Beyond the Hype: How Torq’s AI-Driven Innovations Are Transforming Security Automation

Making a real difference for our users with Generative AI

It has been over a year and a half since the latest generative AI revolution descended upon the world. All IT markets have seen a wave of both new AI products, as well as AI-driven capabilities in existing products being introduced with a breakneck pace. While most of them clearly perform things that, until recently, could have been described as “pure magic” even by the most cynical audiences, many questions can be raised regarding these capabilities being truly directed at transforming the customer experiences and outcomes vs. just being “mega cool.”

What’s wrong with “tech first”

Let’s take one step back. Allow me to introduce myself: I am a proud serial entrepreneur, having successfully established and grown two companies (one of which was acquired by a major player in the enterprise cybersecurity market). 

When learning “entrepreneurship 101” – not a formal discipline, of course, but rather a collective experience of a community of entrepreneurs – I was told that establishing a cool (or even a unique) technical capability and then searching for a problem to apply it to is not a great idea. In the entrepreneurial world this is referred to as the “tech first” approach to establishing a product or a company, and it has been proven inferior to a “problem first” approach, where one identifies a problem and then considers various alternatives on how to solve it. 

The collective experience of the past 2-3 decades has clearly shown that “problem first” products and companies have greater chances of generating long-lasting outcomes for their customers, and, therefore, have greater chances of establishing significant growing businesses. Tech first, on the other hand, might find a lot of support among the “romantics” of the technology, who enjoy technical capabilities because of what they can deliver, but might find it difficult to drive significant impactful outcomes.

Should we wait for a problem to present itself?

Does the above mean that every time a new technological barrier is being broken (just like it happened with the recent advancements in generative AI) we need to wait for the problems to present themselves and only then try to apply the new technology? 

Of course not. The problems exist everywhere in the world and in different markets today. It is only a matter of picking the right (worthy of solving) problem and researching whether it can be solved to a better extent with the new technology (in comparison to existing solutions).

When deciding on a problem to pick, therefore, it is important to understand the components of it, and not just the general “headline,” such as:

  • Who are the target audiences, i.e., the people or organizations having the problem? What are the unique characteristics of those who have it vs. those who don’t?
  • How severe is the problem? How critical will solving the problem be for the target audience?
  • What do these audiences do today? Do they have alternative solutions? How will our solution be better?

Finally, specifically when applying generative AI to certain problems, one of the most important questions to ask is: what would be the role of AI in the solution? Answering this question correctly is critical not only for creating the capability, but also for its future defensibility vs. the competition.

The role of AI in the solution

So what role does an AI play in the overall solution? Is there a real value in the integration of generative AI into the product environment, or is it just a “thin layer of glue” connecting mostly “off the shelf” Large Language Model (LLM) to the existing product “just for the cool effect?”

In my humble opinion, there is a huge difference between just bringing “some” AI capabilities into the UI of an existing product by integrating with one of the available off-the-shelf generative AI services and truly extending the unique technology in one’s product with AI

Does the AI-driven capability rely on some rich, unique, or powerful technology that exists in the product, or does it simply come “on its own” without deep ties to the underlying tech? Does the capability perform additional functions on top of or integrated with “sending information to an AI and receiving the response” or is it mainly about interfacing with AI? 

The answers to the above questions distinguish between an impactful and defensible technology and a cool thin layer of “AI”.

Case in Point: AI-driven automation workflow generation

During the past year Torq has released 5 different AI-powered capabilities inside the product: 

  • Automatic generation of advanced data transformation and cloud platform management actions (in Torq workflows)
  • Automatic generation of a documentation for complex automated processes to improve team collaboration
  • Generation of workflow structure and data flow based on natural language description of the use-case
  • Natural-language agent for security Case Management (a.k.a. Torq Socrates)
  • Automatic summary for complex security cases to improve SOC analysts collaboration

As always, each of these has undergone a deep ideation process, involving not only our product leaders, but also our close partners, in order to ensure delivering important outcomes to our users

The basic capability allows the person wishing to build an automated workflow expressing their needs with a native language prompt. For example:  “For every threat coming from my EDR, enrich its data with my Threat Intelligence systems and if the risk score is greater than X, take actions A,B,C to contain the threat”. After receiving the goals in such form, the system would automatically generate a Torq workflow based on the provided specifications that is close to being deployed to production after a quick review cycle.

While the above is a correct answer to the question “what is it doing?” it cannot drive the development of the capability without the consideration of challenges and problems experienced by a certain audience. In our case, we decided to double-down on accessibility of security automation for audiences of different technical abilities. Furthermore, we studied the ramp-up process of thousands of users developing security automation with Torq today, identifying existing gaps and focusing on rectifying the situation. Specifically, we realized that, as Torq becomes more sophisticated and feature-rich as a platform for developing automations, the task of finding the right and the most efficient way to implement a certain process becomes more challenging.

