Hyperautomation Product

Evade the SecOps Black Hole: A Five-Tier Approach to a Hyperautomated SOC

By Torq
January 11, 2024
5 Minute Read

There’s a term to describe what happens to something that gets sucked into a black hole: “spaghettification.” The gravitational pull of a black hole is so forceful, that it is believed to stretch and compress objects into long thin shapes resembling spaghetti.

SOC analysts spend their days trying to avoid being sucked into the black hole of overwhelming security events and alerts. They’re fighting to not be spaghettified.

Day in, day out, SecOps analysts face a staggering deluge of alerts. A recent Vectra AI study found that on average, SOC teams receive 4,448 alerts per day, and spend nearly three hours a day manually triaging them. Startlingly, that same study found that security analysts are unable to deal with 67% of the daily alerts they receive, with 83% reporting that alert alerts are usually false positives and not worth their time.

This overabundance of low-fidelity alerts and false positives clouds the judgment of security teams, and leads to alert fatigue. It’s also dangerous, in that it can distract from more impactful and important security operations, such as proactive threat hunting, strategy optimization, and addressing major vulnerabilities. According to IDC, 30% of alerts are ignored or not investigated due to alert fatigue. 

Meanwhile, according to IDC, 83 percent of cybersecurity employees say they’re struggling to cope with the volume of alerts, while 30% of alerts are ignored or not investigated due to alert fatigue. 

But all hope is not lost. Torq Hyperautomation provides the rocket fuel to help SOC analysts achieve escape velocity and evade the security events black hole. Through a hyperautomated SOC, a security operations center powered by hyperautomation through which the vast majority – 90% to 95% – of tickets, alerts, events, and incidents are handled and closed by hyperautomation, SOC analysts can eliminate alert fatigue and escape the black hole. 

A hyperautomated SOC helps eliminate alert fatigue through a five-tiered approach.

1. Collect the Noise: Millions of Events; One Hyperautomation Platform

First, Torq’s Hyperautomation platform effortlessly ingests event data with limitless horizontal scalability through a variety of mechanisms, such as message queues (AWS SQS, GCP Pubsub, Azure EventGrid,Kafka), direct webhooks, TCP transmission, email, and API polling, just to name a few. This is where we start collecting events. It’s where we embrace the chaos to bring order.

2. Start Filtering: Reduce the Noise 10x

Here, triggered workflow automations apply a 10x reduction filter. This slashes the volume of events from a million to hundreds of thousands. Torq’s technology sifts through the events to identify the data that matters most, zapping out false positives and low-fidelity alerts. Our horizontally scalable events pipeline performs numerous checks, ranging from string and numeric comparisons to more advanced regular expressions. Only the most relevant pieces pass through this stage. No more irrelevant and superfluous logs, events, or alerts get through.

3. Gain Context: Enrich Events With AI

This is where things get really exciting. We use stateful event filtering to reduce noise by 100x. Through intelligent event handling with large language learning models (LLMs), we enrich the

context for each security event. 

Your events volume is down to mere thousands now – as opposed to the millions you battled with before – and these are the events you should genuinely care about. 

From there, Torq Hyperautomation adds another layer of AI-driven stateful filtering, further enriched with context like threat intelligence, business context, or even historical events. Every event is vetted from multiple angles using LLMs and third-party security tools. Torq hyperautomates 95% of Tier-1 analysis with generative AI, which ultimately empowers you to make faster, better informed decisions.

4. Intelligent Security Case Orchestration: Automatically Triage, Classify, and Remediate 100s of Tier-1 and Tier-2 Cases

At this point, the funnel narrows to just 100s of security cases requiring further action, but they still don’t necessarily require human involvement. Torq Hyperautomation does the heavy lifting by intelligently delegating issues to R&D, DevOps, or related business owners.

If an event makes it this far, it requires serious attention. We’ve already performed significant

noise reduction and filtered out irrelevant events and alerts. It’s time to prioritize what’s critical. 

Through Torq’s sophisticated orchestration capabilities, some of these cases may still be handled entirely without analyst involvement. 

Third-party integrations like SecOps, DevOps, or application owners have handled vulnerabilities and other findings, and non-compliant assets have been flagged and are now considered exceptions. That, coupled with case management through external communication and ticketing, means you can automatically close about 90% of Tier-1 tickets.

