IAM is a critical foundation of modern enterprise IT infrastructures and governance. It’s one of the ways security professionals deliver value to their entire company, customer, and partner ecosystem. It’s also what drives the effective management of organizational roles, assets, and the connections between them. 

The product team at Torq is focused on changing the IAM game and leveling up our customers’ capabilities.

5 ways Torq is Reinventing IAM: 

1.  Automating the approval cycle of user access to assets

When a new user joins an organization or an existing user moves to a different role, IAM systems must be adjusted to provide access to newly-required applications and assets and to remove access permissions from previously (but no longer) required ones. Automating the process of reaching out to resource owners and obtaining their permissions can turn the complicated process into a streamlined one with very little organizational investment.

2. Improving security posture with Just-in-Time (JIT) access

Automatically allow users to have just-in-time access to add software to their devices without the need for an IT professional to assign, using a chatbot or web UI.

3. Allow a user to self-service using chatbots for managing user/device compliance

Providing scalable interactive automations that can reach out to users on behalf of the organization, guiding them through achieving compliance, reminding them to complete the operations and providing them convenient ways of managing exceptions. For example users can use this for a password reset; unlock their account if accidentally locked out; or register a new 2 factor authentication device. 

4. Democratize handling suspicious behavior events

While many IAM (or dedicated IAM-security tools) can raise events that potentially indicate malicious activity, these mechanisms face challenges such as credentials, different devices in different locations, and authentication failures. Enterprise-grade security automation can help organizations “sift through the noise” by democratizing the investigation of the events. Automatically reach out to users via an external channel, like instant messaging, SMS, or voice, and asking them to confirm whether they have performed the operation or not. Very little overhead on the user can serve as a rapid filter for legitimate operations vs. malicious activity indicators.

5. Discover and reduce inactive access permissions

In any organizational IAM (especially in larger organizations) there is an inherent challenge with ensuring that access permissions do not become stale. Torq will periodically access logs to automatically disable contractor and/or employee accounts that have been inactive for a certain period of time. 

Using enterprise-grade hyperautomation makes IAM processes cost less and scalable, ensuring that an IAM policy has a strong posture at any given moment.

Not using Torq yet? Get in touch to see how Torq security automation accelerates security operations to deliver unparalleled protection.

I love automation.

Seriously, what could be more satisfying than tricking a machine into doing all the things you don’t want to do using only the power of your mind? Paying bills, brewing coffee, making appointments, ordering food… it’s like being Tom Sawyer without all the manipulation and questionable ethical choices.

OK, Google, Do My Math Homework

If I’m being completely honest, I owe my career to automation. While I have always been interested in technology, it wasn’t until I got my hands on my first programmable graphing calculator back in high school (the trusty TI-83 Plus) that I really understood just how powerful the concept of using computers to solve all your problems was.

Literally.

One of the very first programs I ever wrote (which, now that I think about it, was probably the first program I ever wrote outside the Wild West that was Geocities website development) was a little graphing calculator utility that solved quadratic equations for me… and, eventually, the rest of the class.

It has been twenty years since that story, and while my teacher classified my ingenuity as cheating and nearly flunked me out of Algebra II, I ultimately learned a valuable lesson: with enough understanding of a problem space, well-designed automation can save an extreme amount of time, stress, and (eventually) money.

A Cure for Burnout

For over a decade now, I have worked in about every type of company you can imagine – from three-person startups to publicly traded companies with staff in the thousands – and if there’s one thing I’ve learned, it’s that there is never enough time, people, or money to get everything done. The reality is that just because we’re stretched thin doesn’t mean we can’t continue to execute. Add in the “unprecedented” events of the last two and a half years, and it’s no surprise that people are finding themselves pushed past their breaking points.

If “doomscrolling” was the word of 2020, “burnout” should be the word of 2022.

But the wheel never stops turning. So, how do we keep the business moving forward while still creating a healthy and supportive atmosphere for the people that make it all happen? I’ll give you a hint: automation.

