CTEM consists of multiple processes to help organizations scope, discover, prioritize, validate, and mobilize to mitigate risk. It also includes capabilities like Threat-Informed Defense (TID) and Breach and Attack Simulation (BAS) that work together to advance your CTEM strategy.
Gartner defines continuous threat exposure management (CTEM) as a pragmatic and systemic approach organizations can use to continually evaluate the accessibility, exposure, and exploitability of digital and physical assets, and prioritize security investments accordingly. CTEM is capturing security leaders’ attention as Gartner estimates the approach can help organizations reduce breaches by two-thirds in two years.
CTEM is gaining momentum, and we see a variety of ways vendors are focused to help organizations initiate CTEM programs. One bottom-up approach is detection engineering.
Ensuring detections are up to date and effective while optimizing resources is a challenge for detection engineers. Tools that measure detection coverage and health, and that help use data effectively for SIEM optimization, help detection engineers understand whether the right detections are firing and where data inconsistencies are causing detection errors. But what if a detection isn’t relevant because you have other controls in place, or if the threat isn’t a priority for the organization?
Focusing exclusively on detections to address exposure management doesn’t provide an understanding of overall risk, or of whether detection engineers are focusing their limited resources on what matters. Both pieces of information are crucial for prioritizing security investments and reducing breaches, promises of CTEM that are encompassed in a Threat-Informed Defense approach.
Threat-Informed Defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses (Source: MITRE Engenuity). It is grounded in the MITRE ATT&CK® knowledge base of adversaries’ tactics, techniques, and procedures (TTPs). This relatively small and stable set of behaviors (compared to the number of IOCs and vulnerabilities in the wild) is the actual set of weapons adversaries use against organizations, once inside the network, to inflict damage.
As shown below, TID is a continuous feedback loop of three pillars: Cyber Threat Intelligence (CTI), Testing & Evaluation, and Defensive Measures, all working together to iteratively improve your defenses against the threats that matter and evolve quickly as new threats emerge.
Because the three co-founders of Tidal Cyber worked at MITRE, advancing ATT&CK and TID, we approach CTEM through TID, which allows us to support all five stages of CTEM – scoping, discovery, prioritization, validation, and mobilization. Getting to a holistic assessment of residual risk requires critical threat and defensive intelligence structured against ATT&CK. Our top-down approach to CTEM saves time and costs for a diverse set of users within the security and risk management departments of an enterprise, while improving their effectiveness.
Tidal Cyber’s automation-driven approach helps teams quickly identify coverage gaps, focus on the security enhancements that matter most, and validate their effectiveness.
In the case of detection engineering, Tidal Cyber has proven to drive significant efficiency gains such as:
And that is the value for just one team within an organization using the Tidal Cyber Platform. In addition to detection engineers, CTI analysts, security architects, threat hunters, red teams, and compliance analysts each use the Tidal Cyber platform to save time and costs while reducing risk to the business.
Each of these roles finds independent value in Tidal Cyber, but the value doesn’t stop there. Organizations derive even more value as their CTEM maturity grows and additional teams start to use Tidal Cyber. For example, a threat-informed detection engineering program will prioritize detections based on the threat profile, but knowledge of what threats the threat hunting team has recently discovered will make that prioritization all the better. Similarly, knowledge of new detections available from detection engineering will help security architects make more informed recommendations to optimize the defensive stack.
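The prioritization logic described above (weight each ATT&CK technique by the adversaries in your threat profile, subtract what detections and compensating controls already cover, and let threat-hunting findings raise the weight of techniques actually observed in the environment) can be made concrete in a few dozen lines. The following is an added illustration written for this page, not Tidal Cyber’s code or data model: the group names, technique-to-adversary mapping, detection inventory, health scores and the additive scoring scheme are all constructed placeholders, not real ATT&CK content.

```python
"""Threat-informed detection prioritization, as an added worked example.

All data below is constructed for illustration. The technique IDs follow the
ATT&CK ID format but the mappings to adversary groups are placeholders, not
real intelligence.
"""
from collections import Counter

# Hypothetical threat profile: tracked adversary groups -> techniques they use.
THREAT_PROFILE = {
    "GROUP-A": ["T1059.001", "T1566.001", "T1003.001", "T1021.001"],
    "GROUP-B": ["T1059.001", "T1566.001", "T1486", "T1021.001"],
    "GROUP-C": ["T1566.002", "T1003.001", "T1486"],
}

# Hypothetical detection inventory: rule name -> (technique, health 0..1).
# Health below 1.0 models a detection degraded by inconsistent data sources.
DETECTIONS = {
    "ps_encoded_cmdline": ("T1059.001", 1.0),
    "lsass_access": ("T1003.001", 0.4),
    "phish_attachment": ("T1566.001", 1.0),
}

# Compensating controls that remove exposure even where no detection exists.
COMPENSATING_CONTROLS = {"T1021.001": "RDP blocked at perimeter (constructed)"}

# Constructed weighting: each technique a hunter observed counts as extra evidence.
HUNT_BONUS = 2


def technique_weights(profile):
    """Count how many tracked adversaries use each technique."""
    return Counter(t for techs in profile.values() for t in techs)


def coverage(detections):
    """Best effective detection health per technique (max over its rules)."""
    cov = {}
    for _name, (tech, health) in detections.items():
        cov[tech] = max(cov.get(tech, 0.0), health)
    return cov


def prioritize(profile, detections, controls, hunt_findings=frozenset()):
    """Rank techniques by residual exposure = weight * (1 - coverage).

    A compensating control zeroes the exposure of its technique. Returns a list of
    (technique, weight, coverage, exposure) tuples, highest exposure first, ties
    broken by technique ID so output is deterministic.
    """
    weights = technique_weights(profile)
    cov = coverage(detections)
    ranked = []
    for tech in set(weights) | set(hunt_findings):
        w = weights.get(tech, 0) + (HUNT_BONUS if tech in hunt_findings else 0)
        c = cov.get(tech, 0.0)
        exposure = 0.0 if tech in controls else w * (1.0 - c)
        ranked.append((tech, w, c, exposure))
    ranked.sort(key=lambda r: (-r[3], r[0]))
    return ranked


if __name__ == "__main__":
    # Run once without and once with a (constructed) threat-hunting finding.
    for findings in (frozenset(), frozenset({"T1566.002"})):
        print(f"hunt findings: {sorted(findings) or 'none'}")
        for tech, w, c, e in prioritize(THREAT_PROFILE, DETECTIONS,
                                        COMPENSATING_CONTROLS, findings):
            print(f"  {tech:10} weight={w} coverage={c:.1f} exposure={e:.1f}")
```

In the first run the top of the list is a technique with no detection at all (T1486), followed by one whose only detection is unhealthy (T1003.001); the well-covered and control-mitigated techniques fall to zero exposure, which is the "is this detection still relevant?" question from earlier in the post answered with data. Adding the hunt finding moves T1566.002 to the top, showing how one team's observations sharpen another team's priorities.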
Tidal Cyber provides a holistic assessment of your risk and how to optimize each of your security resources to improve security while saving time and money. Let us show you how we turn weeks of work into just minutes for the diverse teams that make up your security and risk management practices.