5. Security Analyst Expertise: High-Priority Cases Require Human Intervention

A hyperautomated SOC does not eliminate the need for human intervention. It does, however, ensure that humans are the last, and most critical, line of defense for the most severe and high-priority cases. At this part in the process, you’re left with only critical security cases that have undergone rigorous scrutiny and automated handling. Now humans must intervene. By now, the remaining cases are enriched with valuable data, minimizing the time and effort needed to take appropriate action. Analysts can tap into a library of pre-configured sub-processes, making their operations significantly more efficient.

By the time an event has passed through Torq’s Hyperautomation platform, it has undergone an intense, multi-tiered evaluation and action process, each phase of which is designed to optimize accuracy and efficiency, and, of course, improve your security posture to defend against threats.

Following this five-tier approach can help SOC analysts prevent being sucked into the security event black hole (and avoid spaghettification). 

To read more about achieving escape velocity, read our guide “Escape the SecOps Black Hole.” And if you’re ready to hyperautomate your SOC with Torq, request a demo.

Share

Related Articles

Product Use Cases

Automating Extension Risk Assessment and Permissions

By Aner Izraeli, Head of Information Security
January 8, 2024
6 Minute Read
Automating Extension Risk Assessment and Permissions

Browser extensions are a classic shadow IT concern. Assessing the reputation and security of a browser extension is crucial before installing it on a company computer, as extensions often have wide-ranging permissions that could be abused for data theft or other malicious activities.

In an open environment style company, extensions generate significant shadow IT risk that needs to be managed and addressed.

Let’s shed some light on the security challenges extensions present, and how you can use Torq to automate assessing the risk an extension may pose.

I decided to get into the crabs of a certain extension that helps to capture screen full pages. When browsing the extension’s official page, I went to its privacy page, and there I noticed a header saying: 

The developer has disclosed that it will not collect or use your data.

Oh yeah? Let’s go deeper into the privacy policy!

And there I found these two clauses:

When you access our Service, we may automatically collect non-personal data from you, such as web pages viewed, browser type, operating system, referring service, search information, device type, page views, usage and browsing habits on the Service and similar data.

and:

It is possible at times when collecting non-personal data through automatic means that we may unintentionally collect or receive personal data that is mixed in with the non-personal data

From this point, I checked more data properties that could help me decide if this should be removed or stay. Along with reviewing the privacy policy and extension’s web page, I checked a few additional parameters:

Installation method

How the extension was installed – NORMAL or SIDELOAD

  • NORMAL – Extension installed directly by the user from the browser’s official extension store.
  • SIDELOAD – Extension installed from a source outside of the browser’s official extension store.
  • DEVELOPMENT – Extension that is being loaded directly into the browser for testing or development purposes, rather than being installed from a web store or other official distribution channel.

This particular extension was installed in a SIDELOAD fashion, which can pose a greater risk because it may not have undergone as stringent of a security review as it would have if it was in an official store.

Permissions

I also examined the extension’s permissions – what it allows an extension to do. The list of permissions included some dangerous ones:

  • <all_urls> – Allows the extension to access all web pages. This is a very broad permission and is one of the most severe in terms of potential privacy and security risks.
  • tabs – Gives the extension access to various properties of the browser’s tabs. This can include reading the URL, title, and other attributes of tabs and closing, moving, or creating new tabs.
  • unlimitedStorage: Permits the extension to store more data than typically allowed in the browser’s local storage.
  • system.display – Allows the extension to interact with the display properties of the system. This could include things like:
  • Querying display metadata: Fetching information about connected displays, like their resolution, orientation, etc.
  • Manipulating display settings: Changing settings such as screen resolution or orientation.
  • Controlling display layout: Positioning screens in multi-display setups.
  • scripting – Depends on what scripts are executed (someone mentioned supply-chain risk)

Vulnerability Scans

Using the free extension scanning tool CRXcavator can shed more light on extensions that may be considered in the risk assessment. Decision making data could be added through its API, such as:

  • Vulnerabilities scan: Are there any vulnerable applicative components? Are there CISA KEV vulnerabilities?
  • Risk Over Time: The extension’s overall risk, is it escalated?
  • CSP (content security policy): More advanced insights
  • Networking: Could be correlated with <all_urls>

Whois

Use Whois to find the extension’s website URL. This could help you understand more about an extension, like where the extension’s coming from, its domain’s age, and more. Whois revealed the particular extension’s domain age is 59 days.

