
Knowing Your Defenses: Beyond a Vulnerability-Focused Approach to CTEM

  • April 17, 2025

The chaotic world of cybersecurity, where threats from nation-states, cyber gangs, botnet operators, and APT groups are real, has produced an extensive landscape of security tools and approaches for reducing risk. As organizations add more layers of defenses, it becomes increasingly difficult to answer the most basic security question quickly and accurately: "Can we defend against this threat actor? If not, what should we do about it?"

Different approaches aim for that level of understanding. One that has been around for decades is the vulnerability-centric model, where effort focuses on finding and closing vulnerabilities.

However, the growing volume and velocity of new vulnerabilities has led to a disturbing outcome: 56% of organizations report that their most recent data breach was caused by the exploitation of a known vulnerability that was not properly patched or addressed. As adversaries increasingly use AI to lower barriers to entry, building resilience to attacks is even more urgent. 

Shifting Perspectives with CTEM

Continuous Threat Exposure Management (CTEM) is capturing security leaders’ attention as a more holistic way to strengthen security posture. Gartner estimates the approach can help organizations reduce breaches by two-thirds in two years. 

CTEM is a set of processes that help organizations scope, discover, prioritize, validate, and mobilize to mitigate risk. It also draws on capabilities such as Threat-Informed Defense (TID) and Breach and Attack Simulation (BAS), which work together to advance a CTEM strategy.

As CTEM gains momentum, more vendors are entering the market with various approaches for initiating CTEM programs. Some focus on improving vulnerability prioritization. Vulnerability management still matters: addressing exploitable vulnerabilities relevant to the organization is part of good cyber hygiene. However, a bottom-up approach to CTEM that is wholly focused on which vulnerability to fix first does not give security teams a complete picture of whether they are actually protected against a specific threat actor.

Threat-Informed Defense Optimizes CTEM

Exploited vulnerabilities account for only 38% of initial access, which means other infection vectors carry a larger share of residual risk. In addition, security tools do not operate in a vacuum. It is important to understand what the combination of tools does in aggregate to mitigate the behaviors adversaries use to achieve their objectives, beyond the exploitation of vulnerabilities. Without that understanding, organizations may waste resources patching vulnerabilities whose exploitation they are already defended against.

In contrast to the tens of thousands of CVEs published every year, the MITRE ATT&CK® knowledge base consists of a few hundred techniques and sub-techniques and the adversaries known to use them. With ATT&CK as a foundation, TID focuses on the relatively small and stable number of ways adversaries go about their business, and uses that understanding to assess, shape, and test your defenses.

Rather than trying to boil the ocean of vulnerabilities, adopters of Threat-Informed Defense have a far more practical and sustainable means of organizing their defenses. By looking at the enterprise through the lens of the adversary, security teams gain critical insights to strengthen security posture. Having perspective into how a skilled adversary would use your enterprise’s resources against you provides a more accurate picture of whether you’re protected and, if not, what you can do about it.

Tidal Cyber’s Top-Down Approach to CTEM 

The three co-founders of Tidal Cyber, with strong roots in MITRE and in advancing ATT&CK and Threat-Informed Defense, formed the company for one simple reason: defenders need a practical and cost-effective way to operationalize CTEM. TID provides that advantage.

The Tidal Cyber platform addresses all five stages of CTEM: scoping, discovery, prioritization, validation, and mobilization. Our top-down approach helps teams organize their defenses and provides accurate answers fast. We overlay ATT&CK with additional intelligence and the enterprise's own security context at each stage:

Scoping

Provide a deeper understanding of which behaviors matter, and how much, by using sector-specific threat profiles, threat ecosystems (e.g., Clop), or general threats (e.g., ransomware) and weighted techniques to determine relative risk. Tidal Cyber integrates with ASM and CSPM to understand the full blast radius of vulnerabilities and misconfigurations, and extends traditional CTEM by evaluating risk through ATT&CK independently of any particular vulnerability.

Discovery

Map specific defenses, as they are actually configured in the environment, to the relevant adversary behaviors, each with its own impact on overall risk, to determine coverage. Tidal Cyber integrates with asset management solutions to improve granular visibility.

Prioritization

Integrate threat profiling with CTI providers and a Tidal Cyber curated, AI-powered threat knowledge base that extends ATT&CK. Users build a unified view of coverage in the context of their current security products, down to the granularity of hundreds of capabilities in each product, and calculate a confidence score for visibility into how their defenses protect against these risks.

Validation

Provide out-of-the-box visibility into expected performance against prioritized threats, and automatically generate recommendations to reduce residual risk by optimizing existing defenses or suggesting new tools where warranted. Continuously updated BAS integrations let you refine assumptions for more accurate future assessments.

Mobilization

Continuously update coverage maps, confidence scores, and priorities as threats and defensive capabilities evolve. The Tidal Cyber Recommendation Engine draws on a deep understanding of products and community content to identify the most effective ways to decrease threat exposure.
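The five stages above describe a scoring loop: weight techniques by a threat profile, map configured defenses to those techniques, combine them into per-technique coverage, compute residual risk, and rank the changes that reduce it most. The following is an added example written for this article to make that loop concrete; it is not Tidal Cyber's platform or scoring model. The technique IDs are real ATT&CK Enterprise IDs, but the threat-profile weights, the defensive stack, the per-capability confidence values, and the noisy-OR combination rule are all assumptions constructed for illustration.

```python
"""Weighted ATT&CK coverage scoring (constructed example, not Tidal Cyber code).

Flow: threat profile (scoping) -> capabilities mapped to techniques
(discovery) -> per-technique coverage (prioritization) -> residual risk
(validation) -> dormant capabilities ranked by risk reduction (mobilization).
All weights, confidences and the combination rule are assumptions.
"""
from dataclasses import dataclass, replace

# Technique IDs are real ATT&CK Enterprise IDs. Weights (0-1) are constructed
# to stand in for a ransomware-oriented threat profile: how much the behaviour
# matters to this organisation, independent of any CVE.
THREAT_PROFILE = {
    "T1566": ("Phishing", 0.9),
    "T1190": ("Exploit Public-Facing Application", 0.8),
    "T1078": ("Valid Accounts", 0.7),
    "T1059": ("Command and Scripting Interpreter", 0.7),
    "T1021": ("Remote Services", 0.5),
    "T1486": ("Data Encrypted for Impact", 0.9),
}


@dataclass(frozen=True)
class Capability:
    """One configurable feature of a deployed product, mapped to the techniques
    it detects or prevents with an assumed confidence (0-1)."""
    product: str
    name: str
    techniques: dict  # technique_id -> confidence that the technique is covered
    enabled: bool = True


# Constructed defensive stack: three features are deployed but dormant.
DEFENSIVE_STACK = [
    Capability("EDR", "Behavioural process monitoring", {"T1059": 0.8, "T1486": 0.6}),
    Capability("Email gateway", "Attachment sandboxing", {"T1566": 0.7}),
    Capability("Firewall", "Internal segmentation policy", {"T1021": 0.5}),
    Capability("IdP", "Phishing-resistant MFA", {"T1078": 0.8, "T1566": 0.5}, enabled=False),
    Capability("WAF", "Virtual patching rule set", {"T1190": 0.6}, enabled=False),
    Capability("EDR", "Ransomware rollback", {"T1486": 0.7}, enabled=False),
]


def technique_coverage(stack, profile=THREAT_PROFILE):
    """Combine enabled controls per technique with a noisy-OR (assumes the
    controls fail independently): coverage = 1 - prod(1 - confidence_i)."""
    coverage = {tid: 0.0 for tid in profile}
    for cap in stack:
        if not cap.enabled:
            continue
        for tid, conf in cap.techniques.items():
            if tid in coverage:
                coverage[tid] = 1.0 - (1.0 - coverage[tid]) * (1.0 - conf)
    return coverage


def residual_risk(stack, profile=THREAT_PROFILE):
    """Weighted uncovered exposure: sum(weight * (1 - coverage))."""
    cov = technique_coverage(stack, profile)
    return sum(w * (1.0 - cov[tid]) for tid, (_, w) in profile.items())


def exposure_ratio(stack, profile=THREAT_PROFILE):
    """Residual risk as a fraction of the profile's total weight (0 = fully covered)."""
    return residual_risk(stack, profile) / sum(w for _, w in profile.values())


def coverage_gaps(stack, threshold=0.5, profile=THREAT_PROFILE):
    """Techniques whose coverage is below threshold, highest weight first."""
    cov = technique_coverage(stack, profile)
    gaps = [(tid, name, w, cov[tid])
            for tid, (name, w) in profile.items() if cov[tid] < threshold]
    return sorted(gaps, key=lambda g: g[2], reverse=True)


def rank_dormant(stack, profile=THREAT_PROFILE):
    """Rank each disabled capability by how much residual risk drops if it
    alone is switched on: the recommendation step."""
    base = residual_risk(stack, profile)
    ranked = []
    for i, cap in enumerate(stack):
        if cap.enabled:
            continue
        trial = list(stack)
        trial[i] = replace(cap, enabled=True)
        ranked.append((cap.product, cap.name, base - residual_risk(trial, profile)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print(f"residual risk {residual_risk(DEFENSIVE_STACK):.2f} "
          f"({exposure_ratio(DEFENSIVE_STACK):.0%} of weighted exposure uncovered)")
    for tid, name, w, c in coverage_gaps(DEFENSIVE_STACK):
        print(f"gap    {tid} {name}: weight {w}, coverage {c:.2f}")
    for product, name, delta in rank_dormant(DEFENSIVE_STACK):
        print(f"enable {product} / {name}: residual risk -{delta:.2f}")
```

Two points a practitioner should check before trusting a score like this. First, the confidence values must reflect the control as configured, not as the vendor's datasheet claims it; the dormant entries exist precisely because a deployed but disabled feature contributes nothing. Second, the noisy-OR treats controls as independent, which overstates coverage when two controls share a blind spot (for example, two detections that both depend on the same log source); BAS results are the natural way to replace assumed confidences with observed ones.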

Multiplier Effect

Compared to simply improving vulnerability prioritization, approaching CTEM from the foundation of TID is a force multiplier. It provides a complete picture of risk and of how an organization's diverse security resources strengthen its posture against all relevant adversary behaviors. In the process it also saves time and money by delivering:

Improved ROI from existing defenses: Tidal Cyber's platform continually helps customers maximize the return on each of their tools by rank-ordering every dormant capability by its impact on residual risk.

Economic and security benefit from multiple use cases: Tidal Cyber users hail from very diverse roles within the security and risk management departments of an enterprise. CTI analysts, security architects, threat hunters, detection engineers, red teams, and compliance analysts each use the Tidal Cyber platform to save time and costs while reducing risk to the business.

Immediate value that grows with usage: Our ease of onboarding accelerates time to value. Users can configure integrations in minutes and immediately get recommendations on how to improve their security posture. And our usage-based pricing lets you get started at the level of commitment and adoption that fits your needs today and grow over time.

We’re happy to show you how Tidal Cyber delivers value to CTEM programs so that you can build resilience to the threats that matter to your business.

