professional, it’s hard to ignore the recent shift in the SIEM landscape unless you’ve been living under a rock… or more likely, under the crushing weight of terabytes worth of disconnected SIEM logs. Let’s catch everyone up to speed anyway:
March 2024: Cisco completed its $28 billion acquisition of Splunk, a significant move in the SIEM market.
May 2024: Palo Alto Networks (PAN) announced the acquisition of IBM’s QRadar SaaS assets, facilitating the migration of QRadar SaaS customers to Palo Alto’s Cortex XSIAM platform.
May 2024: LogRhythm and Exabeam, two major SIEM providers, announced their merger to create a unified entity specializing in AI-driven security operations (expected to close in the third quarter of 2024).
The consolidation – and collapse – of the legacy SIEM space is rapid, ongoing, and for those attuned to the cyclical nature of cybersecurity technology, not entirely surprising. We have seen the “lagging security vendor acquired by large tech titans” story play out plenty of times before. For example, Splunk’s acquisition of Phantom, Broadcom’s acquisition of Symantec, Palo Alto’s acquisition of Demisto, and even Cisco’s prior acquisition of Meraki… or Cisco’s acquisition of Sourcefire… or IronPort… or OpenDNS… or DuoSecurity. More often than not, an acquisition of this magnitude signals two things to the cybersecurity community:
First, the vendor being acquired is struggling to maintain market share, with innovative technologies quickly emerging to solve the challenges causing their churning customers significant reductions in both operational efficiency and security efficacy. We saw this when legacy AV (i.e. Symantec) was overtaken by NGAV/XDR platforms, or as legacy SOAR (i.e. Phantom) began to be overtaken by Hyperautomation solutions, and now again, with the emergence of Next-Gen or Multi-Data SIEM platforms.
Second, the impending expectation of shockingly high renewal costs.
The key difference in this case is that legacy SIEMs, such as Splunk, are not losing customers. And with the massive amounts of highly-regulated sensitive data stored in these legacy SIEM solutions, it’s safe to say they aren’t expecting to do so for a very long time. Regardless of rapidly increasing costs, many organizations fear there is no escape from SIEM lock-in, and that is exactly what the acquiring companies like Cisco and PAN are counting on.
Stuck in the SIEM-ulation?
Skyrocketing Data Volumes and Crippling Renewal Costs Are Holding the SOC Hostage
Historically, SIEM solutions have been the key centralization point of the Security Operations Center (SOC). They were built to enable threat detection and incident response by collecting and aggregating event logs across a multitude of security tools. However, SIEMs were built for an on-premise world, well before the explosion of cloud-based SaaS solutions or the multi-cloud environments that organizations are working with today.
As more and more technologies shift to the cloud, the volume of logs, events, and alerts continue to increase exponentially. According to a recent report The Evolution of the Modern Security Data Platform written by Francis Odum and Josh Trup, the problem is legacy SIEM costs are largely indexed to data volume – meaning the more you ingest, the more you pay. Larger amounts of data ingestion and an increase of integration requirements with new cloud-based security solutions have led to additional SIEM related challenges, such as alert fatigue, manual triage processes, complexities in data conversion, and inadequate scalability and performance. But none, it seems, are more difficult to overcome than SIEM vendor lock-in.
The reality is legacy SIEM solutions are deeply entrenched in the operations of both the Security Operations Center (SOC) and Governance, Risk, and Compliance (GRC) teams. Enterprise organizations are stuck in long-term contracts with their SIEM vendors due to regulatory compliance frameworks that require up to, if not more than, 7 years of sensitive data retention. Some organizations have found creative ways to implement a separation strategy by decoupling compute and storage costs, feeding data into multiple SIEMs. Though more often than not, these are simply cost-reduction strategies without an end-game in sight.
The biggest barrier to severing ties with a legacy SIEM solution is that while ingestion and retention costs are considered expensive, they are relatively cheap when compared to the costs associated with retrieval and removal of old logs from cold storage. This makes a SIEM rip-and-replace initiative a non-starter, and most organizations have come to terms with the fact that they may never escape the constraints of their SIEM contract. But with every day an organization is not migrating their day-to-day log storage off their legacy SIEM, they continue to extend the length of that contract, one day at a time.