Risk assessment time!

Given the insights I was able to gather, I can now assess the risk and make a decision.

  1. Privacy policy shows Uncompromised information of the ability to collect PII. This has tremendous consequences on compliance and privacy settings and policy.
  2. Considering permissions like <all_urls>, scripting, tabs – These generate risks affecting data privacy, compliance, supply-chain (scripting?), data-leak etc…
  3. Considering the installation method – NORMAL installation type would at least have lowered the risk, which is not the case here, as this one was installed in SIDELOAD fashion – outside of the browser’s official extension store, which means, it wasn’t reviewed by Google.
  4. Whois – domain age is very low – 59 – not always necessarily, but it could raise a concern that something fishy is going on.
  5. Considering there are a few high vulnerabilities (with high EPSS).

After examining the findings above, I assume that the prevailing conclusion would be to remove the extension. However, in any environment there are many variables that can cause decision-makers to leave the extension installed.

How to Automate Extension Risk Assessment

All this work has to be done manually, right? That may be feasible if you have only a few extensions to investigate. Most organizations, however, have 20 times that many extensions. So I decided to use Torq to create workflows to automate the extension risk assessment.

Here’s how I did it:

  1. Focus only on risky permissions. Extensions have dozens of permissions types. I used Torq’s Gen AI integration to assign a risk score (1 to 5) for each permission, considering their capabilities. Focusing on the most prominent permissions reduced the number of issues to address.
  2. Let AI summarize the privacy policy with a prompt focusing on personal information, additional data processors, and what is essential to keep compliance governed.
  3. Use WHOIS to grab the domain’s age and its activity status.
  4. Extract the extension’s CVEs and use the power of automation to enrich and attach CISA KEV, EPSS, and CVSS metrics for better vulnerability management.
  5. Correlate CVEs with your device vulnerabilities inventory to detect whether they are vulnerable.
  6. Aggregate all insights into one case for the verdict:
    1. If the risk is tolerable, reach out to the employee to understand whether the extension is used and needed for work purposes.
    2. If the risk isn’t tolerable, reach out to the employee to inform them of the extension removal. Execute the MDM command to remove immediately.
    3. Exclude the extension from use.

Conclusion

The decision to remove or keep an extension may change under different circumstances and based on differing data. However, an extension that violates privacy compliance and provokes severe vulnerabilities shouldn’t be ignored.

As security pros, it’s our job to educate and raise awareness about extensions and the potential risk they pose, while also providing insight based on investigation and analysis. From there, organizations can make informed decisions whether they’ll allow a certain extension.

Share

Related Articles

Product Use Cases

Squish the Phish: Hyperautomation Plays a Key Role in Phishing Defense

By Torq
January 5, 2024
4 Minute Read
Squish the Phish: Hyperautomation Plays a Key Role in Phishing Defense

Phishing isn’t anything new. It’s been a tried and true threat for nearly 30 years. Its age, however, doesn’t diminish its seriousness. 

Phishing By the Numbers

Actually, 2023 marked a significant growth in phishing attacks, mainly due to the rise in large language models and AI being used for nefarious purposes. For example:

  • Since Q4 2022, there’s been a 1,265% increase in malicious phishing messages (SlashNext)
  • On average, 31,000 phishing attacks are sent per day (SlashNext)
  • This year saw a 967% increase in credential phishing  (SlashNext)
  • An estimated 3.4 billion spam emails are sent daily (AAG)
  • 36% of all data breaches involved phishing (Verizon 2023 DBIR)

Enter Hyperautomation

What is hyperautomation’s role in phishing defense? Torq integrates with several key partners to offer use cases that can help organizations prevent, protect against, and understand phishing attacks and avoid costly data breaches – which AAG estimates can cost an organization more than $4 million on average. Here we look at six use cases where hyperautomation aids in fighting phishing. 

Secure Email Gateways (SEGs)

Torq partners with Secure Email Gateway providers to enhance their detection accuracy and response by correlating data across SEG solutions, like Abnormal Security, Microsoft, Proofpoint, Mimecast, and more. Torq autonomously initiates remediation actions, such as removing malicious emails or adjusting email security controls to protect against phishing attacks. 

