
Optimize Your Security Budget and Improve Security with Threat-Informed Defense

  • March 20, 2025

I’ve been on the road lately asking security leaders how their teams reply to the question: Can we defend our most valuable information assets against techniques known to be used by this threat actor, and, if not, what can we do about it?  

Answering this question quickly and with confidence is at the core of what security teams are paid to do. However, the cyber risk analysis required to answer this basic question is too costly for all but the most well-resourced security teams. 

The current time-intensive analysis process in detail:

  • Security professionals first need to understand which adversaries are targeting the organization and which techniques matter. It’s a complicated process of sifting through layers of cyber threat intelligence (CTI) to understand which of the hundreds of techniques the adversary uses and prioritizing the techniques based on how impactful they are. (1-2 Days)
  • On the defense intelligence side, they need to understand which tools in their security stack can defend against those techniques. This involves researching each tool, its level of efficacy against those techniques, and whether the tool is configured to leverage that capability. (5-10 Days)
  • The third step is comparing coverage against all techniques the adversary uses to identify and prioritize gaps to fill based on residual risk levels. (1 Day)
  • Finally, the team runs through “what if” scenarios to determine if there are options to close those gaps with existing tools, or if there are other tools they need to purchase. The scenarios are evaluated based on the residual risk and implemented to close the gap and bring risk down to an acceptable level. (10-20 Days)

Time Is Money

Assuming you have a CTI team to kick off the process, the best-case scenario is that a security team can deliver an answer in 17-33 days. But time is money, and a simple back-of-the-envelope analysis reveals the costs are prohibitive:

$100/hour x 17-33 days x 8 hours/day x 50 threats = $680,000 - $1,300,000

Not only that – the analysis must be repeated as threats evolve, updated for new products and feature releases, and revisited at least annually.

Most security leaders simply can’t afford to make that level of investment each year, even if it’s a requirement for us to do our jobs well. And with more than half of CISOs surveyed anticipating budget increases of less than 5% this year, teams can’t look for relief there.

We need a different approach that helps us stop wasting time and money in a resource-constrained environment, and answer this perfectly reasonable question with a high degree of confidence.

Save With Threat-Informed Defense 

Threat-Informed Defense automates the process, shrinking weeks of work into minutes to get answers fast and save money. Here’s how Tidal Cyber delivers Threat-Informed Defense:

Organize: We begin by organizing your threat and defensive intelligence with a few clicks, using the same hierarchical structure as the MITRE ATT&CK framework. On the threat intelligence side, the ATT&CK knowledge base is the foundation for how we categorize threats, supplemented with additional threat intelligence the Tidal platform ingests. We create threat profiles specific to your sector and weight techniques based on relevant risks to you. 

On the defensive intelligence side, we maintain a granular database of the capabilities within security platforms that can impact your risk. Stacking defenses calculates cumulative risk reduction on a technique-by-technique basis.

As CTI and security products are added or updated, threat profiles and Defensive Stack capabilities are automatically updated to provide the individual and aggregate impact of your tools on relevant risk. In this first phase alone, Threat-Informed Defense eliminates tens of hours of expensive analyst grunt work each time the question is asked.

Synthesize: Aligning threat profiles and Defensive Stacks by techniques makes it easy to create Coverage Maps to illuminate your ability to defend against a given technique, campaign, adversary group, or portfolio of adversary groups. With a few clicks you get a clear and granular view of where risk exists, where it can be effectively mitigated, where there’s work left to do, and even where there’s overlap.

Operationalize: Our Recommendation Engine identifies best actions to take. Investigating the capabilities within your existing stack and prospective security tools, it can suggest in minutes whether to turn on a configuration in an existing tool to fill a gap or consider a new tool to add to your stack. Every time a threat changes or a capability in the defensive stack changes, not only does the coverage map recalculate, but the priorities of which capabilities to add next also change, automatically.
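
A minimal sketch of the Organize, Synthesize and Operationalize steps described above, added here as an illustration; it is not Tidal Cyber's code or scoring model. The product names, technique weights and efficacy values are constructed, and treating stacked capabilities as independent layers (residual = weight × product of (1 − efficacy)) is an assumption.

```python
# Added illustration: constructed data and an assumed scoring model.
from math import prod

# Threat profile: ATT&CK technique ID -> weight (relevance to the organization, 0-1).
THREAT_PROFILE = {"T1566": 0.9, "T1059": 0.8, "T1486": 1.0, "T1078": 0.7}

# Defensive stack of hypothetical products. Each capability is
# (technique, assumed efficacy 0-1, whether it is currently turned on).
STACK = {
    "mail_gateway": [("T1566", 0.7, True)],
    "edr": [("T1059", 0.6, True), ("T1486", 0.8, False), ("T1566", 0.3, True)],
    "idp": [("T1078", 0.5, False)],
}

def residual(technique, stack):
    """Weighted residual risk from enabled capabilities (independence assumed)."""
    effs = [e for caps in stack.values() for t, e, on in caps
            if t == technique and on]
    return THREAT_PROFILE[technique] * prod(1 - e for e in effs)

def coverage_map(stack):
    """Per technique: residual risk, covering tools, and whether tools overlap."""
    rows = {}
    for tech in THREAT_PROFILE:
        tools = [name for name, caps in stack.items()
                 if any(t == tech and on for t, _, on in caps)]
        rows[tech] = {"residual": round(residual(tech, stack), 3),
                      "tools": tools, "overlap": len(tools) > 1}
    return rows

def recommendations(stack):
    """Rank disabled capabilities by the weighted risk that enabling each removes."""
    recs = []
    for name, caps in stack.items():
        for tech, eff, on in caps:
            if not on:
                # Enabling scales the residual by (1 - eff), so the gain is residual * eff.
                recs.append((round(residual(tech, stack) * eff, 3), name, tech))
    return sorted(recs, reverse=True)

if __name__ == "__main__":
    for tech, row in sorted(coverage_map(STACK).items(),
                            key=lambda kv: -kv[1]["residual"]):
        print(tech, row)
    for gain, tool, tech in recommendations(STACK):
        print(f"enable {tool} capability for {tech}: risk reduction {gain}")
```

Changing a weight or flipping a capability's enabled flag and rerunning shows how both the coverage map and the ranking of next actions shift together.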

The Payoff

Threat-Informed Defense looks at your enterprise from the perspective of the adversary and gives you critical insights into how to prioritize your security operations and investments. Whether you’re: 

  • Answering the “threat question of the day” accurately and quickly
  • Identifying opportunities to save money by eliminating redundancies and retiring tools  
  • Justifying additional investments in tools or processes to fill a gap when all other methods have been exhausted

With Tidal Cyber, you have an affordable way to understand if your defenses are good enough and, if not, what more you can do. For the first time, you also have a real-time, reliable view of residual risk you can use to inform and influence budget discussions. 