The Emergence of the Multi-SIEM Strategy
How Multi-SIEM Offers More Scalable and Cost-Effective Data Aggregation in the Cloud
There are a number of business-related reasons why organizations may adopt a multi-SIEM strategy. For example, mergers and acquisitions may result in security teams falling into an inherited multi-SIEM approach. Or it may even be as simple as a newfound lack of trust in the anticipated innovation of their legacy SIEM technology following the recent acquisitions we’ve seen piling up across the SIEM landscape.
The main benefit that is driving organizations to adopt emerging best practices when it comes to data aggregation and event management, however, is cost reduction. An explosion in the volume and variety of data being ingested has made legacy SIEM a major burden on an organization’s budget. As a result, rather than attempting a costly rip-and-replace, teams may strategically choose which data is deemed important enough to send to the SIEM. The missing data, in turn, leaves gaps in the detection and investigation of potential security threats.
As the need for a modern, cost-efficient approach to data management and security event aggregation has become more clear, a new evolution of cloud-native data platforms have emerged to help mitigate these SIEM challenges. A number of unique approaches have emerged such as ETL Data Orchestrators, Next-Gen SIEMs, Cloud Security Data Lakes, or Multi-Data SIEMs. Whether they intelligently filter and cleanse logs before routing events and alerts to a SIEM, or decouple security analytics from the logging layer while structuring security data to better enable real-time detection and threat hunting – these cloud-native solutions are all centered around more scalable and cost-effective cloud data management.
Many organizations in the process of transitioning from an on-prem to a full-cloud or hybrid-cloud environment may choose to use this opportunity as a launch pad towards eventual migration. As more application and IT infrastructure moves to the cloud, they begin siphoning data away from their legacy SIEM provider into a more cloud-friendly option. Even if this means some data remains in legacy systems, especially considering the enormous cost of shipping existing data hosted in an already on-prem SIEM to the cloud, a multi-SIEM approach is still significantly more cost-efficient.
While the cost-reduction benefits of a multi-SIEM strategy have already been realized by forward thinking SOC teams, there is still hesitancy to separate data storage across many enterprise grade organizations who have become so accustomed to legacy SIEM way of life. Afterall, the original purpose of a SIEM solution was to have a centralized source of truth for all security logs, events, and alerts to coordinate investigation and response. Is decentralizing that data across multiple sources not taking a step backwards in security operations?
Achieving the Multi-SIEM with Torq Hyperautomation
Seamlessly Integrate Existing Processes Across Multiple SIEMS and Security Data Lakes
Hyperautomation enables the SOC to effectively achieve a multi-SIEM strategy without impacting existing processes or operational efficiency. It is the layer that sits on top of whichever SIEMs are ingesting logs, events and alerts allowing automated triage, investigation and remediation. With Hyperautomation, existing processes and workflows can run in parallel, automating actions within multiple SIEM solutions simultaneously instead of manually running the same actions multiple times across disparate data sources. This means organizations who want to free themselves from the legacy SIEM stranglehold finally have the key to unlock the cost-savings benefits of a multi-SIEM strategy, as well as the confidence that there is a definitive light at the end of the long, dark SIEM lock-in tunnel.
Torq makes it simple for SOC teams to integrate with any SIEM solution, and build out automations across a multi-SIEM approach. Torq eliminates the complexity of connecting multiple SIEMs by using Hyperautomation to automatically analyze, triage, and remediate the most critical threats, while reducing alert fatigue and allowing organizations to utilize the full suite of their existing security tools investments.
Torq’s drag-and-drop workflow designer makes it easy for SOC teams to replicate existing workflows and quickly replace a legacy SIEM vendor with their new cloud-native SIEM integration, maintaining existing processes without interruption. For more complex workflows, Torq’s natural language AI workflow builder levels up the SOC analysts’ skillset, enabling them to build and deploy workflows in minutes that run parallel actions across multiple SIEMs and Security Data Lakes. Torq’s purpose built HyperSOC solution will then correlate actionable data into comprehensive security cases and auto-remediate 95% of the entire case management lifecycle.
With Torq as the all encompassing SOC adaptor, organizations can simply stop sending data to their legacy SIEM, begin sending all net-new logs, events and alerts to their new cloud-native SIEM of choice, and leverage hyperautomation to automatically run security operations across a Multi-SIEM architecture without impacting existing processes or sacrificing security data gaps for cost-savings.