Endpoint Detection and Response (EDR)

Working with EDR providers like Crowdstrike, SentinelOne, Microsoft, and others, Torq can correlate endpoint data for a holistic view of a phishing attack’s scope and impact, triggering automatic malware scans and coordinating with the EDR solution for threat removal and system restoration.

Data Loss Identification and Prevention

Two key things an organization must do following a phishing attack is evaluating the scope and scale of data loss, and ensuring that they adhere to regulatory compliance with the appropriate notifications and reporting. Torq partners with Data Loss Identification and Prevention providers like Microsoft, Crowdstrike, Varonis, and Symantec to automate these two important pieces of the phishing puzzle.

Cloud Access Security Brokers (CASB) and Identity Access Management (IAM)

Proactive measures are imperative to protect against phishing. One way Torq does this is by analyzing cloud-based user and entity behaviors to detect anomalies that could be indicative of phishing. 

And if a phishing attack does occur, Torq partners with IAMs to automatically disable compromised credentials to halt unauthorized access across cloud, on-premises, and hybrid environments; and automate the reset process for compromised credentials to expedite resolution.

Key integrations to achieve this include Okta, Active Directory, JumpCloud, OneLogin, Ping, and Wiz. 

User Reporting and Security Awareness

Chatbots have become a key component in both reporting potential phishing attempts and educating users on what to look for to prevent falling victim. Chatbots provide an easy and immediate interface for users to report suspicious emails by integrating with an organization’s communication tools, such as Slack, Microsoft Teams, Discord, email, and others. Chatbots can also execute automated actions such as resetting passwords, revoking access, or initiating scans for malware, with the option for human-in-the-loop authorization. Chatbots can also provide educational resources and coaching to users on how to avoid phishing and other future compromises and to improve their cybersecurity awareness. 

Security Operations Metrics for Continuous Improvement

Understanding the metrics after the fact can help prevent a phishing attack in the future. Torq partners with SIEM, SEG, and EDR providers to evaluate response times and effectiveness of automated workflows in handling phishing attacks, and to provide insights to continually improve security posture against phishing and other threats. Torq Hyperautomation also prioritizes and categorizes incidents using LLMs to automatically create cases based on severity, impact, and other predefined criteria to ensure rapid response to critical threats. 

Through Torq’s limitless integrations, our platform can connect to and automate any security tool, meaning we can integrate with nearly any modern solution on the market to help understand phishing threats and automate the response to them.

Want to see the Torq Hyperautomation platform in action? Request a demo.

Share

Related Articles

Integrations Product

How to Simplify AWS Automations with Torq

By Torq
January 4, 2024
3 Minute Read

One thing we’ve consistently heard from our customers is that using legacy SOAR solutions to build AWS automations and workflows is complex and painfully slow.

Why? Because legacy SOAR solutions typically use Python to do anything, and to make Python work for you, you have to be an expert in it. Python is often complex and requires writing scripts to execute most commands. And, often times, Python scripts create a single point of failure, where the person who wrote the scripts is the only one in an organization that knows them – if that person leaves, the scripts leave with them.

Torq, however, integrates with AWS CLI, which eliminates the Python problem by allowing you to run AWS CLI commands directly from the Torq Hyperautomation platform. This saves you time and effort when automating in the cloud and lets you do more.

Torq is the only hyperautomation solution that offers integrated AWS CLI functionality. Other platforms force you to learn the API for AWS for every single workflow or automation. With Torq for AWS CLI, you don’t have to learn API calls – it cuts out APIs altogether. 

With AWS CLI, you can run any type of command you want in Torq – you don’t have to write the hundreds of steps you’d typically have to with Python Boto3 scripts. It simplifies your scripts into a concise workflow, making it easier to troubleshoot, build, and reuse automations. 

For example, if you wanted to produce a list of all of your active S3 buckets, all you have to do is find the command in AWS CLI documentation, type it into the AWS CLI in Torq, and it’ll return that list. It’s a super flexible way to run commands.

Torq with AWS CLI also lets you test workflows while you’re building them, which is a much less complex alternative to writing intricate Python scripts. And you can unlock the true power of Torq’s limitless integrations with solutions like Slack, Snyk, Wiz, and Orca Security, when you tie them together and build workflows that interact with AWS using the CLI command. 