  • The above has led us to a more focused definition of what we were looking for: a way to allow more people who are ramping up their security automation skills translate their ideas faster to fully-working and efficient automation workflows. Taking this challenge and breaking it down into components has clarified the main challenges that we needed to address.

Armed with the breakdown of required capabilities, we studied components that we already had in our product that should be leveraged to deliver the solution and identified gaps where AI could bring some critical game-changing value.

Thankfully, we had previously made a significant technological investment in the following:

  • Thousands of predefined “smart” actions that can be reused in different security processes
  • Carefully curated metadata explaining each such action in natural language, alongside possible usage variations and output examples
  • Reusable process templates that combine above mentioned actions into consistent processes driving to specific security outcomes
  • Unique extensibility architecture allowing flexible data retrieval and manipulation mechanisms, among other things

Building on top of the above technologies and leveraging generative AI for smart semantic analysis of natural language tasks, as well as for creating logical connections between consequent steps of automated processes has allowed us to deliver a uniquely powerful and flexible capability that stands out in terms of the value it provides. While the large language models we used for the task are trained on a generic set of data and can serve other solutions and not only Torq, the unique connective tissue are the data points and technologies mentioned above. These are the ones that ensure that the capabilities we deliver support the outstanding differentiation that Torq platform provides to its customers.

Summary

Having defined “product excellence” as a core value of our company, we are constantly on the lookout for innovation that can increase the outcomes we are delivering to our customers. Leveraging generative AI as a “tool” in our arsenal has allowed us to deliver multiple important innovations (and, BTW, if you are reading this blog, then stay tuned for more exciting things to come), but it is critical to view it as an important capability and continue building things targeted at solving user needs, rather than “trying to glue to AI into the product.”

P.S. This blog has been written entirely by human beings. No AI involved. Why? Not sure, but it felt like it would turn out more genuine this way.

Streamlining Security with Notion, Torq, and Slack

Security teams using legacy SOAR platforms often face struggles with scattered information, limited collaboration tools, and inflexible response playbooks. Managing knowledge, automating tasks, and communication can be complex and resource consuming. Let’s see how integrating Torq, Notion, and Slack address these challenges to improve and streamline security processes. 

Torq supports seamless integration with any third-party tool, empowering organizations to build and deploy complex workflows in minutes. Notion’s focus on flexibility and customization, with key productivity capabilities helps to unify efficiency across organizations. 

In this blog, we’ll discuss several key use cases that demonstrate how the combined strengths of Notion, Torq, and Slack, create a more streamlined and efficient security framework. 

Threat Intelligence Sharing Made Easy

Notion serves as the central repository, organizing threat intelligence from a wide variety of sources to storing threat reports, vulnerability information, and attack indicators (IOCs). Torq automatically aggregates data from a multitude of sources, populating Notion databases with relevant information, ensuring that teams have access to current threat data without manual intervention or searching in multiple resources. 

Now that the data and the relevant threat intel are updated in Notion via the Torq automation, it’s time to incorporate real-time communication and alerts via Slack. Creating a dedicated channel specifically for sharing critical threat intelligence updates related to your organization allows for immediate collaboration: team members can discuss findings, track emerging threats, coordinate responses efficiently, or launch additional predefined automation to investigate or escalate. Leveraging this use case in your security workflow delivers a multitude of advantages, such as receiving automated updates from Torq into the Notion hub and real-time notifications in Slack ensure everyone has immediate access to the latest threat intelligence.

Automate Security Awareness Training 

Effective security awareness training is the bedrock of any organization’s cybersecurity posture. However, traditional training methods often fail to engage employees, leaving them unprepared to combat modern cyber threats. This is where the powerful trio of Notion, Torq, and Slack comes in, revitalizing stale training programs for today’s fast-paced environment. Notion acts as a single, accessible repository to house engaging security awareness content. This includes a variety of assets such as articles, videos, and interactive quizzes, keeping learning dynamic and interesting.

Gone are the days of manual reminders and missed deadlines. Torq automates tasks such as training reminders, progress updates, and due dates for both employees and managers. This ensures everyone stays on track to complete training requirements in a timely manner, meeting compliance needs.  A dedicated security awareness training channel in Slack fosters a dynamic and quick learning environment. Employees can ask questions during training, share best practices and key takeaways, and navigate real-time use cases collaboratively.  By integrating Notion, Torq, and Slack, organizations can create a modern security awareness program that keeps employees informed, engaged, and prepared to combat ever-evolving cyber threats. This, in turn, leads to a more secure and resilient organization.

