Tidal Cyber Blog

Bringing Rigor to CTEM with Threat-Informed Defense

Written by Frank Duff | Apr 9, 2025 2:00:00 PM

While vulnerability management is an essential part of good cyber hygiene, it isn’t the only defense necessary against threat actors. Even if organizations could keep all their systems patched, exploited vulnerabilities are only responsible for 38% of initial access, which means other infection vectors such as phishing, website compromise, or other common methods represent higher levels of residual risk.

To tackle the residual risk, more than a decade ago a growing community began working to understand how cyber adversaries achieve their objectives beyond the use of vulnerabilities. A driving force has been the MITRE ATT&CK® knowledge base of adversaries’ tactics, techniques, and procedures (TTPs). This relatively small and stable set of behaviors, compared with the tens of thousands of CVEs released each year, is the actual set of weapons adversaries use against organizations, both to get in and, once inside the network, to inflict damage.

Optimizing your defenses to protect against these adversary behaviors is an approach called Threat-Informed Defense (TID).

At a high level, Threat-Informed Defense is about understanding if the defenses deployed in an environment are protecting the organization against threats that matter to them and, if not, providing recommendations for how to reduce the risk to an acceptable level. Getting to a reliable view of residual risk requires critical threat and defensive intelligence structured against ATT&CK.

TID is part of a broader strategy that Gartner refers to as Continuous Threat Exposure Management (CTEM). CTEM has been capturing security leaders’ attention since Gartner estimates the strategy can help organizations reduce breaches by two-thirds over the next two years. CTEM comprises multiple processes and capabilities including Threat-Informed Defense that work together to advance your defenses.

Bringing Rigor to CTEM

Because the three co-founders of Tidal Cyber worked at MITRE to advance ATT&CK and Threat-Informed Defense, we approach CTEM through TID, allowing us to support all five stages of CTEM – scoping, discovery, prioritization, validation, and mobilization. Our breadth and depth of coverage, through our own capabilities enriched with a few tactical integrations, enables us to complete the CTEM circle and provide customers with a holistic assessment of residual risk. We build on our foundation in ATT&CK to organize critical threat and defensive intelligence for prioritization and detailed coverage maps.

Our approach to CTEM delivers a level of technical rigor and precision that stands out in the industry. The Tidal Cyber Platform provides security operators with the information they need in minutes to gain confidence in their defenses and save their organizations time and money. 

What Are the Most Important Criteria?

Threat Intel Depth, Transparency, and Flexibility
Threat-Informed Defense starts with the threat. It’s hard to put much stock in a solution with a shallow approach to cyber threat intelligence (i.e., lacking third-party integration, no ability to add your own, and limited attribution). 

Tidal Cyber continually collects, evaluates, and maps open-source intel, and integrates with customer-provided threat intel and multiple threat intel providers to provide the most complete view of the threat possible. Our reinforced commitment and expanded use of AI-driven threat behavior mapping to ATT&CK techniques takes this even further, dramatically cutting the time and expertise requirements to process threat intelligence.

Given that ATT&CK is only updated twice per year, you need Tidal Cyber to deliver a continually updated picture of new TTPs, whether from our own intel or your existing third-party threat intel feeds. We make this threat intel available to customers in a searchable and cross-referenced knowledge base that enables customers to report at any level of detail on who and what they are defending against. Reflecting attackers’ ability to shift targets and tactics quickly, we use threat profiles to automatically prioritize and reprioritize behaviors based on reported threat activity and relevance to the organization. 

Defensive Mapping That Leverages Granular Product Capability Analysis
Leading security solution products often have a thousand or more distinct defensive capabilities. We differentiate ourselves by being transparent, enabling customers to review mapping at a deep level and have greater confidence in scoring. For example, Tidal Cyber’s granular visibility into existing coverage, gaps, and vendor contributions has been shown to increase detection coverage measurement productivity by 10X and strengthen threat coverage by minimizing redundant efforts and prioritizing high-impact detections to build.

We know what capabilities are native to each product and what those capabilities do (i.e., mitigate, protect, detect, log, respond, test). We assign a level of risk reduction to each capability based on the capability type. Tidal Cyber integrates our platform via API with a customer’s security platforms to pull configuration data that lets us know which of those thousands of capabilities are configured “on,” and which are still dormant. Because our subject matter experts hail from MITRE and know ATT&CK inside and out, we know which adversary techniques and sub-techniques are mitigated by each of those capabilities (typically several techniques per capability).

Prioritized recommendations based on real-time residual risk
Since TTPs continually evolve and there are always many dormant capabilities, it is essential to know which capability to add first/next based on their ability to maximize the reduction of residual risk. Tidal Cyber continually rank-orders hundreds of dormant capabilities. When a customer’s or our threat intel changes, we immediately reflect that knowledge in the prioritization of which dormant capability to enable. 

Validation with Security Validation Tool Integrations
Tidal Cyber integrates with BAS test results and can also ingest results from red team testing. BAS tools provide an important baseline function because they test and validate that security controls are working against threat intelligence available in ATT&CK. 

Tidal Cyber is in the unique position of being able to provide customers with a dashboard view of which attacker behaviors have high confidence scores for prevention but are failing tests, which may indicate a control failure. Tidal Cyber enables you to drill down into BAS test result details and pinpoint where in the source tool to diagnose and take action. As customers turn on dormant capabilities, testing programs validate that they are reducing residual risk to the level expected.  
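The scoring sketched in the two sections above, as an added illustration that is not Tidal Cyber’s own model or code: a threat profile weights ATT&CK techniques, each capability type carries an assumed risk-reduction weight, capabilities are enabled or dormant, dormant capabilities are ranked by the marginal residual-risk reduction they would deliver, and a BAS cross-check flags techniques the model scores as well covered but whose tests fail. All capability names, technique weights and test results are constructed.

```python
# Constructed toy model; weights and capabilities are assumptions, not Tidal's data.

# Assumed risk reduction per capability type (fraction of a technique's risk removed).
TYPE_WEIGHT = {"mitigate": 0.5, "protect": 0.4, "detect": 0.3, "log": 0.1}

# Constructed threat profile: ATT&CK technique ID -> relevance weight (0..1).
THREAT_PROFILE = {"T1566": 0.9, "T1059": 0.8, "T1190": 0.4, "T1021": 0.6}

# Constructed capability inventory: name -> (type, enabled?, techniques covered).
CAPABILITIES = {
    "mail-attachment-sandbox": ("protect", False, ["T1566"]),
    "script-block-logging":    ("log",      True,  ["T1059"]),
    "app-control":             ("mitigate", False, ["T1059", "T1021"]),
    "waf":                     ("protect",  True,  ["T1190"]),
    "lateral-movement-detect": ("detect",   False, ["T1021"]),
}

# Constructed BAS results: technique -> did the test pass (control blocked/detected it)?
BAS_RESULTS = {"T1190": False, "T1059": False, "T1566": False}

def enabled_set():
    return {n for n, (_, on, _) in CAPABILITIES.items() if on}

def coverage(tech, enabled):
    """Modeled fraction of `tech` risk removed by the enabled capabilities.
    Layers are treated as independent, so reductions multiply rather than add."""
    unmitigated = 1.0
    for name in enabled:
        ctype, _, techs = CAPABILITIES[name]
        if tech in techs:
            unmitigated *= 1.0 - TYPE_WEIGHT[ctype]
    return 1.0 - unmitigated

def residual_risk(enabled):
    """Threat-weighted residual risk across the whole profile."""
    return sum(w * (1.0 - coverage(t, enabled)) for t, w in THREAT_PROFILE.items())

def rank_dormant():
    """Dormant capabilities ordered by how much residual risk enabling each would remove."""
    base = enabled_set()
    now = residual_risk(base)
    gains = {n: now - residual_risk(base | {n})
             for n, (_, on, _) in CAPABILITIES.items() if not on}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)

def suspected_control_failures(bas_results, min_coverage=0.3):
    """Techniques modeled as well covered that still fail BAS: a likely control failure,
    unlike a failed test on a technique the model already shows as a gap."""
    base = enabled_set()
    return [t for t, passed in bas_results.items()
            if not passed and coverage(t, base) >= min_coverage]
```

With these constructed values the ranking puts app-control first (it covers two weighted techniques), and only T1190 is flagged as a suspected control failure, since the failed tests on T1059 and T1566 land on techniques the model already shows as barely covered.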

A Uniquely Practical and Cost-Effective Path Forward 

Tidal Cyber was founded for one simple reason—a strongly held belief that defenders need a practical and cost-effective way to operationalize Threat-Informed Defense. This mission drives many of the important deployment and delivery advantages of the Tidal Cyber Platform versus other approaches to CTEM.

Improved ROI from Existing Defenses
Tidal Cyber’s platform continually ensures that our customers are maximizing their return on investment from each of their tools because we rank order every dormant capability by its impact on residual risk and integrate with tools to validate the efficacy. Additionally, our BAS integration can reveal fully working security controls that customers may not have realized they had, or at least weren’t modeled in their defensive stack, in order to make sure they are accurately and fully represented.

Economic and Security Benefit from Multiple Use Cases
Tidal Cyber users have very diverse roles within the security and risk management departments of an enterprise. CTI analysts, security architects, threat hunters, detection engineers, red/purple teams, and compliance analysts each use the Tidal Cyber Platform to save time and costs while reducing risk to the business.

Ease of On-Boarding and Getting Started
Customers can self-service configure integrations in minutes and immediately get recommendations on how to improve security posture.

Tidal Cyber offers the flexibility to analyze and report on your security posture at any level of detail. You can align on your organizational structure, geography, platform, or any other way you want to look at your security posture and change how you organize your analysis over time. 

Tidal Cyber’s usage-based pricing lets you begin with the level of commitment and adoption that fits your needs now and then grow when you need to – perhaps small and coarse-grained at first and then move to a more fine-grained approach in the future.

Isolated Tenant Architecture and Security Assurance
Each Tidal Cyber customer has their own single-customer tenant, providing the greatest protection possible against cross-customer data leaks. A CTEM dataset is essentially an analysis of the castle’s own defenses and their gaps, so strong data protection mechanisms must be in place.

Let Us Prove the Value

The combination of technical rigor and precision Tidal Cyber brings to CTEM and Threat-Informed Defense with our practical and cost-effective approach to deployment makes the Tidal Cyber Platform stand out. The result? Threat analysis goes from weeks to minutes per TTP, allowing users to focus on what to do about the results of the assessment vs. manually performing the assessment for each new threat. Security teams are able to quickly identify many TTP exposures they were unaware of and unused capabilities from their current security stack that can be used to defend those gaps immediately.