And with the addition of Torq’s AI completions functionality in the AWS CLI command tool, your job just got even easier. You can use native language to find commands, saving the time you’d have spent digging into documentation to find the correct commands. Now, you can find and run AWS CLI commands without ever leaving the Torq platform. 

Want to see how Torq with AWS CLI can help you escape Python’s stranglehold and overcome slow automations? Get a demo.

Share

Related Articles

Hyperautomation Product

The Journey to True Hyperautomation

By Torq
December 19, 2023
4 Minute Read
The Journey to True Hyperautomation

The benefits of hyperautomation are well documented. But it can be challenging to determine where to get started. 

Maybe you’ve been burned by outdated and antiquated solutions, like legacy SOAR, that were so complex, costly, and time consuming that a path forward seemed impossible. 

At Torq, the journey to true hyperautomation is a three-phased approach that will transform your security posture and result in more than 90% of SOC processes automated.

  1. Phase 1: Task automation
  2. Phase 2: Process automation
  3. Phase 3: AI-driven hyperautomated SOC

Let’s examine each of the three phases of the hyperautomation journey.

Phase 1: Task Automation

The journey starts by determining which specific tasks require significant manual effort from SOC analysts. The goal is to automate repetitive, rule-based tasks – it’s essentially laying the bricks for your cybersecurity foundation. We use APIs and event feeds to pull data and automate tasks that would otherwise consume your team’s valuable time.

During this phase, you can automate a broad spectrum of task-based workflows, such as IOC enrichment, ticket triage, audit processes, and tasks related to handling vulnerabilities. 

This phase can run anywhere from two weeks to three months based on your organization’s maturity and whether you’ve pre-determined what to automate. The timing is also dependent on the priority your organization places on automation creation and implementation.

It gives you a solid start on your hyperautomation journey. Once completed, you’ll have automated roughly 15% to 20% of SOC processes.

Phase 2: Process Automation

Now that you’ve laid the foundation, the second phase focuses on automating process-based workflows. Here is where we automate entire security workflows and processes, not just tasks. You’ll automate rules-based decision making and allow for a few exceptions where human judgment is required. Internal and external event triggers help in seamless flow to create a more robust, responsive, and intelligent automated system.

Process automation requires extensive communication with your technology stack and tailoring use cases from start to finish. During this phase, multiple tasks converge to serve a specific use case, where Torq bridges all of the different elements, reducing user dependency. The goal is to involve users solely in critical decision-making aspects. 

The result is quicker identification of threats and risks, which allows for immediate action and a reduction of the window of exposure.

Based on organizational maturity and the priority your organization puts on automation creation and how much time to spend, this phase ranges from a few weeks to six months.

Once phase two is completed, you’ll have automated 30% to 65% of SOC processes.

Phase 3: AI-Driven Hyperautomated SOC

The third and final phase of your hyperautomation journey is harnessing the power of AI to hyperautomate your SOC. It’s this phase where you integrate AI and machine learning to deal with complex decision-making processes. Torq processes unstructured events to deliver contextual insights through cognitive automation. To do this, you’ll leverage your processes and technology solutions alongside large language models (LLMs).

The goal of this phase is to streamline day-to-day tasks through a combination of workflow automation, your security stack, and AI – all driven by your unique business logic. It combines the power of both process and AI to enhance efficiency and address your business needs.

This phase varies in duration based on the time it took for you to complete the first two phases. But once completed, you’ll achieve true automation and will have successfully automated more than 90% of your SOC processes. 

Achieve True Hyperautomation

Once you’ve completed all three phases of the journey, you’ll have evolved from basic task automation to an advanced, AI-driven, hyperautomated SOC. You’ll have automated more than 90 percent of your SOC processes, and your security team will be able to focus on only the most complex and nuanced issues. And your SOC analysis will be relieved to have automations that can support them 24/7.

You’ll have achieved true hyperautomation.

Ready to start the journey to true hyperautomation? Request a demo.

Share

Related Articles

Hyperautomation Product

How Hyperautomation Unblocks the Events Processing Bottleneck

By Torq
December 4, 2023
2 Minute Read
How Hyperautomation Unblocks the Events Processing Bottleneck

Legacy SOAR offers limited events processing. That’s just the way it was built. SOAR is a standard monolithic architecture in which the entire application is deployed as a single entity, which typically runs on a single server or cluster of services. This dramatically restricts SOAR’s processing capacity, and it’s time-consuming and costly to try and extend SOAR beyond these restrictive configurations – it typically would require an entire rebuild and redeploy to upscale.