Security Policy Management

Keeping security policies accessible and up to date can be a constant struggle for fast-moving teams. Notion eliminates this hassle and helps organizations by providing a centralized location to maintain and revise your policies. This ensures that the latest information pertaining to critical security policies is updated, and also helps to encourage employees to be more self service oriented when reviewing compliance information. Please note, that while automation streamlines access, individual user permissions within the tools may affect immediate visibility.

Torq, your reliable task automation companion, takes care of the heavy lifting when it comes to security policy management. Torq automatically sends out policy updates and reminders to employees, ensuring entire organizations stay both informed and compliant. It is important to note that effective security practices go beyond the standard policy documents. This is where Slack delivers additional value, bridging the gap by facilitating open discussions and Q&A sessions around new or updated policies in relevant channels (in real time)! 

By harnessing the combined power of Notion, Torq, and Slack, teams improve current workflows to create a streamlined and efficient security framework. This empowers your team to stay informed and proactive, while simultaneously curating a collaborative and communicative environment – two fundamentals pillars of a proactive and robust cybersecurity culture.

See the power of Torq’s integrations – get a demo.

Torq Talks to Abnormal CISO, Mike Britton

The following was adapted from a conversation between Torq and Mike Britton, CISO at Abnormal Security. Abnormal Security is a cloud email security provider, and an esteemed customer of Torq. Read on to learn how hyperautomation has helped the Abnormal Security SecOps team scale and grow:

Introduction to Mike and Abnormal Security
I’m Mike Britton. I’m the Chief Information Security Officer for Abnormal Security. What I do is I run our security, our IT, and our privacy program here at Abnormal. Prior to Abnormal, I was an early customer of Abnormal’s when I was the CISO for a company called Alliance Data. I have 27 years of security experience. Abnormal is a very fast growing cloud email security company. We plug in through the APIs for Google and Microsoft and protect our customers from advanced phishing and BEC type email attacks.

Life for the Abnormal SecOps Team Before Implementing Torq 
In my nearly three years here, we’ve done a tremendous amount of growing. I was employee number one from a security perspective. So it was important to hire the right people, but also be able to put tools in place that allowed me to scale and grow. We’ve probably grown 6X from an employee perspective and probably about that much from an infrastructure and product perspective as well. I don’t have the luxury of hiring an army of people – so leveraging solutions like Torq enabled me to grow and scale the business and keep up with where we’re going as a company. 

I don’t have the luxury of hiring an army of people – so leveraging solutions like Torq enabled me to grow and scale the business and keep up with where we’re going as a company. 

Mike Britton, Chief Information Security Officer for Abnormal Security

Comparing Hyperautomation to Legacy SOAR
A lot of SOAR is really more tightly tied into maybe your endpoint detection or maybe your SIEM. Whereas [with] Torq, the sky’s the limit as far as what I want to automate and how I want to really make more efficiency and productivity in other tasks that my team does.

Hyperautomating Endpoint Security Audits
We have a lot of different endpoint solutions. We have a lot of different tools and things like that. And we’ve decided not necessarily go down into the full CMDB aspect of trying to use a tool to keep track of what agents are working. So we leveraged Torq to really go through our primary tool set, make sure everything has the necessary agents and security tools on it. And anytime there’s a missing tool or tools not performing correctly, Torq cuts a ticket back to my team so we can get on it quickly and figure out why. 

How Torq Hyperautomation Enables Just-in-Time Access
The other big use case is we have a couple of applications that we want to enable just-in-time access on instead of letting users keep access 24/7. We’ve been able to plug that into Slack where an employee or user needs to get access to something. They can type a quick Slack message. It kicks back a ticket form. They fill it out. They ask for how long they need the access for and Torq does all the work behind the scenes to grant access, to revoke access and close out the ticket. 

The Benefits and ROI of Hyperautomation
It’s freed up some of my IT team members from having to do manual tasks, like add people to groups and provision access. And then not necessarily productivity, but risk reduction. It’s allowed me to basically keep access to just that time period that someone needs it instead of the exposure of someone keeping access permanently. Now they have to request it. I get good tracking on why they’re requesting it for that purpose. And then it goes away as soon as that time period is over.

Why Other CISOs Should Consider Hyperautomating Their SecOps Teams 
We’re all in this situation where we always are pushed from our boards and our leadership to do more with less. One of the things I really like about the Torq team is they love to create new integrations. So if you come up with a SaaS or a tool or something that you want to get integrated into Torq, they’re phenomenal with turning that around quickly. Torq does a great job of helping you calculate that ROI as well. So not only can they help you automate it, but they can help you show that cost savings as well.

Want to see more? Get a demo.

Step Builder: One Giant Leap for No-Code Capabilities

No-code support should be just that – the ability to build automations without coding.

At Torq, we continually work to extend the out-of-the-box no-code automation features available in our platform. That’s just what we’re doing with Step Builder, a new no-code feature that is now in GA.