How Innovative Companies are Leveraging Hyperautomation to Overcome Legacy SIEM Lock-In
Automate Multi-SIEM Processes to Cut Costs and Operationalize Data Migration
One customer that Torq spoke with about the recent rumblings in the SIEM landscape is planning to use Hyperautomation as a means to an end of their legacy SIEM contract. Following acquisition of their legacy SIEM provider, they were informed their upcoming renewal would nearly double in price and were considering terminating their relationship. However, their security operations are so embedded and reliant on the legacy SIEM, that evaluating a rip-and-replace would be even more costly – not only financially (~2x), but also in labor hours and anticipated security risk. The decision was made to renew and accept the reality that there was nothing they could do about it. That is, until they realized the power of applying their existing Hyperautomation practices towards a multi-SIEM strategy. By running Torq as a layer sitting above both their legacy SIEM and a new next-gen SIEM, focused on cost-efficient data processing in the cloud, they are able to automate parallel processes, realize significant operational cost-savings, and reallocate funds to migrating regulated data from their on-prem storage at a much faster rate than they could previously afford.
The SIEM landscape is rapidly evolving, and at a much faster rate than organizations can plan to remove their sensitive data and get out of their increasingly expensive contracts. While many organizations may feel stuck, there is a way forward. As quickly as legacy SIEM solutions are converging, cloud-native SIEM alternatives are evolving – and with Hyperatuomation as the glue holding the SOC together, organizations are finally able to achieve the benefits of a modern SOC architecture. Ready to escape SIEM lock-in? Torq enables the Modern SOC to store data anywhere, and operationalize it with Hyperautomation. Get a demo today.
IDC Validates Torq HyperSOC™: A Game-Changer for SOC Analysts
By Torq
May 28, 2024
3 Minute Read
IDC declares Torq HyperSOC™ the first solution to effectively mitigate SOC alert fatigue, false positives, staff burnout, and attrition.
In a groundbreaking report, IDC emphatically recognizes the potential of Torq’s latest innovation, Torq HyperSOC™, hailing it as a pivotal addition to the SOC analyst toolkit.
A Giant Leap Forward for SOC Analysts
IDC’s validation of Torq HyperSOC™ marks a significant milestone for SOC analysts. This endorsement is more than just a stamp of approval; it’s a signal that the industry is taking a giant leap forward. Torq HyperSOC™ was built with the unique needs of SOC teams in mind, offering features that embed automation across the entire case management lifecycle by combining AI-driven insights and Hyperautomation. Analysts can expect a reduction in false positives, faster identification of real threats, and a more intuitive interface that allows for quick adaptation. With the backing of a reputable organization like IDC, Torq HyperSOC™ is poised to set a new standard for SecOps, providing analysts with a powerful ally in the fight against cyber threats.
“Torq HyperSOC™ helps ensure Check Point internal security analysts’ time is used in the most productive and effective manner possible. We are impressed with how Torq HyperSOC™ harnesses AI to alleviate those burdens by automating investigation and remediation.”
Jonathan Fischbein, Global CISO, Check Point
The Game-Changing Impact on SecOps
The arrival of Torq HyperSOC™ signals a transformative era for SecOps. By integrating innovative automation and orchestration capabilities, SOC teams can now address alerts with unprecedented speed and accuracy. The impact is twofold: first, it dramatically reduces the time spent on menial tasks, freeing analysts to focus on strategic work; second, it enhances the organization’s overall security posture by enabling quicker response to threats. This is a game-changer in an environment where every second counts. The agility afforded by Torq HyperSOC™ allows for a more proactive and less reactive approach to security, shifting from a traditional, often cumbersome, process to a dynamic and streamlined operation. IDC’s recognition underscores the potential of Torq HyperSOC™ to redefine how we think about and execute security operations in the digital age.
How Torq HyperSOC™ Empowers CISOs and CIOs
CISOs and CIOs are under constant pressure to ensure their organization’s cybersecurity infrastructure is robust and efficient. Torq HyperSOC™ comes as a powerful asset for these leaders, providing them with a previously unattainable level of oversight and control. With its cutting-edge features, Torq HyperSOC™ equips CISOs and CIOs to enforce security policies more effectively, automate compliance procedures, and gain valuable insights into their security landscape. This solution translates into better decision-making based on real-time data, enabling a swift pivot as the threat environment evolves. Moreover, the efficiency gains from automating routine tasks can lead to significant cost savings, optimizing resource allocation and potentially lowering the risk of burnout among security teams. In essence, Torq HyperSOC™ is not just a tool for the present; it’s an investment in the future resilience of the enterprise.
