SIEM Wars: Revenge of the Logs

Unleash a Multi-SIEM Strategy with Hyperautomation

Consolidation or Collapse of Legacy SIEM?

Industry Analysts Signal End of Legacy SIEM as Operational Costs Continue to Rise 

If you are a cybersecurity professional, it’s hard to ignore the recent shift in the SIEM landscape unless you’ve been living under a rock… or more likely, under the crushing weight of terabytes worth of disconnected SIEM logs. Let’s catch everyone up to speed anyway: 

  • March 2024: Cisco completed its $28 billion acquisition of Splunk, a significant move in the SIEM market.
  • May 2024: Palo Alto Networks (PAN) announced the acquisition of IBM’s QRadar SaaS assets, facilitating the migration of QRadar SaaS customers to Palo Alto’s Cortex XSIAM platform.
  • May 2024: LogRhythm and Exabeam, two major SIEM providers, announced their merger to create a unified entity specializing in AI-driven security operations (expected to close in the third quarter of 2024).

The consolidation – and collapse – of the legacy SIEM space is rapid, ongoing, and for those attuned to the cyclical nature of cybersecurity technology, not entirely surprising. We have seen the “lagging security vendor acquired by large tech titans” story play out plenty of times before. For example, Splunk’s acquisition of Phantom, Broadcom’s acquisition of Symantec, Palo Alto’s acquisition of Demisto, and even Cisco’s prior acquisition of Meraki… or Cisco’s acquisition of Sourcefire… or IronPort… or OpenDNS… or DuoSecurity. More often than not, an acquisition of this magnitude signals two things to the cybersecurity community: 

First, the vendor being acquired is struggling to maintain market share, as newer technologies emerge to solve the problems that have been costing its churning customers both operational efficiency and security efficacy. We saw this when legacy AV (e.g. Symantec) was overtaken by NGAV/XDR platforms, when legacy SOAR (e.g. Phantom) began to be overtaken by Hyperautomation solutions, and now again with the emergence of Next-Gen or Multi-Data SIEM platforms.

Second, the impending expectation of shockingly high renewal costs.

The key difference in this case is that legacy SIEMs, such as Splunk, are not losing customers. And with the massive amounts of highly-regulated sensitive data stored in these legacy SIEM solutions, it’s safe to say they aren’t expecting to do so for a very long time. Regardless of rapidly increasing costs, many organizations fear there is no escape from SIEM lock-in, and that is exactly what the acquiring companies like Cisco and PAN are counting on. 

Stuck in the SIEM-ulation?

Skyrocketing Data Volumes and Crippling Renewal Costs Are Holding the SOC Hostage

Historically, SIEM solutions have been the key centralization point of the Security Operations Center (SOC). They were built to enable threat detection and incident response by collecting and aggregating event logs across a multitude of security tools. However, SIEMs were built for an on-premises world, well before the explosion of cloud-based SaaS solutions or the multi-cloud environments that organizations are working with today.

As more and more technologies shift to the cloud, the volume of logs, events, and alerts continues to increase exponentially. According to a recent report, The Evolution of the Modern Security Data Platform by Francis Odum and Josh Trup, the problem is that legacy SIEM costs are largely indexed to data volume – meaning the more you ingest, the more you pay. Larger ingestion volumes and new integration requirements for cloud-based security solutions have created additional SIEM-related challenges, such as alert fatigue, manual triage processes, complexities in data conversion, and inadequate scalability and performance. But none, it seems, is more difficult to overcome than SIEM vendor lock-in.

The reality is that legacy SIEM solutions are deeply entrenched in the operations of both the Security Operations Center (SOC) and Governance, Risk, and Compliance (GRC) teams. Enterprise organizations are stuck in long-term contracts with their SIEM vendors due to regulatory compliance frameworks that require up to, if not more than, 7 years of sensitive data retention. Some organizations have found creative ways to implement a separation strategy by decoupling compute and storage costs, feeding data into multiple SIEMs. More often than not, though, these are simply cost-reduction strategies without an end-game in sight.

The biggest barrier to severing ties with a legacy SIEM solution is that while ingestion and retention costs are considered expensive, they are relatively cheap when compared to the costs associated with retrieval and removal of old logs from cold storage. This makes a SIEM rip-and-replace initiative a non-starter, and most organizations have come to terms with the fact that they may never escape the constraints of their SIEM contract. But with every day an organization is not migrating their day-to-day log storage off their legacy SIEM, they continue to extend the length of that contract, one day at a time. 

The Emergence of the Multi-SIEM Strategy 

How Multi-SIEM Offers More Scalable and Cost-Effective Data Aggregation in the Cloud

There are a number of business-related reasons why organizations may adopt a multi-SIEM strategy. For example, mergers and acquisitions may result in security teams falling into an inherited multi-SIEM approach. Or it may even be as simple as a newfound lack of trust in the anticipated innovation of their legacy SIEM technology following the recent acquisitions we’ve seen piling up across the SIEM landscape. 

The main benefit that is driving organizations to adopt emerging best practices when it comes to data aggregation and event management, however, is cost reduction. An explosion in the volume and variety of data being ingested has made legacy SIEM a major burden on an organization’s budget. As a result, rather than attempting a costly rip-and-replace, teams may strategically choose which data is deemed important enough to send to the SIEM. The missing data, in turn, leaves gaps in the detection and investigation of potential security threats. 

As the need for a modern, cost-efficient approach to data management and security event aggregation has become clearer, a new generation of cloud-native data platforms has emerged to help mitigate these SIEM challenges. They take a number of distinct approaches: ETL Data Orchestrators, Next-Gen SIEMs, Cloud Security Data Lakes, or Multi-Data SIEMs. Whether they intelligently filter and cleanse logs before routing events and alerts to a SIEM, or decouple security analytics from the logging layer while structuring security data to better enable real-time detection and threat hunting – these cloud-native solutions are all centered on more scalable and cost-effective cloud data management.

Source: The Evolution of the Modern Security Data Platform via The Software Analyst Newsletter

Many organizations in the process of transitioning from an on-prem to a full-cloud or hybrid-cloud environment may choose to use this opportunity as a launch pad towards eventual migration. As more application and IT infrastructure moves to the cloud, they begin siphoning data away from their legacy SIEM provider into a more cloud-friendly option. Even if this means some data remains in legacy systems, especially considering the enormous cost of shipping existing data hosted in an already on-prem SIEM to the cloud, a multi-SIEM approach is still significantly more cost-efficient.

While the cost-reduction benefits of a multi-SIEM strategy have already been realized by forward-thinking SOC teams, there is still hesitancy to separate data storage across many enterprise-grade organizations that have become accustomed to the legacy SIEM way of life. After all, the original purpose of a SIEM solution was to have a centralized source of truth for all security logs, events, and alerts to coordinate investigation and response. Is decentralizing that data across multiple sources not taking a step backwards in security operations?

Achieving the Multi-SIEM with Torq Hyperautomation 

Seamlessly Integrate Existing Processes Across Multiple SIEMs and Security Data Lakes

Hyperautomation enables the SOC to achieve a multi-SIEM strategy without impacting existing processes or operational efficiency. It is the layer that sits on top of whichever SIEMs are ingesting logs, events, and alerts, allowing automated triage, investigation, and remediation. With Hyperautomation, existing processes and workflows can run in parallel, automating actions within multiple SIEM solutions simultaneously instead of manually running the same actions multiple times across disparate data sources. This means organizations that want to free themselves from the legacy SIEM stranglehold finally have the key to unlock the cost-savings benefits of a multi-SIEM strategy, as well as the confidence that there is a definitive light at the end of the long, dark SIEM lock-in tunnel.

Torq makes it simple for SOC teams to integrate with any SIEM solution and build out automations across a multi-SIEM approach. Torq eliminates the complexity of connecting multiple SIEMs by using Hyperautomation to automatically analyze, triage, and remediate the most critical threats, while reducing alert fatigue and allowing organizations to utilize the full suite of their existing security tool investments.

Torq’s drag-and-drop workflow designer makes it easy for SOC teams to replicate existing workflows and quickly replace a legacy SIEM vendor with their new cloud-native SIEM integration, maintaining existing processes without interruption. For more complex workflows, Torq’s natural language AI workflow builder levels up the SOC analysts’ skillset, enabling them to build and deploy workflows in minutes that run parallel actions across multiple SIEMs and Security Data Lakes. Torq’s purpose-built HyperSOC solution will then correlate actionable data into comprehensive security cases and auto-remediate 95% of the entire case management lifecycle.

With Torq as the all-encompassing SOC adaptor, organizations can simply stop sending data to their legacy SIEM, begin sending all net-new logs, events, and alerts to their new cloud-native SIEM of choice, and leverage Hyperautomation to run security operations automatically across a multi-SIEM architecture without impacting existing processes or trading security data gaps for cost savings.
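The pattern described above, an automation layer that issues the same action to several SIEMs at once and merges what comes back, is easier to reason about in code. The block below is an added example and is not Torq’s code: two in-memory classes stand in for a legacy SIEM and a cloud-native SIEM, each holding constructed sample rows in its own schema, and a third stand-in simulates a backend that is down. The normalized Event fields are hypothetical; a real adapter would wrap each vendor’s search API.

```python
"""Fan one search out to several SIEM backends in parallel and merge the results.

Added example, not Torq's code. LegacySiem and CloudSiem are in-memory stand-ins
holding constructed sample rows in two different schemas; the normalized Event
fields are hypothetical. A real adapter would wrap each vendor's search API.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Protocol


@dataclass(frozen=True)
class Event:
    """Normalized event that every adapter maps its vendor schema into."""
    ts: str
    src_ip: str
    user: str
    action: str
    source_siem: str


class SiemAdapter(Protocol):
    name: str

    def search(self, src_ip: str) -> List[Event]: ...


class LegacySiem:
    """Stand-in for the on-prem SIEM that keeps retained history (constructed rows)."""
    name = "legacy"
    _rows = [  # legacy schema: (timestamp, src, account, evt)
        ("2024-05-01T10:00:00Z", "203.0.113.7", "alice", "login_failed"),
        ("2024-05-01T10:00:05Z", "203.0.113.7", "alice", "login_failed"),
        ("2024-05-01T10:00:09Z", "198.51.100.4", "bob", "login_success"),
    ]

    def search(self, src_ip: str) -> List[Event]:
        return [Event(ts, src, acct, evt, self.name)
                for ts, src, acct, evt in self._rows if src == src_ip]


class CloudSiem:
    """Stand-in for the cloud-native SIEM receiving net-new data (constructed rows)."""
    name = "cloud"
    _rows = [  # cloud schema: flat documents with ECS-style keys
        {"@timestamp": "2024-05-01T10:00:05Z", "source.ip": "203.0.113.7",
         "user.name": "alice", "event.action": "login_failed"},
        {"@timestamp": "2024-05-01T10:01:00Z", "source.ip": "203.0.113.7",
         "user.name": "alice", "event.action": "login_success"},
    ]

    def search(self, src_ip: str) -> List[Event]:
        return [Event(r["@timestamp"], r["source.ip"], r["user.name"],
                      r["event.action"], self.name)
                for r in self._rows if r["source.ip"] == src_ip]


class BrokenSiem:
    """Stand-in for a backend that is unreachable; exercises the error path."""
    name = "broken"

    def search(self, src_ip: str) -> List[Event]:
        raise ConnectionError("search API unreachable")


def merge_events(events: List[Event]) -> List[Event]:
    """Deduplicate on (ts, src_ip, user, action): during a migration the same
    event may be forwarded to both SIEMs and must be counted once."""
    seen: Dict[tuple, Event] = {}
    for e in events:
        seen.setdefault((e.ts, e.src_ip, e.user, e.action), e)
    return sorted(seen.values(), key=lambda e: e.ts)


def fan_out_search(adapters: List[SiemAdapter], src_ip: str,
                   timeout: float = 5.0) -> Dict[str, object]:
    """Run the same query against every SIEM concurrently. A failing backend is
    reported under 'errors' instead of hiding the other backends' results."""
    results: List[Event] = []
    errors: Dict[str, str] = {}
    with ThreadPoolExecutor(max_workers=max(1, len(adapters))) as pool:
        futures = {pool.submit(a.search, src_ip): a.name for a in adapters}
        for fut, name in futures.items():
            try:
                results.extend(fut.result(timeout=timeout))
            except Exception as exc:  # surface any backend failure by name
                errors[name] = repr(exc)
    return {"events": merge_events(results), "errors": errors}


if __name__ == "__main__":
    out = fan_out_search([LegacySiem(), CloudSiem(), BrokenSiem()], "203.0.113.7")
    for ev in out["events"]:
        print(ev.ts, ev.user, ev.action, "via", ev.source_siem)
    print("errors:", out["errors"])
```

The two design points worth keeping from this sketch are the normalization step (every adapter emits the same Event shape, so workflows are written once) and the dedup key, which matters during the overlap period when the same event is being shipped to both the legacy and the new SIEM.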

How Innovative Companies are Leveraging Hyperautomation to Overcome Legacy SIEM Lock-In

Automate Multi-SIEM Processes to Cut Costs and Operationalize Data Migration 

One customer that Torq spoke with about the recent rumblings in the SIEM landscape is planning to use Hyperautomation as a means to an end of their legacy SIEM contract. Following the acquisition of their legacy SIEM provider, they were informed their upcoming renewal would nearly double in price and were considering terminating their relationship. However, their security operations are so embedded in and reliant on the legacy SIEM that evaluating a rip-and-replace would be even more costly – not only financially (~2x), but also in labor hours and anticipated security risk. The decision was made to renew and accept the reality that there was nothing they could do about it. That is, until they realized the power of applying their existing Hyperautomation practices towards a multi-SIEM strategy. By running Torq as a layer sitting above both their legacy SIEM and a new next-gen SIEM focused on cost-efficient data processing in the cloud, they are able to automate parallel processes, realize significant operational cost savings, and reallocate funds to migrating regulated data from their on-prem storage at a much faster rate than they could previously afford.

The SIEM landscape is rapidly evolving, and at a much faster rate than organizations can plan to remove their sensitive data and get out of their increasingly expensive contracts. While many organizations may feel stuck, there is a way forward. As quickly as legacy SIEM solutions are converging, cloud-native SIEM alternatives are evolving – and with Hyperautomation as the glue holding the SOC together, organizations are finally able to achieve the benefits of a modern SOC architecture.

Ready to escape SIEM lock-in? Torq enables the Modern SOC to store data anywhere and operationalize it with Hyperautomation. Get a demo today.

IDC Validates Torq HyperSOC™: A Game-Changer for SOC Analysts

IDC declares Torq HyperSOC™ the first solution to effectively mitigate SOC alert fatigue, false positives, staff burnout, and attrition.

In a groundbreaking report, IDC emphatically recognizes the potential of Torq’s latest innovation, Torq HyperSOC™, hailing it as a pivotal addition to the SOC analyst toolkit.

A Giant Leap Forward for SOC Analysts

IDC’s validation of Torq HyperSOC™ marks a significant milestone for SOC analysts. This endorsement is more than just a stamp of approval; it’s a signal that the industry is taking a giant leap forward. Torq HyperSOC™ was built with the unique needs of SOC teams in mind, offering features that embed automation across the entire case management lifecycle by combining AI-driven insights and Hyperautomation. Analysts can expect a reduction in false positives, faster identification of real threats, and a more intuitive interface that allows for quick adaptation. With the backing of a reputable organization like IDC, Torq HyperSOC™ is poised to set a new standard for SecOps, providing analysts with a powerful ally in the fight against cyber threats.

“Torq HyperSOC™ helps ensure Check Point internal security analysts’ time is used in the most productive and effective manner possible. We are impressed with how Torq HyperSOC™ harnesses AI to alleviate those burdens by automating investigation and remediation.”

Jonathan Fischbein, Global CISO, Check Point

The Game-Changing Impact on SecOps

The arrival of Torq HyperSOC™ signals a transformative era for SecOps. By integrating innovative automation and orchestration capabilities, SOC teams can now address alerts with unprecedented speed and accuracy. The impact is twofold: first, it dramatically reduces the time spent on menial tasks, freeing analysts to focus on strategic work; second, it enhances the organization’s overall security posture by enabling quicker response to threats. This is a game-changer in an environment where every second counts. The agility afforded by Torq HyperSOC™ allows for a more proactive and less reactive approach to security, shifting from a traditional, often cumbersome, process to a dynamic and streamlined operation. IDC’s recognition underscores the potential of Torq HyperSOC™ to redefine how we think about and execute security operations in the digital age.

How Torq HyperSOC™ Empowers CISOs and CIOs

CISOs and CIOs are under constant pressure to ensure their organization’s cybersecurity infrastructure is robust and efficient. Torq HyperSOC™ comes as a powerful asset for these leaders, providing them with a previously unattainable level of oversight and control. With its cutting-edge features, Torq HyperSOC™ equips CISOs and CIOs to enforce security policies more effectively, automate compliance procedures, and gain valuable insights into their security landscape. This solution translates into better decision-making based on real-time data, enabling a swift pivot as the threat environment evolves. Moreover, the efficiency gains from automating routine tasks can lead to significant cost savings, optimizing resource allocation and potentially lowering the risk of burnout among security teams. In essence, Torq HyperSOC™ is not just a tool for the present; it’s an investment in the future resilience of the enterprise.

Want to learn more about Torq HyperSOC™? Get a demo.

Automate Non-Human Identity Security and Management with Torq and Astrix

Organizations’ zero-trust policies and identity-centric programs ensure that user identities and login credentials are vigorously protected with IAM policies and security tools like MFA or IP restrictions. However, the situation is very different regarding non-human identities (NHI) like API keys, OAuth apps, service accounts, and secrets. Lack of visibility, monitoring, and governance of this permissive access is everywhere, and attackers have figured it out. 

Using Astrix Security, security teams can finally close this huge identity security gap, and now—it gets even easier. Astrix Security has teamed up with Torq to make inventorying, securing, and remediating NHI risks a seamless part of your SOC automation.

Integrating Torq and Astrix allows security teams to identify and respond automatically to anomalous behavior and over-permissioned, unused, or unrotated non-human identities – using automated workflows. This enables customers to avoid the need for multiple silos and instead easily operationalize Astrix through their existing Torq deployment.

Let’s walk through an example of how Torq and Astrix make it easy to close the gap.

Automated Response and Remediation

For the first time, Astrix Security applies behavioral analysis traditionally only seen for human identities to the non-human identity space. Through this behavioral analysis, customers can detect anomalous activity in real time.

Customers of Torq and Astrix can then automatically respond through remediation playbooks based on preset logic with Torq. This allows for instantaneous action and immediate threat response without investigating across multiple toolsets.

Posture Management and Risky Integrations

Unused permissions, risky connections, and unrotated tokens needlessly increase your attack surface. 

Using Astrix, customers can identify unused, over-permissive, and malicious NHI access. These risk parameters and timeframes for non-use are fully customizable. These rule sets are then turned into playbooks and run through Torq to automate removing unused or risky access and unrotated tokens that do not meet the specified posture.

Astrix identifies only the highest-risk connections in your environment and feeds them into Torq for continuous attack surface reduction.
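The posture rules described in this section (unused access, over-permissive scopes, unrotated tokens, each with a configurable timeframe) map naturally onto a small evaluation routine whose output is the list of remediation actions a playbook would carry out. The block below is an added example and is not Astrix’s or Torq’s code: the NHI inventory records, the thresholds, and the set of scopes treated as high-privilege are all constructed, and the field names are hypothetical.

```python
"""Evaluate a non-human identity (NHI) inventory against posture rules and emit
remediation actions. Added example, not Astrix's or Torq's code. The inventory,
thresholds and WRITE_SCOPES are constructed; field names are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed list of scopes treated as high-privilege for the over-permissive rule.
WRITE_SCOPES = {"repo:write", "admin", "s3:*", "iam:*"}


@dataclass
class NHI:
    id: str
    kind: str                      # "api_key" | "oauth_app" | "service_account"
    owner: str
    created: datetime
    last_used: Optional[datetime]  # None means the credential was never used
    last_rotated: datetime
    scopes: List[str]
    scopes_used: List[str] = field(default_factory=list)


@dataclass
class Posture:
    """Customizable thresholds: the 'timeframes for non-use' the text refers to."""
    unused_days: int = 90
    rotation_days: int = 180


@dataclass
class Finding:
    nhi_id: str
    rule: str      # which posture rule fired
    action: str    # remediation a playbook would run: revoke | scope_down | rotate
    detail: str


def evaluate(inventory: List[NHI], posture: Posture, now: datetime) -> List[Finding]:
    findings: List[Finding] = []
    for n in inventory:
        # Rule 1: idle longer than the allowed window. A never-used credential
        # is measured from its creation time.
        idle = now - (n.last_used or n.created)
        if idle > timedelta(days=posture.unused_days):
            findings.append(Finding(n.id, "unused", "revoke",
                                    f"idle {idle.days}d > {posture.unused_days}d"))
            continue  # revoking supersedes scope and rotation fixes
        # Rule 2: granted high-privilege scopes that were never exercised.
        unused_priv = sorted((set(n.scopes) - set(n.scopes_used)) & WRITE_SCOPES)
        if unused_priv:
            findings.append(Finding(n.id, "over_permissive", "scope_down",
                                    "drop unused scopes: " + ",".join(unused_priv)))
        # Rule 3: secret material older than the rotation window.
        age = now - n.last_rotated
        if age > timedelta(days=posture.rotation_days):
            findings.append(Finding(n.id, "unrotated", "rotate",
                                    f"secret age {age.days}d > {posture.rotation_days}d"))
    return findings


# Constructed sample inventory covering a healthy key and one case per rule.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    NHI("key-ci-build", "api_key", "platform-team",
        created=NOW - timedelta(days=400), last_used=NOW - timedelta(days=2),
        last_rotated=NOW - timedelta(days=30),
        scopes=["repo:read"], scopes_used=["repo:read"]),
    NHI("key-legacy-export", "api_key", "data-team",
        created=NOW - timedelta(days=500), last_used=NOW - timedelta(days=200),
        last_rotated=NOW - timedelta(days=500),
        scopes=["s3:*"], scopes_used=["s3:*"]),
    NHI("oauth-slack-bot", "oauth_app", "it-team",
        created=NOW - timedelta(days=300), last_used=NOW - timedelta(days=1),
        last_rotated=NOW - timedelta(days=300),
        scopes=["repo:read", "admin"], scopes_used=["repo:read"]),
    NHI("sa-never-used", "service_account", "unknown",
        created=NOW - timedelta(days=120), last_used=None,
        last_rotated=NOW - timedelta(days=120), scopes=["iam:*"]),
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY, Posture(), NOW):
        print(f"{f.nhi_id:20} {f.rule:16} -> {f.action:10} ({f.detail})")
```

Each Finding carries the action a downstream workflow would run, so the same evaluator can feed a ticketing step (as in the change-management flow described below) or an automatic revoke, depending on how aggressive the organization wants its posture enforcement to be.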

Enhanced Change Management

Astrix and Torq collaborate seamlessly to enhance the change management process within an organization by automating the data flow and remediation tasks for non-human identities. 

The integration begins with Astrix detecting a high-risk NHI event, which it feeds into Torq. A ticket is created in a workflow management system like Jira or ServiceNow as part of a controlled change management process, making it easier to delegate remediation tasks. With its intelligent automation capabilities, Torq triggers specific playbooks that respond to the identified changes, such as decommissioning NHIs. This integration ensures that the change management process is efficient and minimizes manual intervention, allowing for swift and accurate updates across the system and reducing the potential for errors.

Integrating Torq and Astrix transforms the way security teams handle non-human identities. By automating the detection and response to unusual activities and poorly managed permissions, this partnership simplifies complex processes and eliminates the overwhelm felt by security teams. Embrace the future of security hyperautomation with Torq and Astrix, and experience a smarter, more integrated approach to protecting your digital assets.

Ready to see it live? Request a demo

How Torq Hyperautomation Simplifies Phishing Analysis for SOC Teams

2023 went down in history as the worst year for phishing attacks on record, with nearly 35 million attempted business email compromise (BEC) attacks detected and investigated, according to the Microsoft Threat Intelligence Cyber Signals report. Unfortunately, phishing analysis is one of the most time-consuming tasks for the SOC. Responding to a phishing incident requires careful examination. SOC analysts quickly become overwhelmed by the volume of potential threats that need manual inspection, thanks in part to the use of Generative AI in these social engineering-based attacks. Phishing attacks have become so difficult for the untrained eye to detect that reports show that over 60% of end-user-reported phishing emails are false positives. SOC teams spend hours manually checking each email, attachment, and link against different databases and tools, which is time-consuming and error-prone. 

Streamlining Phishing Analysis in the SOC

Torq Hyperautomation helps automate repetitive phishing attack mitigation tasks, providing consistent and accurate case management without the fatigue. With Torq, SOC teams can quickly identify and evaluate risks through automated phishing analysis, cutting down analysis time from hours to minutes and freeing up analysts’ time for more critical tasks. By automating these otherwise monotonous tasks, security teams reduce false positives, experience less burnout, and can finally manage the growing volume of threats.

Monitor an Outlook Mailbox for Phishing via Graph Subscription  

Torq Hyperautomation empowers SOC analysts to automate phishing analysis and improve SOC team efficiency using several pre-built phishing templates in our template library. If you’re an Outlook user, this one is for you! 

First, select the “Monitor an Outlook Mailbox for Phishing via Graph Subscription” template from the library. From there, once an email hits the monitored inbox, Torq will receive a copy to analyze. When the analysis starts, the email will be labeled “Scan-Started” within Outlook while the necessary elements are extracted and observables are enriched. Once the analysis is done, the labels within Outlook will change to show the verdict. In this example, we can see that the email contains malware and phishing URLs.

All results will then be added to a new case as custom fields, observables or attachments. All additions to the case are shown on the timeline for compliance tracking purposes. The overview of the case shows details about the email along with the verdict for the attachment and URL. Custom fields include important data such as DMARC and SPF analysis to help understand if the email is coming from a trusted sender. As a result of the phishing URL enrichment, a screenshot of the site is attached, and we know without visiting the website that it is impersonating a known service. 

All sub-observables are attached and show a malicious verdict. As the final step in this case enrichment, AI reviews sanitized data pulled from the verdict and generates a human-readable summary of the entire case analysis.
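To make the steps above concrete (label the scan as started, read the SPF/DMARC results, extract URL and attachment observables, enrich them, and set a verdict label), here is an added example that is not Torq’s template. It parses a constructed phishing message with the standard library, reads the `Authentication-Results` header, pulls out observables, and assigns a label. The sample email and the `KNOWN_BAD_DOMAINS` set are constructed; in a real workflow the enrichment step would call reputation and sandbox services and attach the site screenshot the text mentions.

```python
"""Triage a reported email: apply a 'scan started' label, read SPF/DKIM/DMARC
results, extract URL and attachment observables, and set a verdict label.
Added example, not Torq's template. SAMPLE_EMAIL and KNOWN_BAD_DOMAINS are
constructed; real enrichment would query reputation and sandbox services."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Dict, List
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed stand-in for a URL reputation feed.
KNOWN_BAD_DOMAINS = {"login-verify-example.test"}

# Constructed sample: failed SPF/DMARC, a lure URL and a PDF attachment.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bank-example.test;
 dkim=none; dmarc=fail header.from=bank-example.test
From: "Security Team" <alerts@bank-example.test>
To: alice@example.net
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your account is locked. Verify at https://login-verify-example.test/account now.

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def auth_results(msg: EmailMessage) -> Dict[str, str]:
    """Read spf=/dkim=/dmarc= verdicts from Authentication-Results (RFC 8601)."""
    out = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(hdr), re.I):
            out[m.group(1).lower()] = m.group(2).lower()
    return out


def observables(msg: EmailMessage) -> Dict[str, List[str]]:
    """Collect URLs from text parts and file names of attachment parts."""
    urls: List[str] = []
    attachments: List[str] = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "unnamed")
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return {"urls": sorted(set(urls)), "attachments": attachments}


def triage(raw: str) -> Dict[str, object]:
    labels = ["Scan-Started"]  # label applied while extraction and enrichment run
    msg = message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    obs = observables(msg)
    reasons: List[str] = []
    if auth["dmarc"] == "fail":
        reasons.append("DMARC fail")
    if auth["spf"] in ("fail", "softfail"):
        reasons.append(f"SPF {auth['spf']}")
    bad = [u for u in obs["urls"]
           if (urlparse(u).hostname or "").lower() in KNOWN_BAD_DOMAINS]
    if bad:
        reasons.append(f"known phishing URL: {bad[0]}")
    labels.append("Scan-Phishing" if reasons else "Scan-Clean")
    return {"labels": labels, "auth": auth, "observables": obs, "reasons": reasons}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("labels:", " -> ".join(result["labels"]))
    print("auth:", result["auth"])
    print("observables:", result["observables"])
    print("reasons:", result["reasons"])
```

The `auth` dictionary is what the text calls the DMARC and SPF custom fields on the case, and `observables` is the list a real workflow would fan out to enrichment services before the final label is written back to the mailbox.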

Automate your Phishing Analysis with Torq

Phishing analysis automation with Torq Hyperautomation significantly reduces the workload for SOC teams. Torq integrates with several key partners to offer use cases that can help organizations prevent, protect against, and understand phishing attacks and avoid costly data breaches. Want to learn more about how you can automate phishing analysis with Torq Hyperautomation? Get a demo.

An Introduction to SOC Automation


The security operations center, or SOC, is the backbone of modern security operations. By centralizing security monitoring, detection, and response, SOCs help organizations manage security risks more efficiently and effectively.

But simply setting up a SOC doesn’t guarantee optimal security workflows. To get the very most from your SOC, you must automate its operations as much as possible. SOC automation allows teams to manage security threats with even greater speed, efficiency, and accuracy than they can in a SOC that relies on manual operations.

Keep reading for a dive into how SOC automation works, how to define SOC playbooks and workflows for your SOC, and which benefits automation in the SOC provides to both security teams and the business as a whole.

What Is a SOC?

A SOC (pronounced “sock”) is the part of a business that is responsible for managing security threats. A SOC is made up of the people and tools that handle:

  • Threat intelligence, meaning the collection of data about potential security threats and risks.
  • Security monitoring, which allows security teams to detect active risks and breaches.
  • Security analysis, or the process of investigating threats and breaches in order to identify their root cause and plan a response operation.
  • Security response, meaning the processes by which the security team reacts to identified threats.
  • Recovery, which involves restoring systems to a secure state following a security incident.
  • Post-incident reporting and analysis, which teams use to evaluate why an attack occurred and plan strategies for preventing a similar incident from happening again in the future.


Although the term “security operations center” may seem to imply that the SOC is an actual facility or physical location, that’s not always the case. Ultimately, a SOC is an organizational function. You don’t need all of your security analysts to sit in the same room in order to have a SOC. As long as there is a team within your business that handles the security tasks described above, you have a SOC in place.

What Is SOC Automation?

SOC automation is the process of automating some or all aspects of SOC operations. When you automate your SOC, you replace manual security workflows with automated ones.

For example, SOC automation might entail automatically collecting and parsing threat intelligence reports in order to identify which threat intelligence data is most relevant to your business based on the types of resources it relates to and the types of risks it addresses. You could perform this process manually, but SOC automation allows you to do it faster and with fewer staff resources.

As another example, SOC automation could take the form of automated security analysis. Instead of relying on engineers to investigate and analyze a threat manually, you could automate that SOC function using tools that assess the threat’s potential impact and trace it back to its root cause.

The Benefits of SOC Automation

The main reasons to consider SOC automation include:

  • Speed: Automation helps security teams detect and respond to incidents faster.
  • Efficiency: Automation allows the SOC to do more with fewer staff resources.
  • Scale: Relatedly, automation helps the SOC to contend with threats of increasing volume and complexity without having to scale up the size of the security team.
  • Better use of human capital: By automating routine aspects of security response, SOC automation allows engineers to apply their skills where they matter most: solving complex problems that require original thought and analysis, as opposed to performing mundane, repetitive tasks.

These advantages of automation in the SOC reflect the benefits of automation in general. However, given that the ability to respond quickly and efficiently is particularly critical in the context of security, automating the SOC arguably delivers even more value than automating other parts of the business. It’s nice to automate, say, the deployment of an application to a server, which would save a bit of time and effort. But it’s not absolutely critical. By contrast, detecting and remediating threats in as little time as possible with the help of security automation is absolutely essential for preventing risks from turning into active breaches. 

Aren’t SOCs Always Automated?

It’s worth noting that, to a certain extent, virtually every SOC has some level of automation.

For example, security monitoring, which is one of the core functions of a SOC, is typically performed using tools that automatically collect and analyze data to reveal anomalies that could be the sign of a threat. SOCs may also automate some of the auxiliary processes required to drive security workflows, such as providing communication channels between stakeholders.

However, the typical SOC relies mostly on manual operations for handling more complex tasks. It doesn’t automate work like security analysis or response. Those processes are harder to automate because every threat or risk requires a different analysis and response process, so many teams perform them manually.

The goal of SOC automation, then, is to automate those aspects of a SOC that teams have conventionally managed using a manual approach. So, if your SOC is automated, you go above and beyond basic security automations; you automate the more complex and less predictable components of your security operations.

The Role of Playbooks in SOC Workflows

A fundamental building block of SOC automation is the security playbook. A playbook defines a security workflow by outlining the steps teams will take to handle different types of security incidents. By developing SOC playbooks ahead of time, teams avoid having to make a response plan every time an incident occurs.

That said, simply having playbooks on hand doesn’t mean that you’ve automated your SOC. In order to enable complete SOC automation, your playbooks must integrate with other security tools and workflows so that your teams can deploy the playbooks easily and efficiently.

For example, in a fully automated SOC, monitoring tools might detect a certain type of risk, then identify the playbook that the team should use to respond to it. Then, the SOC can automatically keep track of the team’s progress as it works through the steps defined in the playbook. The SOC may also generate automatic post-incident reports based on the procedures laid out in the playbook.

What If There Is No Playbook for My Cyber Incident?

Of course, it’s impossible to create SOC playbooks ahead of time that address every type of incident. There will always be situations that your team didn’t anticipate, and for which it therefore didn’t prepare a playbook.

Even in those situations, however, the playbooks you do have can be useful for minimizing the manual effort required to respond to a security incident. During the response planning stage, your team can build on or borrow from existing SOC playbooks to craft a response strategy for a novel threat.

As a basic example, imagine you have a cyber incident playbook that defines a response plan for handling malware after you discover it on a server, but the security incident you’re dealing with involves malware inside a Kubernetes environment, not a standalone server.

These are different scenarios because they involve fundamentally different types of infrastructure or hosting environments. However, there is still likely to be a lot of overlap in the response process to each threat. In both instances, your team would need to identify the type of malware, then determine the most efficient way to remove it.

So, although the removal process would probably be different if you’re dealing with containers (where you could most likely replace the infected containers with new containers based on clean images) as opposed to a server (where you may need to scrub the malware from the server because you can’t just drop a new server into place), the initial stages of the response process would be more or less the same. The playbook for server malware response could therefore serve as the basis for responding to an incident involving malware on containers, saving your SOC from having to plan a response totally from scratch.

Of course, in order to automate the response process, your SOC would still need to be able to recognize the similarities between a malware incident in both types of environments, then alert your team to the relevant playbook. This can be done, but it requires nuanced, sophisticated SOC automation. Automation that is based on simple rules (like linking monitoring alerts to specific playbooks) wouldn’t be enough in this case to help the SOC automate the response process as much as possible based on the available resources.
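The distinction drawn above, between simple rules that link an alert to a specific playbook and automation that can recognize a near match and surface the closest playbook, is small enough to show in code. The block below is an added example and is not Torq’s code: the playbooks, their tags, their steps, and the incident tags are constructed. It tries an exact rule match first, then falls back to the playbook whose preconditions are best covered by the incident, flagging the environment-specific steps (such as scrubbing a host versus replacing containers) that the team would need to adapt.

```python
"""Select a playbook for an incident: exact rule match first, then the closest
playbook by how many of its preconditions the incident meets, flagging steps
that are environment-specific. Added example, not Torq's code; playbooks,
tags and steps are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Playbook:
    name: str
    tags: frozenset                    # attributes the playbook was written for
    steps: Tuple[Tuple[str, bool], ...]  # (step, environment_specific)


PLAYBOOKS: List[Playbook] = [
    Playbook("server-malware",
             frozenset({"malware", "server"}),
             (("isolate host from network", False),
              ("collect sample and identify malware family", False),
              ("scrub malware from host and verify integrity", True),
              ("restore service and monitor", False))),
    Playbook("credential-phishing",
             frozenset({"phishing", "email"}),
             (("quarantine message", False),
              ("reset affected credentials", False),
              ("block sender domain", False))),
]


def coverage(pb: Playbook, tags: set) -> float:
    """Fraction of the playbook's preconditions present in the incident."""
    return len(pb.tags & tags) / len(pb.tags) if pb.tags else 0.0


def select_playbook(incident_tags: Iterable[str],
                    playbooks: List[Playbook] = PLAYBOOKS,
                    min_coverage: float = 0.5) -> Dict[str, object]:
    tags = set(incident_tags)
    # 1. Simple rule: every tag the playbook was written for is present.
    for pb in playbooks:
        if pb.tags <= tags:
            return {"playbook": pb.name, "match": "exact", "score": 1.0,
                    "reusable_steps": [s for s, _ in pb.steps], "adapt_steps": []}
    # 2. Fallback: nearest playbook by coverage, if it is close enough to reuse.
    best: Optional[Playbook] = max(playbooks, key=lambda pb: coverage(pb, tags),
                                   default=None)
    score = coverage(best, tags) if best else 0.0
    if best is None or score < min_coverage:
        return {"playbook": None, "match": "none", "score": score,
                "reusable_steps": [], "adapt_steps": []}
    return {"playbook": best.name, "match": "similar", "score": score,
            "reusable_steps": [s for s, env in best.steps if not env],
            "adapt_steps": [s for s, env in best.steps if env]}


if __name__ == "__main__":
    for incident in ({"malware", "server"}, {"malware", "kubernetes", "container"}, {"ddos"}):
        r = select_playbook(incident)
        print(sorted(incident), "->", r["playbook"], r["match"],
              "adapt:", r["adapt_steps"])
```

For the Kubernetes malware case in the text, the selector returns the server playbook as a similar match with the isolation, identification and recovery steps marked reusable and only the host-scrubbing step flagged for adaptation, which is the overlap the passage describes.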

What is the difference between cyber security and SOC?

A SOC is part of a company’s overall cybersecurity strategy – it’s the heart of security operations and where key functions like security monitoring, detection, and response occur. 

But a SOC is not the sole component of cybersecurity. It is one pillar of a complete cybersecurity strategy.

What is a SOC tool?

A SOC tool is any cybersecurity tool that is used in the security operations center.

What are the key tools in a SOC?

A SOC can comprise a number of different security solutions. Most modern SOCs include a combination of security automation and hyperautomation, endpoint protection/endpoint detection and response (EDR) platforms, intrusion prevention systems (IPS) and intrusion detection systems (IDS), network security solutions, cloud SIEM/log management platforms, extended detection and response (XDR) platforms, mobile device management (MDM), asset discovery, vulnerability assessment and more.

What is the difference between SIEM and a SOC?

Security information and event management (SIEM) is a technology that supports threat detection, compliance, and security incident management. It collects and analyzes security events. While both SIEM and a SOC monitor for security events, SIEM is just one component of a SOC strategy and is often used as one tool within a SOC to detect and manage threats. 

Conclusion

Building a SOC is one step toward modernizing security operations, but it’s not enough on its own. Organizations should seek to automate SOC as much as possible – even in cases where there is no preexisting playbook to guide response operations. SOC automation helps security teams work faster while also maximizing their chances of shutting down threats before they cause harm to the business.

How Next DLP Automates Data Breach Investigations with Torq Hyperautomation

The following is adapted from a conversation between Torq and Robbie Jakob-Whitworth, Cybersecurity Solutions Architect at Next DLP. Next DLP is a leading provider of insider risk and data protection solutions. Read on to learn how Robbie has used Torq Hyperautomation to automate alerts and reduce alert fatigue within his organization.  

Introduction to Robbie and Next DLP

I’m Robbie Jakob-Whitworth, Solutions Architect with Next DLP. Next DLP is focused on reinventing data protection, DLP, and insider risk. So, I spend a lot of time working with customers and enterprises focusing on how we can protect the data in their organization, how we can prevent a data leak or data breach, and also how we can manage the insider risk. 

So a key thing that I work on with a lot of customers is alerts, detections and incidents from a data protection perspective as well as an insider risk perspective. And alert fatigue is something that is a very real problem for security analysts. They spend a lot of time looking through alerts. 

Next DLP provides a fantastic platform to get an overview and take control of risky behavior taken by users. For example, the sharing of sensitive data, or accessing data that is controlled by regulation or compliance. But going through all of these alerts and all of these incidents can be quite a time thing sometimes for an analyst. So in that theme of alert fatigue, I was able to use Torq to build a workflow to notify me separately via Slack about the most serious data breaches.

Combatting Alert Fatigue with Hyperautomation

So in the example that I’m going to show you here, we can actually reduce alert fatigue by using Torq to just alert us about the most high severity alerts. So using Next DLP, I built out a webhook integration directly into Torq and streamed detection information to Torq where the data is Personally Identifiable Information (PII).

I’m only going to focus on the most high risk users, and I only want events that are a score of at least 80. So, particularly high severity alerts. Now, when a policy violation or incident occurs that meets these thresholds, a workflow in Torq is triggered and I get notified in real time through Slack or on my phone.

Then, I can launch an investigation in real time. So I can go and spend my time on other things that are more important to me than looking through logs. I’m saving a lot of time by getting these alerts through Torq.

A Real-World Example

Consider this – from a data protection perspective, I might have data in my organization, maybe personal information, social security numbers, or customer information that needs to be protected. And in this case, if I’m a user and I’m sharing this data through a site like WeTransfer, either maliciously or accidentally, Next DLP can provide real-time data protection by enforcing IT and corporate policy, preventing the taking of sensitive data. 

So in this case, we caught the fact that this file contains this sensitive information – email addresses and social security numbers – and that it was leaked out through WeTransfer. Next DLP protected and blocked that activity.

Now as a SOC or security analyst, I don’t need to sit in the Next DLP platform and look through every single alert. With this automation, Torq notifies me with all of the information around the incident: which user violated the policy, what the policy was, that it contains social security numbers, how the data was being exfiltrated, in this case to WeTransfer. I get a link to view the file and the forensic evidence, along with a screenshot of the user’s desktop at that moment in time. So I’m able to launch an investigation to dive down deeper into the context of this user’s activity. 

The Power of Torq Hyperautomation

Traditionally, for an analyst or in a SOC, you spend all your time kind of combing through logs and alerts. You have a lot of false positives to deal with. And all the information is presented to you within a powerful UI of most products. But, you have to spend a lot of time going through each alert.

It was super simple to build this automation because I’m combining the powerful open API provided by Next DLP with the really helpful no code workflow UI provided by Torq. Plugging those two together is the best of both worlds. It’s really a fantastic way to orchestrate and connect different systems together and to save me time by automating those manual tasks.

Want to learn more about Torq Hyperautomation? Get a demo.
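The workflow Robbie describes above (a DLP detection posted to a webhook, filtered to PII events with a risk score of at least 80, then pushed to Slack with the incident context) is shown below as an added example. It is not Next DLP's or Torq's code. The detection payload fields, the HMAC-SHA256 signature over the body and the shared secret used to verify it are assumptions for illustration; the signature check is included because an unauthenticated webhook that triggers automated actions is itself an attack surface.

```python
# Added example, not Next DLP's or Torq's code: a webhook handler that
# authenticates an inbound detection, keeps only high-risk PII events, and
# turns them into a Slack notification. The payload fields, the HMAC-SHA256
# signature and the shared secret are assumptions for illustration.
import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-webhook-secret"  # assumed configured on both sides
MIN_RISK_SCORE = 80                              # "a score of at least 80"
WATCHED_DATA_CLASSES = {"PII"}


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex encoded (assumed sender behaviour)."""
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str) -> bool:
    # Constant-time compare so the check does not leak the expected MAC.
    return hmac.compare_digest(sign(body), signature_hex)


def should_notify(detection: dict) -> bool:
    classes = set(detection.get("data_classes", []))
    score = detection.get("risk_score", 0)
    return bool(classes & WATCHED_DATA_CLASSES) and score >= MIN_RISK_SCORE


def to_slack_message(detection: dict) -> dict:
    """Build a Slack chat.postMessage-style body carrying the incident context."""
    text = (
        f"[DLP] {detection['user']} violated '{detection['policy']}' "
        f"(risk {detection['risk_score']}) via {detection['channel']}; "
        f"data: {', '.join(detection.get('data_types', []))}"
    )
    return {
        "channel": "#dlp-high-risk",
        "text": text,
        "blocks": [
            {"type": "section", "text": {"type": "mrkdwn", "text": text}},
            {"type": "section", "text": {"type": "mrkdwn",
             "text": f"<{detection['evidence_url']}|View file and forensic evidence>"}},
        ],
    }


def handle_webhook(body: bytes, signature_hex: str):
    """Return a Slack message dict, or None if the post is rejected or filtered."""
    if not verify_signature(body, signature_hex):
        return None  # unauthenticated: drop it, never act on it
    try:
        detection = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not should_notify(detection):
        return None  # below threshold: it stays in the DLP console
    return to_slack_message(detection)


# Constructed detections: one resembling the WeTransfer case, one low-risk.
HIGH_RISK = json.dumps({
    "user": "jdoe",
    "policy": "Block upload of regulated data",
    "risk_score": 92,
    "data_classes": ["PII"],
    "data_types": ["email addresses", "social security numbers"],
    "channel": "wetransfer.com",
    "evidence_url": "https://dlp.example.invalid/incidents/1042",
}).encode()

LOW_RISK = json.dumps({
    "user": "asmith",
    "policy": "Warn on external share",
    "risk_score": 40,
    "data_classes": ["PII"],
    "data_types": ["email addresses"],
    "channel": "drive.example.invalid",
    "evidence_url": "https://dlp.example.invalid/incidents/1043",
}).encode()

if __name__ == "__main__":
    print(json.dumps(handle_webhook(HIGH_RISK, sign(HIGH_RISK)), indent=2))
    print(handle_webhook(LOW_RISK, sign(LOW_RISK)))
```

Filtering on a normalized data class and a numeric score, rather than on free-text policy names, keeps the threshold adjustable without rewriting the workflow; the signature check runs before the body is parsed, so a forged post cannot reach the JSON parser or the notification step.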

Stop SOAR From Killing Your SOC Budget With Hyperautomation

Cyberthreats are escalating and SOC budgets are tightening. It’s a recipe for disaster, that is, unless you take advantage of new technologies that keep both in check. The fact is, businesses are now spending nearly a third of their cybersecurity budget towards running an in-house SOC, averaging out to $2.86 million per year, according to Ponemon. 

Historically, security teams anchored their SOCs with SOAR. In the distant, fading past, this was intended to improve efficiency and drive standardization across incident response activities. SOARs promised to enable organizations to integrate security solutions within the SOC technology stack, filter and prioritize incident data, and automate processes to improve remediation speed. However, reality quickly set in, and SOC teams experienced disconnected and reactive defenses, narrow visibility and event processing capabilities, and limited inflexible integrations that were putting the organization in danger.

Beyond the technical limitations, organizations found that the myriad of hidden costs associated with running SOAR negatively impacted the investment already made in three key areas of the SOC: People, Time, and Technology.

People

When the SOC receives an alert, three levels of analysts typically work together to cover the entire threat lifecycle. Entry level analysts handle the initial triaging and filtering of alerts, escalating legitimate threats to Tier-2/3 analysts for more advanced investigations, and eventual remediation. However, the need for continuous monitoring, troubleshooting, and maintenance of SOAR solutions creates a bottleneck, slowing down the incident response process at every level. According to ESG, 92% of security professionals agree that leveraging a SOAR effectively demands intensive programming/scripting skills, meaning organizations often find themselves allocating one, if not more, FTEs strictly to SOAR management. 

Depending on the size and maturity of the organization, staffing an efficient 24/7 SOC may require between 5-10 analysts, with the average entry-level analyst salary hovering around $90,000 annually. The challenge is, the cyber security space is already dealing with a 4 million global shortage of security staff, and Tier-1 analyst roles are so tedious and demanding that employees don’t stay in these positions long due to high stress, and eventual burnout.  This shortage has made finding highly skilled and experienced analysts much more difficult, increasing the competitive salaries organizations must offer throughout the recruitment process. 

Time

Time costs take several forms: the labor hours spent working through overwhelming volumes of disconnected SOAR alerts, the organizational downtime when a legitimate threat is missed, and the regulatory fines and reputational damage incurred in post-breach recovery. According to IBM’s Cost of a Data Breach Report (2023), the global average cost of a data breach has risen by 15% over the past three years, reaching $4.45 million.

Improving SOC speed to combat the potential impact of downtime is a key investment area for most organizations, and an area in which SOAR has drastically failed. SOAR’s poorly scalable architecture and integration rigidity make the initial implementation and configuration slow, tedious and time-consuming. Once implemented, CISOs and Directors of Cybersecurity commonly report on the mean time to respond (MTTR) to an incident when measuring the efficiency of the SOC. Ironically, the amount of time spent manually triaging, correlating and escalating massive amounts of alerts within a SOAR is often the major contributing factor leading to analyst burnout, and almost 40% of cybersecurity professionals say that their average MTTR is still “months or even years”.

Technology 

To help reduce MTTR, especially in this intensely-competitive era of hiring experienced SOC analysts, organizations invest more heavily in technology to arm their security operations center. In 2024, approximately 70% of IT leaders expect to increase their cybersecurity budget, with almost half of that budget being allocated towards the cloud security and incident response solutions that are pertinent to day-to-day SOC responsibilities. Despite significant investments in cybersecurity tooling to increase SOC productivity, many organizations experience the opposite effect. 

Security teams are overloaded, trying to protect legacy systems, hybrid infrastructures, and emerging technologies with siloed security solutions that lack pre-built SOAR integrations with each other or with third-party threat intelligence feeds. The overabundance of security tools meant to safeguard an organization ends up contributing to an operational deficiency known as stack sprawl, where a lack of integration, limited connectivity, and an overwhelming amount of disconnected event data actually decreases SOC productivity. Even building basic SOC automation playbooks and setting up integrations with existing security solutions can often require custom development or lengthy professional services offered by the SOAR vendor, delaying productivity and decreasing ROI.

Maximize ROI with SOC Hyperautomation

Before signing on the dotted line, organizations need to be aware of the budget-busters of SOAR and other legacy SOC solutions that erode their value, lengthen their ROI, and make them downright expensive. Today, building an efficient SOC and maximizing not only the investment made in SOC solutions, but also the resource investment in people and time, requires Hyperautomation.

SOC teams leveraging Torq Hyperautomation easily integrate any security solution, and build effective automations using AI-prompts or no-code, low-code, and full-code support. Purpose-built AI capabilities that leverage LLMs to understand natural language uplevel Tier-1 analysts to perform Tier-3 tasks at machine speed, without the typical learning curve or need for professional services. By applying automation not only to security solutions, but to repetitive investigation, organization, and escalation tasks as well, Hyperautomation not only reduces the workload of SOC analysts, but enables them to act faster on critical incidents with intelligent, dynamic prioritization. Finally, a secure and extensible, cloud-native, zero-trust architecture eliminates scaling or performance ceilings, while maintaining compliance regardless of which best-of-breed solutions or enterprise architecture the organization is working with.

When building out a SOC, the best way to maximize an organization’s ROI is to protect the three key areas of investment; People, Time, and Technology. Torq Hyperautomation not only protects that investment, but enhances the SOC by automating processes at scale, with ease and efficiency – effectively solving the challenges outlined above, and removing the hidden costs associated with SOAR solutions. 

Learn more about how Torq Hyperautomation protects your SOC investment, and download our spotlight report “SOAR is Dead: A Manifesto”. And to see Torq in action, schedule a demo.

How to Save Your SOC Analysts From Alert Fatigue

SecOps teams face an unyielding barrage of security signals raised by various systems and tools. It’s estimated that 56% of large companies receive 1,000 or more alerts per day.

SOC analysts are expected to wade through these alerts and determine which ones are important, which are low priority, and which are imperative. 

According to IDC, 83% of cybersecurity employees say they’re struggling to cope with the overwhelming alert volume. Meanwhile, 30% of alerts are ignored or go uninvestigated due to security teams of all sizes struggling with alert fatigue, leaving the door open to potential threats that can adversely affect the organization.

Legacy SOAR: The #1 Cause of Alert Fatigue

The leading cause of alert fatigue is legacy SOAR’s flawed approach to alert prioritization. It treats every event as an incident and depends on inflexible SIEM-based event pipelines for the critical tasks of noise reduction and data enrichment. Further, SOAR requires significant costs for processing additional signals and automating subsequent follow-up. And because SOAR relies primarily on on-premises architecture, its scalability is crippled, further increasing costs and hindering integration of modern security tools.

Legacy SOAR’s downsides include:

  • Difficulty finding useful information and managing vulnerabilities
  • Slower time to identify and respond to actual threats
  • Higher rates of SOC analyst burnout, which drives attrition

How a Hyperautomated SOC Eliminates Alert Fatigue

Torq Hyperautomation can process event volume orders of magnitude larger and faster than legacy SOAR, and has more flexible capabilities to filter, enrich, correlate, and aggregate events for automation processing. A Torq Hyperautomation-driven SOC is built on an event-driven architecture and offers easy workflow automation to sift through the noise, close out false positives more quickly, and prioritize responses more efficiently.

Torq also offers horizontal scalability to support a vast amount of processes and automatically parses all data, while SOAR requires manually selecting and mapping fields.

In addition, Torq offers more flexibility with trigger conditions, including templates. This means multiple triggers look at the same event and can launch a variety of different workflows dynamically. 

A Torq Hyperautomation-based SOC helps eliminate alert fatigue and frees SOC analysts from the endless, resource-draining game of event whack-a-mole SOAR is known for. With Torq, alerts are prioritized, enriched, and contextualized, and 95% of Tier-1 tasks are hyperautomated, so SOC analysts can focus their attention on only significant alerts and incidents without being bogged down by noise.

See how a hyperautomated SOC can eliminate alert fatigue. Get a demo.

Enhancing Cyber Defenses: The Benefits of Hyperautomation in Cybersecurity

Cyber threats are constantly evolving and becoming increasingly sophisticated, and organizations are continuously searching for ways to fortify their cybersecurity defenses. One approach that has gained significant traction is hyperautomation

Hyperautomation, which automates once-manual security workflows and processes, enhances cybersecurity posture, streamlines security operations, and effectively mitigates risks.

So, what are the benefits of hyperautomation in cybersecurity, and how does it improve security operations while reducing cyber risks?

The Benefits of Hyperautomation in Cybersecurity

Increased Efficiency

Hyperautomation increases efficiency in cybersecurity. It enables organizations to automate repetitive processes such as threat detection, incident response, and vulnerability management, which allows cybersecurity teams to focus their time and effort on more strategic initiatives.

Faster Response

Hyperautomation empowers SecOps teams to respond to threats in real-time. AI-powered hyperautomation that uses large language models can analyze vast amounts of data at incredible speeds, allowing for faster identification and remediation of security incidents before they have a chance to escalate into larger breaches.

Proactive Threat Detection

Hyperautomation uses AI in security to detect and analyze patterns indicative of potential cyber threats. By continuously monitoring network traffic, user behavior, and system logs, organizations can proactively identify and stop attacks before they have the chance to cause significant damage.

Seamless Integration

Hyperautomation integrates seamlessly with the vast majority of existing cybersecurity tools and technologies, which enhances their capabilities and provides a more unified approach to security management. This extensibility and interoperability ensures organizations can leverage their existing investments while maximizing the effectiveness of their cybersecurity defenses.

Scalability

As organizations grow and evolve, so do their cybersecurity needs. Hyperautomation delivers scalability by adapting to changing requirements and increasing workloads. Whether it’s securing new endpoints, expanding into cloud and hybrid environments, or integrating with emerging technologies, hyperautomation offers the flexibility to scale security operations accordingly.

How Does Hyperautomation Improve Security Operations?

AI-driven hyperautomation greatly improves security operations by streamlining workflows, accelerating response times, and enhancing decision-making processes. With hyperautomation you can achieve a 10X or more operational and productivity boost within weeks of deployment. Autonomously detecting, triaging, investigating, and remediating security threats introduces new efficiencies in cybersecurity without the need for human intervention. This dramatically filters out the noise of thousands of daily security alerts and only presents the most critical as needing attention, which greatly accelerates the mean time to resolve genuine security incidents. By leveraging AI and automation, organizations can:

  • Automate routine tasks: Hyperautomation automates repetitive tasks, such as log analysis, malware detection, and patch management, freeing up security teams to focus on more complex and strategic initiatives.
  • Enhance threat intelligence: AI algorithms analyze vast amounts of data to identify patterns and anomalies that indicate a potential cyber threat. This enables organizations to stay ahead of emerging threats and proactively defend against potential attacks.
  • Improve incident response: Hyperautomation enables faster incident detection, analysis, and remediation. By automating incident response workflows, organizations minimize threat exposure and can more quickly mitigate the impact of security incidents.
  • Optimize resource allocation: AI-driven insights provide security teams with actionable intelligence, enabling them to prioritize tasks based on risk severity and potential impact. This eliminates the need to respond to low-priority alerts and tasks, and ensures resources are allocated efficiently to address the most critical security issues.

Can Hyperautomation Reduce Cybersecurity Risks?

Because hyperautomation gives security teams the ability to automate threat detection and response, reducing cyber risks is one of the main reasons organizations deploy it. Add to the mix AI cybersecurity advantages of being able to analyze massive amounts of data in real-time to identify indicators of potential security threats and security risk is further reduced. 

Ultimately, hyperautomation allows security teams to detect security threats faster and respond more quickly and more effectively, minimizing their impact and reducing cyber risks by:

  • Minimizing human error: By automating routine tasks and standardizing security processes, hyperautomation reduces the likelihood of human error, which is a common cause of security breaches.
  • Enabling proactive threat hunting: AI-powered analytics enable organizations to proactively hunt for threats across their infrastructure, identifying and neutralizing potential risks before they can be exploited.
  • Improving compliance posture: Hyperautomation ensures consistent enforcement of security policies and regulatory requirements, reducing the risk of non-compliance and potential penalties.

Hyperautomation offers myriad benefits, including increased efficiency in cybersecurity, faster response, proactive threat detection, seamless integration, and scalability. By leveraging AI and automation, organizations can enhance their security operations, reduce cyber risks, and strengthen their defenses against today’s evolving security threats.

To see the benefits of hyperautomation in action, schedule a Torq demo

Torq Talks to Tyler Young, CISO at BigID

The following is adapted from a conversation between Torq and Tyler Young, CISO at BigID. BigID produces software for data security, compliance, privacy, and governance. Read on to learn about how Torq Hyperautomation has helped BigID unlock new levels of efficiency and productivity by relieving their team of rudimentary tasks.

Introduction to Tyler and BigID

I’m Tyler Young, Chief Information Security Officer at BigID. I’ve been at BigID for two years, and I was brought in to take the company’s product security program to the next level. Prior to BigID, I was at Relativity for almost four and a half years where I was responsible for building out and scaling the security program. Prior to Relativity, I was at Zurich Insurance. Before that, I worked with some consulting firms and the US Government. I’ve had experience with multiple sectors and am now focused in hypergrowth tech.

BigID’s Automation Journey

BigID’s automation journey consists of two different parts. First, we needed to bring in the right technologies that fed the right telemetry to our security engineering teams. Second, we wanted to save time by not building out an elaborate SOC. We talk all the time as an industry about burnout and talent shortage. Security teams want to build, they want to solve critical problems, they don’t want to be looking at alerts all day or wasting time on repetitive tasks that can be automated. That’s why we invested in Torq. We leverage Torq for the phishing aspects of what BigID is doing, as well as our level one and level two tasks. We built our automation strategy from scratch leveraging Torq.

Life Before Torq Hyperautomation

We had Torq Hyperautomation within my first five months of being at BigID, but in my last role, we used a SOAR platform. It took an entire team to operate and to manage it. I’m talking like six or seven people writing automation framework playbooks and writing threat detections in the platform. Instead of spending over a million dollars on the program, we could have been using those resources to build homegrown security solutions or leveraging open source that we could then offset some other security costs. I think a lot of places are leveraging these really robust SOAR capabilities, but they require a significant head count, a lot of funding and top-notch talent to write code, almost at the same level as some developers are writing.

Comparing Torq Hyperautomation to Traditional SOAR Offerings

Torq Hyperautomation’s click and drag capability and ability to integrate with companies like SentinelOne or CrowdStrike, combined with not having to write API connections and build connectors for all these different aspects, make the program different from Legacy SOAR. Being able to just click and drag makes our job so much easier. I can do the same thing with one or two security engineers that we could do with ten when they’re having to write these things manually.

Benefits BigID Has Experienced with Torq Hyperautomation

Maybe this is the unconventional aspect of this, but I think the biggest benefit we’ve seen is our security engineers don’t have to focus on remedial workflows that they can build themselves in a playbook, which allows them to focus on more meaningful work. I’m a big believer in building security solutions, and leverage things off the shelf when possible. Torq allows our team to take the rudimentary tasks and automate them so that they can spend more of their time building. 

Advice to CISOs Considering Torq Hyperautomation

I think it’s important to do a cost benefit analysis of how much time and money you spend today on your current SOAR offering. It’s also important to gauge your employees’ happiness and satisfaction with their responsibilities. There’s already a talent shortage. Ask yourself, is my team bought into what they’re doing? If not, leverage something like Torq Hyperautomation to automate those repetitive tasks so your team is focusing on more meaningful work. 

On the Future of AI and Security 

I think there’s a place and time where all the alerts, all the telemetry is going to some type of autonomous agent that’s leveraging AI in some capacity. In the future we’ll be able to understand the attacks that are happening in real time, something that’s lacking today with AI. If you have threat detections that are happening and updating in real time, then you have the ability to block and respond to those in real time. In a perfect world, I see AI enabling security teams to be focused on building solutions that are more custom tailored to your needs. 

Want to learn more about Torq Hyperautomation? Get a demo.