Step Builder gives Torq users the ability to quickly and easily create custom content without the need to code, making your options for integration limitless. We already offer several thousand pre-built steps from more than 250 vendors, and Step Builder infinitely expands your options with a way to create a new, custom step with no code required. When we say “limitless integrations” we mean it – you can use automation for whatever you want.

And Step Builder features a dynamic preview of the step you’re creating – so you can see how it will look as you build it. You can also do a test run directly from Step Builder without having to return to the workflow.

Step Builder introduces new simplicity and efficiency to Torq’s already expansive no-code user experience, going well beyond what’s offered through legacy SOAR. There’s no need to code at all to extend the system and you can virtually create new steps or modify existing ones.

It’s also functionality not offered by other no-code automation solutions. With Step Builder, you can create high-level no-code steps that you can use without the need to understand the underlying REST APIs or care about technicalities, while other no-code systems allow for the creation of custom REST API/Webhook call steps, but you still have to take care of the additional details.

Step Builder is available to use now in the Torq Hyperautomation Platform.

AI Completions for Advanced Steps

Along with Step Builder, we’ve also released a new feature that gives automators of all skill levels the ability to bring scripting, querying, and coding capabilities into a no-code workflow by using Generative AI completion.

AI Completions for Advanced Steps is now available in the Workflow Designer. It simplifies and streamlines extensibility and the creation of advanced scenarios in Torq workflows. Specifically for cloud administrators using Torq in AWS, Azure, Google Cloud, and other platforms, this brings in a familiar language of capabilities available in the often very advanced CLI interfaces these platforms offer.

It’s simple to use: when you’re in the Workflow Designer, you can use the step name (description) as an input for Generative AI to generate that step’s advanced configuration and complete the step, whether that’s command arguments, scripts, queries, etc. Now in GA, the feature supports Python, Bash, PowerShell, JQ, RegEx, AWS CLI, Azure CLI, and GCP CLI.

This eliminates the need to bounce between tools and windows to build scripts – you can do it all from within Torq.

AI Completions for Advanced Steps is a win-win – giving less technical users in-context automation options, while giving more technical users who know what they want to achieve a more streamlined experience.

To see how Torq can improve your efficiency and productivity, request a demo.

Torq + Abnormal: Key Use Cases for More Secure Email

At Torq, we like to say “if it talks, we can connect to it.” Our limitless integrations are what set us apart from the pack. 

Our hyperautomation platform connects to any system seamlessly, no matter its complexity. It’s our open architecture that empowers this dramatic unification of your tech stack, and lets you maximize your security investment while enhancing efficiency and effectiveness of your security operations.

One of our key tech partners is Abnormal Security, the leader in email security. With Torq and Abnormal, you can orchestrate and automate response to email security events, analyze emails and their attachments, and automatically perform remediation actions. 

Here’s a look at two use cases in which Torq and Abnormal combine powers:

Account Takeover

This use case is simple, but effective, and is designed to help you protect your organization in the event of an account takeover.

When Abnormal Security detects a compromised email account, Torq sends an alert to the chosen collaboration platform – Slack or Teams – to notify response teams and the user that their account is suspended. In some instances, Torq can also request clarification from the user regarding the alert. From there, the account can be suspended or locked in Okta or in Microsoft Entra ID.

This use case also gives the option to communicate with the user first to give them a heads up of the compromise and that their account will be locked or suspended. There is an option in the workflow to kill all of the users authorized sessions to the organization’s resources, as well.

This use case is designed specifically to ensure that a compromised account can’t cause more damage. 

Without Torq, the time from detection to remediation would be longer, giving the bad actor more time to impersonate a valid authorized user. With Torq, the response is immediate. 

Post-Breach Remediation

This use case solves an all too common problem: an email is classified as malicious after a user has already interacted with it. 

It works like this: Torq fetches all of the pertinent details, such as the user affected, the device, and the geography. 

If there was a malicious file in the email that was opened or downloaded, Torq triggers a scan in the EDR, determines if other users received or interacted with the email, and isolate and delete that file. From there, you can add the file hash to your EDR block list or, if it’s a link, you can search for communication to the bad actor and if it happened in other places in the organization. activities from the organization.

Those are just two ways Torq and Abnormal work together to automate and improve email security. If you’d like to see this integration in action, schedule a demo.

How To Automate Recorded Future With Torq

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.  

In our latest blog series, Hyperautomation Cheat Codes, we look at some of Torq’s key partners and highlight some of the automations that we pair up on. In fact, we make it so easy it’s like you have a cheat code (and it usually takes fewer steps than Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start).

In this post, we’ll talk about how to automate Recorded Future using the enterprise-grade Torq Hyperautomation platform to level up how your organization collects, processes, analyzes, and disseminates threat intelligence.

Here are the top four Torq and Recorded Future automations:

Analyze URLs and Files in Recorded Future Sandbox

In three simple steps, this workflow submits URLs to Recorded Future Sandbox for analysis.