Want to learn more about Torq HyperSOC™? Get a demo.
Automate Non-Human Identity Security and Management with Torq and Astrix
By Torq
May 21, 2024
3 Minute Read
Organizations’ zero-trust policies and identity-centric programs ensure that user identities and login credentials are vigorously protected with IAM policies and security tools like MFA or IP restrictions. However, the situation is very different regarding non-human identities (NHI) like API keys, OAuth apps, service accounts, and secrets. Lack of visibility, monitoring, and governance of this permissive access is everywhere, and attackers have figured it out.
Using Astrix Security, security teams can finally close this huge identity security gap, and now—it gets even easier. Astrix Security has teamed up with Torq to make inventorying, securing, and remediating NHI risks a seamless part of your SOC automation.
Integrating Torq and Astrix allows security teams to identify and respond automatically to anomalous behavior and over-permissioned, unused, or unrotated non-human identities – using automated workflows. This enables customers to avoid the need for multiple silos and instead easily operationalize Astrix through their existing Torq deployment.
Let’s walk through an example of how Torq and Astrix make it easy to close the gap.
Automated Response and Remediation
For the first time, Astrix Security applies behavioral analysis traditionally only seen for human identities to the non-human identity space. Through this behavioral analysis, customers can detect anomalous activity in real-time.
Customers of Torq and Astrix can then automatically respond through remediation playbooks based on preset logic with Torq. This allows for instantaneous action and immediate threat response without investigating across multiple toolsets.
Posture Management and Risky Integrations
Unused permissions, risky connections, and unrotated tokens needlessly increase your attack surface.
Using Astrix, customers can identify unused, over-permissive, and malicious NHI access. These risk parameters and timeframes for non-use are fully customizable. These rule sets are then turned into playbooks and run through Torq to automate removing unused or risky access and unrotated tokens that do not meet the specified posture.
Astrix identifies only the highest-risk connections in your environment and feeds them into Torq for continuous attack surface reduction.
Enhanced Change Management
Astrix and Torq collaborate seamlessly to enhance the change management process within an organization by automating the data flow and remediation tasks for non-human identities.
The integration begins with Astrix detecting a high-risk NHI event, which feeds it into Torq. A ticket in workflow management systems like Jira or ServiceNow is created as part of a controlled change management process, facilitating delegating remediation tasks. With its intelligent automation capabilities, Torq triggers specific playbooks that respond to the identified changes, such as decommissioning NHIs. This integration ensures that the change management process is efficient and minimizes manual intervention, allowing for swift and accurate updates across the system and reducing the potential for errors.
Integrating Torq and Astrix transforms the way security teams handle non-human identities. By automating the detection and response to unusual activities and poorly managed permissions, this partnership simplifies complex processes and eliminates the overwhelm felt by security teams. Embrace the future of security hyperautomation with Torq and Astrix, and experience a smarter, more integrated approach to protecting your digital assets.
How Torq Hyperautomation Simplifies Phishing Analysis for SOC Teams
By Torq
May 14, 2024
3 Minute Read
2023 went down in history as the worst year for phishing attacks on record, with nearly 35 million attempted business email compromise (BEC) attacks detected and investigated, according to the Microsoft Threat Intelligence Cyber Signals report. Unfortunately, phishing analysis is one of the most time-consuming tasks for the SOC. Responding to a phishing incident requires careful examination. SOC analysts quickly become overwhelmed by the volume of potential threats that need manual inspection, thanks in part to the use of Generative AI in these social engineering-based attacks. Phishing attacks have become so difficult for the untrained eye to detect that reports show that over 60% of end-user-reported phishing emails are false positives. SOC teams spend hours manually checking each email, attachment, and link against different databases and tools, which is time-consuming and error-prone.
Streamlining Phishing Analysis in the SOC
Torq Hyperautomation helps automate repetitive phishing attack mitigation tasks, providing consistent and accurate case management without the fatigue. With Torq, SOC teams can quickly identify and evaluate risks through automated phishing analysis, cutting down analysis time from hours to minutes and freeing up analysts’ time for more critical tasks. By automating these otherwise monotonous tasks, security teams reduce false positives, experience less burnout, and can finally manage the growing volume of threats.