In the business world, “automation” tends to have a lot of meanings, but for our purposes, I am using the word to mean the automatic execution of previously manual processes. In case you missed it, the key phrase in that definition is “previously manual processes.”

What do I mean by “previously manual?”

In a nutshell, I mean a process or action that an employee is either already doing by hand or would be doing by hand if they only had the time. This is an important distinction because it’s easy to buy into a new tool that proposes to “automagically” solve all of your problems without first identifying where in your current process it will reduce time or stress.

Automation 101

Take, for example, quality assurance. Many organizations hire people to manually test changes to an application or service before it gets deployed, and while testing is critical to the software development lifecycle, many of these tests are repetitive and ultimately prone to human error. By employing automated “record and playback” style testing tools, tests become not only repeatable but also cumulative. Whereas before, a single tester might take days to test a new feature plus run standard regression tests, automation can enable them to run those same tests in a matter of hours.

In a similar vein, automation can go a long way toward reducing long deploy times, which in turn can reduce the stress of a deployment. Many organizations rely on long checklists filled with backups, rollovers, tagging, and dozens of other steps necessary for releasing a new version of an application into a production environment. These checklists, while valuable, make deployments slow – and recovery from those deployments even slower. Automating releases not only speeds the process up, it also helps prevent errors and ultimately reduces the recovery time in the event of an incident – all of which reduce employee stress.

It’s not just about engineers, though. Automation can help support an overworked workforce in any capacity. For example, it can be used to automatically onboard new employees or increase the company’s security posture. Even simple things like managing conference rooms or on-call rotations can reduce the amount of repetitive administrative work employees are often expected to do.

A Checklist Is an Automation in Training

One thing to note is that in almost every situation, an automation is preceded by a checklist of some sort that outlines the steps necessary to successfully execute a manual procedure. The beauty of a checklist is that it is an already-documented repeatable process, which means that automating it is more a matter of time than complexity. Anywhere a checklist or documented process exists in an organization is an opportunity to reduce stress and increase predictability.

There will always be more work to do than time and people to get that work done. But just because we’re busy doesn’t mean we have to burn out. Automation can help provide that much-needed work-life balance by taking care of the “boring” stuff, leaving us to focus on the things that make our jobs worth doing. All it takes is a little understanding and effort. And, in case you were wondering, I did eventually pass Algebra II. All I had to do was update my little calculator program to also output the steps to the solution alongside the answer.

Always show your work.

The Incident

Yesterday, CircleCI, a Continuous Integration/Continuous Delivery (CI/CD) service, notified the world it had been breached via a critical advisory from its CTO. As a major software delivery pipeline service, CircleCI users store myriad credentials for various services in CircleCI’s “Secrets Store” infrastructure. A clear recommendation from their advisory is to “Immediately rotate any and all secrets stored in CircleCI.”

“Rotating a secret” refers to disabling and resetting it in the original system, then deleting it from CircleCI, and then allocating a new one with the same permissions, and putting it in CircleCI again. The latter element is critical to ensure pipelines keep working. However, doing this at scale is challenging. 

Torq has a highly-effective and straightforward solution to the issue, and will provide any organization that isn’t currently a customer a free account, and architect advice, to automate rotating secrets ASAP, with no further commitment.

How Torq Can Help

1. Immediately Rotate Any and All Secrets Stored in CircleCI

Torq can assist in immediately rotating all secrets rapidly and efficiently by accessing the secrets stored in CircleCI in project environment variables or in contexts. With Torq, organizations that use CircleCI can immediately retrieve all existing secrets, classify them, identify their owners, and ensure tight and fast follow-up on rotating each of them.

Torq has built and tested a highly-effective workflow that connects to the organizational CircleCI environment, retrieves all relevant secrets, together with their creation/usage dates, and continues following up by:

• Finding the owners and notifying them via email, Slack, and/or Microsoft Teams
• Rotating all keys
• Creating reports and updating status via desired communication methods
  

2. Review Internal Logs for Unauthorized Access

CircleCI recommends customers review internal logs for their systems for any unauthorized access starting from December 21, 2022, through to January 4, 2023, or upon completion of their secrets rotation.