  1. URLs in the urls_list are submitted as URLs and are analyzed as a website.
  2. URLs in the files_url_list are downloaded and analyzed as a file in the sandbox.
  3. Both lists are verified to have valid URLs here submitted to analysis, other values are removed

Boom! It’s that simple to use Torq and Recorded Future to analyze URLs and files in the sandbox. 

Enrich Hashes, CVEs and IP Addresses with Recorded Future

The focus of this automation is for users to receive a message with one or more CVEs, SHA256 hashes, or suspicious IP addresses from Slack and enrich the data with Recorded Future.

The first step is receiving a Slack message that extracts all indicators of compromise (IoCs). Then, it confirms the extracted IoCs with the requesting user. If provided in the event, the CVE detail is enriched and the Slack thread is replied to. The same is done for hash details and IP details if they’re provided in the event. 

The results are then sent to the Slack thread where the request originated.

Monitor an Outlook Mailbox for Phishing With Recorded Future

Thwart phishing attempts by cutting them off at the pass!

With this workflow you can automatically scan the messages arriving to a specific folder in Outlook with Recorded Future and Recorded Future Sandbox to look for malicious or suspicious URLs and files. The workflow looks for messages in the folder labeled “Not-Scanned” and uses Microsoft 365 Delegated access for easy setup on a mailbox.

The message headers will also be extracted and the public IP addresses that are not outlook.com domains will be looked up for a verdict in Recorded Future. 

After that, the workflow will also attempt to look for additional attachments at the top level of the message that are included and scan them – nested file attachments will not be scanned.

When results are found in either Recorded Future or Recorded Future Sandbox, the label on the email will be updated to indicate either Torq Investigated, Suspicious, Malicious, and/or Phishing (this workflow automatically creates the necessary labels in the mailbox if they do not exist). Then an email is sent back to the originator of the message with the findings.

TIP: Setup an Outlook rule that moves messages into the scan folder and sets the Not-Scanned category on the message.

Detect Impossible Travels In Okta Logins

This workflow analyzes users’ successful logins from different locations within a three-hour timeframe. If the end user does not accept ownership of a login, account hijacking is suspected and can be remediated by resetting that user’s password. When the password is reset, the user will receive a link by email to create a new password.

This workflow triggers only on successful logins and maintains the user’s login history using global variables. It obtains the geolocation of the source IP and compares it with the geolocation of the last login to find the distance between the two locations.

It can use VirusTotal and Recorded Future to enrich the source IP reputation. 

Those are just three of the myriad integrations Torq offers with Recorded Future to improve how your organization collects, processes, analyzes, and disseminates threat intelligence. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.

Ready to see Torq in action? Click here to get a demo.

How To Automate Incident Response with SentinelOne and Torq

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.

In this post, we’ll talk about how the enterprise-grade Torq Hyperautomation platform integrates with SentinelOne to level up your organization’s SOC workflows with autonomous incident response

Here are the top three Torq and SentinelOne automations:

Enrich SentinelOne Incidents With Threat Intelligence From Intezer

Essentially, this workflow allows you to poll incidents in SentinelOne, and for each unresolved threat, it provides threat enrichment from Intezer with an optional Live Agent Endpoint Scan.

First, it will poll for recent threats in SentinelOne that are not resolved on a scheduled interval – for example one day. Each unresolved incident file hash will be queried against Intezer and the results will be provided in the notes of the threat.

A SentinelOne deep visibility query will also run to gather how many other instances of this hash have been found in the environment.

If the results from Intezer indicate a malicious or suspicious result, the customer’s Slack channel will be asked if an Intezer Live Scan is desired. If the answer is yes, the workflow will execute a remote script to install the Live Scan agent, run the scan, and gather the results of the scan, placing the results into the Slack channel and SentinelOne notes on the threat.

Threat Hunt for a Specified SHA1 Signature (SentinelOne) and Search Within SentinelOne XDR Solution for the Malicious File(s)

Using this workflow, you can receive a file signature from Slack and hunt for the signature across EDR agents, notify the owners of the endpoint, and kick off a scan of the device. 

Here’s how it works:

  • Receive a Slack command with platform and SHA1 hash
  • Add the hash to the blacklist for the platform if it does not exist
  • Initiate a Deep Visibility query to threat hunt for the signature
  • Go over the affected agents/hosts
  • Retrieve the information from either Jamf or Intune
  • If the owner is found in Slack, reach out to them directly, otherwise update the Slack channel
  • Scan the endpoint/host with a full disk scan

From there, you can search in SentinelOne’s XDR solution for the malicious files. 

Enrich SentinelOne Findings With Threat Intelligence

This workflow retrieves the latest threats from SentinelOne on a schedule (say, every five minutes). And for each threat found, it retrieves the signatures of the files involved. 