Monitor an Outlook Mailbox for Phishing via Graph Subscription
Torq Hyperautomation empowers SOC analysts to automate phishing analysis and improve SOC team efficiency using several pre-built phishing templates in our template library. If you’re an Outlook user, this one is for you!
First, select the “Monitor an Outlook Mailbox for Phishing via Graph Subscription” template from the library. From there, once an email hits the monitored inbox, Torq will receive a copy to analyze. When the analysis starts, the email will be labeled as “Scan-Started” within Outlook while the necessary elements are extracted and observables are enriched. Once the analysis is done, the labels within Outlook will change to show the verdict. In this example, we can see that the email contains malware and phishing URLs.
All results will then be added to a new case as custom fields, observables or attachments. All additions to the case are shown on the timeline for compliance tracking purposes. The overview of the case shows details about the email along with the verdict for the attachment and URL. Custom fields include important data such as DMARC and SPF analysis to help understand if the email is coming from a trusted sender. As a result of the phishing URL enrichment, a screenshot of the site is attached, and we know without visiting the website that it is impersonating a known service.
All sub-observables are attached and show a malicious verdict. As the final step in this case enrichment, AI reviews sanitized data pulled from the verdict and generates a human-readable summary of the entire case analysis.
Automate your Phishing Analysis with Torq
Phishing analysis automation with Torq Hyperautomation significantly reduces the workload for SOC teams. Torq integrates with several key partners to offer use cases that can help organizations prevent, protect against, and understand phishing attacks and avoid costly data breaches. Want to learn more about how you can automate phishing analysis with Torq Hyperautomation? Get a demo.
But simply setting up a SOC doesn’t guarantee optimal security workflows. To get the very most from your SOC, you must automate its operations as much as possible. SOC automation allows teams to manage security threats with even greater speed, efficiency, and accuracy than they can in a SOC that relies on manual operations.
Keep reading for a dive into how SOC automation works, how to define SOC playbooks and workflows for your SOC, and which benefits automation in the SOC provides to both security teams and the business as a whole.
What Is a SOC?
A SOC (pronounced “sock”) is the part of a business that is responsible for managing security threats. A SOC is made up of the people and tools that handle:
Threat intelligence, meaning the collection of data about potential security threats and risks.
Security monitoring, which allows security teams to detect active risks and breaches.
Security analysis, or the process of investigating threats and breaches in order to identify their root cause and plan a response operation.
Security response, meaning the processes by which the security team reacts to identified threats.
Recovery, which involves restoring systems to a secure state following a security incident.
Post-incident reporting and analysis, which teams use to evaluate why an attack occurred and plan strategies for preventing a similar incident from happening again in the future.
Although the term “security operations center” may seem to imply that the SOC is an actual facility or physical location, that’s not always the case. Ultimately, a SOC is an organizational function. You don’t need all of your security analysts to sit in the same room in order to have a SOC. As long as there is a team within your business that handles the security tasks described above, you have a SOC in place.
What Is SOC Automation?
SOC automation is the process of automating some or all aspects of SOC operations. When you automate your SOC, you replace manual security workflows with automated ones.
For example, SOC automation might entail automatically collecting and parsing threatintelligence reports in order to identify which threat intelligence data is most relevant to your business based on the types of resources it relates to and the types of risks it addresses. You could perform this process manually, but SOC automation allows you to do it faster and with fewer staff resources.
As another example, SOC automation could take the form of automated security analysis. Instead of relying on engineers to investigate and analyze a threat manually, you could automate that SOC function using tools that assess the threat’s potential impact and trace it back to its root cause.
The Benefits of SOC Automation
The main reasons to consider SOC automation include:
Speed: Automation helps security teams detect and respond to incidents faster.
Efficiency: Automation allows the SOC to do more with fewer staff resources.
Scale: Relatedly, automation helps the SOC to contend with threats of increasing volume and complexity without having to scale up the size of the security team.
Better use of human capital: By automating routine aspects of security response, SOC automation allows engineers to apply their skills where they matter most: solving complex problems that require original thought and analysis, as opposed to performing mundane, repetitive tasks.
