Core to Tidal Cyber’s mission is empowering organizations big and small to adopt threat-informed defense and giving them confidence that they are prepared to defend themselves against the threats that are most likely to target them. In addition to Tidal’s threat-informed defense platform, we also offer services designed to help accelerate an organization’s adoption of threat-informed defense.
The Tidal Threat-Informed Assessment works with the customer to understand their processes, threats, and solutions. A key aspect of any assessment is understanding how solutions map to MITRE ATT&CK®, both from a capability and data perspective. Transparency around ATT&CK is often challenging, simply because the right questions aren’t being asked. Tidal utilizes its deep expertise and relationships with solution providers to improve this transparency, and we then develop your custom Tidal Confidence Score™ to let you know exactly where you stand. Finally, utilizing your as-is state, Tidal leverages its large knowledge base of defensive solutions to identify near-term improvements to increase your Confidence Score. At the conclusion of the engagement, you can consider yourself threat-informed, and in a position to continually evolve and improve your defenses.
As ATT&CK gained in popularity, this stoplight chart became a primary use case and gained a formal name, “ATT&CK Coverage.” ATT&CK Coverage was used to describe everything from vendor capabilities (as talked about in our Product Registry announcement blog and subsequent “We Got This Covered” fireside chat series) to an entire enterprise’s security stack.
With this effective communication device came misuse and overgeneralization. Users and marketing alike started to strive for “all green”, so they could declare the problem solved. This is an overly aggressive goal to shoot for, for multiple reasons. There are simply too many ever-changing techniques and variations, and so-called procedures, to make “all green” credible. Additionally, what is the right level of defense? What “green” means comes into question, and even in the best of circumstances delivers a false sense of security.
This doesn’t mean ATT&CK Coverage visualizations and calculations aren’t useful. They are still effective, as they always have been, at summarizing how your defenses align to your threats at a high level and showing where you have gaps and where you have strengths. But you need to strike the balance between over-generalization and diminished value on accuracy. Figuring out the balance can be hard, and this is a main driver for why we founded Tidal Cyber.
The challenge with existing methods of measuring coverage is that there is a lack of granularity. Coverage isn’t as simple as yes or no, green or red. Instead, we need to look at your defense in-depth and take into account what threats matter more than others.
When Tidal looks at coverage, we look at it through the lens of confidence. This confidence needs to be driven by the capabilities you have, the data you are collecting, and the tests that you are running. It must recognize that all techniques are not created equal, let alone every threat. In that same vein, not every technique needs a protection capability, let alone an alert or detection.
We are working to move beyond the infamous ATT&CK stoplight chart and instead give it depth and context with a confidence score that provides clear understanding and actionable results. It’s your way of tracking your threat-informed progress, ensuring recommendations are meaningful to address your gaps, and understanding the relative value of the solutions you have towards defending your organization against the threats most relevant to you.
At Tidal, our mission is to make threat-informed defense both practical and sustainable. This means giving users the tools and the data they need so that they can understand what threats matter to them, how they are able to defend against them, and what they can do to improve. Practical and sustainable are key words. We want to make ATT&CK more accessible and coverage mean something to the end user.
Requiring everyone to be an expert in ATT&CK to leverage the benefits of threat-informed defense isn’t practical. At Tidal, we offer both services and products that will help organizations improve their ability to be threat-informed, but that’s only part of our mission. We also want to be able to help the global user community extend the great things that ATT&CK and its practitioners have been doing for years. We created the Tidal Platform and the Tidal Product Registry™ to help users and enterprises adopt threat-informed defense, and now our Threat-Informed Assessments will help organizations jump start their threat-informed defense journey.