Then, for each file, it queries VirusTotal and Recorded Future for analysis then updates the notes on the threat in SentinelOne with the results.

You can also run a deep visibility query on SentinelOne for other results for the same file hash and add the deep visibility count to the notes for the threat in SentinelOne.

Those are just three of the myriad integrations Torq offers with SentinelOne for autonomous incident response. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.

Ready to see Torq in action? Click here to get a demo.

How to Automate Cloud Security with Torq and Wiz

The Top 3 Wiz and Torq Automations

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.  

Integrating Torq and Wiz enables security teams to automate the remediation of cloud security issues, freeing up analysts’ time and giving them the ability to tend to the laundry list of low and medium issues that often go untouched. These low and medium issues still pose a threat, so creating an automation for them can help avoid a security incident. With Torq and Wiz, SecOps teams can create fully automated or human-in-the-loop remediation workflows for things like expired secrets, or unused privileged access keys. These automations are more powerful options than those available with legacy SOAR platforms.

In this post, we’ll talk about how the enterprise-grade Torq Hyperautomation platform integrates with Wiz to level up your organization’s cloud security. 

Here are the top three Torq and Wiz automations:

Handle Wiz Alerts For Public AWS S3 Bucket With Sensitive Data

Looking for a simpler way to deal with Wiz alerts for when public AWS S3 buckets contain sensitive data? You’re in luck.

This workflow receives an alert from Wiz when an AWS S3 bucket is found to be exposed to the public with sensitive personal data contained in it and it triggers on Wiz ID wc-id-1264.

When the trigger is received, the workflow will pull the bucket’s public access settings and tags and look for an owner tag. If an owner tag is not found, it will set notifications to a specific Slack channel.

From there, it checks the public settings on the S3 bucket to see if the issue was resolved before the alert from Wiz was triggered, and, if it is still publicly accessible, it will ask to limit access to the bucket. 

Once the user agrees, the bucket settings are updated and the Wiz alert is moved to in progress. If the user does not agree, or the question times out, a Jira issue is opened to track the issue and the issue ID will be added to the Wiz alert.

It’s important to note that this workflow will set the public block settings on the S3 bucket to “true” and block all public access. It is possible that your application will need a more granular update to the JSON policy to block the existing access; the existing policy will be provided in the Slack message

Enable AWS S3 Bucket Encryption On Alert From Wiz

This workflow is a simple and effective way to ensure that encryption is turned on for an AWS S3 bucket. 

First, the workflow receives an alert from Wiz and is triggered by an event with the control name “S3 bucket default encryption disabled.” If the owner tag is found, the owner will be contacted or notified in the Slack channel about the issue. 

This workflow then checks the encryption status on the bucket to see if encryption is still disabled and suggests remediation by enabling default AES256 encryption on the bucket. 

If the user or Slack channel rejects the notification, the workflow collects a reason and opens a follow up ticket and updates the notes on the Wiz issue. 

Remediate AWS EC2 Instance With Open SSH Access From Wiz Alert

This workflow receives an alert from Wiz and is triggered by an event with control name “Instances with open SSH to the world in AWS.”

If an owner tag is found, the user will be looked up in Slack, otherwise the Slack channel is updated. The user or channel is then asked to remediate the instance by shutting it down or removing the open SSH rule in the Security Group and by adding a specific network rule allowing SSH from a corporate owned network.

The user or channel will also have the option to open a Jira issue instead of doing the remediation. A Jira issue is opened for any issue with the process, and will be added to the issue notes in Wiz.

Those are just three of the myriad templates Torq offers with Wiz to improve cloud security. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.

Ready to see Torq in action? Click here to get a demo.

Evade the SecOps Black Hole: A Five-Tier Approach to a Hyperautomated SOC

There’s a term to describe what happens to something that gets sucked into a black hole: “spaghettification.” The gravitational pull of a black hole is so forceful, that it is believed to stretch and compress objects into long thin shapes resembling spaghetti.

SOC analysts spend their days trying to avoid being sucked into the black hole of overwhelming security events and alerts. They’re fighting to not be spaghettified.

Day in, day out, SecOps analysts face a staggering deluge of alerts. A recent Vectra AI study found that on average, SOC teams receive 4,448 alerts per day, and spend nearly three hours a day manually triaging them. Startlingly, that same study found that security analysts are unable to deal with 67% of the daily alerts they receive, with 83% reporting that alert alerts are usually false positives and not worth their time.

This overabundance of low-fidelity alerts and false positives clouds the judgment of security teams, and leads to alert fatigue. It’s also dangerous, in that it can distract from more impactful and important security operations, such as proactive threat hunting, strategy optimization, and addressing major vulnerabilities. According to IDC, 30% of alerts are ignored or not investigated due to alert fatigue. 