Torq can help break down the difficult task of identifying any unauthorized access into actionable and automated steps to save tremendous security analyst time, reduce mean time to response time (MTTR), and reduce any potential exposure due to unauthorized key usage.

Reviewing access logs is a procedure that is highly dependent on the type of infrastructure hosting the deliverables of CircleCI pipelines. Torq’s flexible out-of-the-box integrations can allow rapid building of automations that access logs on any infrastructure, such as (but not limited to):

• Amazon Web Services
• Google Cloud Platform
• Microsoft Azure
• Kubernetes clusters
• Github/Gitlab/Atlassian Bitbucket accounts
• “Artifactory” services
• Platform-as-a-Service solutions (such as Heroku)
• Infrastructure-as-Code services such as HashiCorp Terraform Cloud

As a concrete example, Torq automation can be used to ensure a full match between the artifacts repository and the software pipeline. Here is how an automation like that would work:

1. Torq can pull a list of container images from your Artifactory
2. For every image, Torq verifies via GitHub or another repository, the existence of a matching (time/content) commit, and flags all the gaps to orchestrate specific follow-up

Torq is Architected with a Zero Trust Approach

Torq, as a security automation and integration platform, can also carry a significant amount of credentials for various corporate systems. To mitigate risks like this incident, Torq has proactively deployed these critical architectural elements:

• Torq’s secrets store is implemented using a cloud-based Hardware Security Module (Cloud HSM), to reduce the risk of a mass breach
• Torq provides a full API allowing its users to rotate secrets as part of a regular routine, all included in the core product
• Torq integrates with all major customer-hosted secret stores, such as HashiCorp Vault, Britive, Akeyless, AWS KMS, Google Cloud Key Management, Azure Key Vault, and many more
• Torq enables using roles and workload identities to authenticate operations instead of using credentials where possible.

Begin Rotating Your CircleCI Keys Today 

CircleCI integration, as well as associated workflow templates, are available to Torq users, today. Find them in the workflow designer and template libraries, respectively. Users can also contact their customer service manager for a demo and walkthrough.

Not using Torq yet? Get in touch to handle this issue at no cost, and see how Torq security automation accelerates security operations to deliver unparalleled protection. 

CircleCI Demo Templates

If you’re already ready to go, we’ve prepared two workflow templates that utilize and demonstrate the power of Parallel Loop. Torq users can begin deploying them right away. 

• • Gather CircleCI Global Environment Variables with Creation Date
    This template lists Contexts in CircleCI and gathers all Global Environment Variables in each Context without having to use the UI to retrieve them. The output will contain all environment variables by context, including the creation date.
  • Gather CircleCI Environment Variables from GitHub Org Repos
    This template connects Github repositories and CircleCI for organizations that use both. It goes over all Github repositories and then checks for variables across both solutions. It is based on the process CircleCI support recommends.

Jason Chan is one of the world’s foremost cybersecurity authorities and we’re extremely proud to have him as a member of the Torq Advisory Board. He’s a pivotal figure in driving adoption of security automation best practices at many companies, including Netflix, where he led the information security organization.

In our third and final Chan video series, he discusses one of the most important challenges in cybersecurity: making cyberthreat identification, management, and remediation as simple as possible for professionals of all backgrounds and technical abilities.

Chan advocates for getting more people involved in cybersecurity and promoting the concept of interoperability across the security stack. He discusses how Torq reduces the barriers for entry into the world of security automation, and why as a result, it’s a force multiplier for practitioners to deliver the strongest security posture possible and move faster than ever to deliver maximum impact.

Watch the video below and learn more about Chan’s perspectives on Torq:

Take Action Today
Learn how to get started with security automation by reaching out to the professionals at Torq. You’ll learn more about the Torq platform and how we’ve helped myriad organizations achieve and exceed their security goals.

When you’re facing a cyberattack, waiting even just minutes to respond could be the difference between business as usual and a calamity. It may only take that long for threat actors to exfiltrate sensitive data or disrupt critical systems.

