How Next DLP Automates Data Breach Investigations with Torq Hyperautomation

The following is adapted from a conversation between Torq and Robbie Jakob-Whitworth, Cybersecurity Solutions Architect at Next DLP. Next DLP is a leading provider of insider risk and data protection solutions. Read on to learn how Robbie has used Torq Hyperautomation to automate alerts and reduce alert fatigue within his organization.  

Introduction to Robbie and Next DLP

I’m Robbie Jakob-Whitworth, Solutions Architect with Next DLP. Next DLP is focused on reinventing data protection, DLP, and insider risk. So, I spend a lot of time working with customers and enterprises focusing on how we can protect the data in their organization, how we can prevent a data leak or data breach, and also how we can manage the insider risk. 

So a key thing that I work on with a lot of customers is alerts, detections and incidents from a data protection perspective as well as an insider risk perspective. And alert fatigue is something that is a very real problem for security analysts. They spend a lot of time looking through alerts. 

Next DLP provides a fantastic platform to get an overview and take control of risky behavior taken by users. For example, the sharing of sensitive data, or accessing data that is controlled by regulation or compliance. But going through all of these alerts and all of these incidents can be quite a time thing sometimes for an analyst. So in that theme of alert fatigue, I was able to use Torq to build a workflow to notify me separately via Slack about the most serious data breaches.

Combatting Alert Fatigue with Hyperautomation

So in the example that I’m going to show you here, we can actually reduce alert fatigue by using Torq to just alert us about the highest-severity alerts. So using Next DLP, I built out a webhook integration directly into Torq and streamed detection information to Torq where the data is Personally Identifiable Information (PII).

I’m only going to focus on the highest-risk users, and I only want events with a score of at least 80. So, particularly high severity alerts. Now, when a policy violation or incident occurs that meets these thresholds, a workflow in Torq is triggered and I get notified in real time through Slack or on my phone.

Then, I can launch an investigation in real time. So I can go and spend my time on other things that are more important to me than looking through logs. I’m saving a lot of time by getting these alerts through Torq.

A Real-World Example

Consider this – from a data protection perspective, I might have data in my organization, maybe personal information, social security numbers, or customer information that needs to be protected. And in this case, if I’m a user and I’m sharing this data through a site like WeTransfer, either maliciously or accidentally, Next DLP can provide real-time data protection by enforcing IT and corporate policy, preventing the taking of sensitive data. 

So in this case, we caught the fact that this file contains this sensitive information – email addresses and social security numbers – and that it was leaked out through WeTransfer. Next DLP protected and blocked that activity.

Now as a SOC or security analyst, I don’t need to sit in the Next DLP platform and look through every single alert. With this automation, Torq notifies me with all of the information around the incident: which user violated the policy, what the policy was, that it contains social security numbers, how the data was being exfiltrated, in this case to WeTransfer. I get a link to view the file and the forensic evidence, along with a screenshot of the user’s desktop at that moment in time. So I’m able to launch an investigation to dive down deeper into the context of this user’s activity. 
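The trigger logic described above (a PII classification plus a risk score of at least 80, then a Slack notification carrying the user, policy, data types, destination and evidence links), as an added example in Python that is not Next DLP’s or Torq’s own code; the webhook payload field names and the classification label names are assumptions, and the sample events are constructed.

```python
"""Gate Next DLP-style detection events the way the workflow above does.

Added example, not Next DLP's or Torq's code. The event payload shape
('risk_score', 'classifications', 'destination', ...) is an assumption.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

MIN_RISK_SCORE = 80
# Classification labels that count as PII for the trigger (assumed label names).
PII_LABELS = {"pii", "ssn", "email_address", "credit_card"}


@dataclass
class Notification:
    """Everything the analyst needs in the Slack message to start investigating."""
    user: str
    policy: str
    data_types: List[str]
    destination: str
    risk_score: int
    evidence_url: str
    screenshot_url: Optional[str]

    def slack_text(self) -> str:
        lines = [
            f":rotating_light: High-risk data leak blocked (score {self.risk_score})",
            f"User: {self.user}",
            f"Policy: {self.policy}",
            f"Data types: {', '.join(self.data_types)}",
            f"Destination: {self.destination}",
            f"Forensic evidence: {self.evidence_url}",
        ]
        if self.screenshot_url:
            lines.append(f"Desktop screenshot: {self.screenshot_url}")
        return "\n".join(lines)


def risk_score(event: Dict[str, Any]) -> int:
    """Coerce the score; a missing or malformed score never passes the gate."""
    try:
        return int(event.get("risk_score"))
    except (TypeError, ValueError):
        return 0


def pii_labels(event: Dict[str, Any]) -> List[str]:
    labels = {str(label).lower() for label in event.get("classifications", [])}
    return sorted(labels & PII_LABELS)


def should_notify(event: Dict[str, Any], min_score: int = MIN_RISK_SCORE) -> bool:
    """Only PII events at or above the threshold reach the analyst."""
    return bool(pii_labels(event)) and risk_score(event) >= min_score


def build_notification(event: Dict[str, Any]) -> Notification:
    return Notification(
        user=event.get("user", "<unknown user>"),
        policy=event.get("policy", "<unknown policy>"),
        data_types=pii_labels(event),
        destination=event.get("destination", "<unknown destination>"),
        risk_score=risk_score(event),
        evidence_url=event.get("evidence_url", ""),
        screenshot_url=event.get("screenshot_url"),
    )


def handle_webhook(events: List[Dict[str, Any]],
                   min_score: int = MIN_RISK_SCORE) -> List[Notification]:
    """Entry point a webhook handler would call with the decoded JSON batch."""
    return [build_notification(e) for e in events if should_notify(e, min_score)]


# Constructed sample batch: only the first event should produce a notification.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"user": "jdoe", "policy": "Block PII upload to file-sharing sites",
     "classifications": ["SSN", "email_address"], "destination": "WeTransfer",
     "risk_score": 92, "evidence_url": "https://dlp.example.test/evidence/1001",
     "screenshot_url": "https://dlp.example.test/screens/1001.png"},
    {"user": "asmith", "policy": "Block PII upload to file-sharing sites",
     "classifications": ["ssn"], "destination": "WeTransfer", "risk_score": 45},
    {"user": "bwong", "policy": "Source code egress", "risk_score": 95,
     "classifications": ["source_code"], "destination": "GitHub"},
    {"user": "clee", "policy": "Block PII upload to file-sharing sites",
     "classifications": ["pii"], "destination": "Dropbox"},  # score missing
]

if __name__ == "__main__":
    for note in handle_webhook(SAMPLE_EVENTS):
        print(note.slack_text())
```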

The Power of Torq Hyperautomation

Traditionally, for an analyst or in a SOC, you spend all your time kind of combing through logs and alerts. You have a lot of false positives to deal with. And all the information is presented to you within a powerful UI of most products. But, you have to spend a lot of time going through each alert.

It was super simple to build this automation because I’m combining the powerful open API provided by Next DLP with the really helpful no-code workflow UI provided by Torq. Plugging those two together is the best of both worlds. It’s really a fantastic way to orchestrate and connect different systems together and to save me time by automating those manual tasks.

Want to learn more about Torq Hyperautomation? Get a demo.

No More SuckOps: How Hyperautomation is Transforming SOC Analysts’ Lives Forever

Today’s SOC analysts are drowning in myriad notifications. They’re trying to parse what’s real, what matters, and what’s a genuine threat to the organization. This exhausting daily routine is significantly contributing to job dissatisfaction and the high turnover rate in SecOps teams. But there’s a major new innovation that solves it: AI-driven hyperautomation. This modern SecOps approach is enabling a key shift away from code reliance and it’s transforming analysts’ roles forever.

SecOps Is No Longer Just For Code Warriors

During the legacy SOAR era, SecOps was largely exclusively the realm of expert coders. Analysts needed months of complex training and the ability to dig deep into myriad programming languages in order to assess and address threats. 

Together, hyperautomation and generative AI liberate analysts from these requirements. The combination delivers auto-calibrated workflows that can predictively mitigate threats before they happen and, even more importantly, handle them as they occur in real time. No code needed. The hyperautomation platform does all the work. And if something exceeds a critical impact threshold, hyperautomation’s human-in-the-loop crosschecks ensure the analyst is informed before a remediation approach is executed.

Out-of-the-Box Automations Don’t Cut It Anymore

Given the fact we’re living in the most complex security threat landscape in history, legacy SOAR’s out-of-the-box automations are simply no longer effective. They’ve historically been valuable prior to the explosion of novel cyberthreats, but with attackers hitting enterprises with more and more unanticipated tactics and strategies, the automation response must keep pace. Generative AI delivers a machine speed defense unlike anything we’ve previously seen in cybersecurity.

AI-driven hyperautomation is transforming and democratizing the role of SecOps analysts, so they can do more, with less training. This is lowering the bar to entry in the field, while further empowering their capabilities. By embracing AI-driven hyperautomation, we’re not just optimizing processes; we’re reinvigorating our teams, allowing them to shift from constant firefighting to proactive threat hunting and analysis. 
Ready to empower your SOC analysts? Learn more at: https://torq.io/product/

How to Save Your SOC Analysts From Alert Fatigue

SecOps teams face an unyielding barrage of security signals raised by various systems and tools. It’s estimated that 56% of large companies receive 1,000 or more alerts per day.

SOC analysts are expected to wade through these alerts and determine which ones are important, which are low priority, and which are imperative. 

According to IDC, 83% of cybersecurity employees say they’re struggling to cope with the overwhelming alert volume. Meanwhile, 30% of alerts are ignored or go uninvestigated due to security teams of all sizes struggling with alert fatigue, leaving the door open to potential threats that can adversely affect the organization.

Legacy SOAR: The #1 Cause of Alert Fatigue

The leading cause of alert fatigue is legacy SOAR’s flawed approach to alert prioritization. It treats every event as an incident and depends on inflexible SIEM-based event pipelines for the critical tasks of noise reduction and data enrichment. Further, SOAR requires significant costs for processing additional signals and automating subsequent follow-up. And because SOAR relies primarily on on-premises architecture, its scalability is crippled, further increasing costs and hindering integration of modern security tools.

Legacy SOAR’s downsides include:

  • Difficulty finding useful information and managing vulnerabilities
  • Slower time to identify and respond to actual threats
  • Higher rates of SOC analyst burnout, which drives attrition

How a Hyperautomated SOC Eliminates Alert Fatigue

Torq Hyperautomation can process event volume orders of magnitude larger and faster than legacy SOAR, and has more flexible capabilities to filter, enrich, correlate, and aggregate events for automation processing. A Torq Hyperautomation-driven SOC is built on an event-driven architecture and offers easy workflow automation to sift through the noise, close out false positives more quickly, and prioritize responses more efficiently.

Torq also offers horizontal scalability to support a vast number of processes and automatically parses all data, while SOAR requires manually selecting and mapping fields.

In addition, Torq offers more flexibility with trigger conditions, including templates. This means multiple triggers look at the same event and can launch a variety of different workflows dynamically. 

A Torq Hyperautomation-based SOC helps eliminate alert fatigue and frees SOC analysts from the endless, resource-draining game of event whack-a-mole SOAR is known for. With Torq, alerts are prioritized, enriched, and contextualized, and 95% of Tier-1 tasks are hyperautomated, so SOC analysts can focus their attention on only significant alerts and incidents without being bogged down by noise.

See how a hyperautomated SOC can eliminate alert fatigue. Get a demo.

Enhancing Cyber Defenses: The Benefits of Hyperautomation in Cybersecurity

Cyber threats are constantly evolving and becoming increasingly sophisticated, and organizations are continuously searching for ways to fortify their cybersecurity defenses. One approach that has gained significant traction is hyperautomation.

Hyperautomation, which automates once-manual security workflows and processes, enhances cybersecurity posture, streamlines security operations, and effectively mitigates risks.

So, what are the benefits of hyperautomation in cybersecurity, and how does it improve security operations while reducing cyber risks?

The Benefits of Hyperautomation in Cybersecurity

Increased Efficiency

Hyperautomation increases efficiency in cybersecurity. It enables organizations to automate repetitive tasks, such as threat detection, incident response, and vulnerability management. This allows cybersecurity teams to focus their time and efforts on more strategic initiatives.

Faster Response

Hyperautomation empowers SecOps teams to respond to threats in real-time. AI-powered hyperautomation that uses large language models can analyze vast amounts of data at incredible speeds, allowing for faster identification and remediation of security incidents before they have a chance to escalate into larger breaches.

Proactive Threat Detection

Hyperautomation uses AI in security to detect and analyze patterns indicative of potential cyber threats. By continuously monitoring network traffic, user behavior, and system logs, organizations can proactively identify and stop attacks before they have the chance to cause significant damage.

Seamless Integration

Hyperautomation integrates seamlessly with the vast majority of existing cybersecurity tools and technologies, which enhances their capabilities and provides a more unified approach to security management. This extensibility and interoperability ensures organizations can leverage their existing investments while maximizing the effectiveness of their cybersecurity defenses.

Scalability

As organizations grow and evolve, so do their cybersecurity needs. Hyperautomation delivers scalability by adapting to changing requirements and increasing workloads. Whether it’s securing new endpoints, expanding into cloud and hybrid environments, or integrating with emerging technologies, hyperautomation offers the flexibility to scale security operations accordingly.

How Does Hyperautomation Improve Security Operations?

AI-driven hyperautomation greatly improves security operations by streamlining workflows, accelerating response times, and enhancing decision-making processes. With hyperautomation you can achieve a 10X or more operational and productivity boost within weeks of deployment. Autonomously detecting, triaging, investigating, and remediating security threats introduces new efficiencies in cybersecurity without the need for human intervention. This dramatically filters out the noise of thousands of daily security alerts and only presents the most critical as needing attention, which greatly accelerates the mean time to resolve genuine security incidents. By leveraging AI and automation, organizations can:

  • Automate routine tasks: Hyperautomation automates repetitive tasks, such as log analysis, malware detection, and patch management, freeing up security teams to focus on more complex and strategic initiatives.
  • Enhance threat intelligence: AI algorithms analyze vast amounts of data to identify patterns and anomalies that indicate a potential cyber threat. This enables organizations to stay ahead of emerging threats and proactively defend against potential attacks.
  • Improve incident response: Hyperautomation enables faster incident detection, analysis, and remediation. By automating incident response workflows, organizations minimize threat exposure and can more quickly mitigate the impact of security incidents.
  • Optimize resource allocation: AI-driven insights provide security teams with actionable intelligence, enabling them to prioritize tasks based on risk severity and potential impact. This eliminates the need to respond to low-priority alerts and tasks, and ensures resources are allocated efficiently to address the most critical security issues.

Can Hyperautomation Reduce Cybersecurity Risks?

Because hyperautomation gives security teams the ability to automate threat detection and response, reducing cyber risks is one of the main reasons organizations deploy it. Add to the mix AI cybersecurity advantages of being able to analyze massive amounts of data in real-time to identify indicators of potential security threats and security risk is further reduced. 

Ultimately, hyperautomation allows security teams to detect security threats faster and respond more quickly and more effectively, minimizing their impact and reducing cyber risks by:

  • Minimizing human error: By automating routine tasks and standardizing security processes, hyperautomation reduces the likelihood of human error, which is a common cause of security breaches.
  • Enabling proactive threat hunting: AI-powered analytics enable organizations to proactively hunt for threats across their infrastructure, identifying and neutralizing potential risks before they can be exploited.
  • Improving compliance posture: Hyperautomation ensures consistent enforcement of security policies and regulatory requirements, reducing the risk of non-compliance and potential penalties.

Hyperautomation offers myriad benefits, including increased efficiency in cybersecurity, faster response, proactive threat detection, seamless integration, and scalability. By leveraging AI and automation, organizations can enhance their security operations, reduce cyber risks, and strengthen their defenses against today’s evolving security threats.

To see the benefits of hyperautomation in action, schedule a Torq demo.

Torq Talks to Tyler Young, CISO at BigID

The following is adapted from a conversation between Torq and Tyler Young, CISO at BigID. BigID produces software for data security, compliance, privacy, and governance. Read on to learn about how Torq Hyperautomation has helped BigID unlock new levels of efficiency and productivity by relieving their team of rudimentary tasks.

Introduction to Tyler and BigID

I’m Tyler Young, Chief Information Security Officer at BigID. I’ve been at BigID for two years, and I was brought in to take the company’s product security program to the next level. Prior to BigID, I was at Relativity for almost four and a half years where I was responsible for building out and scaling the security program. Prior to Relativity, I was at Zurich Insurance. Before that, I worked with some consulting firms and the US Government. I’ve had experience with multiple sectors and am now focused on hypergrowth tech.

BigID’s Automation Journey

BigID’s automation journey consists of two different parts. First, we needed to bring in the right technologies that fed the right telemetry to our security engineering teams. Second, we wanted to save time by not building out an elaborate SOC. We talk all the time as an industry about burnout and talent shortage. Security teams want to build, they want to solve critical problems, they don’t want to be looking at alerts all day or wasting time on repetitive tasks that can be automated. That’s why we invested in Torq. We leverage Torq for the phishing aspects of what BigID is doing, as well as our level one and level two tasks. We built our automation strategy from scratch leveraging Torq.


Life Before Torq Hyperautomation

We had Torq Hyperautomation within my first five months of being at BigID, but in my last role, we used a SOAR platform. It took an entire team to operate and to manage it. I’m talking like six or seven people writing automation framework playbooks and writing threat detections in the platform. Instead of spending over a million dollars on the program, we could have been using those resources to build homegrown security solutions or leveraging open source so that we could then offset some other security costs. I think a lot of places are leveraging these really robust SOAR capabilities, but they require a significant head count, a lot of funding and top-notch talent to write code, almost at the same level as some developers are writing.

Comparing Torq Hyperautomation to Traditional SOAR Offerings

Torq Hyperautomation’s click-and-drag capability and ability to integrate with companies like SentinelOne or CrowdStrike, combined with not having to write API connections and build connectors for all these different aspects, make the program different from legacy SOAR. Being able to just click and drag makes our job so much easier. I can do the same thing with one or two security engineers that we could do with ten when they’re having to write these things manually.

Benefits BigID Has Experienced with Torq Hyperautomation

Maybe this is the unconventional aspect of this, but I think the biggest benefit we’ve seen is our security engineers don’t have to focus on remedial workflows that they can build themselves in a playbook, which allows them to focus on more meaningful work. I’m a big believer in building security solutions, and leveraging things off the shelf when possible. Torq allows our team to take the rudimentary tasks and automate them so that they can spend more of their time building.

Advice to CISOs Considering Torq Hyperautomation

I think it’s important to do a cost benefit analysis of how much time and money you spend today on your current SOAR offering. It’s also important to gauge your employees’ happiness and satisfaction with their responsibilities. There’s already a talent shortage. Ask yourself, is my team bought into what they’re doing? If not, leverage something like Torq Hyperautomation to automate those repetitive tasks so your team is focusing on more meaningful work. 

On the Future of AI and Security 

I think there’s a place and time where all the alerts, all the telemetry is going to some type of autonomous agent that’s leveraging AI in some capacity. In the future we’ll be able to understand the attacks that are happening in real time, something that’s lacking today with AI. If you have threat detections that are happening and updating in real time, then you have the ability to block and respond to those in real time. In a perfect world, I see AI enabling security teams to be focused on building solutions that are more custom tailored to your needs. 

Want to learn more about Torq Hyperautomation? Get a demo.

Detect and Respond to Threats Faster with Torq and Anvilogic

Is SIEM lock-in preventing the transformational impact of Torq Hyperautomation? Due to cost and scale challenges, endpoint activity, cloud telemetry, and network flows are often missing from detection and security automation. For security teams that keep these and other large datasets outside their SIEM, Anvilogic has teamed up with Torq to take SOC automation to the next level.

Integrating Torq and Anvilogic gives security operations teams a new way to detect threats across data platforms like Splunk, Snowflake, and Azure Sentinel, and then quickly handle those detections with interactive remediation workflows. Sound complicated? Let’s walk through an example of how Torq and Anvilogic make it easy.

Detection Scenarios Across Your SIEM and Data Lake

Traditionally, critical data sets such as Active Directory and endpoint activity logs are a SIEM blind spot. Anvilogic’s support for cost-effective data lake alternatives means these high-volume security feeds can be used for detection rules and correlated scenarios. 

For example, the FIN6 cybercrime group targets the retail and hospitality sectors to steal payment card data using Active Directory (AD) attack techniques. While these may often seem benign, one of Anvilogic’s thousands of curated detection scenarios correlates FIN6-associated AD activity and what the threat group later does on victim endpoint hosts. The combination of these data points, which are often not available in a traditional SIEM, serves as a high-confidence indication that an attack is in progress.

Slashing the Mean Time to Respond

With the new integration between Anvilogic and Torq, the alert for possible FIN6 activity can quickly turn into mitigation, reducing the risk of payment card data theft. The Torq Hyperautomation platform receives a detailed alert from Anvilogic, with information about the users involved and potential indicators of compromise (IOCs). In parallel, the affected user receives a Slack message to determine if they’re aware of the suspicious activity, while the IOCs are extracted for investigation. All of this happens without analyst involvement.

If the user is not aware of the activity, their response, as well as the extracted IOCs, are funneled into the case management system, where the SOC can see why Anvilogic triggered the alert together with the context that’s been automatically gathered. The team can then isolate the system and take any additional steps needed to eliminate the threat from the environment. 
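The triage steps just described (extract IOCs from the Anvilogic alert, ask the affected user over Slack whether they recognise the activity, and open a case with their answer and the IOCs when they do not), as an added Python example that is not Anvilogic’s or Torq’s code; the alert schema, the Slack prompt wording and the sample alert are constructed, and treating a missing reply as “not aware” is an assumption the page does not state.

```python
"""Triage step for an Anvilogic-style alert, mirroring the workflow above.

Added example, not Anvilogic's or Torq's code. The alert shape, the Slack
prompt and the sample values (TEST-NET address, reserved .test domain,
sha256 of the string "test") are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_ALERT = {
    "scenario": "FIN6-associated AD activity followed by endpoint execution",
    "users": ["jdoe"],
    "hosts": ["WS-0412"],
    "details": (
        "Account jdoe enumerated privileged AD group membership; shortly after, "
        "WS-0412 contacted 203.0.113.45 and stage.example.test and wrote a file "
        "with hash 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
    ),
}

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}
# Dotted file names look like domains to the regex above; drop the common ones.
_NOT_DOMAIN_SUFFIXES = {"exe", "dll", "ps1", "bat", "txt", "log"}


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Pull candidate indicators out of free-text alert details, deduplicated per type."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in IOC_PATTERNS.items():
        values: List[str] = []
        for match in pattern.findall(text):
            if kind == "domain" and match.rsplit(".", 1)[-1].lower() in _NOT_DOMAIN_SUFFIXES:
                continue
            if match not in values:
                values.append(match)
        if values:
            found[kind] = values
    return found


def user_prompt(alert: Dict) -> str:
    """The Slack question sent to the affected user while IOCs are extracted."""
    return (
        f"Security check: we saw activity from your account on "
        f"{', '.join(alert['hosts'])} matching '{alert['scenario']}'. "
        "Was this you? Reply YES or NO."
    )


@dataclass
class Case:
    title: str
    user: str
    hosts: List[str]
    user_response: str
    iocs: Dict[str, List[str]]
    detection_reason: str
    recommended_action: str


def route(alert: Dict, user_answer: Optional[str]) -> Optional[Case]:
    """Open a case unless the user confirms the activity as their own.

    Returns None when the user answers YES (closed as user-confirmed; the page
    does not describe this branch, so it is an assumption). A NO or no reply
    at all (None) produces a case carrying the answer and the extracted IOCs.
    """
    answer = (user_answer or "").strip().lower()
    if answer in {"yes", "y"}:
        return None
    response = "not aware" if answer in {"no", "n"} else "no response"
    return Case(
        title=f"Possible {alert['scenario']}",
        user=", ".join(alert["users"]),
        hosts=list(alert["hosts"]),
        user_response=response,
        iocs=extract_iocs(alert["details"]),
        detection_reason=alert["details"],
        recommended_action="Isolate affected host(s) and review the IOCs",
    )


if __name__ == "__main__":
    print(user_prompt(SAMPLE_ALERT))
    print(route(SAMPLE_ALERT, "no"))
```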

Fewer Silos, Better Fidelity: Keys to Effective Automation

We’ve shown how a security operations team can keep an initial network compromise from becoming a full-blown breach. To do this, the team needed to correlate high-volume datasets often unavailable to detection engineers. Anvilogic breaks SIEM lock-in so the SOC can put these large-scale security sources to work. In addition to supporting multiple data platforms, Anvilogic provides thousands of multi-stage detection scenarios off the shelf. This cuts the alert noise that can keep security teams from adopting hyperautomation across more of their processes. 

For Torq customers, fewer data silos and better alert fidelity translate to more value from their existing investments. Doing more with less is a common demand in the current climate. We’ve only shown one example of the many opportunities to tackle threats like ransomware, cryptomining, and data theft across clouds, networks, and endpoints. Reach out to learn more about the exciting combination of multi-data platform SIEM and hyperautomation.

Implementing Hyperautomation: A Blueprint for Security Managers and SecOps Teams

One of the key questions we get is “how do I get started with hyperautomation?” It can seem slightly overwhelming if you haven’t automated in the past, or you’re used to attempting to automate using legacy SOAR solutions. 

If you’re wondering where to get started with hyperautomation, look no further. We caught up with Security Automation Leader Filip Stojkovski, who put together a handy blueprint on how and where to start your journey to hyperautomation. It’s a step-by-step roadmap for Security Managers and SecOps teams looking to build an effective and mature hyperautomation program. 

1. Decide what to automate: The first step is to dive into stakeholder needs, picking the right integrations, determining the areas that will benefit the most, and selecting the appropriate platform.

2. Determine the feasibility of automation: This is where organizations set expectations that align with a company’s rules and set a realistic timeline for when you’ll see a return on investment. 

3. Use hyperautomation: Automation has evolved from legacy SOAR platforms to hyperautomation. “It’s better. It’s faster,” Stojkovski says. Hyperautomation was designed with AI and machine learning in mind and is more flexible than its legacy SOAR predecessors. 

4. Implement automations: Determine who is implementing the automations. Is it the SecOps team? Is it specialized engineers? The right resource allocation can make a world of difference when implementing hyperautomation. 

5. Infrastructure and processes: Align with your organization’s goals and understand your infrastructure and processes. Set up test and production environments and document all processes to streamline hyperautomation. 

6. Develop use cases: Prioritize the processes that are most frequently used throughout the organization and focus on them. This will free up time and help an organization make the leap from reactive to proactive. 

7. Measure the impact: Determine what you should measure and then what metrics signify success. Is it reducing time to detect or respond to threats? FTE saved or added? Proactive threat mitigation? ROI? Understanding what signifies success up front will help ensure you’re measuring the right things.

We’d like to thank Filip for taking the time to chat with us and for sharing his blueprint for effective security automation. Be sure to watch the full video to learn more.

Want to see the Torq Hyperautomation platform in action? Request a demo.

Beyond the Hype: How Torq’s AI-Driven Innovations Are Transforming Security Automation

Making a real difference for our users with Generative AI

It has been over a year and a half since the latest generative AI revolution descended upon the world. All IT markets have seen a wave of both new AI products and AI-driven capabilities in existing products being introduced at a breakneck pace. While most of them clearly perform things that, until recently, could have been described as “pure magic” even by the most cynical audiences, many questions can be raised regarding whether these capabilities are truly directed at transforming customer experiences and outcomes vs. just being “mega cool.”

What’s wrong with “tech first”

Let’s take one step back. Allow me to introduce myself: I am a proud serial entrepreneur, having successfully established and grown two companies (one of which was acquired by a major player in the enterprise cybersecurity market). 

When learning “entrepreneurship 101” – not a formal discipline, of course, but rather a collective experience of a community of entrepreneurs – I was told that establishing a cool (or even a unique) technical capability and then searching for a problem to apply it to is not a great idea. In the entrepreneurial world this is referred to as the “tech first” approach to establishing a product or a company, and it has been proven inferior to a “problem first” approach, where one identifies a problem and then considers various alternatives on how to solve it. 

The collective experience of the past 2-3 decades has clearly shown that “problem first” products and companies have greater chances of generating long-lasting outcomes for their customers, and, therefore, have greater chances of establishing significant growing businesses. Tech first, on the other hand, might find a lot of support among the “romantics” of the technology, who enjoy technical capabilities because of what they can deliver, but might find it difficult to drive significant impactful outcomes.

Should we wait for a problem to present itself?

Does the above mean that every time a new technological barrier is being broken (just like it happened with the recent advancements in generative AI) we need to wait for the problems to present themselves and only then try to apply the new technology? 

Of course not. The problems exist everywhere in the world and in different markets today. It is only a matter of picking the right (worthy of solving) problem and researching whether it can be solved to a better extent with the new technology (in comparison to existing solutions).

When deciding on a problem to pick, therefore, it is important to understand the components of it, and not just the general “headline,” such as:

  • Who are the target audiences, i.e., the people or organizations having the problem? What are the unique characteristics of those who have it vs. those who don’t?
  • How severe is the problem? How critical will solving the problem be for the target audience?
  • What do these audiences do today? Do they have alternative solutions? How will our solution be better?

Finally, specifically when applying generative AI to certain problems, one of the most important questions to ask is: what would be the role of AI in the solution? Answering this question correctly is critical not only for creating the capability, but also for its future defensibility vs. the competition.

The role of AI in the solution

So what role does an AI play in the overall solution? Is there a real value in the integration of generative AI into the product environment, or is it just a “thin layer of glue” connecting mostly “off the shelf” Large Language Model (LLM) to the existing product “just for the cool effect?”

In my humble opinion, there is a huge difference between just bringing “some” AI capabilities into the UI of an existing product by integrating with one of the available off-the-shelf generative AI services and truly extending the unique technology in one’s product with AI.

Does the AI-driven capability rely on some rich, unique, or powerful technology that exists in the product, or does it simply come “on its own” without deep ties to the underlying tech? Does the capability perform additional functions on top of or integrated with “sending information to an AI and receiving the response” or is it mainly about interfacing with AI? 

The answers to the above questions distinguish between an impactful and defensible technology and a cool thin layer of “AI”.

Case in Point: AI-driven automation workflow generation

During the past year Torq has released 5 different AI-powered capabilities inside the product: 

  • Automatic generation of advanced data transformation and cloud platform management actions (in Torq workflows)
  • Automatic generation of documentation for complex automated processes to improve team collaboration
  • Generation of workflow structure and data flow based on natural language description of the use-case
  • Natural-language agent for security Case Management (a.k.a. Torq Socrates)
  • Automatic summaries for complex security cases to improve SOC analysts’ collaboration

As always, each of these has undergone a deep ideation process, involving not only our product leaders but also our close partners, in order to ensure that we deliver important outcomes to our users.

The basic capability allows the person wishing to build an automated workflow to express their needs with a natural-language prompt. For example: “For every threat coming from my EDR, enrich its data with my Threat Intelligence systems and if the risk score is greater than X, take actions A,B,C to contain the threat”. After receiving the goals in such a form, the system automatically generates a Torq workflow based on the provided specifications, one that is close to being deployable to production after a quick review cycle.

While the above is a correct answer to the question “what is it doing?”, it cannot drive the development of the capability without considering the challenges and problems experienced by a specific audience. In our case, we decided to double down on the accessibility of security automation for audiences of different technical abilities. Furthermore, we studied the ramp-up process of the thousands of users developing security automation with Torq today, identifying existing gaps and focusing on rectifying them. Specifically, we realized that, as Torq becomes a more sophisticated and feature-rich platform for developing automations, the task of finding the right and most efficient way to implement a given process becomes more challenging.

The above led us to a more focused definition of what we were looking for: a way to allow more people who are ramping up their security automation skills to translate their ideas faster into fully working and efficient automation workflows. Taking this challenge and breaking it down into components clarified the main problems that we needed to address.

Armed with the breakdown of required capabilities, we studied components that we already had in our product that should be leveraged to deliver the solution and identified gaps where AI could bring some critical game-changing value.

Thankfully, we had previously made a significant technological investment in the following:

  • Thousands of predefined “smart” actions that can be reused in different security processes
  • Carefully curated metadata explaining each such action in natural language, alongside possible usage variations and output examples
  • Reusable process templates that combine the above-mentioned actions into consistent processes driving toward specific security outcomes
  • Unique extensibility architecture allowing flexible data retrieval and manipulation mechanisms, among other things

Building on top of the above technologies, and leveraging generative AI for smart semantic analysis of natural-language tasks as well as for creating logical connections between consecutive steps of automated processes, has allowed us to deliver a uniquely powerful and flexible capability that stands out in terms of the value it provides. While the large language models we used for the task are trained on a generic set of data and can serve other solutions, not only Torq, the unique connective tissue is the set of data points and technologies mentioned above. These are what ensure that the capabilities we deliver support the outstanding differentiation that the Torq platform provides to its customers.

Summary

Having defined “product excellence” as a core value of our company, we are constantly on the lookout for innovation that can improve the outcomes we are delivering to our customers. Leveraging generative AI as a “tool” in our arsenal has allowed us to deliver multiple important innovations (and, BTW, if you are reading this blog, then stay tuned for more exciting things to come), but it is critical to view it as an important capability and to continue building things targeted at solving user needs, rather than “trying to glue AI onto the product.”

P.S. This blog has been written entirely by human beings. No AI involved. Why? Not sure, but it felt like it would turn out more genuine this way.

Streamlining Security with Notion, Torq, and Slack

Security teams using legacy SOAR platforms often struggle with scattered information, limited collaboration tools, and inflexible response playbooks. Managing knowledge, automating tasks, and communicating can be complex and resource-consuming. Let’s see how integrating Torq, Notion, and Slack addresses these challenges to improve and streamline security processes.

Torq supports seamless integration with any third-party tool, empowering organizations to build and deploy complex workflows in minutes. Notion’s focus on flexibility and customization, together with key productivity capabilities, helps to unify efficiency across organizations.

In this blog, we’ll discuss several key use cases that demonstrate how the combined strengths of Notion, Torq, and Slack create a more streamlined and efficient security framework.

Threat Intelligence Sharing Made Easy

Notion serves as the central repository, organizing threat intelligence from a wide variety of sources and storing threat reports, vulnerability information, and indicators of compromise (IOCs). Torq automatically aggregates data from a multitude of sources and populates Notion databases with the relevant information, ensuring that teams have access to current threat data without manual intervention or searching across multiple resources.

Now that the data and the relevant threat intel are kept up to date in Notion via the Torq automation, it’s time to add real-time communication and alerts via Slack. Creating a dedicated channel specifically for sharing critical threat intelligence updates related to your organization allows for immediate collaboration: team members can discuss findings, track emerging threats, coordinate responses efficiently, or launch additional predefined automations to investigate or escalate. Applying this use case in your security workflow delivers a number of advantages, such as automated updates from Torq into the Notion hub and real-time notifications in Slack, which together ensure everyone has immediate access to the latest threat intelligence.

Automate Security Awareness Training 

Effective security awareness training is the bedrock of any organization’s cybersecurity posture. However, traditional training methods often fail to engage employees, leaving them unprepared to combat modern cyber threats. This is where the powerful trio of Notion, Torq, and Slack comes in, revitalizing stale training programs for today’s fast-paced environment. Notion acts as a single, accessible repository to house engaging security awareness content. This includes a variety of assets such as articles, videos, and interactive quizzes, keeping learning dynamic and interesting.

Gone are the days of manual reminders and missed deadlines. Torq automates tasks such as training reminders, progress updates, and due dates for both employees and managers. This ensures everyone stays on track to complete training requirements in a timely manner, meeting compliance needs.  A dedicated security awareness training channel in Slack fosters a dynamic and quick learning environment. Employees can ask questions during training, share best practices and key takeaways, and navigate real-time use cases collaboratively.  By integrating Notion, Torq, and Slack, organizations can create a modern security awareness program that keeps employees informed, engaged, and prepared to combat ever-evolving cyber threats. This, in turn, leads to a more secure and resilient organization.

Security Policy Management

Keeping security policies accessible and up to date can be a constant struggle for fast-moving teams. Notion eliminates this hassle by providing a centralized location to maintain and revise your policies. This ensures that the latest information pertaining to critical security policies is always current, and it also encourages employees to be more self-service oriented when reviewing compliance information. Note that while automation streamlines access, individual user permissions within the tools may affect immediate visibility.

Torq, your reliable task automation companion, takes care of the heavy lifting when it comes to security policy management. Torq automatically sends out policy updates and reminders to employees, ensuring entire organizations stay both informed and compliant. It is important to note that effective security practices go beyond the standard policy documents. This is where Slack delivers additional value, bridging the gap by facilitating open discussions and Q&A sessions around new or updated policies in relevant channels (in real time)! 

By harnessing the combined power of Notion, Torq, and Slack, teams improve their current workflows to create a streamlined and efficient security framework. This empowers your team to stay informed and proactive while simultaneously cultivating a collaborative and communicative environment – two fundamental pillars of a proactive and robust cybersecurity culture.

See the power of Torq’s integrations – get a demo.

Torq Talks to Abnormal CISO, Mike Britton

The following was adapted from a conversation between Torq and Mike Britton, CISO at Abnormal Security. Abnormal Security is a cloud email security provider, and an esteemed customer of Torq. Read on to learn how hyperautomation has helped the Abnormal Security SecOps team scale and grow:

Introduction to Mike and Abnormal Security
I’m Mike Britton. I’m the Chief Information Security Officer for Abnormal Security. What I do is I run our security, our IT, and our privacy program here at Abnormal. Prior to Abnormal, I was an early customer of Abnormal’s when I was the CISO for a company called Alliance Data. I have 27 years of security experience. Abnormal is a very fast growing cloud email security company. We plug in through the APIs for Google and Microsoft and protect our customers from advanced phishing and BEC type email attacks.

Life for the Abnormal SecOps Team Before Implementing Torq 
In my nearly three years here, we’ve done a tremendous amount of growing. I was employee number one from a security perspective. So it was important to hire the right people, but also be able to put tools in place that allowed me to scale and grow. We’ve probably grown 6X from an employee perspective and probably about that much from an infrastructure and product perspective as well. I don’t have the luxury of hiring an army of people – so leveraging solutions like Torq enabled me to grow and scale the business and keep up with where we’re going as a company. 

Comparing Hyperautomation to Legacy SOAR
A lot of SOAR is really more tightly tied into maybe your endpoint detection or maybe your SIEM. Whereas [with] Torq, the sky’s the limit as far as what I want to automate and how I want to really make more efficiency and productivity in other tasks that my team does.

Hyperautomating Endpoint Security Audits
We have a lot of different endpoint solutions. We have a lot of different tools and things like that. And we’ve decided not necessarily to go down into the full CMDB aspect of trying to use a tool to keep track of what agents are working. So we leveraged Torq to really go through our primary tool set, make sure everything has the necessary agents and security tools on it. And anytime there’s a missing tool or tools not performing correctly, Torq cuts a ticket back to my team so we can get on it quickly and figure out why.
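The agent-coverage audit described above, as an added illustration that is not Torq’s or Abnormal’s own code: it walks a constructed host inventory, flags each required agent that is missing or has stopped checking in, and collapses the findings into one ticket per host. The required agent names, the 24-hour silence threshold and the inventory shape are assumptions.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_AGENTS = ("edr", "dlp")      # assumed: the agents every managed host must run
MAX_SILENCE = timedelta(hours=24)     # assumed: an agent quiet longer than this is "not working"
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed inventory (not real hosts): each host lists its installed agents
# and the last time each agent checked in.
INVENTORY = [
    {"host": "laptop-001", "agents": {"edr": NOW - timedelta(minutes=5),
                                      "dlp": NOW - timedelta(minutes=9)}},
    {"host": "laptop-002", "agents": {"edr": NOW - timedelta(days=3)}},  # dlp absent, edr silent
    {"host": "server-007", "agents": {"edr": NOW - timedelta(minutes=1),
                                      "dlp": NOW - timedelta(minutes=2)}},
]


def audit_endpoints(inventory, required=REQUIRED_AGENTS, now=NOW, max_silence=MAX_SILENCE):
    """Return one finding per (host, agent) that is missing or has stopped checking in."""
    findings = []
    for entry in inventory:
        for agent in required:
            last_seen = entry["agents"].get(agent)
            if last_seen is None:
                findings.append({"host": entry["host"], "agent": agent, "issue": "missing"})
            elif now - last_seen > max_silence:
                findings.append({"host": entry["host"], "agent": agent, "issue": "silent",
                                 "last_seen": last_seen.isoformat()})
    return findings


def open_tickets(findings):
    """Collapse findings into one ticket per host so the team gets a single actionable item."""
    tickets = {}
    for f in findings:
        t = tickets.setdefault(f["host"], {"host": f["host"], "items": [], "priority": "medium"})
        t["items"].append(f"{f['agent']}: {f['issue']}")
        if f["issue"] == "missing":   # an absent agent means no coverage at all, so escalate
            t["priority"] = "high"
    return list(tickets.values())


if __name__ == "__main__":
    for ticket in open_tickets(audit_endpoints(INVENTORY)):
        print(ticket)
```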

How Torq Hyperautomation Enables Just-in-Time Access
The other big use case is we have a couple of applications that we want to enable just-in-time access on instead of letting users keep access 24/7. We’ve been able to plug that into Slack where an employee or user needs to get access to something. They can type a quick Slack message. It kicks back a ticket form. They fill it out. They ask for how long they need the access for and Torq does all the work behind the scenes to grant access, to revoke access and close out the ticket. 

The Benefits and ROI of Hyperautomation
It’s freed up some of my IT team members from having to do manual tasks, like add people to groups and provision access. And then not necessarily productivity, but risk reduction. It’s allowed me to basically keep access to just that time period that someone needs it instead of the exposure of someone keeping access permanently. Now they have to request it. I get good tracking on why they’re requesting it for that purpose. And then it goes away as soon as that time period is over.
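The just-in-time access flow from the two sections above (request with a duration and a reason, grant, automatic revocation when the window closes, ticket closed), as an added example that is not Torq’s or Abnormal’s own code. The 8-hour policy ceiling, the group-membership model and the ticket fields are assumptions; the scenario in `run_demo` is constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=8)  # assumed policy ceiling for a single request


class JitAccessManager:
    """Grants time-boxed group membership and revokes it when the window closes."""

    def __init__(self):
        self.members = {}   # resource (e.g. an app's access group) -> set of users granted
        self.tickets = []   # one ticket per request, closed on revocation

    def grant(self, requester, resource, reason, duration, now):
        """Handle a request such as one submitted from a Slack ticket form."""
        if not reason.strip():
            raise ValueError("a justification is required")
        if not timedelta(0) < duration <= MAX_GRANT:
            raise ValueError("requested duration is outside policy")
        self.members.setdefault(resource, set()).add(requester)
        ticket = {"requester": requester, "resource": resource, "reason": reason,
                  "expires_at": now + duration, "status": "open"}
        self.tickets.append(ticket)
        return ticket

    def revoke_expired(self, now):
        """Scheduled sweep: remove access whose window has passed and close its ticket."""
        closed = []
        for t in self.tickets:
            if t["status"] == "open" and t["expires_at"] <= now:
                self.members[t["resource"]].discard(t["requester"])
                t["status"] = "closed"
                closed.append(t)
        return closed

    def has_access(self, user, resource):
        return user in self.members.get(resource, set())


def run_demo():
    """Constructed scenario: a 2-hour request, swept after 1 hour and after 3 hours."""
    mgr = JitAccessManager()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    mgr.grant("alice", "prod-db-readers", "investigate an open incident", timedelta(hours=2), t0)
    during = mgr.has_access("alice", "prod-db-readers")
    early = len(mgr.revoke_expired(t0 + timedelta(hours=1)))  # 0: still inside the window
    late = len(mgr.revoke_expired(t0 + timedelta(hours=3)))   # 1: revoked and ticket closed
    return {"during": during, "early": early, "late": late,
            "after": mgr.has_access("alice", "prod-db-readers"), "status": mgr.tickets[0]["status"]}
```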

Why Other CISOs Should Consider Hyperautomating Their SecOps Teams 
We’re all in this situation where we always are pushed from our boards and our leadership to do more with less. One of the things I really like about the Torq team is they love to create new integrations. So if you come up with a SaaS or a tool or something that you want to get integrated into Torq, they’re phenomenal with turning that around quickly. Torq does a great job of helping you calculate that ROI as well. So not only can they help you automate it, but they can help you show that cost savings as well.

Want to see more? Get a demo.