Meanwhile, according to IDC, 83 percent of cybersecurity employees say they’re struggling to cope with the volume of alerts, while 30% of alerts are ignored or not investigated due to alert fatigue. 

But all hope is not lost. Torq Hyperautomation provides the rocket fuel to help SOC analysts achieve escape velocity and evade the security events black hole. Through a hyperautomated SOC, a security operations center powered by hyperautomation through which the vast majority – 90% to 95% – of tickets, alerts, events, and incidents are handled and closed by hyperautomation, SOC analysts can eliminate alert fatigue and escape the black hole. 

A hyperautomated SOC helps eliminate alert fatigue through a five-tiered approach.

1. Collect the Noise: Millions of Events; One Hyperautomation Platform

First, Torq’s Hyperautomation platform effortlessly ingests event data with limitless horizontal scalability through a variety of mechanisms, such as message queues (AWS SQS, GCP Pubsub, Azure EventGrid,Kafka), direct webhooks, TCP transmission, email, and API polling, just to name a few. This is where we start collecting events. It’s where we embrace the chaos to bring order.

2. Start Filtering: Reduce the Noise 10x

Here, triggered workflow automations apply a 10x reduction filter. This slashes the volume of events from a million to hundreds of thousands. Torq’s technology sifts through the events to identify the data that matters most, zapping out false positives and low-fidelity alerts. Our horizontally scalable events pipeline performs numerous checks, ranging from string and numeric comparisons to more advanced regular expressions. Only the most relevant pieces pass through this stage. No more irrelevant and superfluous logs, events, or alerts get through.

3. Gain Context: Enrich Events With AI

This is where things get really exciting. We use stateful event filtering to reduce noise by 100x. Through intelligent event handling with large language learning models (LLMs), we enrich the

context for each security event. 

Your events volume is down to mere thousands now – as opposed to the millions you battled with before – and these are the events you should genuinely care about. 

From there, Torq Hyperautomation adds another layer of AI-driven stateful filtering, further enriched with context like threat intelligence, business context, or even historical events. Every event is vetted from multiple angles using LLMs and third-party security tools. Torq hyperautomates 95% of Tier-1 analysis with generative AI, which ultimately empowers you to make faster, better informed decisions.

4. Intelligent Security Case Orchestration: Automatically Triage, Classify, and Remediate 100s of Tier-1 and Tier-2 Cases

At this point, the funnel narrows to just 100s of security cases requiring further action, but they still don’t necessarily require human involvement. Torq Hyperautomation does the heavy lifting by intelligently delegating issues to R&D, DevOps, or related business owners.

If an event makes it this far, it requires serious attention. We’ve already performed significant

noise reduction and filtered out irrelevant events and alerts. It’s time to prioritize what’s critical. 

Through Torq’s sophisticated orchestration capabilities, some of these cases may still be handled entirely without analyst involvement. 

Third-party integrations like SecOps, DevOps, or application owners have handled vulnerabilities and other findings, and non-compliant assets have been flagged and are now considered exceptions. That, coupled with case management through external communication and ticketing, means you can automatically close about 90% of Tier-1 tickets.

5. Security Analyst Expertise: High-Priority Cases Require Human Intervention

A hyperautomated SOC does not eliminate the need for human intervention. It does, however, ensure that humans are the last, and most critical, line of defense for the most severe and high-priority cases. At this part in the process, you’re left with only critical security cases that have undergone rigorous scrutiny and automated handling. Now humans must intervene. By now, the remaining cases are enriched with valuable data, minimizing the time and effort needed to take appropriate action. Analysts can tap into a library of pre-configured sub-processes, making their operations significantly more efficient.

By the time an event has passed through Torq’s Hyperautomation platform, it has undergone an intense, multi-tiered evaluation and action process, each phase of which is designed to optimize accuracy and efficiency, and, of course, improve your security posture to defend against threats.

Following this five-tier approach can help SOC analysts prevent being sucked into the security event black hole (and avoid spaghettification). 

To read more about achieving escape velocity, read our guide “Escape the SecOps Black Hole.” And if you’re ready to hyperautomate your SOC with Torq, request a demo.

Automating Extension Risk Assessment and Permissions

Browser extensions are a classic shadow IT concern. Assessing the reputation and security of a browser extension is crucial before installing it on a company computer, as extensions often have wide-ranging permissions that could be abused for data theft or other malicious activities.

In an open environment style company, extensions generate significant shadow IT risk that needs to be managed and addressed.

Let’s shed some light on the security challenges extensions present, and how you can use Torq to automate assessing the risk an extension may pose.

I decided to get into the crabs of a certain extension that helps to capture screen full pages. When browsing the extension’s official page, I went to its privacy page, and there I noticed a header saying: 

The developer has disclosed that it will not collect or use your data.