That’s one reason why automating remediation is an essential ingredient in an effective cybersecurity strategy. Although automated remediation can’t mitigate every threat, it gives organizations a leg up against the bad guys by helping them to react as quickly – not to mention as efficiently – as possible when threats arise.

What Is Automated Remediation?

In cybersecurity, automated remediation, or “auto-remediation”, is the use of tools to mitigate threats and risks automatically.

In other words, auto-remediation allows you to resolve cybersecurity problems with little to no action on the part of humans. Your tools automate the response for you.

Auto-Remediation Example

As an example of an auto-remediation workflow, consider a Security Orchestration, Automation and Response (SOAR) tool that detects malware on an endpoint within a business’s network. If auto-remediation tooling is in place, the SOAR can isolate the endpoint automatically from the rest of the network in order to prevent the malware from spreading. These rules can remain in force until the endpoint is cleared of malware.

How Does Auto-Remediation Work?

To set up auto-remediation, you have to deploy three basic types of resources:

• Conditions or rules that trigger an remediation workflow.
• The steps that should be performed when the remediation begins.
• Tools that can interpret the rules and perform the remediation steps.

You may also want to configure alerts to your Security Operations Center (SOC) so that the team is kept in the loop during automated remediation, even if there is no action required on the part of your security analysts or IT team.

Many modern SOAR platforms provide automated remediation functionality or integrate with external tools to support them.

Full vs. Partial Auto-Remediation

As noted above, automatic remediations may or may not require participation by humans.

If you configure a fully automated remediation, your cybersecurity tools can mitigate threats or risks entirely on their own. Full auto-remediations are typically used to resolve relatively simple security issues, such as blocking potentially malicious endpoints from the network.

In the case of partial auto-remediation, your security tools perform some of the steps required to mitigate a risk, but there still needs to be a “human in the loop” in order to complete the workflow. This approach to auto-remediation makes the most sense for resolving more complex threats or risks. As an example, you might configure partial auto-remediation to respond to malware that your tools detect on a mission-critical server. You could automatically isolate the server so that the malware doesn’t spread, but wait on a human to perform the malware removal. Since it’s hard to predict ahead of time exactly how malware needs to be removed, it’s best to leave this work to a human.

The Benefits of Auto-Remediation

Automated remediation provides three key benefits: speed, efficiency, and a reduction in toil.

Speed

By eliminating the need to wait for a human to respond to a cybersecurity issue before mitigation begins, auto-remediation ensures that threats and risks are blocked as quickly as possible.

That’s important because in some cases there is a short time separating an initial breach of your environment from significant harm to your business. For instance, ransomware that attackers plant on your servers will usually begin encrypting data immediately. But if you can automatically remediate the ransomware as quickly as it is discovered (or, at a minimum, isolate infected endpoints so that it doesn’t spread), you may be able to prevent a serious ransomware incident. On the other hand, if you have to wait a few hours for a human engineer to notice and respond to the issue, critical data might already be encrypted and held for ransom.

Efficiency

A second key benefit of auto-remediation is that it helps teams operate more efficiently. By automating work that humans would otherwise need to perform, auto-remediation helps SOCs do more with fewer staff resources.

Given that the frequency and complexity of cyberattacks are steadily increasing, the ability to gain efficiency through auto-remediation is a critical advantage for businesses going forward.

Reducing Toil

Last but not least, auto-remediation helps minimize toil for security teams. The more you can automate mitigation workflows, the less time your team has to spend on tedious, time-consuming, unrewarding tasks.

In this respect, auto-remediation helps increase team morale and satisfaction while simultaneously strengthening your security strategy.

Conclusion

You can’t automatically remediate every type of threat. But you can partially or fully mitigate many cybersecurity issues using automation tools. In doing so, you save critical time, increase efficiency and make your team happier due to a reduction in toil. It’s a win-win-win – unless you’re one of the bad guys who doesn’t want organizations to react quickly and effectively to cyberattacks, of course.