These advantages of automation in the SOC reflect the benefits of automation in general. However, given that the ability to respond quickly and efficiently is particularly critical in the context of security, automating the SOC arguably delivers even more value than automating other parts of the business. It’s nice to automate, say, the deployment of an application to a server, which would save a bit of time and effort. But it’s not absolutely critical. By contrast, detecting and remediating threats in as little time as possible with the help of security automation is absolutely essential for preventing risks from turning into active breaches.
Aren’t SOCs Always Automated?
It’s worth noting that, to a certain extent, virtually every SOC has some level of automation.
For example, security monitoring, which is one of the core functions of a SOC, is typically performed using tools that automatically collect and analyze data to reveal anomalies that could be the sign of a threat. SOCs may also automate some of the auxiliary processes required to drive security workflows, such as providing communication channels between stakeholders.
However, the typical SOC relies mostly on manual operations for handling more complex tasks. It doesn’t automate work like security analysis or response. Those processes are harder to automate because every threat or risk requires a different analysis and response process, so many teams perform them manually.
The goal of SOC automation, then, is to automate those aspects of a SOC that teams have conventionally managed using a manual approach. So, if your SOC is automated, you go above and beyond basic security automations; you automate the more complex and less predictable components of your security operations.
The Role of Playbooks in SOC Workflows
A fundamental building block of SOC automation is the security playbook. A playbook defines a security workflow by outlining the steps teams will take to handle different types of security incidents. By developing SOC playbooks ahead of time, teams avoid having to make a response plan every time an incident occurs.
That said, simply having playbooks on hand doesn’t mean that you’ve automated your SOC. In order to enable complete SOC automation, your playbooks must integrate with other security tools and workflows so that your teams can deploy the playbooks easily and efficiently.
For example, in a fully automated SOC, monitoring tools might detect a certain type of risk, then identify the playbook that the team should use to respond to it. Then, the SOC can automatically keep track of the team’s progress as it works through the steps defined in the playbook. The SOC may also generate automatic post-incident reports based on the procedures laid out in the playbook.
What If There Is No Playbook for My Cyber Incident?
Of course, it’s impossible to create SOC playbooks ahead of time that address every type of incident. There will always be situations that your team didn’t anticipate, and for which it therefore didn’t prepare a playbook.
Even in those situations, however, the playbooks you do have can be useful for minimizing the manual effort required to respond to a security incident. During the response planning stage, your team can build on or borrow from existing SOC playbooks to craft a response strategy for a novel threat.
As a basic example, imagine you have a cyber incident playbook that defines a response plan for handling malware after you discover it on a server, but the security incident you’re dealing with involves malware inside a Kubernetes environment, not a standalone server.
These are different scenarios because they involve fundamentally different types of infrastructure or hosting environments. However, there is still likely to be a lot of overlap in the response process to each threat. In both instances, your team would need to identify the type of malware, then determine the most efficient way to remove it.
So, although the removal process would probably be different if you’re dealing with containers (where you could most likely replace the infected containers with new containers based on clean images) as opposed to a server (where you may need to scrub the malware from the server because you can’t just drop a new server into place), the initial stages of the response process would be more or less the same. The playbook for server malware response could therefore serve as the basis for responding to an incident involving malware on containers, saving your SOC from having to plan a response totally from scratch.
Of course, in order to automate the response process, your SOC would still need to be able to recognize the similarities between a malware incident in both types of environments, then alert your team to the relevant playbook. This can be done, but it requires nuanced, sophisticated SOC automation. Automation that is based on simple rules (like linking monitoring alerts to specific playbooks) wouldn’t be enough in this case to help the SOC automate the response process as much as possible based on the available resources.
What is the difference between cyber security and SOC?
A SOC is part of a company’s overall cybersecurity strategy – it’s the heart of security operations and where key functions like security monitoring, detection, and response occur.
But a SOC is not the sole component of cybersecurity. It is one pillar of a complete cybersecurity strategy.
What is a SOC tool?
A SOC tool is any cybersecurity tool that is used in the security operations center.
What are the key tools in a SOC?
A SOC can comprise a number of different security solutions. Most modern SOCs include a combination of security automation and hyperautomation, endpoint protection/endpoint detection and response (EDR) platforms, intrusion prevention systems (IPS) and intrusion detection systems (IDS), networks security solutions, cloud SIEM/log management platforms, extended detection and response (XDR) platforms, mobile device management (MDM), asset discovery, vulnerability assessment and more.