Oh yeah? Let’s go deeper into the privacy policy!

And there I found these two clauses:

and:

From this point, I checked more data properties that could help me decide if this should be removed or stay. Along with reviewing the privacy policy and extension’s web page, I checked a few additional parameters:

Installation method

How the extension was installed – NORMAL or SIDELOAD

  • NORMAL – Extension installed directly by the user from the browser’s official extension store.
  • SIDELOAD – Extension installed from a source outside of the browser’s official extension store.
  • DEVELOPMENT – Extension that is being loaded directly into the browser for testing or development purposes, rather than being installed from a web store or other official distribution channel.

This particular extension was installed in a SIDELOAD fashion, which can pose a greater risk because it may not have undergone as stringent of a security review as it would have if it was in an official store.

Permissions

I also examined the extension’s permissions – what it allows an extension to do. The list of permissions included some dangerous ones:

  • <all_urls> – Allows the extension to access all web pages. This is a very broad permission and is one of the most severe in terms of potential privacy and security risks.
  • tabs – Gives the extension access to various properties of the browser’s tabs. This can include reading the URL, title, and other attributes of tabs and closing, moving, or creating new tabs.
  • unlimitedStorage: Permits the extension to store more data than typically allowed in the browser’s local storage.
  • system.display – Allows the extension to interact with the display properties of the system. This could include things like:
  • Querying display metadata: Fetching information about connected displays, like their resolution, orientation, etc.
  • Manipulating display settings: Changing settings such as screen resolution or orientation.
  • Controlling display layout: Positioning screens in multi-display setups.
  • scripting – Depends on what scripts are executed (someone mentioned supply-chain risk)

Vulnerability Scans

Using the free extension scanning tool CRXcavator can shed more light on extensions that may be considered in the risk assessment. Decision making data could be added through its API, such as:

  • Vulnerabilities scan: Are there any vulnerable applicative components? Are there CISA KEV vulnerabilities?
  • Risk Over Time: The extension’s overall risk, is it escalated?
  • CSP (content security policy): More advanced insights
  • Networking: Could be correlated with <all_urls>

Whois

Use Whois to find the extension’s website URL. This could help you understand more about an extension, like where the extension’s coming from, its domain’s age, and more. Whois revealed the particular extension’s domain age is 59 days.

Risk assessment time!

Given the insights I was able to gather, I can now assess the risk and make a decision.

  1. Privacy policy shows Uncompromised information of the ability to collect PII. This has tremendous consequences on compliance and privacy settings and policy.
  2. Considering permissions like <all_urls>, scripting, tabs – These generate risks affecting data privacy, compliance, supply-chain (scripting?), data-leak etc…
  3. Considering the installation method – NORMAL installation type would at least have lowered the risk, which is not the case here, as this one was installed in SIDELOAD fashion – outside of the browser’s official extension store, which means, it wasn’t reviewed by Google.
  4. Whois – domain age is very low – 59 – not always necessarily, but it could raise a concern that something fishy is going on.
  5. Considering there are a few high vulnerabilities (with high EPSS).

After examining the findings above, I assume that the prevailing conclusion would be to remove the extension. However, in any environment there are many variables that can cause decision-makers to leave the extension installed.

How to Automate Extension Risk Assessment

All this work has to be done manually, right? That may be feasible if you have only a few extensions to investigate. Most organizations, however, have 20 times that many extensions. So I decided to use Torq to create workflows to automate the extension risk assessment.

Here’s how I did it:

  1. Focus only on risky permissions. Extensions have dozens of permissions types. I used Torq’s Gen AI integration to assign a risk score (1 to 5) for each permission, considering their capabilities. Focusing on the most prominent permissions reduced the number of issues to address.
  2. Let AI summarize the privacy policy with a prompt focusing on personal information, additional data processors, and what is essential to keep compliance governed.
  3. Use WHOIS to grab the domain’s age and its activity status.
  4. Extract the extension’s CVEs and use the power of automation to enrich and attach CISA KEV, EPSS, and CVSS metrics for better vulnerability management.
  5. Correlate CVEs with your device vulnerabilities inventory to detect whether they are vulnerable.
  6. Aggregate all insights into one case for the verdict:
    1. If the risk is tolerable, reach out to the employee to understand whether the extension is used and needed for work purposes.
    2. If the risk isn’t tolerable, reach out to the employee to inform them of the extension removal. Execute the MDM command to remove immediately.
    3. Exclude the extension from use.

Conclusion

The decision to remove or keep an extension may change under different circumstances and based on differing data. However, an extension that violates privacy compliance and provokes severe vulnerabilities shouldn’t be ignored.

As security pros, it’s our job to educate and raise awareness about extensions and the potential risk they pose, while also providing insight based on investigation and analysis. From there, organizations can make informed decisions whether they’ll allow a certain extension.