With so many different market segments in the security industry, some overlap and confusion is inevitable, particularly with newer segments like Breach and Attack Simulation (BAS) and Threat-Informed Defense, a subset of Continuous Threat Exposure Management (CTEM).
We often have this sort of conversation with security leaders hearing about Tidal Cyber for the first time:
Leader: “Are you a Breach and Attack Simulation (BAS) product?”
Tidal: “Tidal is not a BAS, but we help you get the most out of your BAS and all your other security product investments.”
Leader: “I have a BAS and it tells me MITRE ATT&CK® coverage, why do I need Tidal?”
Tidal: “Tidal provides an overview of your ENTIRE defensive stack (including but not limited to testing and evaluation tools), integrates cyber threat intelligence, provides insight and a confidence score for your entire security program and tracks its change over time, and makes recommendations on what to do next to improve your defenses based on the threats that matter to you most.”
Leader: “Oh I see, let’s talk more!”
Read on to see why BAS tools and Tidal both play a critical role in a mature Threat-Informed Defense program.
What is Threat-Informed Defense?
Threat-Informed Defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses (Source: MITRE Engenuity). As shown below, it is a continuous feedback loop of three pillars: Cyber Threat Intelligence (CTI), Testing & Evaluation, and Defensive Measures, all working together to iteratively improve your defenses against the threats that matter and evolve quickly as new threats emerge.
Figure 1 - Threat-Informed Defense Continuous Feedback Loop. Source: MITRE Engenuity
What is Breach and Attack Simulation?
Breach and Attack Simulation (BAS) tools are part of the Testing & Evaluation pillar of Threat-Informed Defense. BAS tools execute tests in an effort to validate your security controls. They offer higher fidelity than purely analysis-based evaluation, and broader coverage than human-powered penetration testing and red teaming. BAS tools take some of what is done in these more manual exercises and productize it, so that a broader range of attack simulations can be run against an environment repeatedly. BAS tools also have dashboards and analysis to report on the state of test results and how your results are changing (hopefully improving!) over time.
What is Tidal Cyber Enterprise Edition?
Tidal Cyber Enterprise Edition coordinates all three pillars of Threat-Informed Defense in a single platform. It provides a comprehensive threat-informed score of how well your entire defensive stack protects against the tactics, techniques, and procedures (TTPs) of concern to your organization in the MITRE ATT&CK framework -- even pre-attack reconnaissance and resource development, as well as techniques that would be too destructive to test. These TTPs can be organized into Threat Profiles. Tidal provides and maintains out-of-the-box threat profiles for many industry verticals, and users can add to them and create their own threat profiles from scratch.
Tidal uses mappings of product capabilities to attacker TTPs -- including the tests run by BAS tools -- to quickly identify and score each behavior. Tidal has integrations with many security products to refine the default mappings based on how you’ve configured that product in your environment, which may differ from the default settings. Tidal also has integrations with CTI products through our “Get CTI” integration to augment the intel Tidal already provides on top of the MITRE ATT&CK knowledge base.
Why are BAS tools and Tidal useful together?
Tidal Cyber Enterprise Edition provides a comprehensive view of your security program and the configuration of all your security tools. This deep understanding of the threat landscape can tell you what tests to prioritize running, what your expected outcomes are, and what your test results mean to your greater security posture.
Also, Tidal can help you speed up the triage of failing tests in your BAS. Did the test fail because you don’t have anything protecting against that attack, so of course the simulated attack succeeded? Or did you think you had that attack covered by your defensive stack? Those are two different kinds of failures, and Tidal can help you rapidly tell the difference.
Finally, defensive systems are complex, and complex systems can fail in unpredictable ways. BAS tools can validate whether your defenses are working as Tidal says they should be working. Consider a hypothetical organization with a finely tuned SIEM-based detection for a particular exploit run by a newly discovered threat actor; the detection fires on web server logs being sent to the SIEM. All of these would tell you you’re protected:
- Tidal Cyber Enterprise Edition gives you a high confidence score for this behavior because you have capabilities of many types protecting you against this attacker technique
- Your EDR says the agent is installed on the web server and is checking in
- Your SIEM says the detection is in place and working as designed
- Your asset management system has the web server in its inventory
- Your vulnerability management system says the asset is up to date
However, if the flow of logs from this web server to the SIEM has failed due to any number of reasons that can be hard to detect, an actual attack can go undetected because your SIEM never saw the data from this host. One of the only ways to detect configuration drift and failing system components like this is by actively and continuously testing your entire environment against known attacks, which BAS tools can do at scale. This is one of the many reasons why BAS tools should be part of a mature security program, in addition to Tidal Cyber Enterprise Edition.
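The triage described above, sketched as an added example (not Tidal's or any BAS vendor's code): it compares a constructed coverage map with constructed simulation results and separates a known gap from an unexpected failure, such as the silent log pipeline in the hypothetical. The coverage map, result records, host names and verdict labels are all assumptions made for illustration.

```python
# Added example: all data below is constructed for illustration.
from dataclasses import dataclass

# Hypothetical coverage map: ATT&CK technique -> defensive capabilities
# believed to cover it (what the coverage model says *should* work).
EXPECTED_COVERAGE = {
    "T1190": ["SIEM web-log detection", "EDR agent"],  # Exploit Public-Facing Application
    "T1059": ["EDR agent"],                            # Command and Scripting Interpreter
    "T1566": [],                                       # Phishing: nothing mapped
    "T1485": ["Backup/restore controls"],              # Data Destruction: too destructive to test
}

@dataclass
class SimResult:
    technique: str
    host: str
    detected: bool  # did any control block or alert on the simulated attack?

# Constructed BAS results; web01 is the host whose logs silently stopped flowing.
BAS_RESULTS = [
    SimResult("T1190", "web01", False),
    SimResult("T1059", "web01", True),
    SimResult("T1566", "mail01", False),
]

def triage(expected, results):
    """Classify each technique by comparing expected coverage with test outcomes."""
    by_technique = {}
    for r in results:
        by_technique.setdefault(r.technique, []).append(r)
    verdicts = {}
    for technique in sorted(set(expected) | set(by_technique)):
        controls = expected.get(technique, [])
        runs = by_technique.get(technique, [])
        failed_hosts = sorted({r.host for r in runs if not r.detected})
        if not runs:
            verdicts[technique] = ("untested", [])            # coverage is analysis-only
        elif not failed_hosts:
            verdicts[technique] = ("validated", [])           # controls worked as expected
        elif controls:
            verdicts[technique] = ("unexpected_failure", failed_hosts)  # drift or broken pipeline
        else:
            verdicts[technique] = ("known_gap", failed_hosts)  # nothing was expected to catch it
    return verdicts

if __name__ == "__main__":
    for technique, (verdict, hosts) in triage(EXPECTED_COVERAGE, BAS_RESULTS).items():
        print(f"{technique}: {verdict} {hosts}")
```

An `unexpected_failure` verdict is the one that warrants checking the data path (agent health, log forwarding, parser) on the listed hosts before touching the detection logic itself.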
Together, Tidal and BAS provide the most complete picture – Tidal providing a strategic threat-informed view of your defenses, and BAS offering scalable real-world validation that they are working as designed.
How does Tidal Cyber Enterprise Edition use BAS tools?
Tidal Cyber Enterprise Edition creates capabilities of type Test for tests BAS tools run against each MITRE ATT&CK technique. This lets you see where you have test coverage and how that test coverage aligns with your other defenses. It also helps you prioritize which additional tests to run in your BAS tool.
Tidal Cyber Enterprise Edition makes it easy for our customers to get a continually updated and holistic view of their security coverage, provided by their entire stack of tools, against threats of concern. BAS platforms give customers detailed empirical evidence about how well those defenses are performing in their environment based on test evaluations. Stay tuned for more advancements coming soon from Tidal in using BAS products to bolster the analysis we provide of your environment. Email us to learn more.