What is the difference between SIEM and a SOC? Security information and event management (SIEM) is a technology that supports threat detection, compliance, and security incident management. It collects and analyzes security events. While both SIEM and a SOC monitor for security events, SIEM is just one component of a SOC strategy and is often used as one tool within a SOC to detect and manage threats.
Conclusion
Building a SOC is one step toward modernizing security operations, but it’s not enough on its own. Organizations should seek to automate SOC as much as possible – even in cases where there is no preexisting playbook to guide response operations. SOC automation helps security teams work faster while also maximizing their chances of shutting down threats before they cause harm to the business.
How Next DLP Automates Data Breach Investigations with Torq Hyperautomation
By Torq
April 23, 2024
4 Minute Read
The following is adapted from a conversation between Torq and Robbie Jakob-Whitworth, Cybersecurity Solutions Architect at Next DLP. Next DLP is a leading provider of insider risk and data protection solutions. Read on to learn how Robbie has used Torq Hyperautomation to automate alerts and reduce alert fatigue within his organization.
Introduction to Robbie and Next DLP
I’m Robbie Jakob-Whitworth, Solutions Architect with Next DLP. Next DLP is focused on reinventing data protection, DLP, and insider risk. So, I spend a lot of time working with customers and enterprises focusing on how we can protect the data in their organization, how we can prevent a data leak or data breach, and also how we can manage the insider risk.
So a key thing that I work on with a lot of customers is alerts, detections and incidents from a data protection perspective as well as an insider risk perspective. And alert fatigue is something that is a very real problem for security analysts. They spend a lot of time looking through alerts.
Next DLP provides a fantastic platform to get an overview and take control of risky behavior taken by users. For example, the sharing of sensitive data, or accessing data that is controlled by regulation or compliance. But going through all of these alerts and all of these incidents can be quite a time thing sometimes for an analyst. So in that theme of alert fatigue, I was able to use Torq to build a workflow to notify me separately via Slack about the most serious data breaches.
Combatting Alert Fatigue with Hyperautomation
So in the example that I’m going to show you here, we can actually reduce alert fatigue by using Torq to just alert us about the most high severity alerts. So using Next DLP, I built out a web hook integration directly into Torq and streamed detection information for Torq where the data is Personal Identifiable Information (PII).
I’m only going to focus on the most high risk users, and I only want events that are a score of at least 80. So, particularly high severity alerts. Now, when a policy violation or incident occurs that meets these thresholds, a workflow in Torq is triggered and I get notified in real time through Slack or on my phone.
Then, I can launch an investigation in real time. So I can go and spend my time on other things that are more important to me than looking through logs. I’m saving a lot of time by getting these alerts through Torq.
A Real-World Example
Consider this – from a data protection perspective, I might have data in my organization, maybe personal information, social security numbers, or customer information that needs to be protected. And in this case, if I’m a user and I’m sharing this data through a site like WeTransfer, either maliciously or accidentally, Next DLP can provide real-time data protection by enforcing IT and corporate policy, preventing the taking of sensitive data.
So in this case, we caught the fact that this file contains this sensitive information – email addresses and social security numbers – and that it was leaked out through WeTransfer. Next DLP protected and blocked that activity.
Now as a SOC or security analyst, I don’t need to sit in the Next DLP platform and look through every single alert. With this automation, Torq notifies me with all of the information around the incident: which user violated the policy, what the policy was, that it contains social security numbers, how the data was being exfiltrated, in this case to WeTransfer. I get a link to view the file and the forensic evidence, along with a screenshot of the user’s desktop at that moment in time. So I’m able to launch an investigation to dive down deeper into the context of this user’s activity.
The Power of Torq Hyperautomation
Traditionally, for an analyst or in a SOC, you spend all your time kind of combing through logs and alerts. You have a lot of false positives to deal with. And all the information is presented to you within a powerful UI of most products. But, you have to spend a lot of time going through each alert.
It was super simple to build this automation because I’m combining the powerful open API provided by Next DLP with the really helpful no code workflow UI provided by Torq. Plugging those two together is the best of both worlds. It’s really a fantastic way to orchestrate and connect different systems together and to save me time by automating those manual tasks.
Want to learn more about Torq Hyperautomation? Get a demo.
