As enterprise cloud infrastructure grows increasingly complex and alert volumes rise, it’s no longer feasible for security operations teams to rely on manual analysis and response workflows to address threats. Automation is needed to detect and respond to threats quickly.
But automation is a double-edged sword: security teams need automation to move fast, yet unchecked automation can do more harm than good, because threats must be contained without impacting production environments. Addressing these threats efficiently requires SecOps and DevOps teams to work in lockstep. Often, though, the two teams use completely different sets of tools and lack integrated processes to effectively manage cloud threats.
That’s why at Gem, we’re excited to announce our latest partnership with Torq, combining the power of Torq’s hyperautomation toolset with Gem’s industry-leading cloud detection and response platform. Through our partnership, organizations can use Gem’s high-fidelity threat detections to trigger end-to-end workflows within Torq’s platform, enabling more efficient threat response and investigation while providing a seamless experience for collaboration between SecOps and DevOps teams.
Our partnership is launching with numerous public workflows available for teams to use immediately. To illustrate how Gem and Torq work seamlessly together, we’ll discuss an example here.
Example Workflow: Handle Overly Permissive Azure Network Security Group (NSG) Modification
One of the most sensitive resources that Gem monitors in any cloud environment is the security group. Security groups are crucially important networking resources that control which entities are allowed to communicate.
Security group entities exist in all cloud platforms, but in the Microsoft Azure context they are referred to as Network Security Groups, or NSGs. Attackers frequently attempt to alter NSG settings to make them more permissive, granting themselves greater access to entities in the environment.
Gem monitors Azure Activity Logs in real time to detect any changes to NSG settings. When a potentially malicious change is detected, Gem will trigger an alert for the security operations team. It’s critical that the change be addressed as soon as possible, but the SOC team may not have the permissions to change security group settings. This can require a manual process in which the SOC team receives an alert and creates a ticket for the DevOps team to remediate. The security team is then left in the dark while the DevOps team investigates on their end before making any updates. Meanwhile, an attacker can be loose in the environment.
Enter Torq. This workflow begins with Gem delivering an alert, and ultimately drives an automated response that keeps both SecOps and DevOps in sync to address the threat.
Step 1: Detect
The workflow triggers when Gem detects that an Azure NSG has been created or modified to allow access from the public internet. When Gem’s alert triggers, the workflow immediately engages the DevOps team to begin remediation, sending a Slack message in the relevant DevOps channel. To keep the security team up to date, Torq also adds an event to Gem’s threat timeline, giving SOC analysts visibility that the request has been handed off to DevOps and is in process.
Step 2: Decide
The DevOps team can then decide whether automated remediation should take place. If they deny the automated step, security is notified: any comments the DevOps team makes to explain the denial are added to Gem’s threat timeline, enabling the security team to understand quickly why the decision was made and what subsequent actions are needed.
If they approve the remediation, security is also alerted with an update to the threat timeline within the Gem platform, and automated remediation begins.
Step 3: Respond
Through Torq, the workflow interacts directly with the Azure platform to delete the NSG access rules that allowed the suspicious access. Again, Torq keeps the relevant stakeholders up to date: updates on the remediation workflow are posted to the DevOps Slack channel. Once the offending rules have been removed, the workflow exits.
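The check behind Step 1 and the rule list Step 3 removes, as an added example that is not Gem's or Torq's code: it assumes the NSG is available in its Azure Resource Manager JSON shape (securityRules with direction, access and sourceAddressPrefix/sourceAddressPrefixes), and the sample NSG at the bottom is constructed.

```python
"""Flag Azure NSG inbound rules that admit traffic from the public internet.
Added example (not Gem's or Torq's code): takes an NSG document shaped like the
Azure Resource Manager representation and returns the rule names a remediation
step would delete. The sample NSG at the bottom is constructed."""
import ipaddress

# Source prefixes that mean "anyone on the internet": "*" and the Internet service
# tag are Azure spellings; 0.0.0.0/0 and ::/0 are the CIDR forms.
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}

def is_public_source(prefix: str) -> bool:
    """True if the prefix covers the whole address space (Azure tag or /0 CIDR)."""
    if prefix.strip().lower() in PUBLIC_SOURCES:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:  # other service tags such as VirtualNetwork are not public
        return False

def sources_of(props: dict) -> list:
    """Azure stores one prefix in sourceAddressPrefix or several in sourceAddressPrefixes."""
    single = props.get("sourceAddressPrefix")
    return [single] if single else props.get("sourceAddressPrefixes", [])

def overly_permissive_rules(nsg: dict) -> list:
    """Return names of Allow/Inbound rules reachable from the public internet."""
    flagged = []
    for rule in nsg.get("properties", {}).get("securityRules", []):
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue  # outbound or Deny rules do not widen exposure
        if any(is_public_source(s) for s in sources_of(p)):
            flagged.append(rule["name"])
    return flagged

# Constructed sample: SSH open to the world, HTTP scoped to private space, a catch-all Deny.
SAMPLE_NSG = {"name": "web-nsg", "properties": {"securityRules": [
    {"name": "allow-ssh-any", "properties": {"direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22", "priority": 100}},
    {"name": "allow-private-http", "properties": {"direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["10.0.0.0/8"], "destinationPortRange": "80", "priority": 110}},
    {"name": "deny-all-in", "properties": {"direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*", "priority": 4000}},
]}}

if __name__ == "__main__":
    print(overly_permissive_rules(SAMPLE_NSG))  # ['allow-ssh-any']
```

The returned names are what the Step 3 remediation would delete through the Azure API after DevOps approval; this example only evaluates the document and makes no Azure calls.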
Gem Co-Founder and VP Product, Ofir Brukner, noted that “our partnership with Torq allows SecOps and DevOps to work more closely together while lowering the amount of work they actually have to do. Gem automates cloud detection and response, while Torq automates the remediation processes and workflows that security teams need to respond effectively.”