The only ways to deal with that is by either underprovisioning or overprovisioning your legacy SOAR. But that also creates problems. Underprovisioning creates poor performance, slow response times, and reduced availability. This affects the user experience and your solution’s ability to identify and remediate threats effectively. Overprovisioning allocates more resources than are actually needed to ensure there is always enough capacity to meet demand, but that method boosts costs, reduces efficiency, and increases risk with an extended infrastructure footprint.

Where legacy SOAR falls short, however, security hyperautomation shines. 

Here are the five major benefits of using hyperautomation to process your security events to overcome the limits of legacy SOAR.

  1. Hyperautomation provides limitless horizontal scalability that allows individual components and services to be independently scaled based on specific demands.
  2. Hyperautomation allows you to sift through the noise, prioritize events, close false positives, and more – all at scale and with precision accuracy. Plus, it’s entirely automated. 
  3. Hyperautomatn ensures specific event types are directed to relevant owners and automatically enriched with decision-supporting data.
  4. Hyperautomation empowers you to automate the orchestration and handling of diverse technical solutions that best suit your requirements, including CNAPP, CSPM, CWPP, EDR, XDR, EASM, IAM, SAST, and DAST.
  5. Hyperautomation enables you to have SLAs for different events to ensure the flood of events from one type or source does not prevent the system from processing other events. 

Through dynamic defenses, security hyperautomation allows you to unblock the events processing bottleneck. Read more about how hyperautomation outperforms SOAR in our “SOAR is Dead” manifesto.

Share

Related Articles

MSSP Product

Torq for MDR: Increase Margin and Onboard Customers Faster

By Torq
November 29, 2023
3 Minute Read
Managed detection and response (MDR) Hyperautomation Guide

Managed detection and response providers (MDRs) are at an inflection point. They previously relied on legacy SOAR to secure their customers. But SOAR solutions struggle to keep up with the evolving and maturing threat landscape, and were not designed to scale into cloud environments.

As a way to break free from SOAR’s shortcomings, MDRs are turning to hyperautomation.

Torq gives MDRs:

  • Increased margin: Automate more components in your alert investigation, analysis, and response, and handle security events more efficiently with less human involvement.
  • Faster customer onboarding: Automate customer onboarding and ramp-up, share workflows and use cases across customers, and automate in multiple environments.
  • Limitless integrations: Integrate with every tool within your customers’ security stacks to increase business value and widen total addressable market.

Torq for MDR is a significant evolution from legacy SOAR, and gives managed detection and response providers the ability to perform up to 90% of Tier-1 case analysis tasks with an autonomous agent; 10 times faster onboarding and provisioning of new customer environments, and the ability to handle 5 times more security events without adding headcount.

Regarded analyst firms IDC and GigaOm have both noted that hyperautomation is leading the shift away from legacy SOAR solutions and signaling the future of security automation. And one of the country’s largest MDRs, Deepwatch, recently announced it has standardized on Torq Hyperautomation. Ten other MDRs, such as SentinelOne Vigilance and Compuquip, have also joined the Torq for MDR program.

“With Torq Hyperautomation, we are significantly increasing productivity and efficiency, ensuring that our customers gain better evidence, analysis, and control over their cybersecurity, while staying protected from external threats and operational risks,” said Charlie Thomas, CEO, Deepwatch.

Torq Hyperautomation empowers MDRs to provide more value to customers to increase stickiness and reduce churn, while increasing SLA attainment. It also streamlines security operations and reduces costs by consolidating tooling and effortlessly integrating disparate tools managed by different teams for increased efficiency. At the same time, Torq Hyperautomation automates workflow management across an MDRs’ entire customer base, with the added flexibility of fine-tuned customization.

Torq also gives MDRs no-code, low-code, and full-code support; the ability to automate more processes; accelerated case management with AI; and a scalable, resilient infrastructure, all of which help MDRs improve efficiency and increase margin, while saving costs and scaling service offerings.

Hyperautomation is the future for MDRs.

Learn more about Torq for MDR. And download our guide, “Future-Proofing the MDR With Hyperautomation.”

Share

Related Articles

AI Use Cases

Automating Incident Response: Exploring the Latest Conversational AI Tools

By Torq
November 17, 2023
3 Minute Read

Hagai Shapira, Torq’s Director of Product spoke at DeepSec 2023 about different levels of automation approaches for incident response, culminating in the latest additions of conversational AI tools. In this interview (originally posted on DeepSec) Hagai answers questions about his talk and provides key insights on how to leverage AI to streamline incident response processes and improve their overall security posture.

Interview: 

Please tell us the top 5 facts about your talk.

  1. Most sec ops teams are still immature when it comes to utilizing automation for their detection and response and incident response procedures.
  2. Powerful automation and efficiency improvements can be achieved without software engineers using modern security automation tools.
  3. Some of the most time consuming tasks in incident handling are tasks that require interaction with other people (employees or users) and waiting for their responses.
  4. Simple primitives for asking questions in messaging platforms are key for enabling many automation use cases.
  5. Recent advancements in LLM models and AI agent architectures have expanded the realm of what is possible to automate, including most Tier-1 level cases in day-to-day SOC operations.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

This talk is based on my experience and work with security teams over the last three years in automating their incident response. However, my exploration into use cases for the latest top-of-the-line LLM models and how AI agent architectures, such as ReAct, can be used for security automation, has driven the most recent and exciting frontiers in this field and are the focus of the talk.

Why do you think this is an important topic?

There are several reasons why this is an important topic. Firstly, the workload of security operations teams has significantly increased over the past few years due to the proliferation of security tools and sensors that they need to monitor, as well as the sheer volume of data and alerts these tools generate. Secondly, it has become increasingly difficult to hire qualified security professionals, exacerbating the problem. Given these challenges, automating security operations is the only rational solution to alleviate the burden on security teams.

Is there something you want everybody to know – some good advice for our readers maybe?

If there is something I’ve learnt from my three years trying to automate the world of security operations is that there is no magic behind it. You cannot expect a magical solution to solve all your problems. However, if you invest resources and prioritize automation, you can achieve returns and efficiencies that would be impossible to achieve otherwise.

A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?

I definitely look forward to seeing even more improvement in the performance of LLM models, solving some issues they still suffer from like hallucination, and a reduction in the cost of completions. These changes and improvements will surely be key in seeing even more use of LLMs in automations, in more complicated investigations and at a scale that is required for supporting some of the bigger organizations in the world.

Share

Related Articles

Hyperautomation Research

IDC: Hyperautomation Signals the End of SOAR Era

By Torq
October 10, 2023
3 Minute Read

“Purpose-built does not scale.” That’s what IDC says in its latest research report “How Hyperautomation Is Used to Reduce Gaps and Inefficiencies in Network Cybersecurity.”

What does that mean? It means that your monitoring point products, like legacy SOAR, just don’t cut it any longer. They can’t scale in today’s hybrid cloud and multi-cloud environments without piling on more tools, further fueling tech stack sprawl.

The report notes that SOAR, SIEM, XDR, and EDR were conceived as on-premises solutions and security’s shift left – the idea that security begins at the time of code development – was not considered. This creates an inherent inability to scale. Additionally, the tools are often too complex and their effectiveness has dwindled in today’s modern, often cloud-based, security environments. 

“No matter how you slice it, the cybersecurity platform strategies of today are holding on by a narrow margin. Too many processes are still being done manually,” IDC Research Vice President, Security & Trust Products Christopher Kissel writes, later adding, “Without continually adding new point products and appliances (which also take time to install), none of the current detection and response platforms are going to scale no matter how experienced or disciplined a security operations team is. “

But all is not lost. Hyperautomation and its many benefits can help pull enterprises out of the legacy point product pit of despair. 

The IDC report notes that hyperautomation enables:

  • Visibility and control of the heterogeneous network real estate, and all environments and for all processes and role players.
  • The ability to predict security gaps, proactively assess the network, and ultimately secure the network. 
  • Proper contextual awareness including more than security logs (firewall, NetFlow, antivirus, etc.), and integration fabrics
  • Automation of everything that can and should be automated 
  • Extensible capabilities using no code, low code, or full code with potential leveraging of generative AI to automate even more tasks.

How does that stack up against legacy SOAR? Here’s IDC’s breakdown:

According to the IDC report, hyperautomation is proactive, where legacy SOAR is reactive; hyperautomation connects devices, clouds, containers, and processes, where legacy SOAR connects devices; hyperautomation delivers enterprise-grade extensibility, where legacy SOAR offers connectivity only as strong as the sum of its APIs; and hyperautomation matches the resources needed for outcomes, while legacy SOAR has to either be over- or under-provisioned.

And when it comes to hyperautomation, Torq is leading the charge.

“The Torq hyperautomation approach is more comprehensive than what is offered in contemporary cybersecurity tooling,” the report states, adding “ Torq provides an end-to-end visibility, prevention, and detection application that entails the entire digital estate of a business.”

Don’t just take our word for it. Read the full IDC report, “How Hyperautomation Is Used to Reduce Gaps and Inefficiencies in Network Cybersecurity,” and you’ll see how Torq Hyperautomation is beating legacy SOAR.

Share

Related Articles

Hyperautomation Insights Product

Gigaom: Hyperautomation vs. Legacy SOAR

By Torq
October 5, 2023
3 Minute Read
Gigaom: Hyperautomation vs. Legacy SOAR

It wasn’t long ago that we at Torq proclaimed “SOAR is dead!”

And it didn’t take long for the industry to catch on. Leading analyst firm GigaOm in its recent GigaOm Radar report named Torq a leader and an outperformer in the security automation market, namely for our hyperautomation capabilities that legacy SOAR just can’t touch. And our competitors have also started jumping on the hyperautomation bandwagon since we shifted our focus to this model.

While SOAR was innovative and effective nearly a decade ago, it has become stagnant and beleaguered by its inherent complexity, management overhead, and high costs. Security pros have neither the time, the resources, nor the money to throw at legacy SOAR.

Enter hyperautomation.

An ‘Outperformer’

Let’s hear it directly from the source. 

In the report, GigaOm praises Torq for our “extensive feature set” and “impressive portfolio of customers.” And beyond that, the firm gave Torq top marks across many of its key criteria, including case management and collaboration; automated alert prioritization; triage and curation; autonomous operations; and validation and red teaming. 

GigaOm gave Torq Socrates, our just-announced Tier-1 analysis AI Agent – the first in cybersecurity – a nod for its use of AI to hyperautomate key security operations activities, like alert triage, contextual data enrichment, and indecent investigation, escalation, and response.

“Torq offers autonomous operations features for both the workflow design process and the workflow run time of processing security events,” the GigaOm report states. “Design-time capabilities consist of assistive development of automated processes, such as summarization for successful collaboration, improvement, development co-pilots, and the like. Run-time capabilities consist of data enrichment and data-driven suggestions to assign specific teams or analysts based on their profile, ownership, and history, and to recommend investigative steps to help understand the issue and containment actions that can help stop the negative effect and allow remediation as part of a process to resolve the issues completely.”

Additionally, the firm dubbed Torq’s Case Management as “exceptional” in how it hyperautomates security signal detection, streamlines decision making, and automatically 

“For case management and collaboration, Torq offers a built-in case management system developed in-house and integrated with the solution’s event-driven architecture and security automation capabilities,” the report states. “Torq also offers out-of-the-box bi-directional integrations with leading case management systems such as ServiceNow, Jira, and Zendesk, as well as communication platforms like Slack, Microsoft Teams, and Cisco WebEx. Torq supports in-the-platform virtual war rooms as part of its case management, and its multi-workspace architecture and granular RBAC can involve multiple teams across organizational disciplines: security, IT, engineering, business lines, and human resources.”

It’s clear through GigaOm’s latest report that Torq Hyperautomation is helping organizations overcome the limitations and challenges of legacy SOAR and empowering security pros with solutions that take out the complexity while also freeing up their time and budget for meatier projects.

The GigaOm Radar report confirms that we’re on the right path in our unwavering commitment to hyperautomation and our quest to make it as easy as possible for enterprises to fortify themselves against cyber threats without sacrificing protection. 

Download the full GigaOm Radar report now and read how hyperautomation is shaking up the sluggish SOAR category. And try Torq Hyperautomation for yourself: https://torq.io/demo/

Share

Related Articles

See Torq in Action

Torq helps you harness AI in the SOC to detect, prioritize, and respond to threats faster.

Is your security team ready to automate more, faster?